diff --git a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml index 759c6ea9a..03d54951d 100644 --- a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml +++ b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml 
@@ -1,57 +1,58 @@ id: aws_account_alternate_contact_security_registered title: Security contact information should be provided for an AWS account +type: control description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.18' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - not_scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.18" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - not_scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_account_part_of_organizations.yaml b/compliance/controls/aws/aws_account_part_of_organizations.yaml index bc974ae34..ab86f40bd 100644 --- a/compliance/controls/aws/aws_account_part_of_organizations.yaml +++ b/compliance/controls/aws/aws_account_part_of_organizations.yaml 
@@ -1,42 +1,43 @@ id: aws_account_part_of_organizations title: AWS account should be part of AWS Organizations +type: control description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN organization_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).' - ELSE title || ' is not part of organization.' - END AS reason, - region, - account_id - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN organization_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).' + ELSE title || ' is not part of organization.' + END AS reason, + region, + account_id + FROM + aws_account; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - gxp_21_cfr_part_11: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis_controls_v8_ig1: + - "true" + gxp_21_cfr_part_11: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml index c3bb1dc91..76175d33f 100644 
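Review bot: The description still promises a check that the query does not perform: it says the rule is non-compliant when "AWS Organizations' master account ID does not match rule parameter MasterAccountId", yet `parameters: []` is empty and the new-side definition only tests `organization_id IS NOT NULL`. Either the description should be reduced to the implemented behaviour, e.g. `description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations.`, or the master-account comparison should be implemented as a declared parameter. As written, a reader of the control card expects a stricter check than is run.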
--- a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml +++ b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml 
@@ -1,64 +1,65 @@ id: aws_acm_certificate_expires_30_days title: ACM certificates should not expire within 30 days +type: control description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' - WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' - ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).' - END AS reason, - region, - account_id - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' + WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' + ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).' 
+ END AS reason, + region, + account_id + FROM + aws_acm_certificate; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ACM - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ACM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml index 4a04217b6..528e7fe9a 100644 --- a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml +++ b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml 
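Review bot: A row whose `not_after` is NULL reaches `ELSE 'alarm'` for status but gets a NULL reason, because `TO_CHAR(not_after, ...)` and the `||` concatenation propagate NULL; a certificate without an expiry (presumably one still pending issuance, though that is inferred) would then be reported as alarmed with no explanation. A leading branch in both CASEs, `WHEN not_after IS NULL THEN 'skip'` and `WHEN not_after IS NULL THEN title || ' has no expiry date.'`, keeps the reason column non-null. Separately, the description ("ensuring X509 certificates are issued by AWS ACM") does not match the title or the query, which is about expiry within 30 days; it should describe the 30-day window, e.g. `description: Ensure ACM certificates are renewed or replaced before they expire; the control alarms when a renewable certificate expires within 30 days.`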
@@ -1,23 +1,24 @@ id: aws_acm_certificate_no_failed_certificate title: Ensure that ACM certificates are not in failed state +type: control description: This control ensures that ACM certificates are not in failed state. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' status is ' || status || '.' AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' status is ' || status || '.' AS reason + FROM + aws_acm_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml index 3592469a4..027a05262 100644 --- a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml +++ b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml 
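Review bot: The new-side SELECT omits the `region` and `account_id` output columns that the other controls rewritten in this commit emit (aws_account_part_of_organizations, aws_acm_certificate_expires_30_days, aws_api_gatewayv2_route_authorization_type_configured), so this result set is shaped differently from its siblings; the same applies to the aws_acm_certificate_no_pending_validation_certificate, aws_acm_certificate_no_wildcard_domain_name, aws_acm_certificate_not_expired and aws_acm_certificate_rsa_key_length_2048_bits_or_greater definitions below. If the platform tolerates both shapes this is a consistency point only, but it is cheap to align: add `region,` and `account_id` after the reason column.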
@@ -1,23 +1,24 @@ id: aws_acm_certificate_no_pending_validation_certificate title: Ensure that ACM certificates are not in pending validation state +type: control description: This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN status = 'PENDING_VALIDATION' THEN 'info' - ELSE 'ok' - END AS status, - title || ' status is ' || status || '.' AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN status = 'PENDING_VALIDATION' THEN 'info' + ELSE 'ok' + END AS status, + title || ' status is ' || status || '.' AS reason + FROM + aws_acm_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml b/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml index c76ea96bb..dd3e98817 100644 --- a/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml +++ b/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml 
@@ -1,26 +1,27 @@ id: aws_acm_certificate_no_wildcard_domain_name title: ACM certificates should not use wildcard certificates +type: control description: Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN domain_name LIKE '*%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN domain_name LIKE '*%' THEN title || ' uses wildcard domain name.' - ELSE title || ' does not use wildcard domain name.' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN domain_name LIKE '*%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN domain_name LIKE '*%' THEN title || ' uses wildcard domain name.' + ELSE title || ' does not use wildcard domain name.' + END AS reason + FROM + aws_acm_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_acm_certificate_not_expired.yaml b/compliance/controls/aws/aws_acm_certificate_not_expired.yaml index 30eef866c..861f9252c 100644 --- a/compliance/controls/aws/aws_acm_certificate_not_expired.yaml +++ b/compliance/controls/aws/aws_acm_certificate_not_expired.yaml 
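Review bot: The wildcard test `domain_name LIKE '*%'` looks only at the primary domain name, so a certificate whose primary name is a single host but whose subject alternative names include a wildcard entry is reported as 'ok' — that is my understanding of how ACM exposes SANs, and the table's column for them is not visible in this hunk, so it needs confirming. If `aws_acm_certificate` exposes the alternative-name list, the check should scan it as well; if it does not, the title and description should state that only the primary domain is inspected. Note also that `*` is not a LIKE metacharacter, so the pattern correctly matches a literal leading asterisk.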
@@ -1,30 +1,31 @@ id: aws_acm_certificate_not_expired title: Ensure that all the expired ACM certificates are removed +type: control description: This control ensures that all expired ACM certificates are removed from AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' - WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' - WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN title || ' expired ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || - ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days ago).' - ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || - ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days).' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' + WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' + WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN title || ' expired ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || + ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days ago).' + ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || + ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days).' 
+ END AS reason + FROM + aws_acm_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml b/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml index ee0690cef..6aee38c26 100644 --- a/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml +++ b/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml 
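Review bot: In the 'expired' branch the reason prints a negative day count: when `DATE(not_after) < CURRENT_DATE - INTERVAL '1' minute` holds, `not_after - CURRENT_DATE` is a negative interval, so `EXTRACT(day FROM ...)` yields e.g. -5 and the message reads "expired 01-Jan-2024 (-5 days ago)". Reversing the operands in that branch fixes it: `' (' || EXTRACT(day FROM CURRENT_DATE - not_after) || ' days ago).'`. The expiry threshold itself is also slightly loose — a certificate whose `not_after` falls earlier today is still 'ok' because `DATE(not_after)` is compared against a timestamp one minute before midnight — so comparing `not_after < CURRENT_TIMESTAMP` directly would be more precise if that is the intent.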
@@ -1,28 +1,29 @@ id: aws_acm_certificate_rsa_key_length_2048_bits_or_greater title: RSA certificates managed by ACM should use a key length of at least 2,048 bits +type: control description: This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT key_algorithm LIKE 'RSA-%' THEN 'skip' - WHEN key_algorithm = 'RSA_1024' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT key_algorithm LIKE 'RSA-%' THEN title || ' is not a RSA certificate.' - WHEN key_algorithm = 'RSA_1024' THEN title || ' is using 1024 bits key length.' - ELSE title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT key_algorithm LIKE 'RSA-%' THEN 'skip' + WHEN key_algorithm = 'RSA_1024' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT key_algorithm LIKE 'RSA-%' THEN title || ' is not a RSA certificate.' + WHEN key_algorithm = 'RSA_1024' THEN title || ' is using 1024 bits key length.' + ELSE title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.' + END AS reason + FROM + aws_acm_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml b/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml index 9db04d7de..c1d4b8453 100644 
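Review bot: The RSA filter and the 1024-bit test disagree on the separator: `NOT key_algorithm LIKE 'RSA-%'` uses a hyphen while the next branch compares against `'RSA_1024'` with an underscore, and ACM reports key algorithms with the underscore form (`RSA_2048`, `RSA_4096`), so every RSA certificate takes the 'skip' branch and the 'alarm' branch is unreachable; `split_part(key_algorithm, '-', 2)` in the reason likewise yields an empty string. The hunk below rewrites both CASE expressions to split on `_`, and compares the numeric part against 2048 so that any sub-2048 size, not only 1024, alarms.
```yaml
      CASE
        WHEN split_part(key_algorithm, '_', 1) <> 'RSA' THEN 'skip'
        WHEN CAST(split_part(key_algorithm, '_', 2) AS INTEGER) < 2048 THEN 'alarm'
        ELSE 'ok'
      END AS status,
      CASE
        WHEN split_part(key_algorithm, '_', 1) <> 'RSA' THEN title || ' is not a RSA certificate.'
        ELSE title || ' is using ' || split_part(key_algorithm, '_', 2) || ' bits key length.'
      END AS reason
      -- … unchanged: resource/platform columns above, FROM aws_acm_certificate below …
```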
--- a/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml +++ b/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml @@ -1,28 +1,29 @@ id: aws_acm_certificate_transparency_logging_enabled title: ACM certificates should have transparency logging enabled +type: control description: Ensure ACM certificates transparency logging is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'IMPORTED' THEN 'skip' - WHEN certificate_transparency_logging_preference = 'ENABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'IMPORTED' THEN title || ' is imported.' - WHEN certificate_transparency_logging_preference = 'ENABLED' THEN title || ' transparency logging enabled.' - ELSE title || ' transparency logging disabled.' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'IMPORTED' THEN 'skip' + WHEN certificate_transparency_logging_preference = 'ENABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'IMPORTED' THEN title || ' is imported.' + WHEN certificate_transparency_logging_preference = 'ENABLED' THEN title || ' transparency logging enabled.' + ELSE title || ' transparency logging disabled.' + END AS reason + FROM + aws_acm_certificate; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml b/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml index 7c36e34f3..5d9cd036a 100644 --- a/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml +++ b/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml @@ -1,28 +1,29 @@ id: aws_acmpca_root_certificate_authority_disabled title: AWS Private CA root certificate authority should be disabled +type: control description: This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acmpca_certificate_authority - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type <> 'ROOT' THEN 'skip' - WHEN status = 'DISABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type <> 'ROOT' THEN title || ' is not root CA.' - WHEN status = 'DISABLED' THEN title || ' root CA disabled.' - ELSE title || ' root CA not disabled.' - END AS reason - FROM - aws_acmpca_certificate_authority; + language: sql + primary_resource: aws_acmpca_certificate_authority + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type <> 'ROOT' THEN 'skip' + WHEN status = 'DISABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type <> 'ROOT' THEN title || ' is not root CA.' + WHEN status = 'DISABLED' THEN title || ' root CA disabled.' + ELSE title || ' root CA not disabled.' + END AS reason + FROM + aws_acmpca_certificate_authority; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml b/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml index 7d7e6d0c7..67005a6de 100644 --- a/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml +++ b/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml @@ -1,26 +1,27 @@ id: aws_api_gateway_method_authorization_type_configured title: API Gateway methods authorizer should be configured +type: control description: This control checks whether API Gateway method has an authorizer configured. This rule is non-compliant if API Gateway method has no authorizers configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_method - definition: | - SELECT - resource_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN authorization_type = 'NONE' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN authorization_type = 'NONE' THEN title || ' authorization type not configured.' - ELSE title || ' authorization type ' || authorization_type || ' configured.' - END AS reason - FROM - aws_api_gateway_method; + language: sql + primary_resource: aws_api_gateway_method + definition: | + SELECT + resource_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN authorization_type = 'NONE' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN authorization_type = 'NONE' THEN title || ' authorization type not configured.' + ELSE title || ' authorization type ' || authorization_type || ' configured.' + END AS reason + FROM + aws_api_gateway_method; severity: low tags: {} 
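Review bot: `resource_id AS resource` may not identify a single finding: if `resource_id` is the id of the parent API Gateway resource rather than of the method (which is how the API Gateway model names it, though the table's columns are not visible here), every HTTP method on the same resource path reports under one resource key and an alarmed DELETE can be masked by an 'ok' GET. If the table carries a per-method identifier or the HTTP verb, the resource expression should include it; the aws_api_gateway_method_request_parameter_validated definition below has the same exposure.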
diff --git a/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml b/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml index 6501a2c24..e62ae2e1c 100644 --- a/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml +++ b/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml @@ -1,26 +1,27 @@ id: aws_api_gateway_method_request_parameter_validated title: API Gateway methods request parameter should be validated +type: control description: This control checks whether API Gateway method request parameter is validated. This rule is non-compliant if API Gateway method request parameter is not validated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_method - definition: | - SELECT - resource_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN request_validator_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN request_validator_id IS NULL THEN title || ' request parameter not validated.' - ELSE title || ' request parameter validated.' - END AS reason - FROM - aws_api_gateway_method; + language: sql + primary_resource: aws_api_gateway_method + definition: | + SELECT + resource_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN request_validator_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN request_validator_id IS NULL THEN title || ' request parameter not validated.' + ELSE title || ' request parameter validated.' + END AS reason + FROM + aws_api_gateway_method; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml b/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml index b9be5f458..b180cafd3 100644 --- a/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml +++ b/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml 
@@ -1,38 +1,39 @@ id: aws_api_gateway_rest_api_public_endpoint_with_authorizer title: API Gateway REST API public endpoints should be configured with authorizer +type: control description: Ensure API Gateway REST API public endpoint is configured with authorizer. This rule is non-compliant if API Gateway REST API public endpoint has no authorizer configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_rest_api - definition: | - SELECT - 'arn:' || p.partition || ':apigateway:' || p.region || '::/apis/' || p.api_id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (endpoint_configuration_types ? 'PRIVATE') - AND (a.provider_arns IS NOT NULL AND jsonb_array_length(a.provider_arns) > 0) - THEN 'ok' - WHEN NOT (endpoint_configuration_types ? 'PRIVATE') - AND (a.provider_arns IS NULL OR jsonb_array_length(a.provider_arns) = 0) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (endpoint_configuration_types ? 'PRIVATE') - AND (a.provider_arns IS NOT NULL AND jsonb_array_length(a.provider_arns) > 0) - THEN p.name || ' has public endpoint with authorizer.' - WHEN NOT (endpoint_configuration_types ? 'PRIVATE') - AND (a.provider_arns IS NULL OR jsonb_array_length(a.provider_arns) = 0) - THEN p.name || ' has public endpoint without authorizer.' - ELSE p.name || ' has private endpoint.' - END AS reason - FROM - aws_api_gateway_rest_api AS p - LEFT JOIN aws_api_gateway_authorizer AS a - ON p.api_id = a.rest_api_id; + language: sql + primary_resource: aws_api_gateway_rest_api + definition: | + SELECT + 'arn:' || p.partition || ':apigateway:' || p.region || '::/apis/' || p.api_id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (endpoint_configuration_types ? 
'PRIVATE') + AND (a.provider_arns IS NOT NULL AND jsonb_array_length(a.provider_arns) > 0) + THEN 'ok' + WHEN NOT (endpoint_configuration_types ? 'PRIVATE') + AND (a.provider_arns IS NULL OR jsonb_array_length(a.provider_arns) = 0) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (endpoint_configuration_types ? 'PRIVATE') + AND (a.provider_arns IS NOT NULL AND jsonb_array_length(a.provider_arns) > 0) + THEN p.name || ' has public endpoint with authorizer.' + WHEN NOT (endpoint_configuration_types ? 'PRIVATE') + AND (a.provider_arns IS NULL OR jsonb_array_length(a.provider_arns) = 0) + THEN p.name || ' has public endpoint without authorizer.' + ELSE p.name || ' has private endpoint.' + END AS reason + FROM + aws_api_gateway_rest_api AS p + LEFT JOIN aws_api_gateway_authorizer AS a + ON p.api_id = a.rest_api_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml b/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml index f6d4790b2..c27cfe194 100644 --- a/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml +++ b/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml 
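Review bot: The authorizer test only looks at `a.provider_arns`, which as far as I recall is populated only for Cognito user-pool authorizers; a public API guarded solely by a Lambda (TOKEN/REQUEST) authorizer therefore lands in the `IS NULL OR jsonb_array_length(...) = 0` branch and is reported as having no authorizer, which is a false alarm — worth confirming against the aws_api_gateway_authorizer columns. The LEFT JOIN is also one-to-many, so an API with several authorizers emits several rows for the same resource, each judged on a different authorizer. Aggregating authorizers per API before joining avoids both problems; the aws_apigateway_rest_api_authorizers_configured definition below has the same join and the same fix applies. `endpoint_configuration_types` should also be qualified as `p.endpoint_configuration_types` now that two tables are in scope.
```yaml
      FROM
        aws_api_gateway_rest_api AS p
        LEFT JOIN (
          SELECT rest_api_id, COUNT(*) AS authorizer_count
          FROM aws_api_gateway_authorizer
          GROUP BY rest_api_id
        ) AS a ON p.api_id = a.rest_api_id;
      -- … unchanged: SELECT list; in both CASEs replace the provider_arns tests with
      --   COALESCE(a.authorizer_count, 0) > 0  /  COALESCE(a.authorizer_count, 0) = 0 …
```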
@@ -1,40 +1,41 @@ id: aws_api_gatewayv2_route_authorization_type_configured title: API Gateway routes should specify an authorization type +type: control description: This control checks if AWS API Gateway routes have an authorization type. The control fails if the API Gateway route does not specify an authorization type. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gatewayv2_route - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN authorization_type IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN authorization_type IS NULL THEN route_id || ' authorization type not configured.' - ELSE route_id || ' authorization type ' || authorization_type || ' configured.' - END AS reason, - region, - account_id - FROM - aws_api_gatewayv2_route; + language: sql + primary_resource: aws_api_gatewayv2_route + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN authorization_type IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN authorization_type IS NULL THEN route_id || ' authorization type not configured.' + ELSE route_id || ' authorization type ' || authorization_type || ' configured.' 
+ END AS reason, + region, + account_id + FROM + aws_api_gatewayv2_route; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - apigateway_8 - plugin: - - aws - service: - - AWS/APIGateway + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - apigateway_8 + plugin: + - aws + service: + - AWS/APIGateway diff --git a/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml b/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml index 51c821fee..0968353c9 100644 --- a/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml +++ b/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml 
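Review bot: `authorization_type IS NULL` is too narrow for an HTTP/WebSocket route: API Gateway v2 also stores the explicit value `NONE`, which this query treats as configured, producing status 'ok' with the reason "authorization type NONE configured." — the v1 control in this same commit (aws_api_gateway_method_authorization_type_configured) already alarms on `'NONE'`. Both branches should read `WHEN authorization_type IS NULL OR authorization_type = 'NONE' THEN 'alarm'` and `WHEN authorization_type IS NULL OR authorization_type = 'NONE' THEN route_id || ' authorization type not configured.'`. The aws_api_gatewayv2_route_authorizer_configured definition below has a related gap: routes authorized with AWS_IAM carry no `authorizer_id` but are not unauthenticated, so that control may alarm on them.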
@@ -1,26 +1,27 @@ id: aws_api_gatewayv2_route_authorizer_configured title: API Gateway V2 authorizer should be configured +type: control description: This control checks whether API Gateway V2 has an authorizer configured. This rule is non-compliant if API Gateway V2 has no authorizers configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gatewayv2_route - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN authorizer_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN authorizer_id IS NULL THEN route_id || ' authorizer not configured.' - ELSE route_id || ' authorizer ' || authorizer_id || ' configured.' - END AS reason - FROM - aws_api_gatewayv2_route; + language: sql + primary_resource: aws_api_gatewayv2_route + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN authorizer_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN authorizer_id IS NULL THEN route_id || ' authorizer not configured.' + ELSE route_id || ' authorizer ' || authorizer_id || ' configured.' + END AS reason + FROM + aws_api_gatewayv2_route; severity: low tags: {} diff --git a/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml b/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml index 054a86e62..212c8c014 100644 --- a/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml 
@@ -1,30 +1,31 @@ id: aws_apigateway_rest_api_authorizers_configured title: API Gateway stages should have authorizers configured +type: control description: Ensure API Gateway stages have authorizers configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_rest_api - definition: | - SELECT - p.name AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(a.provider_arns) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(a.provider_arns) > 0 THEN p.name || ' authorizers configured.' - ELSE p.name || ' authorizers not configured.' - END AS reason - FROM - aws_api_gateway_rest_api AS p - LEFT JOIN - aws_api_gateway_authorizer AS a - ON - p.api_id = a.rest_api_id; + language: sql + primary_resource: aws_api_gateway_rest_api + definition: | + SELECT + p.name AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(a.provider_arns) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(a.provider_arns) > 0 THEN p.name || ' authorizers configured.' + ELSE p.name || ' authorizers not configured.' + END AS reason + FROM + aws_api_gateway_rest_api AS p + LEFT JOIN + aws_api_gateway_authorizer AS a + ON + p.api_id = a.rest_api_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml index 1f980bb2c..f5ee945da 100644 --- a/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml 
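Review bot: `jsonb_array_length(a.provider_arns) > 0` only passes Cognito user-pool authorizers; a Lambda TOKEN/REQUEST authorizer carries an empty `provider_arns`, so an API protected by one is reported as `alarm`, and a NULL `provider_arns` makes the expression NULL rather than 0. Testing for the presence of any authorizer matches the title, e.g. `WHEN EXISTS (SELECT 1 FROM aws_api_gateway_authorizer AS a WHERE a.rest_api_id = p.api_id) THEN 'ok'`, which also removes the LEFT JOIN that currently emits one finding per authorizer for APIs with several. `p.name` is used as `resource` although REST API names are not unique across regions or accounts; the sibling controls build an ARN (`'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id`) and this one should too.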
@@ -1,26 +1,27 @@ id: aws_apigateway_rest_api_endpoint_restrict_public_access title: API Gateway REST API endpoint type should be configured to private +type: control description: This control checks whether API Gateway endpoint is public or private. This rule is non-compliant if API Gateway endpoint is public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_rest_api - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN endpoint_configuration_types ? 'PRIVATE' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN endpoint_configuration_types ? 'PRIVATE' THEN name || ' not publicly accessible.' - ELSE name || ' publicly accessible.' - END AS reason - FROM - aws_api_gateway_rest_api; + language: sql + primary_resource: aws_api_gateway_rest_api + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN endpoint_configuration_types ? 'PRIVATE' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN endpoint_configuration_types ? 'PRIVATE' THEN name || ' not publicly accessible.' + ELSE name || ' publicly accessible.' + END AS reason + FROM + aws_api_gateway_rest_api; severity: low tags: {} diff --git a/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml b/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml index e97a7eff2..0ef0b9bb3 100644 --- a/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml 
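Review bot: The reason text 'not publicly accessible' overstates what `endpoint_configuration_types ? 'PRIVATE'` proves: a PRIVATE endpoint is reachable from whatever VPC endpoints its resource policy allows, and a REGIONAL/EDGE API with a deny-by-default resource policy is not public either. A more accurate reason is `name || ' endpoint type is PRIVATE.'` / `name || ' endpoint type is not PRIVATE.'`, leaving the resource-policy check to a dedicated control (presumably the table exposes the policy document, but that is not visible here). The `?` operator requires `endpoint_configuration_types` to be jsonb; if it is a text array the query would fail at runtime.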
@@ -1,52 +1,53 @@ id: aws_apigateway_rest_api_stage_use_ssl_certificate title: API Gateway stage should uses SSL certificate +type: control description: Ensure that a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is compliant if the REST API stage does not have an associated SSL certificate. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN client_certificate_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN client_certificate_id IS NULL THEN title || ' does not use SSL certificate.' - ELSE title || ' uses SSL certificate.' - END AS reason, - region, - account_id - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN client_certificate_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN client_certificate_id IS NULL THEN title || ' does not use SSL certificate.' + ELSE title || ' uses SSL certificate.' 
+ END AS reason, + region, + account_id + FROM + aws_api_gateway_stage; severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/APIGateway + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/APIGateway diff --git a/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml b/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml index 205bf0893..52fdc92bd 100644 --- a/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml 
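Review bot: The description in this hunk states the rule is compliant when the stage does not have an associated SSL certificate, which is the opposite of the SQL that alarms on `client_certificate_id IS NULL`; it should read `This rule is non-compliant if the REST API stage does not have an associated SSL certificate.` The description should also say what is actually checked: `client_certificate_id` is the client certificate API Gateway presents to the integration backend (mutual TLS to the origin), not TLS on the public stage endpoint, which is always HTTPS, so 'uses SSL certificate' in the reason is misleading for readers triaging findings. The title has a typo as well: 'should uses' → 'should use'.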
@@ -1,40 +1,41 @@ id: aws_apigateway_rest_api_stage_xray_tracing_enabled title: API Gateway REST API stages should have AWS X-Ray tracing enabled +type: control description: This control checks whether AWS X-Ray active tracing is enabled for your AWS API Gateway REST API stages. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN tracing_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN tracing_enabled THEN title || ' X-Ray tracing enabled.' - ELSE title || ' X-Ray tracing disabled.' - END AS reason, - region, - account_id - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN tracing_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN tracing_enabled THEN title || ' X-Ray tracing enabled.' + ELSE title || ' X-Ray tracing disabled.' + END AS reason, + region, + account_id + FROM + aws_api_gateway_stage; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - detection_services - foundational_security_item_id: - - apigateway_3 - plugin: - - aws - service: - - AWS/APIGateway + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - detection_services + foundational_security_item_id: + - apigateway_3 + plugin: + - aws + service: + - AWS/APIGateway diff --git a/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml index b2441c39e..0016f7418 100644 
--- a/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml 
@@ -1,66 +1,67 @@ id: aws_apigateway_stage_cache_encryption_at_rest_enabled title: API Gateway stage cache encryption at rest should be enabled +type: control description: To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' - THEN title || ' API cache and encryption enabled.' - ELSE title || ' API cache and encryption not enabled.' - END AS reason, - region, - account_id - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' + AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' + AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' + THEN title || ' API cache and encryption enabled.' + ELSE title || ' API cache and encryption not enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_api_gateway_stage; severity: medium tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/APIGateway - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/APIGateway + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml b/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml index 0bac44053..de2b5ce30 100644 --- a/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml 
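Review bot: Only the stage-wide `*/*` entry of `method_settings` is inspected, so a per-method override (another key in the same map) that turns caching on with `CacheDataEncrypted` false is invisible to this control; a robust version iterates `jsonb_each(method_settings)` and alarms if any entry has `CachingEnabled = 'true'` and `CacheDataEncrypted <> 'true'`. Separately, a stage with caching disabled is reported as `alarm` with 'API cache and encryption not enabled' although there is nothing to encrypt; if that mirrors the upstream Config rule intentionally, the description should say caching itself is required, otherwise add a branch such as `WHEN method_settings -> '*/*' ->> 'CachingEnabled' IS DISTINCT FROM 'true' THEN 'ok'` with a reason of 'caching not enabled'.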
@@ -1,96 +1,97 @@ id: aws_apigateway_stage_logging_enabled title: API Gateway stage logging should be enabled +type: control description: API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - WITH all_stages AS ( - SELECT - name AS stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS arn, - method_settings -> '*/*' ->> 'LoggingLevel' AS log_level, - title, - region, - account_id, - tags, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_api_gateway_stage' AS platform_table_name, - _ctx - FROM - aws_api_gateway_stage - UNION - SELECT - stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS arn, - default_route_logging_level AS log_level, - title, - region, - account_id, - tags, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_api_gatewayv2_stage' AS platform_table_name, - _ctx - FROM - aws_api_gatewayv2_stage - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - platform_table_name AS platform_table_name, - CASE - WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN title || ' logging not enabled.' - ELSE title || ' logging enabled.' 
- END AS reason, - region, - account_id - FROM - all_stages; + language: sql + primary_resource: "" + definition: | + WITH all_stages AS ( + SELECT + name AS stage_name, + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS arn, + method_settings -> '*/*' ->> 'LoggingLevel' AS log_level, + title, + region, + account_id, + tags, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_api_gateway_stage' AS platform_table_name, + _ctx + FROM + aws_api_gateway_stage + UNION + SELECT + stage_name, + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS arn, + default_route_logging_level AS log_level, + title, + region, + account_id, + tags, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_api_gatewayv2_stage' AS platform_table_name, + _ctx + FROM + aws_api_gatewayv2_stage + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + platform_table_name AS platform_table_name, + CASE + WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN title || ' logging not enabled.' + ELSE title || ' logging enabled.' 
+ END AS reason, + region, + account_id + FROM + all_stages; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/APIGateway - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/APIGateway + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml b/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml index 45e907687..8958d2bd5 100644 --- a/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml 
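Review bot: `UNION` between the REST and v2 stage branches forces a DISTINCT sort over every column, including the `tags` and `_ctx` jsonb, yet the rows can never collide because each branch stamps a different `platform_table_name`; `UNION ALL` is the correct and cheaper operator here. For REST stages only the `*/*` default `LoggingLevel` is read, so a per-method override that sets logging to `OFF` still reports 'logging enabled'; if per-method overrides matter, check every key of `method_settings`. `primary_resource: ""` is blank for this union control while every other control names its table; if the framework uses that field to attribute findings, confirm it falls back to the per-row `platform_table_name` (the consumer is not visible here).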
@@ -1,54 +1,55 @@ id: aws_apigateway_stage_use_waf_web_acl title: API Gateway stage should be associated with waf +type: control description: Ensure that an AWS API Gateway API stage is using a WAF Web ACL. This rule is non-compliant if an AWS WAF Web ACL is not used. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN web_acl_arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN web_acl_arn IS NOT NULL THEN title || ' associated with WAF web ACL.' - ELSE title || ' not associated with WAF web ACL.' - END AS reason, - region, - account_id - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN web_acl_arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN web_acl_arn IS NOT NULL THEN title || ' associated with WAF web ACL.' + ELSE title || ' not associated with WAF web ACL.' 
+ END AS reason, + region, + account_id + FROM + aws_api_gateway_stage; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/APIGateway + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/APIGateway diff --git a/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml b/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml index 20a45c121..5cccc37ab 100644 --- a/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml 
@@ -1,26 +1,27 @@ id: aws_appstream_fleet_default_internet_access_disabled title: AppStream fleet default internet access should be disabled +type: control description: Enabling default internet access for AppStream fleet is not recommended. This control will be considered non-compliant if default internet access is enabled for AppStream fleet. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appstream_fleet - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enable_default_internet_access THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN enable_default_internet_access THEN title || ' has default internet access enabled.' - ELSE title || ' has default internet access disabled.' - END AS reason - FROM - aws_appstream_fleet; + language: sql + primary_resource: aws_appstream_fleet + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enable_default_internet_access THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN enable_default_internet_access THEN title || ' has default internet access enabled.' + ELSE title || ' has default internet access disabled.' + END AS reason + FROM + aws_appstream_fleet; severity: low tags: {} diff --git a/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml index d220ee770..2100ca65c 100644 --- a/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml 
@@ -1,23 +1,24 @@ id: aws_appstream_fleet_idle_disconnect_timeout_600_seconds title: AppStream fleet idle disconnect timeout should be set to less than or equal to 10 mins +type: control description: Ensure session idle disconnect timeout is set to 10 minutes or less. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appstream_fleet - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN idle_disconnect_timeout_in_seconds <= 600 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' idle disconnect timeout in seconds is set to ' || idle_disconnect_timeout_in_seconds || ' seconds.' AS reason - FROM - aws_appstream_fleet; + language: sql + primary_resource: aws_appstream_fleet + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN idle_disconnect_timeout_in_seconds <= 600 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' idle disconnect timeout in seconds is set to ' || idle_disconnect_timeout_in_seconds || ' seconds.' AS reason + FROM + aws_appstream_fleet; severity: low tags: {} diff --git a/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml index 2cc759e52..b20e592a7 100644 --- a/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml 
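Review bot: `idle_disconnect_timeout_in_seconds <= 600` passes a value of 0, which in AppStream means idle disconnect is disabled entirely, so a fleet that never disconnects idle users is reported as `ok`. The condition should exclude it, e.g. `WHEN idle_disconnect_timeout_in_seconds BETWEEN 1 AND 600 THEN 'ok'`, and the reason for the 0 case should say the timeout is disabled. A NULL timeout also makes the `||` concatenation return a NULL reason; wrap the value in `COALESCE(...::text, 'unset')` if the column can be NULL.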
@@ -1,23 +1,24 @@ id: aws_appstream_fleet_max_user_duration_36000_seconds title: AppStream fleet max user duration should be set to less than 10 hours +type: control description: Ensure user maximum session duration is no longer than 10 hours. A session duration exceeding 10 hours is unnecessary and may offer malicious users an extended period of unauthorized usage beyond acceptable limits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appstream_fleet - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN max_user_duration_in_seconds < 36000 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' max user duration in seconds is set to ' || max_user_duration_in_seconds || ' seconds.' AS reason - FROM - aws_appstream_fleet; + language: sql + primary_resource: aws_appstream_fleet + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN max_user_duration_in_seconds < 36000 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' max user duration in seconds is set to ' || max_user_duration_in_seconds || ' seconds.' AS reason + FROM + aws_appstream_fleet; severity: low tags: {} diff --git a/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml index 81dfdb6ff..b2016465b 100644 --- a/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml 
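Review bot: The predicate `max_user_duration_in_seconds < 36000` alarms on exactly 10 hours, while the description says 'no longer than 10 hours' and the title says 'less than 10 hours'; pick one boundary and align text and SQL (`<= 36000` matches the description and the sibling `<= 600` / `<= 300` controls). As in the neighbouring AppStream controls, a NULL duration produces a NULL reason string because of `||`; guard it with `COALESCE`.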
@@ -1,23 +1,24 @@ id: aws_appstream_fleet_session_disconnect_timeout_300_seconds title: AppStream fleet session disconnect timeout should be set to less than or equal to 5 mins +type: control description: The disconnect timeout in minutes refers to the duration for which a streaming session remains active even after users have disconnected. It is recommended to set the disconnect timeout to 5 minutes or less for the AppStream Fleet. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appstream_fleet - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN disconnect_timeout_in_seconds <= 300 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' disconnect timeout in seconds is set to ' || disconnect_timeout_in_seconds || ' seconds.' AS reason - FROM - aws_appstream_fleet; + language: sql + primary_resource: aws_appstream_fleet + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN disconnect_timeout_in_seconds <= 300 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' disconnect timeout in seconds is set to ' || disconnect_timeout_in_seconds || ' seconds.' AS reason + FROM + aws_appstream_fleet; severity: low tags: {} diff --git a/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml b/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml index f22d3feb4..5f0a08fcf 100644 --- a/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml +++ b/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_appsync_graphql_api_field_level_logging_enabled title: AppSync graphql API logging should be enabled +type: control description: This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appsync_graphql_api - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN title || ' field level logging enabled.' - ELSE name || ' field level logging disabled.' - END AS reason - FROM - aws_appsync_graphql_api; + language: sql + primary_resource: aws_appsync_graphql_api + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN title || ' field level logging enabled.' + ELSE name || ' field level logging disabled.' + END AS reason + FROM + aws_appsync_graphql_api; severity: low tags: {} diff --git a/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml index ddc207077..9902a27a6 100644 --- a/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml 
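Review bot: The two reason branches use different identifiers, `title || ' field level logging enabled.'` versus `name || ' field level logging disabled.'`, and `name` is also the `resource` key although AppSync API names are not unique per account/region; if the table exposes an ARN it should be the resource, and the reason should use one of `title`/`name` consistently. The description promises that custom parameter values can select which log type counts as enabled, but `parameters: []` and the hard-coded `IN ('ERROR', 'ALL')` implement no such option, so the text over-promises; either drop that sentence or add the parameter. `log_config ->> 'FieldLogLevel'` is NULL when logging is not configured at all, which correctly falls to `alarm`.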
+++ b/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml @@ -1,26 +1,27 @@ id: aws_athena_workgroup_encryption_at_rest_enabled title: Athena workgroups should be encrypted at rest +type: control description: This control checks if an Athena workgroup is encrypted at rest. The control fails if an Athena workgroup isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_athena_workgroup - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_option IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_option IS NOT NULL THEN name || ' encryption at rest enabled.' - ELSE name || ' encryption at rest disabled.' - END AS reason - FROM - aws_athena_workgroup; + language: sql + primary_resource: aws_athena_workgroup + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_option IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_option IS NOT NULL THEN name || ' encryption at rest enabled.' + ELSE name || ' encryption at rest disabled.' + END AS reason + FROM + aws_athena_workgroup; severity: low tags: {} diff --git a/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml b/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml index 1e6c25790..5c10895c8 100644 --- a/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml +++ b/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml 
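Review bot: `encryption_option IS NOT NULL` only checks the workgroup's default result configuration; unless the workgroup also enforces its configuration, a client can override the output location and encryption per query, so a passing workgroup may still write unencrypted results. Either require both here, `WHEN encryption_option IS NOT NULL AND enforce_workgroup_configuration THEN 'ok'`, or document in the description that this control only provides assurance together with aws_athena_workgroup_enforce_configuration_enabled (the `enforce_workgroup_configuration` column is visible in the next hunk). `name` as the resource key is not unique across regions or accounts; prefer an ARN if the table exposes one.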
@@ -1,26 +1,27 @@ id: aws_athena_workgroup_enforce_configuration_enabled title: Athena workgroups should enforce configuration +type: control description: This control checks if an Athena workgroup enforces configuration. The control fails if an Athena workgroup doesn't enforce configuration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_athena_workgroup - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enforce_workgroup_configuration THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enforce_workgroup_configuration THEN name || ' has enforce workgroup configuration enabled.' - ELSE name || ' has enforce workgroup configuration disabled.' - END AS reason - FROM - aws_athena_workgroup; + language: sql + primary_resource: aws_athena_workgroup + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enforce_workgroup_configuration THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enforce_workgroup_configuration THEN name || ' has enforce workgroup configuration enabled.' + ELSE name || ' has enforce workgroup configuration disabled.' + END AS reason + FROM + aws_athena_workgroup; severity: low tags: {} diff --git a/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml b/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml index 3d281d14d..f4e774aab 100644 --- a/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml +++ b/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml 
@@ -1,30 +1,31 @@ id: aws_autoscaling_ec2_launch_configuration_no_sensitive_data title: EC2 auto scaling group launch configurations user data should not have any sensitive data +type: control description: Ensure that sensitive information is not included in the user data of the launch configuration. It is recommended to utilize Secrets Manager as an alternative for securely managing sensitive data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - user_data LIKE ANY (ARRAY [ '%pass%', '%secret%', '%token%', '%key%' ]) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - user_data LIKE ANY (ARRAY [ '%pass%', '%secret%', '%token%', '%key%' ]) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' THEN title || ' has potential secret patterns in user data.' - ELSE title || ' does not contain secret patterns in user data.' - END AS reason - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + user_data LIKE ANY (ARRAY [ '%pass%', '%secret%', '%token%', '%key%' ]) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + user_data LIKE ANY (ARRAY [ '%pass%', '%secret%', '%token%', '%key%' ]) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' THEN title || ' has potential secret patterns in user data.' 
+ ELSE title || ' does not contain secret patterns in user data.' + END AS reason + FROM + aws_ec2_launch_configuration; severity: low tags: {} diff --git a/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml b/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml index fcfba3bf9..3de17ce72 100644 --- a/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml 
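Review bot: The regex on the `OR user_data ~` lines is unanchored and has no length floor, so it matches any user_data that contains one lowercase letter, one uppercase letter, one digit and one of `@$!%*?&` anywhere in the text — which describes almost every shell or cloud-init script (`$VAR`, `#!/bin/bash`, version numbers) — so in practice this control will alarm on nearly every launch configuration and the keyword branch is moot. The `LIKE ANY` branch is case-sensitive (`PASSWORD=` and `Secret` are missed; use `ILIKE`), `%key%` also hits `keyboard`/`monkey`, and the whole predicate is written twice, once for status and once for reason, so the two can drift. I would compute the heuristic once in a CTE, switch to `ILIKE`, and confine the complexity regex to a single whitespace-delimited token of some minimum length (the 16 below is a constructed threshold to tune), as sketched. Separately, if `user_data` holds the base64 form the EC2 API returns rather than decoded text, neither pattern ever sees plaintext — confirm against the table definition, which is not visible in this diff.
```yaml
  definition: |
    WITH scanned AS (
      SELECT
        launch_configuration_arn,
        title,
        platform_integration_id,
        platform_resource_id,
        -- evaluate the heuristic once; ILIKE so PASSWORD/Secret are caught, and the
        -- complexity regex is confined to one >=16-char token instead of the whole script
        (
          user_data ILIKE ANY (ARRAY [ '%pass%', '%secret%', '%token%', '%key%' ])
          OR user_data ~ '(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[@$!%*?&])[A-Za-z\d@$!%*?&]{16,}'
        ) AS has_secret_pattern
      FROM
        aws_ec2_launch_configuration
    )
    SELECT
      launch_configuration_arn AS resource,
      platform_integration_id AS platform_integration_id,
      platform_resource_id AS platform_resource_id,
      CASE
        WHEN has_secret_pattern THEN 'alarm'
        ELSE 'ok'
      END AS status,
      CASE
        WHEN has_secret_pattern THEN title || ' has potential secret patterns in user data.'
        ELSE title || ' does not contain secret patterns in user data.'
      END AS reason
    FROM
      scanned;
```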
@@ -1,37 +1,38 @@ id: aws_autoscaling_group_multiple_az_configured title: EC2 auto scaling groups should cover multiple availability zones +type: control description: This control checks whether an AWS EC2 Auto Scaling group spans multiple availability zones. The control fails if an auto scaling group does not span multiple availability zones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(availability_zones) > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, - region, - account_id - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(availability_zones) > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, + region, + account_id + FROM + aws_ec2_autoscaling_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - autoscaling_2 - plugin: - - aws - service: - - AWS/AutoScaling + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - autoscaling_2 + plugin: + - aws + service: + - AWS/AutoScaling 
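Review bot: If `availability_zones` is NULL, `jsonb_array_length(availability_zones)` is NULL and the status correctly falls through to `'alarm'`, but the reason expression `title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).'` concatenates with NULL, so the alarm row is emitted with no reason at all. Wrapping both uses as `COALESCE(jsonb_array_length(availability_zones), 0)` keeps the reason populated (`... has 0 availability zone(s).`). Whether the column can actually be NULL for a group is not visible in this diff; if the plugin guarantees a non-empty array, a one-line comment saying so above the CASE would be enough.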
diff --git a/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml b/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml index 38119bedf..c93d4d158 100644 --- a/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml @@ -1,26 +1,27 @@ id: aws_autoscaling_group_no_suspended_process title: Auto Scaling groups should not have any suspended processes +type: control description: Ensure that there are no Auto Scaling Groups (ASGs) with suspended processes provisioned in your AWS account in order to avoid disrupting the auto scaling workflow. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN suspended_processes IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN suspended_processes IS NULL THEN title || ' has no suspended process.' - ELSE title || ' has suspended process.' - END AS reason - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN suspended_processes IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN suspended_processes IS NULL THEN title || ' has no suspended process.' + ELSE title || ' has suspended process.' + END AS reason + FROM + aws_ec2_autoscaling_group; severity: low tags: {} diff --git a/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml b/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml index ed51f23b2..34f0b4108 100644 
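Review bot: `suspended_processes IS NULL` is the only path to `'ok'`, so if the table stores an empty JSON array (`[]`) when nothing is suspended — the other list columns in this diff, e.g. `availability_zones`, are handled as jsonb arrays — every group alarms with `' has suspended process.'`. A shape-independent test is `WHEN COALESCE(jsonb_array_length(suspended_processes), 0) = 0 THEN 'ok'` in both CASEs. I cannot see the column type from here, so confirm against the table before changing it; the reason could also name the count, e.g. `title || ' has ' || jsonb_array_length(suspended_processes) || ' suspended process(es).'`.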
--- a/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled title: Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches +type: control description: Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - WITH propagate_tags_to_ec2_instance AS ( - SELECT - autoscaling_group_arn, - COUNT(*) AS count - FROM - aws_ec2_autoscaling_group, - jsonb_array_elements(tags_src) AS t - WHERE - (t ->> 'PropagateAtLaunch' = 'false') - GROUP BY - autoscaling_group_arn - ) - SELECT - p.autoscaling_group_arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN count > 0 THEN title || ' does not propagate all tags to the EC2 instance' - ELSE title || ' propagate all tags to the EC2 instance.' 
- END AS reason - FROM - aws_ec2_autoscaling_group AS p - LEFT JOIN propagate_tags_to_ec2_instance AS i - ON i.autoscaling_group_arn = p.autoscaling_group_arn; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + WITH propagate_tags_to_ec2_instance AS ( + SELECT + autoscaling_group_arn, + COUNT(*) AS count + FROM + aws_ec2_autoscaling_group, + jsonb_array_elements(tags_src) AS t + WHERE + (t ->> 'PropagateAtLaunch' = 'false') + GROUP BY + autoscaling_group_arn + ) + SELECT + p.autoscaling_group_arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN count > 0 THEN title || ' does not propagate all tags to the EC2 instance' + ELSE title || ' propagate all tags to the EC2 instance.' + END AS reason + FROM + aws_ec2_autoscaling_group AS p + LEFT JOIN propagate_tags_to_ec2_instance AS i + ON i.autoscaling_group_arn = p.autoscaling_group_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml b/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml index 8a43c13d4..a8c54121a 100644 --- a/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml 
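Review bot: The two reason strings on the new side are inconsistent — `' does not propagate all tags to the EC2 instance'` lacks the trailing period every other reason in this file carries, and `' propagate all tags to the EC2 instance.'` should read `' propagates all tags to the EC2 instance.'`. The CTE's aggregate alias `count` shadows the function name and is then referenced unqualified in the outer query next to an unqualified `title`; naming it `COUNT(*) AS non_propagating_tags` and testing `i.non_propagating_tags > 0` in both CASEs makes it obvious which side of the LEFT JOIN each column comes from. The aliases are also inverted relative to what they name (`p` is the group table, `i` is the propagate-tags CTE); `g` and `np`, or similar, would read better.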
@@ -1,40 +1,41 @@ id: aws_autoscaling_group_uses_ec2_launch_template title: EC2 Auto Scaling groups should use EC2 launch templates +type: control description: This control checks whether an AWS EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an AWS EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN launch_template_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN launch_template_id IS NOT NULL THEN title || ' using an EC2 launch template.' - ELSE title || ' not using an EC2 launch template.' - END AS reason, - region, - account_id - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN launch_template_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN launch_template_id IS NOT NULL THEN title || ' using an EC2 launch template.' + ELSE title || ' not using an EC2 launch template.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_autoscaling_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - autoscaling_9 - plugin: - - aws - service: - - AWS/AutoScaling + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - autoscaling_9 + plugin: + - aws + service: + - AWS/AutoScaling diff --git a/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml b/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml index 29d8cabdb..eb5105472 100644 --- a/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml 
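Review bot: The description says the control also fails when a launch template is not specified in a mixed instances policy, but the predicate is only `launch_template_id IS NOT NULL`; unless that column is also populated from the mixed-instances policy's launch template (not visible in this diff), groups that use a mixed instances policy alarm with `' not using an EC2 launch template.'` even though they do. Please confirm the column's semantics against the table; if it only reflects the top-level `LaunchTemplate`, either extend the CASE with whatever mixed-instances launch-template column the table exposes, or trim the description to what is evaluated and add `-- top-level LaunchTemplate only; mixed instances policy templates are not evaluated here` above the CASE.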
@@ -1,58 +1,59 @@ id: aws_autoscaling_group_with_lb_use_health_check title: Auto Scaling groups with a load balancer should use health checks +type: control description: The Elastic Load Balancer (ELB) health checks for AWS Elastic Compute Cloud (AWS EC2) Auto Scaling groups support maintenance of adequate capacity and availability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN 'alarm' - WHEN health_check_type != 'ELB' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN title || ' not associated with a load balancer.' - WHEN health_check_type != 'ELB' THEN title || ' does not use ELB health check.' - ELSE title || ' uses ELB health check.' - END AS reason, - region, - account_id - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN 'alarm' + WHEN health_check_type != 'ELB' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN title || ' not associated with a load balancer.' + WHEN health_check_type != 'ELB' THEN title || ' does not use ELB health check.' + ELSE title || ' uses ELB health check.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_autoscaling_group; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/AutoScaling + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/AutoScaling diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml index 489035430..dfb33e391 100644 --- a/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml 
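Review bot: The first branch, `WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN 'alarm'`, fails every Auto Scaling group that has no load balancer at all, although the title scopes the control to groups *with* a load balancer; since the tags map this control to PCI, NIST and HIPAA, every standalone group becomes a framework failure. Groups outside the scope should be reported as `'info'` (or whatever non-failing status the platform defines for out-of-scope resources) while keeping the existing `' not associated with a load balancer.'` reason. Two smaller points: the NULL tests assume the no-load-balancer case is stored as NULL rather than an empty array, which is not visible here, and `health_check_type != 'ELB'` is not true when `health_check_type` is NULL, so a NULL type silently lands on `'ok'` — `COALESCE(health_check_type, '') <> 'ELB'` closes that.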
@@ -1,41 +1,42 @@ id: aws_autoscaling_launch_config_hop_limit title: EC2 auto scaling group launch configurations should not have metadata response hop limit greater than 1 +type: control description: This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options_put_response_hop_limit IS NULL THEN 'ok' - WHEN metadata_options_put_response_hop_limit > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options_put_response_hop_limit IS NULL THEN title || ' metadata response hop limit set to default.' - ELSE title || ' has a metadata response hop limit of ' || metadata_options_put_response_hop_limit || '.' - END AS reason, - region, - account_id - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options_put_response_hop_limit IS NULL THEN 'ok' + WHEN metadata_options_put_response_hop_limit > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options_put_response_hop_limit IS NULL THEN title || ' metadata response hop limit set to default.' + ELSE title || ' has a metadata response hop limit of ' || metadata_options_put_response_hop_limit || '.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_launch_configuration; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - autoscaling_4 - plugin: - - aws - service: - - AWS/AutoScaling + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - autoscaling_4 + plugin: + - aws + service: + - AWS/AutoScaling diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml index 7718548b3..baf7b74a5 100644 --- a/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml 
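Review bot: In the status CASE the arm `WHEN metadata_options_put_response_hop_limit IS NULL THEN 'ok'` is redundant: `NULL > 1` is not true, so the `ELSE 'ok'` arm already covers NULL and the status reduces to `CASE WHEN metadata_options_put_response_hop_limit > 1 THEN 'alarm' ELSE 'ok' END`. If the explicit NULL arm is kept for symmetry with the reason CASE, a comment such as `-- NULL means no metadata options were set; the EC2 default hop limit of 1 applies` records why NULL is compliant instead of leaving it implicit.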
@@ -1,58 +1,59 @@ id: aws_autoscaling_launch_config_public_ip_disabled title: Auto Scaling launch config public IP should be disabled +type: control description: Ensure that AWS EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is non-compliant if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN associate_public_ip_address THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN associate_public_ip_address THEN title || ' public IP enabled.' - ELSE title || ' public IP disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN associate_public_ip_address THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN associate_public_ip_address THEN title || ' public IP enabled.' + ELSE title || ' public IP disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_launch_configuration; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/AutoScaling + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/AutoScaling diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml index 94b06bad3..aa055f4a3 100644 --- a/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml 
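Review bot: The description's first sentence, `Ensure that AWS EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations`, states the opposite of the title and of its own second sentence; it should read `do not have public IP addresses enabled`. In the CASEs a NULL `associate_public_ip_address` lands on `'ok'` with `' public IP disabled.'`, but when a launch configuration does not set the attribute the subnet's auto-assign setting decides, so NULL is not evidence that public IPs are off. Consider an explicit arm, `WHEN associate_public_ip_address IS NULL THEN 'info'` with reason `title || ' public IP setting not specified; subnet default applies.'`, or at least a comment above the CASE stating that NULL is deliberately treated as disabled.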
@@ -1,40 +1,41 @@ id: aws_autoscaling_launch_config_requires_imdsv2 title: Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) +type: control description: This control checks whether IMDSv2 is enabled on all instances launched by AWS EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options_http_tokens = 'required' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN metadata_options_http_tokens = 'required' THEN title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason, - region, - account_id - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options_http_tokens = 'required' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN metadata_options_http_tokens = 'required' THEN title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_launch_configuration; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - autoscaling_3 - plugin: - - aws - service: - - AWS/AutoScaling + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - autoscaling_3 + plugin: + - aws + service: + - AWS/AutoScaling diff --git a/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml b/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml index 7593687b1..461e797f5 100644 --- a/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml +++ b/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml 
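Review bot: A NULL `metadata_options_http_tokens` and the value `'optional'` both alarm with the same `' not configured to use Instance Metadata Service Version 2 (IMDSv2).'` reason, although the description distinguishes "IMDS version not included in the launch configuration" from "both IMDSv1 and IMDSv2 enabled"; an analyst triaging the finding cannot tell which remediation applies. Adding `WHEN metadata_options_http_tokens IS NULL THEN title || ' has no instance metadata options configured (IMDSv1 allowed unless the account default requires tokens).'` before the ELSE of the reason CASE leaves the status unchanged and makes the finding actionable.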
@@ -1,67 +1,68 @@ id: aws_autoscaling_use_multiple_instance_types_in_multiple_az title: EC2 auto scaling groups should use multiple instance types in multiple availability zones +type: control description: This control checks whether an AWS EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - WITH autoscaling_groups AS ( - SELECT - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides, - region, - tags, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - account_id - FROM - aws_ec2_autoscaling_group - ), - distinct_instance_types_count AS ( - SELECT - autoscaling_group_arn, - COUNT(DISTINCT(e -> 'InstanceType')) AS distinct_instance_types - FROM - autoscaling_groups, - jsonb_array_elements(mixed_instances_policy_launch_template_overrides) AS e - GROUP BY - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides - ) - SELECT - a.autoscaling_group_arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.distinct_instance_types > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.distinct_instance_types > 1 THEN title || ' uses ' || b.distinct_instance_types || ' instance types.' - ELSE title || ' does not use multiple instance types.' 
- END AS reason, - a.region, - a.account_id - FROM - autoscaling_groups AS a - LEFT JOIN distinct_instance_types_count AS b ON a.autoscaling_group_arn = b.autoscaling_group_arn; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + WITH autoscaling_groups AS ( + SELECT + autoscaling_group_arn, + title, + mixed_instances_policy_launch_template_overrides, + region, + tags, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + account_id + FROM + aws_ec2_autoscaling_group + ), + distinct_instance_types_count AS ( + SELECT + autoscaling_group_arn, + COUNT(DISTINCT(e -> 'InstanceType')) AS distinct_instance_types + FROM + autoscaling_groups, + jsonb_array_elements(mixed_instances_policy_launch_template_overrides) AS e + GROUP BY + autoscaling_group_arn, + title, + mixed_instances_policy_launch_template_overrides + ) + SELECT + a.autoscaling_group_arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.distinct_instance_types > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.distinct_instance_types > 1 THEN title || ' uses ' || b.distinct_instance_types || ' instance types.' + ELSE title || ' does not use multiple instance types.' + END AS reason, + a.region, + a.account_id + FROM + autoscaling_groups AS a + LEFT JOIN distinct_instance_types_count AS b ON a.autoscaling_group_arn = b.autoscaling_group_arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - autoscaling_6 - plugin: - - aws - service: - - AWS/AutoScaling + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - autoscaling_6 + plugin: + - aws + service: + - AWS/AutoScaling 
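Review bot: `COUNT(DISTINCT(e -> 'InstanceType'))` only counts overrides that carry a literal `InstanceType`; overrides that use attribute-based selection (`InstanceRequirements`) have no such key, so they count as NULL and a group that can launch many types alarms with `' does not use multiple instance types.'` — if the plugin exposes those entries, the CTE should treat an override with `InstanceRequirements` as satisfying the control, or the reason should say the policy was not evaluated. Two housekeeping points in the same hunk: the `GROUP BY` lists `title` and `mixed_instances_policy_launch_template_overrides`, which are neither selected nor needed once grouping by `autoscaling_group_arn`, and the `autoscaling_groups` CTE carries `tags` and `_ctx`, which nothing downstream reads. `GROUP BY autoscaling_group_arn` alone and dropping the two unused columns keeps the query honest about what it uses.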
diff --git a/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml b/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml index e8034ad19..99a95599a 100644 --- a/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml +++ b/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml 
@@ -1,75 +1,76 @@ id: aws_backup_plan_min_retention_35_days title: Backup plan min frequency and min retention check +type: control description: Checks if a backup plan has a backup rule that satisfies the required frequency and retention period(35 Days). The rule is non-compliant if recovery points are not created at least as often as the specified frequency or expire before the specified period. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_plan - definition: | - WITH all_plans AS ( - SELECT - arn, - r AS rules, - title, - region, - account_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx - FROM - aws_backup_plan, - jsonb_array_elements(backup_plan -> 'Rules') AS r - ) - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.rules IS NULL THEN 'alarm' - WHEN r.rules ->> 'Lifecycle' IS NULL THEN 'ok' - WHEN (r.rules -> 'Lifecycle' ->> 'DeleteAfterDays')::int >= 35 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.rules IS NULL THEN r.title || ' retention period not set.' - WHEN r.rules ->> 'Lifecycle' IS NULL THEN (r.rules ->> 'RuleName') || ' retention period set to never expire.' - ELSE (r.rules ->> 'RuleName') || ' retention period set to ' || (r.rules -> 'Lifecycle' ->> 'DeleteAfterDays') || ' days.' 
- END AS reason, - region, - account_id - FROM - all_plans AS r; + language: sql + primary_resource: aws_backup_plan + definition: | + WITH all_plans AS ( + SELECT + arn, + r AS rules, + title, + region, + account_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx + FROM + aws_backup_plan, + jsonb_array_elements(backup_plan -> 'Rules') AS r + ) + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.rules IS NULL THEN 'alarm' + WHEN r.rules ->> 'Lifecycle' IS NULL THEN 'ok' + WHEN (r.rules -> 'Lifecycle' ->> 'DeleteAfterDays')::int >= 35 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.rules IS NULL THEN r.title || ' retention period not set.' + WHEN r.rules ->> 'Lifecycle' IS NULL THEN (r.rules ->> 'RuleName') || ' retention period set to never expire.' + ELSE (r.rules ->> 'RuleName') || ' retention period set to ' || (r.rules -> 'Lifecycle' ->> 'DeleteAfterDays') || ' days.' 
+ END AS reason, + region, + account_id + FROM + all_plans AS r; severity: medium tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/Backup - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/Backup + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_backup_plan_region_configured.yaml b/compliance/controls/aws/aws_backup_plan_region_configured.yaml index 63290ec94..e3b3941ef 100644 --- a/compliance/controls/aws/aws_backup_plan_region_configured.yaml +++ b/compliance/controls/aws/aws_backup_plan_region_configured.yaml 
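Review bot: The arm `WHEN r.rules IS NULL THEN 'alarm'` is unreachable: `all_plans` expands rules through an implicit inner lateral join (`aws_backup_plan, jsonb_array_elements(backup_plan -> 'Rules') AS r`), so a plan whose `Rules` is absent or empty produces zero rows and silently disappears from the results instead of alarming with `' retention period not set.'`. Replacing the comma join with `FROM aws_backup_plan LEFT JOIN LATERAL jsonb_array_elements(backup_plan -> 'Rules') AS r ON TRUE` keeps one row for such plans with `r.rules` NULL so the existing arms fire. Second, a `Lifecycle` object that has no `DeleteAfterDays` (e.g. only a cold-storage transition) reaches `(r.rules -> 'Lifecycle' ->> 'DeleteAfterDays')::int >= 35`, which is NULL, so the row alarms while its reason concatenates to NULL; add `WHEN r.rules -> 'Lifecycle' ->> 'DeleteAfterDays' IS NULL THEN 'ok'` beside the existing never-expire arm, with a matching reason. Finally, the title promises a frequency check but only retention is evaluated; either evaluate the rule's schedule too or narrow the title and description to retention.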
@@ -1,40 +1,41 @@ id: aws_backup_plan_region_configured title: Backup plan should exist in a region +type: control description: Ensure that there exists at least one backup plan in a region. The rule is non-compliant if there are no backup plans in a region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_plan - definition: | - WITH count_plans AS ( - SELECT - region, - account_id, - COUNT(*) AS count - FROM - aws_backup_plan - GROUP BY - region, - account_id - ) - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN cp.count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cp.count > 0 THEN cp.count || ' backup plan(s) exist in region ' || r.region || '.' - ELSE 'No backup plans exist in region ' || r.region || '.' - END AS reason - FROM - aws_region AS r - LEFT JOIN count_plans AS cp - ON r.account_id = cp.account_id - AND r.region = cp.region; + language: sql + primary_resource: aws_backup_plan + definition: | + WITH count_plans AS ( + SELECT + region, + account_id, + COUNT(*) AS count + FROM + aws_backup_plan + GROUP BY + region, + account_id + ) + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN cp.count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cp.count > 0 THEN cp.count || ' backup plan(s) exist in region ' || r.region || '.' + ELSE 'No backup plans exist in region ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN count_plans AS cp + ON r.account_id = cp.account_id + AND r.region = cp.region; severity: low tags: {} 
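Review bot: `primary_resource: aws_backup_plan` disagrees with the query underneath it, which emits one row per `aws_region` and reports the region's `platform_resource_id`, so findings will be keyed to a region resource while the control claims to describe backup plans; either set `primary_resource: aws_region` or add a comment saying the region row is deliberate. The outer SELECT also stops at `END AS reason` and omits the trailing `region, account_id` columns that every other control in this patch returns after `reason`; if the executor uses them for scoping, append `r.region, r.account_id`. The synthesized `'arn:' || r.partition || '::' || r.region || ':' || r.account_id` has no service or resource segment, so it is not a real ARN — fine as an opaque key, but worth a one-line comment so nobody tries to resolve it.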
diff --git a/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml b/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml index 4744488dc..8bdde95f7 100644 --- a/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml 
@@ -1,54 +1,55 @@ id: aws_backup_recovery_point_encryption_enabled title: Backup recovery points should be encrypted +type: control description: Ensure that a recovery point is encrypted. The rule is non-compliant if the recovery point is not encrypted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_recovery_point - definition: | - SELECT - recovery_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN is_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN is_encrypted THEN recovery_point_arn || ' encryption enabled.' - ELSE recovery_point_arn || ' encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_backup_recovery_point; + language: sql + primary_resource: aws_backup_recovery_point + definition: | + SELECT + recovery_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN is_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN is_encrypted THEN recovery_point_arn || ' encryption enabled.' + ELSE recovery_point_arn || ' encryption disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_backup_recovery_point; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/Backup - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/Backup + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml b/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml index 68ba08a22..c3cf95f76 100644 --- a/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml +++ b/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml 
@@ -1,69 +1,70 @@ id: aws_backup_recovery_point_manual_deletion_disabled title: Backup recovery points manual deletion should be disabled +type: control description: Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is non-compliant if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_vault - definition: | - WITH recovery_point_manual_deletion_disabled AS ( - SELECT - arn - FROM - aws_backup_vault, - jsonb_array_elements(policy -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Deny' - AND s -> 'Action' @> '["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle", "backup:PutBackupVaultAccessPolicy"]' - AND s ->> 'Resource' = '*' - GROUP BY - arn - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN d.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NOT NULL THEN v.title || ' recovery point manual deletion disabled.' - ELSE v.title || ' recovery point manual deletion not disabled.' 
- END AS reason, - v.region, - v.account_id - FROM - aws_backup_vault AS v - LEFT JOIN recovery_point_manual_deletion_disabled AS d - ON v.arn = d.arn; + language: sql + primary_resource: aws_backup_vault + definition: | + WITH recovery_point_manual_deletion_disabled AS ( + SELECT + arn + FROM + aws_backup_vault, + jsonb_array_elements(policy -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Deny' + AND s -> 'Action' @> '["backup:DeleteRecoveryPoint", "backup:UpdateRecoveryPointLifecycle", "backup:PutBackupVaultAccessPolicy"]' + AND s ->> 'Resource' = '*' + GROUP BY + arn + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN d.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NOT NULL THEN v.title || ' recovery point manual deletion disabled.' + ELSE v.title || ' recovery point manual deletion not disabled.' + END AS reason, + v.region, + v.account_id + FROM + aws_backup_vault AS v + LEFT JOIN recovery_point_manual_deletion_disabled AS d + ON v.arn = d.arn; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/Backup - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/Backup + soc_2: + - "true" 
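Review bot: The Deny-statement test in the `recovery_point_manual_deletion_disabled` CTE is simultaneously too loose and too strict. It never inspects `Principal` or `Condition`, so a Deny scoped to one principal or neutralised by a condition key still yields 'ok', while `s ->> 'Resource' = '*'` misses the equivalent array form `["*"]` and `s -> 'Action' @> '[...]'` misses a scalar `"backup:*"`, producing false alarms on vaults that are in fact locked down. Consider `AND (s ->> 'Resource' = '*' OR s -> 'Resource' @> '["*"]')` plus `AND s -> 'Condition' IS NULL`, and decide explicitly whether a non-wildcard `Principal` should count as "manual deletion disabled" as the description promises.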
diff --git a/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml b/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml index 52f897544..3e3776342 100644 --- a/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml +++ b/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml 
@@ -1,56 +1,57 @@ id: aws_backup_recovery_point_min_retention_35_days title: Backup recovery points should not expire before retention period +type: control description: Ensure a recovery point expires no earlier than after the specified period. The rule is non-compliant if the recovery point has a retention point less than 35 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_recovery_point - definition: | - SELECT - recovery_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (lifecycle -> 'DeleteAfterDays') IS NULL THEN 'ok' - WHEN (lifecycle -> 'DeleteAfterDays')::int >= 35 THEN 'ok' - ELSE 'alarm' - END as status, - CASE - WHEN (lifecycle -> 'DeleteAfterDays') IS NULL - THEN split_part(recovery_point_arn, ':', -1) || ' retention period set to never expire.' - ELSE split_part(recovery_point_arn, ':', -1) || ' recovery point has a retention period of ' || (lifecycle -> 'DeleteAfterDays')::int || ' days.' - END AS reason, - region, - account_id - FROM - aws_backup_recovery_point; + language: sql + primary_resource: aws_backup_recovery_point + definition: | + SELECT + recovery_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (lifecycle -> 'DeleteAfterDays') IS NULL THEN 'ok' + WHEN (lifecycle -> 'DeleteAfterDays')::int >= 35 THEN 'ok' + ELSE 'alarm' + END as status, + CASE + WHEN (lifecycle -> 'DeleteAfterDays') IS NULL + THEN split_part(recovery_point_arn, ':', -1) || ' retention period set to never expire.' + ELSE split_part(recovery_point_arn, ':', -1) || ' recovery point has a retention period of ' || (lifecycle -> 'DeleteAfterDays')::int || ' days.' 
+ END AS reason, + region, + account_id + FROM + aws_backup_recovery_point; severity: medium tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/Backup - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/Backup + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_backup_vault_region_configured.yaml b/compliance/controls/aws/aws_backup_vault_region_configured.yaml index 9476b345f..01c75af29 100644 --- a/compliance/controls/aws/aws_backup_vault_region_configured.yaml +++ b/compliance/controls/aws/aws_backup_vault_region_configured.yaml 
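Review bot: `(lifecycle -> 'DeleteAfterDays')::int` depends on a direct jsonb-to-int cast and `split_part(recovery_point_arn, ':', -1)` on a negative field index, both of which only exist on newer PostgreSQL releases; if older engines are in scope use `(lifecycle ->> 'DeleteAfterDays')::int` and an explicit last-segment expression, otherwise record the minimum server version in a comment. A NULL `lifecycle` column (not just a missing key) also drops into the 'never expire' → 'ok' branch; if the column can be NULL when the API returned no lifecycle at all, that is an unknown state that silently passes — `WHEN lifecycle IS NULL THEN 'info'` ahead of the existing branches would surface it.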
@@ -1,38 +1,39 @@ id: aws_backup_vault_region_configured title: Backup vaults should exist in a region +type: control description: Ensure that there exists at least one backup vault in a region. The rule is non-compliant if there are no backup vaults in a region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_vault - definition: | - WITH count_vaults AS ( - SELECT - region, - account_id, - COUNT(*) AS count - FROM - aws_backup_vault - GROUP BY - region, - account_id - ) - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN v.count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.count > 0 THEN v.count || ' backup vault(s) exist in region ' || r.region || '.' - ELSE 'No backup vault exists in region ' || r.region || '.' - END AS reason - FROM - aws_region AS r - LEFT JOIN count_vaults AS v ON r.account_id = v.account_id AND r.region = v.region; + language: sql + primary_resource: aws_backup_vault + definition: | + WITH count_vaults AS ( + SELECT + region, + account_id, + COUNT(*) AS count + FROM + aws_backup_vault + GROUP BY + region, + account_id + ) + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN v.count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.count > 0 THEN v.count || ' backup vault(s) exist in region ' || r.region || '.' + ELSE 'No backup vault exists in region ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN count_vaults AS v ON r.account_id = v.account_id AND r.region = v.region; severity: low tags: {} 
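Review bot: `primary_resource: aws_backup_vault` does not describe what the query returns: rows come from `aws_region AS r`, and `resource`/`platform_resource_id` are the region's, so a vault-oriented consumer will see region identifiers. Set `primary_resource: aws_region` (or comment why not), and append `r.region, r.account_id` after `END AS reason` so this control returns the same trailing columns as the other Backup controls in this patch. The `'arn:' || r.partition || '::' || r.region || ':' || r.account_id` key is not a valid ARN shape; a short comment that it is an opaque per-region key would prevent someone from trying to resolve it.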
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
index 867e9b8bd..026f32b2a 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
@@ -1,20 +1,21 @@
 id: aws_cis_compute_service_v100_10_1
 title: 10.1 Ensure you are using VPC Endpoints for source code access
+type: control
 description: App Runner needs access to your application source, so it can't be encrypted. Therefore, be sure to secure the connection between your development or deployment environment and App Runner.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml
index e9a450a9a..4a4e89e05 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml
@@ -1,20 +1,21 @@
 id: aws_cis_compute_service_v100_11_1
 title: 11.1 Ensure communications between your applications and clients is encrypted
+type: control
 description: SimSpace Weaver doesn't manage communications between your apps and the clients.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml
index 2df1e67a6..2792ad76b 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml
@@ -1,26 +1,27 @@
 id: aws_cis_compute_service_v100_2_10
 title: 2.10 Ensure unused ENIs are removed
+type: control
 description: Identify and delete any unused Amazon AWS Elastic Network Interfaces in order to adhere to best practices and to avoid reaching the service limit. An AWS Elastic Network Interface (ENI) is pronounced unused when is not attached anymore to an EC2 instance.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_network_interface
- definition: |
- SELECT
- network_interface_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN status = 'available' AND attached_instance_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN status = 'available' AND attached_instance_id IS NULL THEN title || ' not in use.'
- ELSE title || ' in use.'
- END AS reason
- FROM
- aws_ec2_network_interface;
+ language: sql
+ primary_resource: aws_ec2_network_interface
+ definition: |
+ SELECT
+ network_interface_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN status = 'available' AND attached_instance_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN status = 'available' AND attached_instance_id IS NULL THEN title || ' not in use.'
+ ELSE title || ' in use.'
+ END AS reason
+ FROM
+ aws_ec2_network_interface;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
index 07b8b0787..289e16c52 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
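Review bot: `network_interface_id AS resource` is a bare `eni-…` id, unlike the ARNs every other control in this patch uses as `resource`, so results collide across accounts and regions and nothing else in the row (no `region, account_id` columns) disambiguates them. Assuming the table exposes `partition`, `region` and `account_id` like its siblings, build the ARN the same way the AMI control does — `'arn:' || partition || ':ec2:' || region || ':' || account_id || ':network-interface/' || network_interface_id AS resource,` — and append `region, account_id` after `END AS reason`. Minor: `status = 'available'` already means the interface is unattached, so `AND attached_instance_id IS NULL` is redundant (harmless, but a comment saying which condition is authoritative would help).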
@@ -1,27 +1,28 @@ id: aws_cis_compute_service_v100_2_11 title: 2.11 Ensure instances stopped for over 90 days are removed +type: control description: Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' - WHEN state_transition_time <= (current_date - INTERVAL '90' day) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' - ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - state_transition_time) || ' days).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' + WHEN state_transition_time <= (current_date - INTERVAL '90' day) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' + ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - state_transition_time) || ' days).' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} 
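Review bot: A stopped instance whose `state_transition_time` is NULL falls through to 'ok', and its reason becomes NULL because `TO_CHAR(state_transition_time, …)` and the `||` chain propagate the NULL; if the column can be NULL, that silently reports an unknown-age instance as compliant. Add `WHEN state_transition_time IS NULL THEN 'info'` between the 'skip' and 'alarm' branches, with a matching `title || ' stopped, transition time unknown.'` reason. Also note the threshold uses `current_date - INTERVAL '90' day` (midnight) while the displayed count uses `current_timestamp - state_transition_time`, so the "(N days)" in the reason can be one day off the value the status was decided on.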
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml index 9ca850d8f..80d50f76c 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml 
@@ -1,40 +1,41 @@ id: aws_cis_compute_service_v100_2_12 title: 2.12 Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination +type: control description: This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH ebs_volume_with_delete_on_termination_enabled AS ( - SELECT - COUNT(*) AS count, - arn - FROM - aws_ec2_instance, - jsonb_array_elements(block_device_mappings) AS p - WHERE - p -> 'Ebs' ->> 'DeleteOnTermination' = 'false' - GROUP BY - arn - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN e.count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN e.count > 0 THEN 'EBS volume(s) attached to ' || title || ' has delete on termination disabled.' - ELSE 'EBS volume(s) attached to ' || title || ' has delete on termination enabled.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN ebs_volume_with_delete_on_termination_enabled AS e - ON e.arn = i.arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH ebs_volume_with_delete_on_termination_enabled AS ( + SELECT + COUNT(*) AS count, + arn + FROM + aws_ec2_instance, + jsonb_array_elements(block_device_mappings) AS p + WHERE + p -> 'Ebs' ->> 'DeleteOnTermination' = 'false' + GROUP BY + arn + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN e.count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN e.count > 0 THEN 'EBS volume(s) attached to ' || title || ' has delete on termination disabled.' + ELSE 'EBS volume(s) attached to ' || title || ' has delete on termination enabled.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN ebs_volume_with_delete_on_termination_enabled AS e + ON e.arn = i.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml index 094176f7e..b489e1a33 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml 
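Review bot: The CTE `ebs_volume_with_delete_on_termination_enabled` actually counts mappings where `p -> 'Ebs' ->> 'DeleteOnTermination' = 'false'`, i.e. the disabled case, so its name inverts its meaning and makes `e.count > 0 THEN 'alarm'` read as if enabled volumes were the problem; rename it (and the `e` alias) to `ebs_volume_with_delete_on_termination_disabled`. The 'ok' reason also asserts "EBS volume(s) attached to … has delete on termination enabled" for an instance whose `block_device_mappings` is empty, where there are no volumes at all; consider "no EBS volume with delete on termination disabled" so the message is true in both cases.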
@@ -1,30 +1,31 @@ id: aws_cis_compute_service_v100_2_13 title: 2.13 Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data +type: control description: User Data can be specified when launching an ec2 instance. Examples include specifying parameters for configuring the instance or including a simple script. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - THEN instance_id || ' potential secret found in user data.' - ELSE instance_id || ' no secrets found in user data.' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + THEN instance_id || ' potential secret found in user data.' + ELSE instance_id || ' no secrets found in user data.' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} 
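Review bot: The secret heuristic is case-sensitive where it should not be and the regex is so loose it will flag nearly every instance: `LIKE ANY (ARRAY ['%pass%', …])` misses `PASSWORD=` and `Secret`, `%key%` matches "keyboard" and "monkey", and `(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])` only needs one lowercase, one uppercase, one digit and one `$`-class character anywhere in the text, which any shell script with `$HOME` and a version string already satisfies. Switch to `ILIKE ANY (ARRAY ['%password%', '%secret%', '%token%', '%api_key%', '%access_key%'])` and either drop the regex or anchor it to a credential shape such as `'(AKIA|ASIA)[0-9A-Z]{16}'`. Also confirm whether `user_data` is stored base64-encoded in this table — if it is, none of these patterns can ever match and every instance reports 'ok'. Computing the predicate once in a CTE would also stop the status and reason branches drifting apart.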
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml index d54375955..b2617caed 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml 
@@ -1,40 +1,41 @@ id: aws_cis_compute_service_v100_2_14 title: 2.14 Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches +type: control description: Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - WITH propagate_tags_to_ec2_instance AS ( - SELECT - autoscaling_group_arn, - COUNT(*) AS count - FROM - aws_ec2_autoscaling_group, - jsonb_array_elements(tags_src) AS t - WHERE - t ->> 'PropagateAtLaunch' = 'false' - GROUP BY - autoscaling_group_arn - ) - SELECT - p.autoscaling_group_arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN count > 0 THEN title || ' does not propagate all tags to the EC2 instance' - ELSE title || ' propagate all tags to the EC2 instance.' 
- END AS reason - FROM - aws_ec2_autoscaling_group AS p - LEFT JOIN propagate_tags_to_ec2_instance AS i - ON i.autoscaling_group_arn = p.autoscaling_group_arn; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + WITH propagate_tags_to_ec2_instance AS ( + SELECT + autoscaling_group_arn, + COUNT(*) AS count + FROM + aws_ec2_autoscaling_group, + jsonb_array_elements(tags_src) AS t + WHERE + t ->> 'PropagateAtLaunch' = 'false' + GROUP BY + autoscaling_group_arn + ) + SELECT + p.autoscaling_group_arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN count > 0 THEN title || ' does not propagate all tags to the EC2 instance' + ELSE title || ' propagate all tags to the EC2 instance.' + END AS reason + FROM + aws_ec2_autoscaling_group AS p + LEFT JOIN propagate_tags_to_ec2_instance AS i + ON i.autoscaling_group_arn = p.autoscaling_group_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml index c3d12f0d8..4e255540b 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml 
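Review bot: The outer SELECT uses `count` and `title` unqualified across the `p`/`i` join, and the two reason strings are inconsistent ("does not propagate all tags to the EC2 instance" has no terminal period; the ok branch says "propagate" for a singular subject). Qualify them as `i.count` and `p.title`, and make the messages `p.title || ' does not propagate all tags to the EC2 instances.'` and `p.title || ' propagates all tags to the EC2 instances.'`. Since the CTE only counts tags with `PropagateAtLaunch = 'false'`, a group with no tags at all is 'ok'; if that is intended, say so in a comment above the CTE.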
@@ -1,20 +1,21 @@
 id: aws_cis_compute_service_v100_2_1_1
 title: 2.1.1 Ensure Consistent Naming Convention is used for Organizational AMI
+type: control
 description: The naming convention for AMI (Amazon Machine Images) should be documented and followed for any AMI's created.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml
index c7e2a7efa..efa1a21fb 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml
@@ -1,48 +1,49 @@ id: aws_cis_compute_service_v100_2_1_2 title: 2.1.2 Ensure Images (AMI's) are encrypted +type: control description: Amazon Machine Images should utilize EBS Encrypted snapshots integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - WITH encryption_status AS ( - SELECT - image_id AS resource, - region, - account_id, - platform_integration_id, - platform_resource_id, - tags, - _ctx, - BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted - FROM - aws_ec2_ami - CROSS JOIN jsonb_array_elements(block_device_mappings) AS mapping - GROUP BY - image_id, - region, - account_id, - tags, - _ctx, - platform_integration_id, - platform_resource_id - ) - SELECT - resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN all_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN all_encrypted THEN resource || ' all EBS volumes are encrypted.' - ELSE resource || ' all EBS volumes are not encrypted.' - END AS reason - FROM - encryption_status; + language: sql + primary_resource: aws_ec2_ami + definition: | + WITH encryption_status AS ( + SELECT + image_id AS resource, + region, + account_id, + platform_integration_id, + platform_resource_id, + tags, + _ctx, + BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted + FROM + aws_ec2_ami + CROSS JOIN jsonb_array_elements(block_device_mappings) AS mapping + GROUP BY + image_id, + region, + account_id, + tags, + _ctx, + platform_integration_id, + platform_resource_id + ) + SELECT + resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN all_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN all_encrypted THEN resource || ' all EBS volumes are encrypted.' + ELSE resource || ' all EBS volumes are not encrypted.' + END AS reason + FROM + encryption_status; severity: low tags: {} 
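Review bot: `BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE))` treats every mapping without an `Ebs` object — instance-store/ephemeral entries that carry only `VirtualName` — as an unencrypted volume, so any AMI that declares an ephemeral device is reported 'alarm' even when all of its EBS snapshots are encrypted; restrict the aggregate with `FILTER (WHERE mapping ? 'Ebs')` or add `WHERE mapping ? 'Ebs'` under the CROSS JOIN. The CROSS JOIN over `jsonb_array_elements(block_device_mappings)` also drops AMIs whose mappings are NULL or empty from the result entirely, so they never get an ok/alarm/info row. Minor: the `::text` cast on the already-text `->>` result is redundant, and the alarm reason "all EBS volumes are not encrypted" should read "not all EBS volumes are encrypted", which is what `BOOL_AND` being false means.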
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml
index cf9e99d47..1543d6345 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml
@@ -1,20 +1,21 @@
 id: aws_cis_compute_service_v100_2_1_3
 title: 2.1.3 Ensure Only Approved AMIs (Images) are Used
+type: control
 description: Ensure that all base AMIs utilized are approved for use by your organization.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml
index 5f673f059..ab43163ac 100644
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml
@@ -1,24 +1,25 @@ id: aws_cis_compute_service_v100_2_1_4 title: 2.1.4 Ensure Images (AMI) are not older than 90 days +type: control description: Ensure that your AMIs are not older than 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - image_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN creation_date >= (CURRENT_DATE - INTERVAL '90 days') THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' created ' || TO_CHAR(creation_date, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - creation_date) || ' days).' AS reason - FROM - aws_ec2_ami; + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + image_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN creation_date >= (CURRENT_DATE - INTERVAL '90 days') THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' created ' || TO_CHAR(creation_date, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - creation_date) || ' days).' AS reason + FROM + aws_ec2_ami; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml index 17078af3d..7d620e086 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml 
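Review bot: The reason column is built solely with `||`, so a NULL `creation_date` or `title` turns the whole reason into NULL while status still reports 'alarm' (a NULL compared with the cutoff is not TRUE, so the ELSE branch fires); wrapping the pieces in COALESCE, or adding `WHEN creation_date IS NULL THEN 'info'` with a matching reason, keeps every result explainable. The instance age control at 2.5 has the identical shape. The status compares against `CURRENT_DATE - INTERVAL '90 days'` while the day count uses `CURRENT_TIMESTAMP`; evaluating both against one clock avoids a boundary-day mismatch between the label and the verdict.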
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_1_5 title: 2.1.5 Ensure Images are not Publicly Available +type: control description: EC2 allows you to make an AMI public, sharing it with all AWS accounts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN public THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_ec2_ami; + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN public THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_ec2_ami; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml index b113b343f..25a6e7551 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml 
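Review bot: `WHEN public THEN 'alarm' ELSE 'ok'` fails open: if `public` is NULL for an image the ELSE branch reports 'ok' and the reason asserts 'not publicly accessible.' although nothing was verified. `WHEN public IS FALSE THEN 'ok' ELSE 'alarm'` keeps the same verdict for TRUE and FALSE and surfaces the unknown case, or add `WHEN public IS NULL THEN 'info'` if unknowns should not alarm. The snapshot control at 2.2.2 has the same NULL fall-through into 'ok'.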
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_2_1 title: 2.2.1 Ensure EBS volume encryption is enabled +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml index f76b5fc48..5c12fcafc 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_2_2 title: 2.2.2 Ensure public access to EBS Snapshots is disabled +type: control description: To protect your data disable the public mode of EBS snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' - ELSE title || ' is not publicly restorable.' - END AS reason - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' + ELSE title || ' is not publicly restorable.' + END AS reason + FROM + aws_ebs_snapshot; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml index 69a4adc3f..4530b7c0b 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml 
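Review bot: The containment test `@> '[{"Group": "all", "UserId": null}]'` only matches an element that carries an explicit `"UserId": null` key; if the API or the collector omits UserId for a group grant (`[{"Group": "all"}]`), the snapshot is reported 'ok' although it is publicly restorable. Containment against the smaller document `@> '[{"Group": "all"}]'` is satisfied whether or not UserId is present, so it should replace the literal in both the status and the reason CASE expressions.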
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_2_3 title: 2.2.3 Ensure EBS volume snapshots are encrypted +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encryption enabled.' - ELSE title || ' encryption disabled.' - END AS reason - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encryption enabled.' + ELSE title || ' encryption disabled.' + END AS reason + FROM + aws_ebs_snapshot; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml index 4e3206d8b..d3ba32980 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_2_4 title: 2.2.4 Ensure unused EBS volumes are removed +type: control description: Identify any unused Elastic Block Store (EBS) volumes in your AWS account and remove them. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state = 'in-use' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' - ELSE title || ' not attached to EC2 instance.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state = 'in-use' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' + ELSE title || ' not attached to EC2 instance.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml index 8d2904a64..69e1ae655 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml 
@@ -1,41 +1,42 @@ id: aws_cis_compute_service_v100_2_3 title: 2.3 Ensure Tag Policies are enabled +type: control description: Tag policies help you standardize tags on all tagged resources across your organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_organizations_policy - definition: | - WITH tag_policy_enabled AS ( - SELECT - _ctx, - account_id, - region, - COUNT(*) AS count - FROM - aws_organizations_policy - WHERE - type = 'TAG_POLICY' - GROUP BY - _ctx, - region, - account_id - ) - SELECT - account_id AS resource, - _ctx.platform_integration_id AS platform_integration_id, - _ctx.platform_resource_id AS platform_resource_id, - CASE - WHEN count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count > 0 THEN 'Organizational tag policies are enabled.' - ELSE 'Organizational tag policies are disabled.' - END AS reason - FROM - tag_policy_enabled; + language: sql + primary_resource: aws_organizations_policy + definition: | + WITH tag_policy_enabled AS ( + SELECT + _ctx, + account_id, + region, + COUNT(*) AS count + FROM + aws_organizations_policy + WHERE + type = 'TAG_POLICY' + GROUP BY + _ctx, + region, + account_id + ) + SELECT + account_id AS resource, + _ctx.platform_integration_id AS platform_integration_id, + _ctx.platform_resource_id AS platform_resource_id, + CASE + WHEN count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count > 0 THEN 'Organizational tag policies are enabled.' + ELSE 'Organizational tag policies are disabled.' + END AS reason + FROM + tag_policy_enabled; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml index dcaed53a4..ed9fe13a9 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml 
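Review bot: The `ELSE 'alarm'` branches are unreachable: the CTE only contains groups built from rows where `type = 'TAG_POLICY'`, so `COUNT(*)` is at least 1 for every row it returns, and an account with no tag policy yields no row at all rather than an alarm. Driving the query from `aws_account` and testing existence of a matching policy produces one result per account with a reachable failure branch. `_ctx.platform_integration_id` also differs from every other control on this page, which reads `platform_integration_id` as a plain column; worth confirming that the dotted form resolves in this engine.
```sql
SELECT
  a.account_id AS resource,
  a.platform_integration_id AS platform_integration_id,
  a.platform_resource_id AS platform_resource_id,
  CASE
    WHEN EXISTS (
      SELECT 1
      FROM aws_organizations_policy AS p
      WHERE p.type = 'TAG_POLICY'
        AND p.account_id = a.account_id
    ) THEN 'ok'
    ELSE 'alarm'
  END AS status,
  -- … unchanged: reason CASE, keyed on the same EXISTS predicate …
FROM
  aws_account AS a;
```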
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_2_4 title: 2.4 Ensure an Organizational EC2 Tag Policy has been created +type: control description: A tag policy enables you to define tag compliance rules to help you maintain consistency in the tags attached to your organization's resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml index 05dbbf386..934418190 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml 
@@ -1,24 +1,25 @@ id: aws_cis_compute_service_v100_2_5 title: 2.5 Ensure no AWS EC2 Instances are older than 180 days +type: control description: Identify any running AWS EC2 instances older than 180 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - launch_time, - CASE - WHEN launch_time >= (CURRENT_DATE - INTERVAL '180 days') THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' created ' || TO_CHAR(launch_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - launch_time) || ' days).' AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + launch_time, + CASE + WHEN launch_time >= (CURRENT_DATE - INTERVAL '180 days') THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' created ' || TO_CHAR(launch_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - launch_time) || ' days).' AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml index 2ca7c1faa..2ac6d6186 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml 
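Review bot: The description limits this control to running instances, but the query has no `instance_state` filter, so stopped or terminated instances older than 180 days alarm as well. Either filter `WHERE instance_state = 'running'` or route non-running states to 'info' the way the SSM control at 2.9 does for stopped instances. The extra `launch_time` output column is not emitted by any other control on this page; if the platform expects a fixed result shape it should be dropped.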
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_6 title: 2.6 Ensure detailed monitoring is enable for production EC2 Instances +type: control description: Ensure that detailed monitoring is enabled for your Amazon EC2 instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN monitoring_state = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN monitoring_state = 'enabled' THEN instance_id || ' detailed monitoring enabled.' - ELSE instance_id || ' detailed monitoring disabled.' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN monitoring_state = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN monitoring_state = 'enabled' THEN instance_id || ' detailed monitoring enabled.' + ELSE instance_id || ' detailed monitoring disabled.' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml index 5abc3ffbc..936dc37be 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_2_8 title: 2.8 Ensure the Use of IMDSv2 is Enforced on All Existing Instances +type: control description: Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled on all running instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml index 4e5b5003d..622146b33 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml 
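Review bot: The check alarms only on the literal value 'optional', so a NULL `metadata_options` or a missing `HttpTokens` key falls through to 'ok' and the reason asserts IMDSv2 is configured without evidence. Testing for the compliant value instead, `WHEN metadata_options ->> 'HttpTokens' = 'required' THEN 'ok' ELSE 'alarm'`, makes the control fail closed; instances with the metadata endpoint disabled would then need their own branch if they are meant to pass.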
@@ -1,30 +1,31 @@ id: aws_cis_compute_service_v100_2_9 title: 2.9 Ensure use of AWS Systems Manager to manage EC2 instances +type: control description: An inventory and management of Amazon Elastic Compute Cloud (Amazon EC2) instances is made possible with AWS Systems Manager. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN i.instance_state = 'stopped' THEN 'info' - WHEN m.instance_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.' - WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.' - ELSE i.title || ' managed by AWS SSM.' - END AS reason - FROM - aws_ec2_instance i - LEFT JOIN - aws_ssm_managed_instance m ON m.instance_id = i.instance_id; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN i.instance_state = 'stopped' THEN 'info' + WHEN m.instance_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.' + WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.' + ELSE i.title || ' managed by AWS SSM.' + END AS reason + FROM + aws_ec2_instance i + LEFT JOIN + aws_ssm_managed_instance m ON m.instance_id = i.instance_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml index 8db4d6259..a0c9f13ba 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml 
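Review bot: Only `instance_state = 'stopped'` is routed to 'info'; instances in other non-running states (for example 'terminated' or 'shutting-down') have no SSM record and land in the alarm branch, which is noise rather than a finding. `WHEN i.instance_state <> 'running' THEN 'info'` with a matching reason covers those states in one change. The join on `m.instance_id = i.instance_id` alone relies on instance IDs being unique across every collected account; if `aws_ssm_managed_instance` also exposes `account_id`, adding it to the ON clause makes that assumption explicit.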
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_1 title: 3.1 Apply updates to any apps running in Lightsail +type: control description: Amazon Lightsail is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications on cloud. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml index 75ba8f658..c441228a4 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_10 title: 3.10 Enable storage bucket access logging +type: control description: Access logging provides detailed records for the requests that are made to this bucket. This information can include the request type, the resources that are specified in the request, and the time and date that the request was processed. Access logs are useful for many applications. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml index 690092ca2..7d3379a3c 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_11 title: 3.11 Ensure your Windows Server based lightsail instances are updated with the latest security patches +type: control description: Windows server based Lightsail instances are still managed by the consumer and any security updates or patches have to be installed and maintained by the user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml index 95261d5f5..346333d08 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_12 title: 3.12 Change the auto-generated password for Windows based instances +type: control description: When you create a Windows Server-based instance, Lightsail randomly generates a long password that is hard to guess. You use this password uniquely with your new instance. You can use the default password to connect quickly to your instance using remote desktop (RDP). You are always logged in as the Administrator on your Lightsail instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml index a6f671d76..340c53291 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_2 title: 3.2 Change default Administrator login names and passwords for applications +type: control description: Change the default settings for the administrator login names and passwords of the application software that you install on Lightsail instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'INFO' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'INFO' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml index d1b70ec54..9ad467f1b 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml 
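Review bot: `'INFO' AS status` is the only upper-case status value on this page; every other control emits lower-case 'ok', 'alarm' or 'info' (including the otherwise identical 3.1, 3.10, 3.11 and 3.12), so a consumer grouping or filtering on `status = 'info'` silently skips this control. Change it to `'info' AS status`.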
@@ -1,57 +1,58 @@ id: aws_cis_compute_service_v100_3_3 title: 3.3 Disable SSH and RDP ports for Lightsail instances when not needed +type: control description: Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should remove and disable these ports when not is use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lightsail_instance - definition: | - WITH open_ports AS ( - SELECT - i.name, - jsonb_array_elements(i.networking -> 'Ports') AS port - FROM - aws_lightsail_instance i - ), - port_cidrs AS ( - SELECT - op.name, - (op.port ->> 'FromPort')::int AS from_port, - (op.port ->> 'ToPort')::int AS to_port, - op.port ->> 'Protocol' AS protocol, - jsonb_array_elements_text(op.port -> 'Cidrs') AS cidr, - jsonb_array_elements_text(op.port -> 'Ipv6Cidrs') AS ipv6_cidr - FROM - open_ports op - ), - insecure_ports AS ( - SELECT - name - FROM - port_cidrs - WHERE - from_port IN (22, 3389, 80) - AND to_port IN (22, 3389, 80) - AND protocol = 'tcp' - AND (cidr = '0.0.0.0/0' OR ipv6_cidr = '::/0') - ) - SELECT - i.name AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.name IS NULL THEN i.name || ' does not have SSH (22) or RDP (3389) or HTTP (80) ports open to 0.0.0.0/0 or ::/0.' - ELSE i.name || ' has SSH (22) or RDP (3389) or HTTP (80) ports open to 0.0.0.0/0 or ::/0.' 
- END AS reason, - i.tags - FROM - aws_lightsail_instance i - LEFT JOIN insecure_ports p ON i.name = p.name; + language: sql + primary_resource: aws_lightsail_instance + definition: | + WITH open_ports AS ( + SELECT + i.name, + jsonb_array_elements(i.networking -> 'Ports') AS port + FROM + aws_lightsail_instance i + ), + port_cidrs AS ( + SELECT + op.name, + (op.port ->> 'FromPort')::int AS from_port, + (op.port ->> 'ToPort')::int AS to_port, + op.port ->> 'Protocol' AS protocol, + jsonb_array_elements_text(op.port -> 'Cidrs') AS cidr, + jsonb_array_elements_text(op.port -> 'Ipv6Cidrs') AS ipv6_cidr + FROM + open_ports op + ), + insecure_ports AS ( + SELECT + name + FROM + port_cidrs + WHERE + from_port IN (22, 3389, 80) + AND to_port IN (22, 3389, 80) + AND protocol = 'tcp' + AND (cidr = '0.0.0.0/0' OR ipv6_cidr = '::/0') + ) + SELECT + i.name AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.name IS NULL THEN i.name || ' does not have SSH (22) or RDP (3389) or HTTP (80) ports open to 0.0.0.0/0 or ::/0.' + ELSE i.name || ' has SSH (22) or RDP (3389) or HTTP (80) ports open to 0.0.0.0/0 or ::/0.' + END AS reason, + i.tags + FROM + aws_lightsail_instance i + LEFT JOIN insecure_ports p ON i.name = p.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml index 18d899625..256d83c1c 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml 
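Review bot: `from_port IN (22, 3389, 80) AND to_port IN (22, 3389, 80)` only matches rules whose bounds are exactly those ports, so a wider range such as 0–65535 or 20–25 that exposes SSH to 0.0.0.0/0 is reported 'ok'; the RDP control at 3.5 has the same exact-match test. A range-containment predicate per port closes the gap, and `protocol = 'tcp'` likewise misses a Lightsail rule whose protocol is 'all'. Separately, the title covers SSH and RDP but the query also alarms on HTTP (80), which flags every public web server; if that is intended the title or description should say so.
```sql
  insecure_ports AS (
    SELECT
      name
    FROM
      port_cidrs
    WHERE
      protocol IN ('tcp', 'all')
      AND (cidr = '0.0.0.0/0' OR ipv6_cidr = '::/0')
      AND (
        (from_port <= 22 AND to_port >= 22)
        OR (from_port <= 3389 AND to_port >= 3389)
        OR (from_port <= 80 AND to_port >= 80)
      )
  )
```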
@@ -1,56 +1,57 @@ id: aws_cis_compute_service_v100_3_5 title: 3.5 Ensure RDP is restricted to only IP address that should have this access +type: control description: Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lightsail_instance - definition: | - WITH open_ports AS ( - SELECT - name, - jsonb_array_elements(networking -> 'Ports') AS port - FROM - aws_lightsail_instance - ), - port_cidrs AS ( - SELECT - op.name, - (op.port ->> 'FromPort')::int AS from_port, - (op.port ->> 'ToPort')::int AS to_port, - op.port ->> 'Protocol' AS protocol, - jsonb_array_elements_text(op.port -> 'Cidrs') AS cidr - FROM - open_ports op - ), - unrestricted_rdp_ports AS ( - SELECT - name - FROM - port_cidrs - WHERE - from_port = 3389 - AND to_port = 3389 - AND protocol = 'tcp' - AND cidr = '0.0.0.0/0' - ) - SELECT - i.name AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN urp.name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN urp.name IS NULL THEN i.name || ' has RDP (3389) restricted to specific IP addresses.' - ELSE i.name || ' has RDP (3389) open to the world (0.0.0.0/0).' 
- END AS reason, - i.tags - FROM - aws_lightsail_instance i - LEFT JOIN unrestricted_rdp_ports urp ON i.name = urp.name; + language: sql + primary_resource: aws_lightsail_instance + definition: | + WITH open_ports AS ( + SELECT + name, + jsonb_array_elements(networking -> 'Ports') AS port + FROM + aws_lightsail_instance + ), + port_cidrs AS ( + SELECT + op.name, + (op.port ->> 'FromPort')::int AS from_port, + (op.port ->> 'ToPort')::int AS to_port, + op.port ->> 'Protocol' AS protocol, + jsonb_array_elements_text(op.port -> 'Cidrs') AS cidr + FROM + open_ports op + ), + unrestricted_rdp_ports AS ( + SELECT + name + FROM + port_cidrs + WHERE + from_port = 3389 + AND to_port = 3389 + AND protocol = 'tcp' + AND cidr = '0.0.0.0/0' + ) + SELECT + i.name AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN urp.name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN urp.name IS NULL THEN i.name || ' has RDP (3389) restricted to specific IP addresses.' + ELSE i.name || ' has RDP (3389) open to the world (0.0.0.0/0).' + END AS reason, + i.tags + FROM + aws_lightsail_instance i + LEFT JOIN unrestricted_rdp_ports urp ON i.name = urp.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml index ce542e988..7a98f841d 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml 
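Review bot: This control expands only `Cidrs`, so an RDP rule open to `::/0` through `Ipv6Cidrs` is reported as restricted; the sibling control at 3.3 already expands `op.port -> 'Ipv6Cidrs'` as `ipv6_cidr` and tests `ipv6_cidr = '::/0'`, and those two lines belong here as well. The exact-match `from_port = 3389 AND to_port = 3389` shares the range-containment gap raised on 3.3. The reason `' has RDP (3389) restricted to specific IP addresses.'` is also asserted for instances with no 3389 rule at all; `' has no RDP (3389) rule open to 0.0.0.0/0.'` describes what was actually checked.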
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_3_6 title: 3.6 Disable IPv6 Networking if not in use within your organization +type: control description: Any protocols enable within Lightsail by default that aren't being used should be disabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lightsail_instance - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ip_v6_addresses IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ip_v6_addresses IS NULL THEN name || ' has IPv6 networking disabled.' - ELSE name || ' has IPv6 networking enabled.' - END AS reason - FROM - aws_lightsail_instance; + language: sql + primary_resource: aws_lightsail_instance + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ip_v6_addresses IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ip_v6_addresses IS NULL THEN name || ' has IPv6 networking disabled.' + ELSE name || ' has IPv6 networking enabled.' + END AS reason + FROM + aws_lightsail_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml index 2e6fb24dd..5151cbc9b 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml 
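Review bot: The status decision `WHEN ip_v6_addresses IS NULL THEN 'ok'` treats every non-NULL value as IPv6 enabled, so an instance whose column holds an empty list (if the collector stores `[]` rather than NULL when no IPv6 address is assigned — not visible here) is reported as 'alarm'. If the column is jsonb, `WHEN ip_v6_addresses IS NULL OR jsonb_array_length(ip_v6_addresses) = 0 THEN 'ok'` covers both encodings; if it is a text array, `cardinality(ip_v6_addresses) = 0` is the equivalent. The title scopes this control to organisations that do not use IPv6, which the query cannot know, so a comment at the top of the definition such as `-- alarms on any assigned IPv6 address regardless of whether IPv6 is in use` would help consumers interpret the result.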
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_7 title: 3.7 Ensure you are using an IAM policy to manage access to buckets in Lightsail +type: control description: The following policy grants a user access to manage a specific bucket in the Amazon Lightsail object storage service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml index fb1537c9e..d49506290 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml 
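Review bot: The definition never inspects a Lightsail, Lambda, Batch or Beanstalk resource; it emits one 'info' row per `aws_account` with `'Manual verification required.'`, so the control can never alarm and its `severity: low` has no effect on results, yet nothing in the file records that it is a placeholder. Add a comment at the top of the SQL, `-- Manual control: no automated check implemented; emits 'info' per account.`, so dashboards and future contributors do not read a permanent 'info' as a passing check. The same template is used by 3_8, 3_9, 4_1, 4_10, 4_11, 4_3, 4_4, 4_5, 4_7, 4_8, 4_9, 5_1, 5_2, 6_1, 6_3, 6_4 and aws_cis_v120_1_1 in this diff; several of those (4_7, 4_8, 4_11) describe per-function properties that the `aws_lambda_function` table queried by 4_12 and 4_2 may already expose, which would allow a real check in place of the placeholder.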
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_8 title: 3.8 Ensure Lightsail instances are attached to the buckets +type: control description: Attaching an Amazon Lightsail instance to a Lightsail storage bucket gives it full programmatic access to the bucket and its objects. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml index 524b62aff..6ce5926b0 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_3_9 title: 3.9 Ensure that your Lightsail buckets are not publicly accessible +type: control description: You can make all objects private, public (read-only) or private while making individual objects public (read-only). By default when creating a bucket the permissions are set to 'All objects are private'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml index 765287d1d..81e4fa995 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_1 title: 4.1 Ensure AWS Config is enabled for Lambda and serverless +type: control description: With AWS Config, you can track configuration changes to the Lambda functions (including deleted functions), runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml index 7c495ef39..7f5095994 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_10 title: 4.10 Ensure Lambda functions do not allow unknown cross account access via permission policies +type: control description: Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml index b9a71683a..1e600f1a5 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_11 title: 4.11 Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates +type: control description: Always using a recent version of the execution environment configured for your Amazon Lambda functions adheres to best practices for the newest software features, the latest security patches and bug fixes, and performance and reliability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml index fb145a92d..97c4cfc42 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_compute_service_v100_4_12 title: 4.12 Ensure encryption in transit is enabled for Lambda environment variables +type: control description: As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_arn IS NULL THEN title || ' encryption is disabled.' - ELSE title || ' encryption is enabled.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_arn IS NULL THEN title || ' encryption is disabled.' + ELSE title || ' encryption is enabled.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml index 1d1bd3232..b4758289f 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml 
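Review bot: The reason strings `' encryption is disabled.'` / `' encryption is enabled.'` misdescribe what `kms_key_arn IS NULL` tells us: Lambda always encrypts environment variables at rest with an AWS managed key, and a NULL `kms_key_arn` means no customer managed KMS key is configured, not that encryption is off. The title also refers to encryption in transit (the console's client-side encryption helpers), which this column does not reflect. Suggest `WHEN kms_key_arn IS NULL THEN title || ' environment variables are not encrypted with a customer managed KMS key.'` and `ELSE title || ' environment variables are encrypted with a customer managed KMS key.'`, plus a one-line comment in the definition noting that in-transit encryption helpers are not observable from this table.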
@@ -1,34 +1,35 @@ id: aws_cis_compute_service_v100_4_2 title: 4.2 Ensure Cloudwatch Lambda insights is enabled +type: control description: Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(layers) AS l - WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(layers) AS l - WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' - ) THEN title || ' CloudWatch Insights enabled.' - ELSE title || ' CloudWatch Insights disabled.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(layers) AS l + WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(layers) AS l + WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' + ) THEN title || ' CloudWatch Insights enabled.' + ELSE title || ' CloudWatch Insights disabled.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml index 16f229968..47265a46d 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml 
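Review bot: The pattern `LIKE '%:layer:LambdaInsightsExtension:%'` misses the arm64 Lambda Insights layer, whose ARN uses the layer name `LambdaInsightsExtension-Arm64`, so functions running on Graviton with Insights enabled are reported as 'alarm'. Match both variants with `WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension%:%'` (or list the two names explicitly) in both EXISTS subqueries. Since the same subquery is repeated for `status` and `reason`, computing it once in a CTE or a subselect alias would keep the two from drifting apart.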
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_3 title: 4.3 Ensure AWS Secrets manager is configured and being used by Lambda for databases +type: control description: Lambda functions often have to access a database or other services within your environment. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml index 4647521ce..442a6d7ae 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_4 title: 4.4 Ensure least privilege is used with Lambda function access +type: control description: Lambda is fully integrated with IAM, allowing you to control precisely what each Lambda function can do within the AWS Cloud. As you develop a Lambda function, you expand the scope of this policy to enable access to other resources. For example, for a function that processes objects put into an S3 bucket, it requires read access to objects stored in that bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml index f80b0ddac..669c40cfd 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_5 title: 4.5 Ensure every Lambda function has its own IAM Role +type: control description: Every Lambda function should have a one to one IAM execution role and the roles should not be shared between functions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml index 283bca320..deb8310eb 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml 
@@ -1,44 +1,45 @@ id: aws_cis_compute_service_v100_4_6 title: 4.6 Ensure Lambda functions are not exposed to everyone +type: control description: A publicly accessible Amazon Lambda function is open to the public and can be reviewed by anyone. To protect against unauthorized users that are sending requests to invoke these functions they need to be changed so they are not exposed to the public integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH wildcard_action_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_lambda_function, - JSONB_ARRAY_ELEMENTS(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - arn + language: sql + primary_resource: aws_lambda_function + definition: | + WITH wildcard_action_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_lambda_function, + JSONB_ARRAY_ELEMENTS(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || - ' statements that allows public access.' 
- END AS reason - FROM - aws_lambda_function AS f - LEFT JOIN wildcard_action_policies AS p ON p.arn = f.arn; + GROUP BY + arn + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' does not allow public access.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || + ' statements that allows public access.' + END AS reason + FROM + aws_lambda_function AS f + LEFT JOIN wildcard_action_policies AS p ON p.arn = f.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml index a6396a8c2..35b400552 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_7 title: 4.7 Ensure Lambda functions are referencing active execution +type: control description: In order to have the necessary permissions to access the AWS cloud services and resources Amazon Lambda functions should be associated with active(available) execution roles. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml index 10ed7e772..13083e2f3 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_8 title: 4.8 Ensure that Code Signing is enabled for Lambda functions +type: control description: Ensure that all your Amazon Lambda functions are configured to use the Code Signing feature in order to restrict the deployment of unverified code. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml index 244923b34..6e95d25c9 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_4_9 title: 4.9 Ensure there are no Lambda functions with admin privileges within your AWS account +type: control description: Ensure that your Amazon Lambda functions don't have administrative permissions potentially giving the function access to all AWS cloud services and resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml index e7daf78dc..b7ddb6076 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_5_1 title: 5.1 Ensure AWS Batch is configured with AWS Cloudwatch Logs +type: control description: You can configure Batch jobs to send log information to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml index cbe2ea9c2..33a424d1e 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_5_2 title: 5.2 Ensure Batch roles are configured for cross-service confused deputy prevention +type: control description: The Cross-service confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml index 7d2407741..446b7780a 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_6_1 title: 6.1 Ensure Managed Platform updates is configured +type: control description: AWS Elastic Beanstalk regularly releases platform updates to provide fixes, software updates, and new features. With managed platform updates, you can configure your environment to automatically upgrade to the latest version of a platform during a scheduled maintenance window. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml index 00bcc477d..3e421d4da 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml 
@@ -1,40 +1,41 @@ id: aws_cis_compute_service_v100_6_2 title: 6.2 Ensure Persistent logs is setup and configured to S3 +type: control description: Elastic Beanstalk can be configured to automatically stream logs to the CloudWatch service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - WITH beanstalk_environment_logs_enabled AS ( - SELECT - DISTINCT e.arn - FROM - aws_elastic_beanstalk_environment AS e, - JSONB_ARRAY_ELEMENTS(e.configuration_settings) AS c, - JSONB_ARRAY_ELEMENTS(c -> 'OptionSettings') AS s - WHERE - s ->> 'OptionName' = 'StreamLogs' - AND s ->> 'Value' = 'true' - GROUP BY - arn - ) - SELECT - e.arn AS resource, - e.platform_integration_id AS platform_integration_id, - e.platform_resource_id AS platform_resource_id, - CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' - ELSE title || ' does not send logs to AWS CloudWatch.' - END AS reason - FROM - aws_elastic_beanstalk_environment AS e - LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + WITH beanstalk_environment_logs_enabled AS ( + SELECT + DISTINCT e.arn + FROM + aws_elastic_beanstalk_environment AS e, + JSONB_ARRAY_ELEMENTS(e.configuration_settings) AS c, + JSONB_ARRAY_ELEMENTS(c -> 'OptionSettings') AS s + WHERE + s ->> 'OptionName' = 'StreamLogs' + AND s ->> 'Value' = 'true' + GROUP BY + arn + ) + SELECT + e.arn AS resource, + e.platform_integration_id AS platform_integration_id, + e.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' + ELSE title || ' does not send logs to AWS CloudWatch.' 
+ END AS reason + FROM + aws_elastic_beanstalk_environment AS e + LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml index 6c68bfe92..e0d292970 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml @@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_6_3 title: 6.3 Ensure access logs are enabled +type: control description: When you enable load balancing, your AWS Elastic Beanstalk environment is equipped with an Elastic Load Balancing load balancer to distribute traffic among the instances in your environment. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml index 535030515..ddf04cbc9 100644 --- a/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_compute_service_v100_6_4 title: 6.4 Ensure that HTTPS is enabled on load balancer +type: control description: The simplest way to use HTTPS with an Elastic Beanstalk environment is to assign a server certificate to your environment's load balancer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_1.yaml b/compliance/controls/aws/aws_cis_v120_1_1.yaml index bf17af515..7d37843a0 100644 --- a/compliance/controls/aws/aws_cis_v120_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v120_1_1 title: 1.1 Avoid the use of the "root" account +type: control description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_11.yaml b/compliance/controls/aws/aws_cis_v120_1_11.yaml index 7cf7a912e..9590fbac4 100644 --- a/compliance/controls/aws/aws_cis_v120_1_11.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_11.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v120_1_11 title: 1.11 Ensure IAM password policy expires passwords within 90 days or less +type: control description: IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN max_password_age <= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN max_password_age IS NULL THEN 'Password expiration not set.' - ELSE 'Password expiration set to ' || max_password_age || ' days.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN max_password_age <= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN max_password_age IS NULL THEN 'Password expiration not set.' + ELSE 'Password expiration set to ' || max_password_age || ' days.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_12.yaml b/compliance/controls/aws/aws_cis_v120_1_12.yaml index a9486a760..3d8a36b34 100644 --- a/compliance/controls/aws/aws_cis_v120_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_12.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v120_1_12 title: 1.12 Ensure no root account access key exists +type: control description: The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_access_keys_present > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' - ELSE 'No root user access keys exist.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_access_keys_present > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' + ELSE 'No root user access keys exist.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_13.yaml b/compliance/controls/aws/aws_cis_v120_1_13.yaml index 14911e4af..d1b63d7ca 100644 --- a/compliance/controls/aws/aws_cis_v120_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_13.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v120_1_13 title: 1.13 Ensure MFA is enabled for the "root" account +type: control description: The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN account_mfa_enabled THEN 'MFA enabled for root account.' - ELSE 'MFA not enabled for root account.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN account_mfa_enabled THEN 'MFA enabled for root account.' + ELSE 'MFA not enabled for root account.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_15.yaml b/compliance/controls/aws/aws_cis_v120_1_15.yaml index 513c0cf02..ac2f32a4a 100644 --- a/compliance/controls/aws/aws_cis_v120_1_15.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_15.yaml 
@@ -1,38 +1,39 @@ id: aws_cis_v120_1_15 title: 1.15 Ensure security questions are registered in the AWS account +type: control description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.15' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - not_scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.15" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - not_scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_cis_v120_1_16.yaml b/compliance/controls/aws/aws_cis_v120_1_16.yaml index 7a0d0c83a..ad50528fc 100644 --- a/compliance/controls/aws/aws_cis_v120_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_16.yaml 
@@ -1,23 +1,24 @@ id: aws_cis_v120_1_16 title: 1.16 Ensure IAM policies are attached only to groups or roles +type: control description: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' attached policies.' AS reason - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' attached policies.' AS reason + FROM + aws_iam_user; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_17.yaml b/compliance/controls/aws/aws_cis_v120_1_17.yaml index 8d091d56b..d8d4c047e 100644 --- a/compliance/controls/aws/aws_cis_v120_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_17.yaml 
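Review bot: `WHEN attached_policy_arns IS NULL THEN 'ok'` treats only a NULL column as "no policies"; if the collector stores an empty JSON array instead, the user is reported as 'alarm' while the reason on the next line says `has 0 attached policies.`. Testing the length keeps status and reason consistent: `WHEN COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`. The CIS item also covers inline policies, which this query does not examine; if the user table exposes them the check should include them, otherwise the description should say the control only covers attached managed policies.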
@@ -1,20 +1,21 @@ id: aws_cis_v120_1_17 title: 1.17 Maintain current contact details +type: control description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_18.yaml b/compliance/controls/aws/aws_cis_v120_1_18.yaml index 97ceca958..83300ad31 100644 --- a/compliance/controls/aws/aws_cis_v120_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_18.yaml 
@@ -1,50 +1,51 @@ id: aws_cis_v120_1_18 title: Ensure alternate security contact is registered for the AWS Account +type: control description: Checks if the AWS Account has an alternate security contact registered. If the account is in GovCloud (aws-us-gov), manual verification is advised. Otherwise, if no security contact is set, an alarm is raised. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' 
- END AS reason - FROM - account AS a - JOIN alternate_security_contact AS c ON c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a + JOIN alternate_security_contact AS c ON c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_19.yaml b/compliance/controls/aws/aws_cis_v120_1_19.yaml index b8d10c717..94429c421 100644 --- a/compliance/controls/aws/aws_cis_v120_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_19.yaml 
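Review bot: The final `JOIN alternate_security_contact AS c ON c.account_id = a.account_id` is an inner join, so an account with no SECURITY alternate contact produces no row at all and the `ELSE 'alarm'` / `' security contact not registered.'` branches are unreachable — the control can never fail, which is the one outcome it exists to report. Change it to `LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;` so every account is evaluated and the `c.name IS NOT NULL` test does its job. The `_ctx` column selected in the `account` CTE is not referenced afterwards and can be dropped.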
@@ -1,20 +1,21 @@ id: aws_cis_v120_1_19 title: 1.19 Ensure IAM instance roles are used for AWS resource access from instances +type: control description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_2.yaml b/compliance/controls/aws/aws_cis_v120_1_2.yaml index ffb38a336..11aa387b2 100644 --- a/compliance/controls/aws/aws_cis_v120_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_2.yaml 
@@ -1,27 +1,28 @@ id: aws_cis_v120_1_2 title: 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password +type: control description: Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' - ELSE user_name || ' password login enabled and MFA device configured.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' + ELSE user_name || ' password login enabled and MFA device configured.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_cis_v120_1_20.yaml b/compliance/controls/aws/aws_cis_v120_1_20.yaml index 7bc6e9db7..eff56dee7 100644 --- a/compliance/controls/aws/aws_cis_v120_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_20.yaml 
@@ -1,51 +1,52 @@ id: aws_cis_v120_1_20 title: 1.20 Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn) AS count, - a.account_id, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r - ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn - ON TRUE - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - ) - SELECT - resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason - FROM - support_role_count; + language: sql + primary_resource: aws_iam_role + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn) AS count, + a.account_id, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r + ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn + ON TRUE + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + ) + SELECT + resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason + FROM + support_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_21.yaml b/compliance/controls/aws/aws_cis_v120_1_21.yaml index 9eaa2dd1a..656d4e617 100644 --- a/compliance/controls/aws/aws_cis_v120_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_21.yaml 
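Review bot: `SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess'` matches on the policy name only, so a customer-managed policy that merely happens to be named AWSSupportAccess satisfies the control without granting any support permissions. Compare the full ARN of the AWS managed policy instead: `policy_arn = 'arn:' || a.partition || ':iam::aws:policy/AWSSupportAccess'`, keeping the `OR policy_arn IS NULL` arm so accounts with no matching role still get a row with count 0. Separately, `primary_resource: aws_iam_role` does not match what the query emits — one row per account keyed by the account pseudo-ARN — which is worth either documenting or aligning.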
@@ -1,32 +1,33 @@ id: aws_cis_v120_1_21 title: 1.21 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled - AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' - WHEN password_enabled - AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled + AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' 
+ WHEN password_enabled + AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 + THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_22.yaml b/compliance/controls/aws/aws_cis_v120_1_22.yaml index 7658c6a4f..744acf2fd 100644 --- a/compliance/controls/aws/aws_cis_v120_1_22.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_22.yaml 
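Review bot: The `< 10` in `extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10` is an undocumented heuristic — a key whose rotation timestamp falls within ten seconds of user creation is taken to have been created during initial setup — and the expression is duplicated in the status and reason CASEs. Add a comment above the SELECT such as `-- A key rotated within 10 s of user creation is treated as created during initial user setup.` Only access key 1 is examined; whether a key in the second slot can ever be the initial one depends on the credential report's slot semantics and is worth confirming and stating in the same comment.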
@@ -1,52 +1,53 @@ id: aws_cis_v120_1_22 title: 1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created +type: control description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - is_aws_managed, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = '*:*' - ) - AND is_attached - GROUP BY - arn, - is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + is_aws_managed, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || 
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - END AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - p.is_attached; + AND is_attached + GROUP BY + arn, + is_aws_managed + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + END AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + p.is_attached; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_3.yaml b/compliance/controls/aws/aws_cis_v120_1_3.yaml index 30bdcfb31..ba366ccda 100644 --- a/compliance/controls/aws/aws_cis_v120_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_3.yaml 
@@ -1,73 +1,74 @@ id: aws_cis_v120_1_3 title: 1.3 Ensure credentials unused for 90 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled - AND password_last_used IS NULL - AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN password_enabled - AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active - AND access_key_1_last_used_date IS NULL - AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active - AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active - AND access_key_2_last_used_date IS NULL - AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active - AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - ELSE 'ok' - END status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled - AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active - AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || 
TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active - AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END - AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled + AND password_last_used IS NULL + AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN password_enabled + AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active + AND access_key_1_last_used_date IS NULL + AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active + AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active + AND access_key_2_last_used_date IS NULL + AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active + AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + ELSE 'ok' + END status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled + AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN 
access_key_1_active + AND access_key_1_last_used_date IS NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active + AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END + AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_1_4.yaml b/compliance/controls/aws/aws_cis_v120_1_4.yaml index d6cbc105b..b49191410 100644 --- a/compliance/controls/aws/aws_cis_v120_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_4.yaml 
@@ -1,24 +1,25 @@ id: aws_cis_v120_1_4 title: 1.4 Ensure access keys are rotated every 90 days or less +type: control description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (current_date - interval '90' DAY) THEN 'alarm' - ELSE 'ok' - END status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (current_date - interval '90' DAY) THEN 'alarm' + ELSE 'ok' + END status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason + FROM + aws_iam_access_key; severity: low tags: {} 
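Review bot: The status CASE alarms on every access key whose `create_date` is more than 90 days old regardless of whether the key is still enabled, so a key that was deliberately deactivated and kept for audit stays in 'alarm' with no way to tell it apart from a live stale key. If the table exposes the key state (the credential-report control earlier in this diff already separates active from inactive keys), add a branch ahead of the age test such as `WHEN status = 'Inactive' THEN 'skip'` with a matching reason. Separately, `create_date <= (current_date - interval '90' DAY)` alarms a key that is exactly 90 days old while the title reads "90 days or less"; use `<` if that boundary is meant to be compliant.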
diff --git a/compliance/controls/aws/aws_cis_v120_1_8.yaml b/compliance/controls/aws/aws_cis_v120_1_8.yaml index bc96b7cd8..2a343c94c 100644 --- a/compliance/controls/aws/aws_cis_v120_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_8.yaml @@ -1,29 +1,30 @@ id: aws_cis_v120_1_8 title: 1.8 Ensure IAM password policy require at least one number +type: control description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN require_numbers THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN require_numbers THEN 'Number required.' - ELSE 'Number not required.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN require_numbers THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN require_numbers THEN 'Number required.' + ELSE 'Number not required.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: low tags: {} 
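Review bot: `require_numbers` and `minimum_password_length` in the two CASE expressions are unqualified and both come from the LEFT JOINed `pol`, yet the status and reason detect a missing policy through different columns. Qualify them and test one sentinel in both places: `WHEN pol.account_id IS NULL THEN 'alarm'` in the status CASE, `WHEN pol.account_id IS NULL THEN 'No password policy set.'` in the reason CASE, then `WHEN pol.require_numbers THEN ...`. Behaviour is unchanged today because a NULL `require_numbers` already falls to 'alarm', but the intent then reads directly instead of relying on three-valued logic.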
diff --git a/compliance/controls/aws/aws_cis_v120_2_2.yaml b/compliance/controls/aws/aws_cis_v120_2_2.yaml index f37894c68..1d35cc83c 100644 --- a/compliance/controls/aws/aws_cis_v120_2_2.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_2.yaml @@ -1,28 +1,29 @@ id: aws_cis_v120_2_2 title: 2.2 Ensure CloudTrail log file validation is enabled. +type: control description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_2_3.yaml b/compliance/controls/aws/aws_cis_v120_2_3.yaml index 41547550b..c286706d2 100644 
--- a/compliance/controls/aws/aws_cis_v120_2_3.yaml
+++ b/compliance/controls/aws/aws_cis_v120_2_3.yaml
@@ -1,64 +1,65 @@ id: aws_cis_v120_2_3 title: 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible +type: control description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH public_bucket_data AS ( - SELECT - t.s3_bucket_name AS name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - t.platform_integration_id, - t.platform_resource_id, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, - COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements - FROM - aws_cloudtrail_trail AS t - LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name - LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE - LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE - LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE - GROUP BY - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - t.platform_integration_id, - t.platform_resource_id - ) - SELECT - CASE - WHEN arn IS NULL THEN 'arn:aws:s3::' || name - ELSE arn - END AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN arn IS NULL THEN 'skip' - WHEN all_user_grants > 0 THEN 'alarm' - WHEN auth_user_grants > 0 THEN 'alarm' - WHEN anon_statements > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN arn IS NULL THEN name || ' not found in account ' 
|| account_id || '.' - WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' - WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' - WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' - ELSE name || ' does not grant anonymous access in ACL or bucket policy.' - END AS reason - FROM - public_bucket_data; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH public_bucket_data AS ( + SELECT + t.s3_bucket_name AS name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + t.platform_integration_id, + t.platform_resource_id, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, + COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements + FROM + aws_cloudtrail_trail AS t + LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name + LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE + LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE + LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE + GROUP BY + t.s3_bucket_name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + t.platform_integration_id, + t.platform_resource_id + ) + SELECT + CASE + WHEN arn IS NULL THEN 'arn:aws:s3::' || name + ELSE arn + END AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN arn IS NULL THEN 'skip' + WHEN all_user_grants > 0 THEN 'alarm' + WHEN auth_user_grants > 0 THEN 'alarm' + WHEN anon_statements > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' + WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' 
+ WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' + WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' + ELSE name || ' does not grant anonymous access in ACL or bucket policy.' + END AS reason + FROM + public_bucket_data; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_2_4.yaml b/compliance/controls/aws/aws_cis_v120_2_4.yaml index 051a3eb77..7bf7d771b 100644 --- a/compliance/controls/aws/aws_cis_v120_2_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_4.yaml 
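Review bot: `'arn:aws:s3::' || name` in the resource CASE builds a malformed bucket ARN — an S3 bucket ARN has three colons before the bucket name — so it should read `WHEN arn IS NULL THEN 'arn:aws:s3:::' || name`, and if the trail row exposes a partition column that is preferable to the hard-coded `aws`. The `anon_statements` reason carries a stray double quote, `' grants access to AWS:*" in bucket policy.'`, which should be `' grants access to AWS:* in bucket policy.'`. The `anon_statements` count only inspects `s -> 'Principal' -> 'AWS'`; that is sufficient if `policy_std` canonicalises a bare `"Principal": "*"` into that array, otherwise such statements are not counted and a public bucket reports 'ok' — worth confirming against the column's normalisation. `acl` and `policy_std` are unqualified but come from the LEFT JOINed `b`; qualify them as `b.acl` and `b.policy_std`.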
@@ -1,28 +1,29 @@ id: aws_cis_v120_2_4 title: 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs +type: control description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' 
- END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_2_5.yaml b/compliance/controls/aws/aws_cis_v120_2_5.yaml index 1dd2d2c85..d3d6c8c3d 100644 --- a/compliance/controls/aws/aws_cis_v120_2_5.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_5.yaml 
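Review bot: `log_group_arn != 'null'` in both CASE expressions compares against the literal four-character string rather than SQL NULL; a NULL column only lands in 'alarm' because `NULL != 'null'` is unknown and the WHEN falls through. Make the intent explicit, `WHEN log_group_arn IS NOT NULL AND log_group_arn <> 'null' AND latest_delivery_time > current_date - 1 THEN 'ok'`, and keep the string comparison only if the column is known to carry a literal 'null'. The one-day delivery window is a magic constant; a comment such as `-- CIS 2.4: require a CloudWatch delivery within the last 24 hours` above the status CASE would document it.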
@@ -1,64 +1,65 @@ id: aws_cis_v120_2_5 title: 2.5 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_config_configuration_recorder - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_config_configuration_recorder + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'ok' + WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' + ELSE 'alarm' + END AS status, + CASE + WHEN 
a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' + ELSE CASE - WHEN g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'ok' - WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' - ELSE 'alarm' - END AS status, + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' + THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || CASE - WHEN a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' - THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' - THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' - THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' - THEN ' and LastStatus is SUCCESS.' - ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN aws_config_configuration_recorder AS r - ON r.account_id = a.account_id AND r.region = a.name + WHEN recording_group -> 'AllSupported' = 'true' + THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' + THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' + THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN aws_config_configuration_recorder AS r + ON r.account_id = a.account_id AND r.region = a.name severity: low tags: {} 
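Review bot: The `global_recorders` CTE counts qualifying recorders across every account in the table with no account key, and the outer query cross-joins it (`FROM global_recorders AS g, aws_region AS a`), so when the integration holds more than one account a global recorder in any account satisfies `g.global_config_recorders >= 1` for all of them — the `r.account_id = a.account_id` join on the next line shows the query is otherwise account-aware. Grouping the CTE by `account_id` and LEFT JOINing it on the account fixes this and replaces the comma join; the `>= 1` test becomes NULL for accounts without a global recorder and falls through to 'skip'/'alarm' exactly as today. `recording_group` and `status` in the outer CASEs are unqualified and come from the LEFT JOINed `r`; qualifying them as `r.recording_group` and `r.status` also removes the ambiguity with the `status` output alias. This definition is also the only one in the diff without a terminating semicolon.
```sql
WITH global_recorders AS (
  SELECT
    account_id,
    COUNT(*) AS global_config_recorders
  FROM
    aws_config_configuration_recorder
  -- … unchanged: WHERE predicates on recording_group and status …
  GROUP BY
    account_id
)
-- … unchanged: SELECT list (resource, status, reason) …
FROM
  aws_region AS a
  LEFT JOIN global_recorders AS g ON g.account_id = a.account_id
  LEFT JOIN aws_config_configuration_recorder AS r
    ON r.account_id = a.account_id AND r.region = a.name;
```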
diff --git a/compliance/controls/aws/aws_cis_v120_2_6.yaml b/compliance/controls/aws/aws_cis_v120_2_6.yaml
index 2c566fd28..7fb6db2d1 100644
--- a/compliance/controls/aws/aws_cis_v120_2_6.yaml
+++ b/compliance/controls/aws/aws_cis_v120_2_6.yaml
@@ -1,30 +1,31 @@ id: aws_cis_v120_2_6 title: 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket +type: control description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.logging IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - END AS reason - FROM - aws_cloudtrail_trail t - INNER JOIN - aws_s3_bucket b ON t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.logging IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' + ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' + END AS reason + FROM + aws_cloudtrail_trail t + INNER JOIN + aws_s3_bucket b ON t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: low tags: {} 
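Review bot: `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` drops any trail whose bucket is not in the scanned account (the usual central-logging-account layout), so such trails vanish from the results instead of being reported; the 2.3 control in this same diff LEFT JOINs and emits 'skip' for that case. Use the same shape here: `LEFT JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name`, then `WHEN b.name IS NULL THEN 'skip'` at the top of the status CASE and `WHEN b.name IS NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in account.'` at the top of the reason CASE.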
diff --git a/compliance/controls/aws/aws_cis_v120_2_7.yaml b/compliance/controls/aws/aws_cis_v120_2_7.yaml
index 84100e4ee..f2fc079c1 100644
--- a/compliance/controls/aws/aws_cis_v120_2_7.yaml
+++ b/compliance/controls/aws/aws_cis_v120_2_7.yaml
@@ -1,28 +1,29 @@ id: aws_cis_v120_2_7 title: 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs +type: control description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' - ELSE title || ' logs are encrypted at rest.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' + ELSE title || ' logs are encrypted at rest.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_2_8.yaml b/compliance/controls/aws/aws_cis_v120_2_8.yaml index 884568a09..2f0b1cd49 100644 
--- a/compliance/controls/aws/aws_cis_v120_2_8.yaml
+++ b/compliance/controls/aws/aws_cis_v120_2_8.yaml
@@ -1,34 +1,35 @@ id: aws_cis_v120_2_8 title: 2.8 Ensure rotation for customer created CMKs is enabled +type: control description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin = 'EXTERNAL' THEN 'skip' - WHEN key_state = 'PendingDeletion' THEN 'skip' - WHEN key_state = 'Disabled' THEN 'skip' - WHEN NOT key_rotation_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' - WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' - WHEN key_state = 'Disabled' THEN title || ' is disabled.' - WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' - ELSE title || ' key rotation enabled.' - END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin = 'EXTERNAL' THEN 'skip' + WHEN key_state = 'PendingDeletion' THEN 'skip' + WHEN key_state = 'Disabled' THEN 'skip' + WHEN NOT key_rotation_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' 
+ WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' + WHEN key_state = 'Disabled' THEN title || ' is disabled.' + WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' + ELSE title || ' key rotation enabled.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_2_9.yaml b/compliance/controls/aws/aws_cis_v120_2_9.yaml index 8bb8dc00b..f4711439f 100644 --- a/compliance/controls/aws/aws_cis_v120_2_9.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_9.yaml 
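Review bot: The status CASE alarms on every customer-managed key with `key_rotation_enabled` false, but automatic rotation is not available for asymmetric or HMAC keys, nor for keys backed by CloudHSM or an external key store, so those keys alarm permanently with no remediation. The `origin` column is already read here, so a branch such as `WHEN origin IN ('AWS_CLOUDHSM', 'EXTERNAL_KEY_STORE') THEN 'skip'` ahead of the rotation test costs nothing; if the table also exposes the key spec, add an equivalent skip for non-symmetric specs, each with a matching reason line.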
@@ -1,55 +1,56 @@ id: aws_cis_v120_2_9 title: 2.9 Ensure VPC flow logging is enabled in all VPCs +type: control description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - WITH vpcs AS ( - SELECT - arn, - account_id, - platform_resource_id, - platform_integration_id, - region, - owner_id, - vpc_id, - tags, - _ctx - FROM - aws_vpc - ORDER BY - vpc_id - ), - flowlogs AS ( - SELECT - resource_id, - account_id, - region - FROM - aws_vpc_flow_log - ORDER BY - resource_id - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.account_id <> v.owner_id THEN 'skip' - WHEN f.resource_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' - WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' - ELSE v.vpc_id || ' flow logging disabled.' 
- END AS reason - FROM - vpcs AS v - LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; + language: sql + primary_resource: aws_vpc + definition: | + WITH vpcs AS ( + SELECT + arn, + account_id, + platform_resource_id, + platform_integration_id, + region, + owner_id, + vpc_id, + tags, + _ctx + FROM + aws_vpc + ORDER BY + vpc_id + ), + flowlogs AS ( + SELECT + resource_id, + account_id, + region + FROM + aws_vpc_flow_log + ORDER BY + resource_id + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.account_id <> v.owner_id THEN 'skip' + WHEN f.resource_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' + WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' + ELSE v.vpc_id || ' flow logging disabled.' + END AS reason + FROM + vpcs AS v + LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_3_11.yaml b/compliance/controls/aws/aws_cis_v120_3_11.yaml index cc8f2f5d7..4d25412fd 100644 --- a/compliance/controls/aws/aws_cis_v120_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_11.yaml 
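Review bot: `LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id` multiplies rows: a VPC with more than one flow log (separate ACCEPT and REJECT logs, or CloudWatch plus S3 destinations) yields one result row per flow log, all with the same resource and reason. Deduplicate in the CTE, `SELECT DISTINCT resource_id FROM aws_vpc_flow_log`, or replace the join with an `EXISTS`; the `ORDER BY` inside both CTEs does nothing for the join and can go. The description says logging should cover rejected packets, yet no traffic-type filter is applied — if the flow-log table exposes the traffic type, restrict the CTE to REJECT/ALL, otherwise the control title overstates what is checked.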
@@ -1,90 +1,91 @@ id: aws_cis_v120_3_11 title: 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - 
t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' - ELSE filter_name || ' forwards events for changes to NACLs.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' + ELSE filter_name || ' forwards events for changes to NACLs.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_3_12.yaml b/compliance/controls/aws/aws_cis_v120_3_12.yaml index 18d67c534..29978beca 100644 --- a/compliance/controls/aws/aws_cis_v120_3_12.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_12.yaml 
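Review bot: `f.platform_integration_id` and `f.platform_resource_id` in the final SELECT reference `filter_data`, but that CTE projects only `account_id`, `trail_name` and `filter_name`, so the query fails with an unknown-column error on the new side just as on the old. The emitted resource is the account ARN, so these should come from the account row: `a.platform_integration_id AS platform_integration_id,` and `a.platform_resource_id AS platform_resource_id,` (the 1.8 control in this diff does exactly that). The following 3.12 hunk shares the same CTE layout as far as it is visible; its final SELECT should be checked for the same reference. The `filter_pattern ~ '...CreateNetworkAcl.+CreateNetworkAclEntry...'` regex also requires the six event names in one fixed order, so a filter listing them in any other order is reported as missing; a presence test per event name would be less brittle.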
@@ -1,90 +1,91 @@ id: aws_cis_v120_3_12 title: 3.12 Ensure a log metric filter and alarm exist for changes to network gateways +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - 
FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' - ELSE filter_name || ' forwards events for changes to network gateways.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' + ELSE filter_name || ' forwards events for changes to network gateways.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_3_13.yaml b/compliance/controls/aws/aws_cis_v120_3_13.yaml index 368cbd21a..dcbe7801b 100644 --- a/compliance/controls/aws/aws_cis_v120_3_13.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_13.yaml 
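Review bot: The final SELECT of the new definition reads `f.platform_integration_id` and `f.platform_resource_id`, but `filter_data` only projects `account_id`, `trail_name` and `filter_name`, so the control errors out instead of evaluating and this CIS item silently loses coverage. The resource it reports is the account ARN built from `aws_account AS a`, and the aws_cis_v120_3_5 hunk further down takes these two columns from `a`, so the fix is `a.platform_integration_id AS platform_integration_id,` and `a.platform_resource_id AS platform_resource_id,`. The aws_cis_v120_3_13 and aws_cis_v120_3_14 hunks have the same defect in a worse form (`t.` is not an alias in scope of the outer query at all), and the NACL control whose hunk ends just above this one uses `f.` as well. Since this commit rewrites every line of the definition anyway, it is the natural place to make all of them agree with the 3.5 form.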
@@ -1,90 +1,91 @@ id: aws_cis_v120_3_13 title: 3.13 Ensure a log metric filter and alarm exist for route table changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - 
FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' - ELSE filter_name || ' forwards events for route table changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' + ELSE filter_name || ' forwards events for route table changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_3_14.yaml b/compliance/controls/aws/aws_cis_v120_3_14.yaml index 0c1f15370..73935f978 100644 --- a/compliance/controls/aws/aws_cis_v120_3_14.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_14.yaml 
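Review bot: `primary_resource: aws_cloudtrail_trail` does not match what the query emits: the `resource` column is the account ARN `'arn:' || a.partition || ':::' || a.account_id` built from `aws_account AS a`, and each output row is one account, not one trail. The aws_cis_v120_3_5 hunk below declares `primary_resource: aws_account` for an otherwise identical query shape, so if this field tells the engine which table the reported row belongs to, this control (and 3.12 and 3.14 in this diff) should presumably read `primary_resource: aws_account`; worth confirming against how the platform consumes the field. Separately, the `ORDER BY` clauses inside the `trails`, `alarms`, `topic_subscriptions` and `metric_filters` CTEs have no effect on the final result and only obscure what each CTE is for; dropping them would make the definition easier to audit.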
@@ -1,90 +1,91 @@ id: aws_cis_v120_3_14 title: 3.14 Ensure a log metric filter and alarm exist for VPC changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ 
'\s*\$.eventName\s*=\s*CreateVpc.+\$.eventName\s*=\s*DeleteVpc.+\$.eventName\s*=\s*ModifyVpcAttribute.+\$.eventName\s*=\s*AcceptVpcPeeringConnection.+\$.eventName\s*=\s*CreateVpcPeeringConnection.+\$.eventName\s*=\s*DeleteVpcPeeringConnection.+\$.eventName\s*=\s*RejectVpcPeeringConnection.+\$.eventName\s*=\s*AttachClassicLinkVpc.+\$.eventName\s*=\s*DetachClassicLinkVpc.+\$.eventName\s*=\s*DisableVpcClassicLink.+\$.eventName\s*=\s*EnableVpcClassicLink' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' - ELSE filter_name || ' forwards events for VPC changes.' 
- END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$.eventName\s*=\s*CreateVpc.+\$.eventName\s*=\s*DeleteVpc.+\$.eventName\s*=\s*ModifyVpcAttribute.+\$.eventName\s*=\s*AcceptVpcPeeringConnection.+\$.eventName\s*=\s*CreateVpcPeeringConnection.+\$.eventName\s*=\s*DeleteVpcPeeringConnection.+\$.eventName\s*=\s*RejectVpcPeeringConnection.+\$.eventName\s*=\s*AttachClassicLinkVpc.+\$.eventName\s*=\s*DetachClassicLinkVpc.+\$.eventName\s*=\s*DisableVpcClassicLink.+\$.eventName\s*=\s*EnableVpcClassicLink' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' 
|| a.partition || ':::' || a.account_id AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' + ELSE filter_name || ' forwards events for VPC changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_3_5.yaml b/compliance/controls/aws/aws_cis_v120_3_5.yaml index 44e475eb6..ba250a3b7 100644 --- a/compliance/controls/aws/aws_cis_v120_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_5.yaml 
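Review bot: In `metric_filters` the pattern uses `\$.eventName` with an unescaped dot, unlike the `\$\.eventName` form in every other metric-filter control in this diff; since `.` matches any character this is marginally looser than intended and inconsistent, so `\$\.eventName` should be used throughout the pattern. More important for detection coverage, the `.+` chain only matches a filter whose eventName terms appear in exactly this order; a filter that lists the same events in a different order, or splits them across several filters on the same log group, is reported as `No log metric filter and alarm exist for VPC changes.` even though equivalent alerting exists. If that strictness is intentional it deserves a comment above the `WHERE` clause, e.g. `-- requires the CIS reference pattern verbatim; reordered or split filters are not recognised`; otherwise consider matching each event name independently. The same ordering sensitivity applies to all the metric-filter controls in this diff.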
@@ -1,90 +1,91 @@ id: aws_cis_v120_3_5 title: 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - 
JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' - ELSE filter_name || ' forwards events for CloudTrail configuration changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + 
metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' + ELSE filter_name || ' forwards events for CloudTrail configuration changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_4_1.yaml b/compliance/controls/aws/aws_cis_v120_4_1.yaml index 769aec439..a98f224bf 100644 --- a/compliance/controls/aws/aws_cis_v120_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_1.yaml 
@@ -1,45 +1,46 @@ id: aws_cis_v120_4_1 title: 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 +type: control description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR ( - from_port >= 22 AND to_port <= 22 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR ( + from_port >= 22 AND to_port <= 22 + ) ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_4_2.yaml b/compliance/controls/aws/aws_cis_v120_4_2.yaml index d64818a5b..d1f7cf50d 100644 --- a/compliance/controls/aws/aws_cis_v120_4_2.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_2.yaml 
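Review bot: The range test `from_port >= 22 AND to_port <= 22` in `ingress_ssh_rules` only matches a rule whose port range is exactly 22–22; a rule that opens 0–1024 or 20–25 to `0.0.0.0/0` includes SSH yet is reported as `ingress restricted for SSH from 0.0.0.0/0.`. The containment test should be `from_port <= 22 AND to_port >= 22`. Only `cidr_ipv4 = '0.0.0.0/0'` is considered, so an IPv6 any-source rule is never checked; if the rule table exposes the IPv6 CIDR (the Steampipe schema this appears to mirror calls it `cidr_ipv6`) it should be ORed in against `::/0`. The aws_cis_v120_4_2 hunk below has the same two gaps for port 3389.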
@@ -1,43 +1,44 @@ id: aws_cis_v120_4_2 title: 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 +type: control description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_rdp_rules AS ( - SELECT - group_id, - COUNT(*) AS num_rdp_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 3389 AND to_port <= 3389) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_rdp_rules AS ( + SELECT + group_id, + COUNT(*) AS num_rdp_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 3389 AND to_port <= 3389) ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_rdp_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_rdp_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_rdp_rules ON ingress_rdp_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_rdp_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_rdp_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_rdp_rules ON ingress_rdp_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v120_4_4.yaml b/compliance/controls/aws/aws_cis_v120_4_4.yaml index ba2da3e9e..e17d2c083 100644 --- a/compliance/controls/aws/aws_cis_v120_4_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_4.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v120_4_4 title: 4.4 Ensure routing tables for VPC peering are "least access" +type: control description: Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_1.yaml b/compliance/controls/aws/aws_cis_v130_1_1.yaml index b73343580..ad7766f6d 100644 --- a/compliance/controls/aws/aws_cis_v130_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v130_1_1 title: 1.1 Maintain current contact details +type: control description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_10.yaml b/compliance/controls/aws/aws_cis_v130_1_10.yaml index 409bc4eff..baa8960a0 100644 --- a/compliance/controls/aws/aws_cis_v130_1_10.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_10.yaml 
@@ -1,27 +1,28 @@ id: aws_cis_v130_1_10 title: 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password +type: control description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' - ELSE user_name || ' password login enabled and MFA device configured.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' + ELSE user_name || ' password login enabled and MFA device configured.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_cis_v130_1_11.yaml b/compliance/controls/aws/aws_cis_v130_1_11.yaml index 25ad97bc4..d98a735da 100644 --- a/compliance/controls/aws/aws_cis_v130_1_11.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_11.yaml 
@@ -1,29 +1,30 @@ id: aws_cis_v130_1_11 title: 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' - WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' 
+ WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_12.yaml b/compliance/controls/aws/aws_cis_v130_1_12.yaml index b3ebb98e3..800c62270 100644 --- a/compliance/controls/aws/aws_cis_v130_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_12.yaml 
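Review bot: The status CASE inspects only `access_key_1_last_rotated`, so a key created together with the user but reported in the second slot (`access_key_2_last_rotated`) is never flagged, and the reason branch `WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.'` is wrong for a user who only holds key 2. Extend both CASEs symmetrically, e.g. `WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10 OR EXTRACT(EPOCH FROM (access_key_2_last_rotated - user_creation_time)) < 10) THEN 'alarm'`. The 10-second window is a magic number; a comment such as `-- key created within 10 s of the user is assumed to have been provisioned at setup` would explain it. Since `last_rotated` reflects the most recent rotation, a setup-time key that has since been rotated cannot be detected from the credential report, which is worth stating in the description.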
@@ -1,60 +1,61 @@ id: aws_cis_v130_1_12 title: 1.12 Ensure credentials unused for 90 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - ELSE 'ok' - END status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + ELSE 'ok' + END status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL + THEN ' key 1 
created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_13.yaml b/compliance/controls/aws/aws_cis_v130_1_13.yaml index d607625a5..e0fe756c8 100644 --- a/compliance/controls/aws/aws_cis_v130_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_13.yaml 
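Review bot: The first branch `WHEN user_name = '' THEN 'info'` looks intended to set aside the root account row of the credential report, but that row is labelled `<root_account>` (presumably — confirm against the collector), so the branch is effectively dead and root is scored with the same 90-day rules as an ordinary IAM user. If the intent is to skip root, write `WHEN user_name = '<root_account>' THEN 'info'`; if root is meant to be evaluated, drop the branch so the CASE reads as it behaves. The 90-day threshold is repeated in six predicates while `parameters: []` is declared; if the policy format supports parameters, hoisting it into one would keep the window from drifting between predicates under later edits.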
@@ -1,35 +1,36 @@ id: aws_cis_v130_1_13 title: 1.13 Ensure there is only one active access key available for any single IAM user +type: control description: Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.arn AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(k.*) > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason - FROM - aws_iam_user AS u - LEFT JOIN - aws_iam_access_key AS k - ON - u.name = k.user_name AND u.account_id = k.account_id - WHERE - k.status = 'Active' OR k.status IS NULL - GROUP BY - u.arn, - u.name, - u.account_id, - u.tags, - u._ctx; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.arn AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(k.*) > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason + FROM + aws_iam_user AS u + LEFT JOIN + aws_iam_access_key AS k + ON + u.name = k.user_name AND u.account_id = k.account_id + WHERE + k.status = 'Active' OR k.status IS NULL + GROUP BY + u.arn, + u.name, + u.account_id, + u.tags, + u._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_14.yaml b/compliance/controls/aws/aws_cis_v130_1_14.yaml index 7fa9209d2..73075b38c 100644 --- a/compliance/controls/aws/aws_cis_v130_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_14.yaml 
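Review bot: Filtering the LEFT JOIN in `WHERE k.status = 'Active' OR k.status IS NULL` turns it into an inner join for users whose keys are all inactive: such a user matches no key row that survives the filter and drops out of the result entirely, instead of reporting 'ok' with 0 active keys. Move the status predicate into the join condition and remove the WHERE: `ON u.name = k.user_name AND u.account_id = k.account_id AND k.status = 'Active'`. The GROUP BY also omits `u.platform_integration_id` and `u.platform_resource_id`, which appear un-aggregated in the select list; unless the engine treats `u.arn` as a key, add them to the GROUP BY so the query is valid under strict grouping.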
@@ -1,24 +1,25 @@ id: aws_cis_v130_1_14 title: 1.14 Ensure access keys are rotated every 90 days or less +type: control description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || - ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || + ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason + FROM + aws_iam_access_key; severity: low tags: {} 
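Review bot: The alarm `WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY)` is applied to every key regardless of its `status`, so a key that was already deactivated is still reported as a rotation failure even though it can no longer sign requests. Add a first branch such as `WHEN status <> 'Active' THEN 'ok'` (or 'skip', the vocabulary `aws_cis_v130_1_21` uses for non-applicable rows) and mirror it in the reason, e.g. `user_name || ' ' || access_key_id || ' is inactive.'`. A one-line comment naming the 90-day window as the CIS 1.14 rotation threshold would also help anyone reconciling it with the unused-credential window in `aws_cis_v130_1_12`.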
diff --git a/compliance/controls/aws/aws_cis_v130_1_15.yaml b/compliance/controls/aws/aws_cis_v130_1_15.yaml index 2c44476c9..82562f5a5 100644 --- a/compliance/controls/aws/aws_cis_v130_1_15.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_15.yaml 
@@ -1,24 +1,25 @@ id: aws_cis_v130_1_15 title: 1.15 Ensure IAM Users Receive Permissions Only Through Groups -description: 'IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.' +type: control +description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || - COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' AS reason - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || + COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' 
AS reason + FROM + aws_iam_user; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_16.yaml b/compliance/controls/aws/aws_cis_v130_1_16.yaml index 5931b3710..b06ebc473 100644 --- a/compliance/controls/aws/aws_cis_v130_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_16.yaml 
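Review bot: The status test `WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'` passes only when both columns are NULL; if the collector represents "no policies" as an empty JSON array `[]`, a user with nothing attached is alarmed with the contradictory reason "… has 0 inline and 0 directly attached policies." Make the status use the same counts the reason already computes: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`. That keeps the two branches consistent whichever representation the source table uses.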
@@ -1,52 +1,53 @@ id: aws_cis_v130_1_16 title: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached +type: control description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege - that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - is_aws_managed, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = '*:*' - ) - AND is_attached - GROUP BY - arn, - is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + is_aws_managed, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || 
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - END AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - p.is_attached; + AND is_attached + GROUP BY + arn, + is_aws_managed + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + END AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + p.is_attached; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_17.yaml b/compliance/controls/aws/aws_cis_v130_1_17.yaml index 16b04e7a8..e6c03484e 100644 --- a/compliance/controls/aws/aws_cis_v130_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_17.yaml 
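Review bot: The `star_access_policies` CTE matches only statements whose `Action` is `*`/`*:*` and whose `Resource` is `*`; an Allow statement written with `NotAction`/`NotResource` (for example `"NotAction": "iam:DeleteUser", "Resource": "*"`) grants nearly the same footprint yet is scored 'ok'. That is the letter of CIS 1.16, so keep the logic, but record the boundary above the CTE: `-- Matches only literal "*"/"*:*" on "*"; NotAction/NotResource statements are out of scope for CIS 1.16`. The calls `jsonb_array_elements_text(s -> 'Action')` and `jsonb_array_elements_text(s -> 'Resource')` also rely on `policy_std` having normalised scalar values into arrays; a `-- policy_std normalises Action/Resource to arrays; do not swap in the raw policy column` note would stop that assumption from being broken by a later refactor.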
@@ -1,45 +1,46 @@ id: aws_cis_v130_1_17 title: 1.17 Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a._ctx - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a._ctx - ) - SELECT - resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason - FROM - support_role_count; + language: sql + primary_resource: aws_account + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a._ctx + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a._ctx + ) + SELECT + resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason + FROM + support_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_18.yaml b/compliance/controls/aws/aws_cis_v130_1_18.yaml index 3b3c31de3..5a883cf62 100644 --- a/compliance/controls/aws/aws_cis_v130_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_18.yaml 
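Review bot: The outer SELECT references `a.platform_integration_id` and `a.platform_resource_id`, but its only FROM item is `support_role_count`, where alias `a` is not in scope — in PostgreSQL this fails with a missing FROM-clause entry, so the control cannot run as written. Independently, `WHERE SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' OR policy_arn IS NULL` filters the LEFT JOIN after the fact: an account whose roles all carry other policies matches neither predicate and disappears from the output instead of alarming, and the name-based match would also accept a customer-managed policy that happens to be called AWSSupportAccess. Carry the platform ids through the CTE, compare against the exact managed-policy ARN inside the join condition, and count matched roles:

```sql
WITH support_role_count AS (
  SELECT
    'arn:' || a.partition || ':::' || a.account_id AS resource,
    a.platform_integration_id,
    a.platform_resource_id,
    COUNT(r.attached_policy_arns) AS role_count
  FROM
    aws_account AS a
    -- predicate lives in ON so an account with no matching role keeps its row (count 0)
    LEFT JOIN aws_iam_role AS r
      ON r.account_id = a.account_id
      AND r.attached_policy_arns ? ('arn:' || a.partition || ':iam::aws:policy/AWSSupportAccess')
  GROUP BY
    a.account_id, a.partition, a.platform_integration_id, a.platform_resource_id
)
SELECT
  resource,
  platform_integration_id,
  platform_resource_id,
  CASE WHEN role_count > 0 THEN 'ok' ELSE 'alarm' END AS status,
  -- … unchanged: reason CASE, with COUNT replaced by role_count …
FROM
  support_role_count;
```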
@@ -1,20 +1,21 @@ id: aws_cis_v130_1_18 title: 1.18 Ensure IAM instance roles are used for AWS resource access from instances +type: control description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_19.yaml b/compliance/controls/aws/aws_cis_v130_1_19.yaml index 8bab936fa..0cda11173 100644 --- a/compliance/controls/aws/aws_cis_v130_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_19.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v130_1_19 title: 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +type: control description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN - name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - ELSE - name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_server_certificate; + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN + name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' 
+ ELSE + name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_server_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_2.yaml b/compliance/controls/aws/aws_cis_v130_1_2.yaml index 831efb294..97035273f 100644 --- a/compliance/controls/aws/aws_cis_v130_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_2.yaml 
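Review bot: `expiration < (CURRENT_DATE - INTERVAL '1' SECOND)` compares against 23:59:59 of the previous day, because CURRENT_DATE is midnight; a certificate that expired earlier today is reported as "valid until" today until the next run, and the one-second offset reads like an attempt to work around exactly that. Compare against the current instant in both the status and the reason: `WHEN expiration < CURRENT_TIMESTAMP THEN 'alarm'` and `WHEN expiration < CURRENT_TIMESTAMP THEN name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'`. If `expiration` is stored as a timestamp without zone, add a comment stating which zone the collector writes so the comparison is not off by that offset.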
@@ -1,50 +1,51 @@ id: aws_cis_v130_1_2 title: 1.2 Ensure security contact information is registered +type: control description: AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - _ctx - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' - END AS reason - FROM - account AS a, - alternate_security_contact AS c - WHERE - c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + _ctx + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' 
+ WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a, + alternate_security_contact AS c + WHERE + c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_20.yaml b/compliance/controls/aws/aws_cis_v130_1_20.yaml index a1d5f6861..b9db43728 100644 --- a/compliance/controls/aws/aws_cis_v130_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_20.yaml 
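Review bot: `FROM account AS a, alternate_security_contact AS c WHERE c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact has no matching `c` row and produces no result at all; the `ELSE a.title || ' security contact not registered.'` alarm branch can therefore never fire, which is the one outcome this control exists to report. Replace the comma join with `FROM account AS a LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id` and drop the WHERE clause. With that change, qualify `arn AS resource` as `a.arn` for clarity; the `account` CTE only projects columns and could be dropped in favour of selecting from `aws_account` directly.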
@@ -1,43 +1,44 @@ id: aws_cis_v130_1_20 title: 1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' +type: control description: Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - bucket.platform_integration_id AS platform_integration_id, - bucket.platform_resource_id AS platform_resource_id, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN name || ' all public access blocks enabled.' 
- ELSE name || ' not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, - CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, - CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, - CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_bucket AS bucket, - aws_s3_account_settings AS s3account - WHERE - s3account.account_id = bucket.account_id; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + bucket.platform_integration_id AS platform_integration_id, + bucket.platform_resource_id AS platform_resource_id, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, + CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, + CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, + CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_bucket AS bucket, + aws_s3_account_settings AS s3account + WHERE + s3account.account_id = bucket.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_1_21.yaml b/compliance/controls/aws/aws_cis_v130_1_21.yaml index 5d83b717b..ee912fac8 100644 --- a/compliance/controls/aws/aws_cis_v130_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_21.yaml 
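Review bot: The comma join `FROM aws_s3_bucket AS bucket, aws_s3_account_settings AS s3account WHERE s3account.account_id = bucket.account_id` drops every bucket of an account for which no account-settings row was collected, so if the collector does not emit a row for every account, the buckets in exactly the accounts with no account-level Block Public Access configuration can silently vanish from the result. Use `LEFT JOIN aws_s3_account_settings AS s3account ON s3account.account_id = bucket.account_id` and treat an absent row as "not blocked", e.g. `COALESCE(s3account.block_public_acls, false)` in each of the four OR terms, so the bucket-level flags alone decide. A short comment that the effective setting is bucket OR account (the account-level block applies to every bucket) would explain the four-way expression that is duplicated between status and reason.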
@@ -1,31 +1,32 @@
 id: aws_cis_v130_1_21
 title: 1.21 Ensure that IAM Access analyzer is enabled
+type: control
 description: Enable IAM Access analyzer for IAM policies about all resources. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_accessanalyzer_analyzer
- definition: |
- SELECT
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource,
- r.platform_integration_id AS platform_integration_id,
- r.platform_resource_id AS platform_resource_id,
- CASE
- WHEN r.opt_in_status = 'not-opted-in' THEN 'skip'
- WHEN aa.arn IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.'
- WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.'
- ELSE 'Access Analyzer not enabled in ' || r.region || '.'
- END AS reason
- FROM
- aws_region AS r
- LEFT JOIN aws_accessanalyzer_analyzer AS aa
- ON r.account_id = aa.account_id
- AND r.region = aa.region;
+ language: sql
+ primary_resource: aws_accessanalyzer_analyzer
+ definition: |
+ SELECT
+ 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource,
+ r.platform_integration_id AS platform_integration_id,
+ r.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN r.opt_in_status = 'not-opted-in' THEN 'skip'
+ WHEN aa.arn IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.'
+ WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.'
+ ELSE 'Access Analyzer not enabled in ' || r.region || '.'
+ END AS reason
+ FROM
+ aws_region AS r
+ LEFT JOIN aws_accessanalyzer_analyzer AS aa
+ ON r.account_id = aa.account_id
+ AND r.region = aa.region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_22.yaml b/compliance/controls/aws/aws_cis_v130_1_22.yaml
index 3b519bdfb..d678b67f0 100644
--- a/compliance/controls/aws/aws_cis_v130_1_22.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_22.yaml
@@ -1,20 +1,21 @@
 id: aws_cis_v130_1_22
 title: 1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
+type: control
 description: In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_3.yaml b/compliance/controls/aws/aws_cis_v130_1_3.yaml
index d6e9181fd..0cb341a68 100644
--- a/compliance/controls/aws/aws_cis_v130_1_3.yaml
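Review bot: The result set is one row per region (FROM aws_region) and `resource`, `platform_integration_id` and `platform_resource_id` are all taken from `r`, yet `primary_resource` is `aws_accessanalyzer_analyzer`; if the platform resolves ids against the primary-resource table, the region-derived `platform_resource_id` will not match, so either `primary_resource: aws_region` or emitting `aa.platform_resource_id` when an analyzer exists looks more consistent. The LEFT JOIN also produces one row per analyzer when a region has more than one, so a region can be reported twice; an EXISTS subquery or `DISTINCT ON (r.account_id, r.region)` would keep one row per region. The 'ok' branch only tests that an analyzer row exists, not that it is active; if the source table exposes an analyzer status column, gating 'ok' on it would make the control stricter.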
+++ b/compliance/controls/aws/aws_cis_v130_1_3.yaml
@@ -1,20 +1,21 @@
 id: aws_cis_v130_1_3
 title: 1.3 Ensure security questions are registered in the AWS account
+type: control
 description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_4.yaml b/compliance/controls/aws/aws_cis_v130_1_4.yaml
index 496866a4b..608978c80 100644
--- a/compliance/controls/aws/aws_cis_v130_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_4.yaml
@@ -1,26 +1,27 @@
 id: aws_cis_v130_1_4
 title: 1.4 Ensure no root user account access key exists
+type: control
 description: The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be removed.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_account_summary
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_access_keys_present > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
- ELSE 'No root user access keys exist.'
- END AS reason
- FROM
- aws_iam_account_summary;
+ language: sql
+ primary_resource: aws_iam_account_summary
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
+ ELSE 'No root user access keys exist.'
+ END AS reason
+ FROM
+ aws_iam_account_summary;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_5.yaml b/compliance/controls/aws/aws_cis_v130_1_5.yaml
index 96280acad..b3e85bd18 100644
--- a/compliance/controls/aws/aws_cis_v130_1_5.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_5.yaml
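Review bot: A NULL `account_access_keys_present` falls through to the ELSE branch and is reported as 'ok', so an account whose IAM summary could not be read is scored compliant with "No root user access keys exist." Put an explicit branch ahead of the existing one so the fail-open case is visible, e.g. `WHEN account_access_keys_present IS NULL THEN 'info'` in the status CASE and `WHEN account_access_keys_present IS NULL THEN 'Root access key count unavailable.'` in the reason CASE. The 1.5 hunk that follows uses the same shape, but there a NULL `account_mfa_enabled` already lands on 'alarm', which is the safe direction.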
@@ -1,26 +1,27 @@
 id: aws_cis_v130_1_5
 title: 1.5 Ensure MFA is enabled for the "root user" account
+type: control
 description: The root user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_account_summary
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_mfa_enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN account_mfa_enabled THEN 'MFA enabled for root account.'
- ELSE 'MFA not enabled for root account.'
- END AS reason
- FROM
- aws_iam_account_summary;
+ language: sql
+ primary_resource: aws_iam_account_summary
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_mfa_enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN account_mfa_enabled THEN 'MFA enabled for root account.'
+ ELSE 'MFA not enabled for root account.'
+ END AS reason
+ FROM
+ aws_iam_account_summary;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_7.yaml b/compliance/controls/aws/aws_cis_v130_1_7.yaml
index 27506b9a7..9e7b6aa4c 100644
--- a/compliance/controls/aws/aws_cis_v130_1_7.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_7.yaml
@@ -1,38 +1,39 @@
 id: aws_cis_v130_1_7
 title: 1.7 Eliminate use of the root user for administrative and daily tasks
+type: control
 description: With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
- WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
- WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN password_last_used IS NULL THEN 'Root never logged in with password.'
- ELSE 'Root password used ' || TO_CHAR(password_last_used , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).'
- END ||
- CASE
- WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.'
- ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).'
- END ||
- CASE
- WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.'
- ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).'
- END AS reason
- FROM
- aws_iam_credential_report
- WHERE
- user_name = '';
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
+ WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
+ WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN password_last_used IS NULL THEN 'Root never logged in with password.'
+ ELSE 'Root password used ' || TO_CHAR(password_last_used , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).'
+ END ||
+ CASE
+ WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.'
+ ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).'
+ END ||
+ CASE
+ WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.'
+ ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).'
+ END AS reason
+ FROM
+ aws_iam_credential_report
+ WHERE
+ user_name = '';
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_1_8.yaml b/compliance/controls/aws/aws_cis_v130_1_8.yaml
index c56044943..cf60574de 100644
--- a/compliance/controls/aws/aws_cis_v130_1_8.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_8.yaml
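Review bot: The two access-key comparisons in the status CASE are inverted relative to the password branch directly above them: `access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY)` alarms when the key was last used more than 90 days ago and passes a key used yesterday, which is the opposite of what the title asks for. Both should read like the password branch, `WHEN access_key_1_last_used_date >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'` and `WHEN access_key_2_last_used_date >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'`. Separately, `WHERE user_name = ''` selects the root row only if the source table reports root with an empty user name; the raw AWS credential report labels that row `<root_account>`, so confirm the column value, otherwise the control silently returns no rows and nothing is ever alarmed.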
@@ -1,30 +1,31 @@
 id: aws_cis_v130_1_8
 title: 1.8 Ensure IAM password policy requires minimum length of 14 or greater
+type: control
 description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || a.partition || ':::' || a.account_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN minimum_password_length >= 14 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimum_password_length IS NULL THEN 'No password policy set.'
- ELSE 'Minimum password length set to ' || minimum_password_length || '.'
- END AS reason
- FROM
- aws_account AS a
- LEFT JOIN
- aws_iam_account_password_policy AS pol
- ON
- a.account_id = pol.account_id;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || a.partition || ':::' || a.account_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN minimum_password_length >= 14 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimum_password_length IS NULL THEN 'No password policy set.'
+ ELSE 'Minimum password length set to ' || minimum_password_length || '.'
+ END AS reason
+ FROM
+ aws_account AS a
+ LEFT JOIN
+ aws_iam_account_password_policy AS pol
+ ON
+ a.account_id = pol.account_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_2_1_1.yaml b/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
index 825d744de..a186fb55c 100644
--- a/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
@@ -1,26 +1,27 @@
 id: aws_cis_v130_2_1_1
 title: 2.1.1 Ensure all S3 buckets employ encryption-at-rest
+type: control
 description: Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_s3_bucket
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.'
- ELSE name || ' default encryption disabled.'
- END AS reason
- FROM
- aws_s3_bucket;
+ language: sql
+ primary_resource: aws_s3_bucket
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.'
+ ELSE name || ' default encryption disabled.'
+ END AS reason
+ FROM
+ aws_s3_bucket;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_2_1_2.yaml b/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
index 1a8a094d7..fbe18b348 100644
--- a/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
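Review bot: `server_side_encryption_configuration IS NOT NULL` is a presence test only; an empty or malformed configuration value still yields 'ok', and the reason never says which algorithm or key is in use, so the finding cannot be acted on without a second lookup. If the column holds the API's JSON with its `Rules` array, gating 'ok' on a non-empty rule set that names an `SSEAlgorithm` (and surfacing it in the reason) would make 'ok' mean what the title claims. At minimum, document the limitation above the status CASE: `-- presence-only check: does not validate the encryption rules or algorithm`.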
@@ -1,46 +1,47 @@
 id: aws_cis_v130_2_1_2
 title: 2.1.2 Ensure S3 Bucket Policy allows HTTPS requests
+type: control
 description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_s3_bucket
- definition: |
- WITH ssl_ok AS (
- SELECT
- DISTINCT name,
- arn,
- 'ok' AS status
- FROM
- aws_s3_bucket,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p,
- jsonb_array_elements_text(s -> 'Action') AS a,
- jsonb_array_elements_text(s -> 'Resource') AS r,
- jsonb_array_elements_text(
- s -> 'Condition' -> 'Bool' -> 'aws:securetransport'
- ) AS ssl
- WHERE
- p = '*'
- AND s ->> 'Effect' = 'Deny'
- AND ssl::bool = false
- )
- SELECT
- b.arn AS resource,
- b.platform_integration_id AS platform_integration_id,
- b.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ok.status = 'ok' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.'
- ELSE b.name || ' bucket policy does not enforce HTTPS.'
- END AS reason
- FROM
- aws_s3_bucket AS b
- LEFT JOIN ssl_ok AS ok ON ok.name = b.name;
+ language: sql
+ primary_resource: aws_s3_bucket
+ definition: |
+ WITH ssl_ok AS (
+ SELECT
+ DISTINCT name,
+ arn,
+ 'ok' AS status
+ FROM
+ aws_s3_bucket,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p,
+ jsonb_array_elements_text(s -> 'Action') AS a,
+ jsonb_array_elements_text(s -> 'Resource') AS r,
+ jsonb_array_elements_text(
+ s -> 'Condition' -> 'Bool' -> 'aws:securetransport'
+ ) AS ssl
+ WHERE
+ p = '*'
+ AND s ->> 'Effect' = 'Deny'
+ AND ssl::bool = false
+ )
+ SELECT
+ b.arn AS resource,
+ b.platform_integration_id AS platform_integration_id,
+ b.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ok.status = 'ok' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.'
+ ELSE b.name || ' bucket policy does not enforce HTTPS.'
+ END AS reason
+ FROM
+ aws_s3_bucket AS b
+ LEFT JOIN ssl_ok AS ok ON ok.name = b.name;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_2_2_1.yaml b/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
index eed144565..2c50c41a9 100644
--- a/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
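Review bot: The `ssl_ok` CTE expands `a` (Action) and `r` (Resource) from each statement but never constrains either, so a Deny that covers a single action or a single object prefix is enough to mark the whole bucket as enforcing HTTPS. Either drop the two unused expansions, or require the statement to cover the bucket: `r` equal to the bucket ARN or its `/*` object form and `a` being `s3:*` or `*`, allowing for whatever case normalisation `policy_std` applies to actions and condition keys. A short comment above the CTE stating what it accepts (`-- a Deny with Principal *, aws:securetransport=false; action/resource scope is not checked`) would at least make the limitation explicit to whoever reads the 'ok' result.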
@@ -1,26 +1,27 @@
 id: aws_cis_v130_2_2_1
 title: 2.2.1 Ensure EBS volume encryption is enabled
+type: control
 description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ebs_volume
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN encrypted THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN encrypted THEN volume_id || ' encrypted.'
- ELSE volume_id || ' not encrypted.'
- END AS reason
- FROM
- aws_ebs_volume;
+ language: sql
+ primary_resource: aws_ebs_volume
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN encrypted THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN encrypted THEN volume_id || ' encrypted.'
+ ELSE volume_id || ' not encrypted.'
+ END AS reason
+ FROM
+ aws_ebs_volume;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_3_10.yaml b/compliance/controls/aws/aws_cis_v130_3_10.yaml
index ced701e24..bf7199182 100644
--- a/compliance/controls/aws/aws_cis_v130_3_10.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_10.yaml
@@ -1,47 +1,48 @@
 id: aws_cis_v130_3_10
 title: 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket
+type: control
 description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_s3_bucket
- definition: |
- WITH s3_selectors AS (
- SELECT
- name AS trail_name,
- is_multi_region_trail,
- bucket_selector
- FROM
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) AS event_selector,
- jsonb_array_elements(event_selector -> 'DataResources') AS data_resource,
- jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector
- WHERE
- is_multi_region_trail
- AND data_resource ->> 'Type' = 'AWS::S3::Object'
- AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All')
- )
- SELECT
- b.arn AS resource,
- b.platform_integration_id AS platform_integration_id,
- b.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(bucket_selector) > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.'
- ELSE b.name || ' object-level write events logging disabled.'
- END AS reason
- FROM
- aws_s3_bucket AS b
- LEFT JOIN
- s3_selectors
- ON bucket_selector LIKE (b.arn || '%')
- OR bucket_selector = 'arn:aws:s3'
- GROUP BY
- b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
+ language: sql
+ primary_resource: aws_s3_bucket
+ definition: |
+ WITH s3_selectors AS (
+ SELECT
+ name AS trail_name,
+ is_multi_region_trail,
+ bucket_selector
+ FROM
+ aws_cloudtrail_trail,
+ jsonb_array_elements(event_selectors) AS event_selector,
+ jsonb_array_elements(event_selector -> 'DataResources') AS data_resource,
+ jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector
+ WHERE
+ is_multi_region_trail
+ AND data_resource ->> 'Type' = 'AWS::S3::Object'
+ AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All')
+ )
+ SELECT
+ b.arn AS resource,
+ b.platform_integration_id AS platform_integration_id,
+ b.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(bucket_selector) > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.'
+ ELSE b.name || ' object-level write events logging disabled.'
+ END AS reason
+ FROM
+ aws_s3_bucket AS b
+ LEFT JOIN
+ s3_selectors
+ ON bucket_selector LIKE (b.arn || '%')
+ OR bucket_selector = 'arn:aws:s3'
+ GROUP BY
+ b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_3_11.yaml b/compliance/controls/aws/aws_cis_v130_3_11.yaml
index 783765d5d..be98e30fe 100644
--- a/compliance/controls/aws/aws_cis_v130_3_11.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_11.yaml
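Review bot: `bucket_selector LIKE (b.arn || '%')` is a bare prefix match, so a data-resource selector for any bucket whose name merely begins with this bucket's name also counts as covering it, and the bucket is reported as logged when it is not; anchor on the object separator instead: `ON bucket_selector = b.arn OR bucket_selector LIKE (b.arn || '/%') OR bucket_selector = 'arn:aws:s3'`. `b.platform_integration_id` and `b.platform_resource_id` are also selected but missing from the GROUP BY list, which PostgreSQL rejects unless it can infer a functional dependency from a declared key on aws_s3_bucket, so add both to the GROUP BY. The `s3_selectors` CTE only reads `event_selectors`, so a trail that logs S3 data events through advanced event selectors is not seen and its buckets will alarm; if the source table exposes those separately, a comment on the CTE should say they are out of scope. The 3.11 hunk that follows has the same three issues.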
@@ -1,46 +1,47 @@
 id: aws_cis_v130_3_11
 title: 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket
+type: control
 description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_s3_bucket
- definition: |
- WITH s3_selectors AS (
- SELECT
- name AS trail_name,
- is_multi_region_trail,
- bucket_selector
- FROM
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) AS event_selector,
- jsonb_array_elements(event_selector -> 'DataResources') AS data_resource,
- jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector
- WHERE
- is_multi_region_trail
- AND data_resource ->> 'Type' = 'AWS::S3::Object'
- AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All')
- )
- SELECT
- b.arn AS resource,
- b.platform_integration_id AS platform_integration_id,
- b.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(bucket_selector) > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.'
- ELSE b.name || ' object-level read events logging disabled.'
- END AS reason
- FROM
- aws_s3_bucket AS b
- LEFT JOIN
- s3_selectors ON bucket_selector LIKE (b.arn || '%')
- OR bucket_selector = 'arn:aws:s3'
- GROUP BY
- b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
+ language: sql
+ primary_resource: aws_s3_bucket
+ definition: |
+ WITH s3_selectors AS (
+ SELECT
+ name AS trail_name,
+ is_multi_region_trail,
+ bucket_selector
+ FROM
+ aws_cloudtrail_trail,
+ jsonb_array_elements(event_selectors) AS event_selector,
+ jsonb_array_elements(event_selector -> 'DataResources') AS data_resource,
+ jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector
+ WHERE
+ is_multi_region_trail
+ AND data_resource ->> 'Type' = 'AWS::S3::Object'
+ AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All')
+ )
+ SELECT
+ b.arn AS resource,
+ b.platform_integration_id AS platform_integration_id,
+ b.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(bucket_selector) > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.'
+ ELSE b.name || ' object-level read events logging disabled.'
+ END AS reason
+ FROM
+ aws_s3_bucket AS b
+ LEFT JOIN
+ s3_selectors ON bucket_selector LIKE (b.arn || '%')
+ OR bucket_selector = 'arn:aws:s3'
+ GROUP BY
+ b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_3_2.yaml b/compliance/controls/aws/aws_cis_v130_3_2.yaml
index 0ee57ea64..775ca5671 100644
--- a/compliance/controls/aws/aws_cis_v130_3_2.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_2.yaml
@@ -1,28 +1,29 @@
 id: aws_cis_v130_3_2
 title: 3.2 Ensure CloudTrail log file validation is enabled.
+type: control
 description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN log_file_validation_enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN log_file_validation_enabled THEN title || ' log file validation enabled.'
- ELSE title || ' log file validation disabled.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN log_file_validation_enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN log_file_validation_enabled THEN title || ' log file validation enabled.'
+ ELSE title || ' log file validation disabled.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_3_3.yaml b/compliance/controls/aws/aws_cis_v130_3_3.yaml
index 8be3aebea..c6d1fb5c1 100644
--- a/compliance/controls/aws/aws_cis_v130_3_3.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_3.yaml
@@ -1,64 +1,65 @@
 id: aws_cis_v130_3_3
 title: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
+type: control
 description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- WITH public_bucket_data AS (
- SELECT
- t.s3_bucket_name AS name,
- b.arn,
- t.region,
- t.account_id,
- t.tags,
- t._ctx,
- COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants,
- COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants,
- COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements
- FROM
- aws_cloudtrail_trail AS t
- LEFT JOIN aws_s3_bucket AS b
- ON t.s3_bucket_name = b.name
- LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant
- ON TRUE
- LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s
- ON TRUE
- LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p
- ON TRUE
- GROUP BY
- t.s3_bucket_name,
- b.arn,
- t.region,
- t.account_id,
- t.tags,
- t._ctx
- )
- SELECT
- CASE
- WHEN arn IS NULL THEN 'arn:aws:s3::' || name
- ELSE arn
- END AS resource,
- t.platform_integration_id AS platform_integration_id,
- t.platform_resource_id AS platform_resource_id,
- CASE
- WHEN arn IS NULL THEN 'skip'
- WHEN all_user_grants > 0 THEN 'alarm'
- WHEN auth_user_grants > 0 THEN 'alarm'
- WHEN anon_statements > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.'
- WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.'
- WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.'
- WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.'
- ELSE name || ' does not grant anonymous access in ACL or bucket policy.'
- END AS reason
- FROM
- public_bucket_data;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ WITH public_bucket_data AS (
+ SELECT
+ t.s3_bucket_name AS name,
+ b.arn,
+ t.region,
+ t.account_id,
+ t.tags,
+ t._ctx,
+ COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants,
+ COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants,
+ COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements
+ FROM
+ aws_cloudtrail_trail AS t
+ LEFT JOIN aws_s3_bucket AS b
+ ON t.s3_bucket_name = b.name
+ LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant
+ ON TRUE
+ LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s
+ ON TRUE
+ LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p
+ ON TRUE
+ GROUP BY
+ t.s3_bucket_name,
+ b.arn,
+ t.region,
+ t.account_id,
+ t.tags,
+ t._ctx
+ )
+ SELECT
+ CASE
+ WHEN arn IS NULL THEN 'arn:aws:s3::' || name
+ ELSE arn
+ END AS resource,
+ t.platform_integration_id AS platform_integration_id,
+ t.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN arn IS NULL THEN 'skip'
+ WHEN all_user_grants > 0 THEN 'alarm'
+ WHEN auth_user_grants > 0 THEN 'alarm'
+ WHEN anon_statements > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.'
+ WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.'
+ WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.'
+ WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.'
+ ELSE name || ' does not grant anonymous access in ACL or bucket policy.'
+ END AS reason
+ FROM
+ public_bucket_data;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v130_3_4.yaml b/compliance/controls/aws/aws_cis_v130_3_4.yaml
index 95aedccb3..d691437e2 100644
--- a/compliance/controls/aws/aws_cis_v130_3_4.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_4.yaml
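Review bot: The outer SELECT reads `t.platform_integration_id` and `t.platform_resource_id`, but `t` is an alias that exists only inside the `public_bucket_data` CTE; the outer FROM lists just `public_bucket_data`, so PostgreSQL rejects the definition with a missing FROM-clause entry for `t` and the control never produces a row. Carry the two columns through the CTE's select list and GROUP BY and reference them unqualified in the outer query, as below. The `anon_statements` reason text also has an unbalanced quote, `' grants access to AWS:*" in bucket policy.'`, which the fence corrects as well. The `anon_statements` count does not look at a statement's Condition, so an Allow to `*` that is tightly conditioned is still reported as anonymous access; that is the conservative direction, but a comment on the COUNT saying so would save the next reader a check.
```sql
WITH public_bucket_data AS (
  SELECT
    t.s3_bucket_name AS name,
    b.arn,
    t.platform_integration_id,
    t.platform_resource_id,
    -- … unchanged: region, account_id, tags, _ctx, grant/statement counts, joins …
  GROUP BY
    t.s3_bucket_name,
    b.arn,
    t.platform_integration_id,
    t.platform_resource_id,
    -- … unchanged: remaining GROUP BY columns …
)
SELECT
  -- … unchanged: resource CASE …
  platform_integration_id AS platform_integration_id,
  platform_resource_id AS platform_resource_id,
  -- … unchanged: status CASE, first reason branches …
  WHEN anon_statements > 0 THEN name || ' grants access to AWS:* in bucket policy.'
  -- … unchanged: remaining reason branch, FROM public_bucket_data …
```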
@@ -1,28 +1,29 @@ id: aws_cis_v130_3_4 title: 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs +type: control description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' 
- END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_3_5.yaml b/compliance/controls/aws/aws_cis_v130_3_5.yaml index 0c9283b43..d8cc9959c 100644 --- a/compliance/controls/aws/aws_cis_v130_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_5.yaml 
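Review bot: The `log_group_arn != 'null'` test in both CASE expressions compares against the literal string 'null'; when the column is a real SQL NULL the predicate is UNKNOWN and the row falls through to 'alarm', which is the right outcome only by accident, and a reader cannot tell whether the plugin really stores the text 'null'. Write it as `log_group_arn IS NOT NULL AND log_group_arn != 'null'` so the intent survives either representation. The one-day freshness window `latest_delivery_time > CURRENT_DATE - 1` is also undocumented; a comment such as `-- CIS 3.4: treat the integration as live only if logs were delivered within the last day` would help the next maintainer understand why a configured but stale trail alarms.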
@@ -1,67 +1,68 @@ id: aws_cis_v130_3_5 title: 3.5 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_config_configuration_recorder - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'ok' - WHEN a.opt_in_status = 'not-opted-in' - THEN 'skip' - ELSE 'alarm' - END AS status, + language: sql + primary_resource: aws_config_configuration_recorder + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN 
g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'ok' + WHEN a.opt_in_status = 'not-opted-in' + THEN 'skip' + ELSE 'alarm' + END AS status, + CASE + WHEN a.opt_in_status = 'not-opted-in' + THEN a.region || ' region is disabled.' + ELSE CASE - WHEN a.opt_in_status = 'not-opted-in' - THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' - THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' - THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' - THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' - THEN ' and LastStatus is SUCCESS.' - ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN aws_config_configuration_recorder AS r - ON r.account_id = a.account_id - AND r.region = a.name; + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' + THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || + CASE + WHEN recording_group -> 'AllSupported' = 'true' + THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' + THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' + THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN aws_config_configuration_recorder AS r + ON r.account_id = a.account_id + AND r.region = a.name; severity: low tags: {} 
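Review bot: The `global_recorders` CTE counts recorders across the whole table with no `account_id` predicate, so if the plugin aggregates several accounts one account's global recorder satisfies `g.global_config_recorders >= 1` for every other account, and the comma cross join `global_recorders AS g, aws_region AS a` then applies that single count to every region row. Scope the count per account and join it on `account_id` as sketched below. The resource string `'arn:aws::' || a.region || ':' || a.account_id` also hard-codes the `aws` partition where the other controls in this change use `a.partition`; presumably GovCloud or China accounts get an ARN that does not match the account's real partition.

```sql
WITH global_recorders AS (
  SELECT
    account_id,
    COUNT(*) AS global_config_recorders
  FROM
    aws_config_configuration_recorder
  WHERE
    -- … unchanged: IncludeGlobalResourceTypes / AllSupported / Recording / LastStatus predicates …
  GROUP BY
    account_id
)
-- … unchanged: SELECT list and the two CASE expressions …
FROM
  aws_region AS a
  LEFT JOIN global_recorders AS g
    ON g.account_id = a.account_id
  LEFT JOIN aws_config_configuration_recorder AS r
    ON r.account_id = a.account_id
    AND r.region = a.name;
```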
diff --git a/compliance/controls/aws/aws_cis_v130_3_6.yaml b/compliance/controls/aws/aws_cis_v130_3_6.yaml index 130d92e43..386712562 100644 --- a/compliance/controls/aws/aws_cis_v130_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_6.yaml 
@@ -1,29 +1,30 @@ id: aws_cis_v130_3_6 title: 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket +type: control description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.logging IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - END AS reason - FROM - aws_cloudtrail_trail t - INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.logging IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' + ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' + END AS reason + FROM + aws_cloudtrail_trail t + INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: low tags: {} 
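Review bot: The `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` silently drops any trail whose log bucket is not visible in this account, which is the usual layout for an organization trail delivering to a central logging account, so those trails produce no row at all instead of an alarm or skip. Use `LEFT JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` and add a leading branch to both CASE expressions, `WHEN b.name IS NULL THEN 'skip'` with reason `t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in this account.'`, so the gap is reported rather than hidden. The `b.logging IS NOT NULL` test also presumes the plugin leaves the column NULL when access logging is off; if it returns an empty object instead, every bucket passes, which is worth confirming against the plugin schema.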
diff --git a/compliance/controls/aws/aws_cis_v130_3_7.yaml b/compliance/controls/aws/aws_cis_v130_3_7.yaml index e87b3a3de..0d7ec9034 100644 --- a/compliance/controls/aws/aws_cis_v130_3_7.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_7.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v130_3_7 title: 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs +type: control description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' - ELSE title || ' logs are encrypted at rest.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' + ELSE title || ' logs are encrypted at rest.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_3_8.yaml b/compliance/controls/aws/aws_cis_v130_3_8.yaml index f78c8dd7f..f92ac1d0c 100644 
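Review bot: The alarm reason `title || ' logs are not encrypted at rest.'` overstates the finding: CloudTrail delivers log objects with S3-managed encryption by default, and what `kms_key_id IS NULL` actually detects is the absence of a customer-managed KMS key, which is what the control title asks for. Change the two reasons to `title || ' logs are not encrypted with a KMS CMK (SSE-S3 default).'` and `title || ' logs are encrypted with KMS CMK ' || kms_key_id || '.'` so the finding states what was checked and names the key. A short comment above the CASE, `-- CIS 3.7: a trail without KmsKeyId falls back to SSE-S3`, would keep the next reader from "fixing" the reason back.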
--- a/compliance/controls/aws/aws_cis_v130_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_8.yaml 
@@ -1,34 +1,35 @@ id: aws_cis_v130_3_8 title: 3.8 Ensure rotation for customer created CMKs is enabled +type: control description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin = 'EXTERNAL' THEN 'skip' - WHEN key_state = 'PendingDeletion' THEN 'skip' - WHEN key_state = 'Disabled' THEN 'skip' - WHEN NOT key_rotation_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' - WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' - WHEN key_state = 'Disabled' THEN title || ' is disabled.' - WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' - ELSE title || ' key rotation enabled.' - END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin = 'EXTERNAL' THEN 'skip' + WHEN key_state = 'PendingDeletion' THEN 'skip' + WHEN key_state = 'Disabled' THEN 'skip' + WHEN NOT key_rotation_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' 
+ WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' + WHEN key_state = 'Disabled' THEN title || ' is disabled.' + WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' + ELSE title || ' key rotation enabled.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_4_13.yaml b/compliance/controls/aws/aws_cis_v130_4_13.yaml index c13d0c708..e9c743ff8 100644 --- a/compliance/controls/aws/aws_cis_v130_4_13.yaml +++ b/compliance/controls/aws/aws_cis_v130_4_13.yaml 
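Review bot: `WHEN NOT key_rotation_enabled THEN 'alarm'` lets a NULL `key_rotation_enabled` fall through to `ELSE 'ok'`, because `NOT NULL` is UNKNOWN; a key whose rotation status the plugin could not read (for example when GetKeyRotationStatus is denied or unsupported for the key) is reported as rotating. Use `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` in both CASE expressions so only an explicit true passes. If asymmetric or HMAC keys are in scope they cannot use automatic rotation and probably deserve a `'skip'` branch keyed on the key spec rather than an alarm; the column is not visible in this hunk, so confirm the name before adding it.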
@@ -1,96 +1,97 @@ id: aws_cis_v130_4_13 title: 4.13 Ensure a log metric filter and alarm exist for route table changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute\s+' - || filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateRouteTable\s+' - || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRoute\s+' - || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+' - || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRouteTable\s+' - || filter.filter_pattern ~ 
'\$\.eventName\s*=\s*DeleteRoute\s+' - || filter.filter_pattern ~ '\$\.eventName\s*=\s*DisassociateRouteTable' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' - ELSE filter_name || ' forwards events for route table changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + 
aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateRouteTable\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRoute\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceRouteTableAssociation\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRouteTable\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteRoute\s+' + || filter.filter_pattern ~ '\$\.eventName\s*=\s*DisassociateRouteTable' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' + ELSE filter_name || ' forwards events for route table changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_4_3.yaml b/compliance/controls/aws/aws_cis_v130_4_3.yaml index 7bbcdeb9a..5b7ad0520 100644 --- a/compliance/controls/aws/aws_cis_v130_4_3.yaml +++ b/compliance/controls/aws/aws_cis_v130_4_3.yaml 
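Review bot: In the `metric_filters` CTE the seven regex tests are chained with `||`, which in PostgreSQL is string concatenation, not boolean OR; the expression parses left to right as `((filter_pattern ~ p1) || filter_pattern) ~ p2 || …`, so only the final `~ '\$\.eventName\s*=\s*DisassociateRouteTable'` effectively decides the row, and a filter that covers just that one event is reported as forwarding all route-table changes. Replace each `||` with `AND` if the filter must name all seven events (the benchmark wants all of them; the S3-policy control in this same change encodes that with a single `.+`-joined pattern), or with `OR` if any one event is meant to suffice. Separately, `CreateRoute\s+` and `DeleteRoute\s+` require whitespace after the event name, so a filter written in the reference form `($.eventName = CreateRoute)` does not match; `CreateRoute(\s|\))` keeps the intent of not matching `CreateRouteTable` while accepting the parenthesised form.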
@@ -1,90 +1,91 @@ id: aws_cis_v130_4_3 title: 4.3 Ensure a log metric filter and alarm exist for usage of "root" account +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = 
alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' - ELSE filter_name || ' forwards events for usage of "root" account.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = 
f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' + ELSE filter_name || ' forwards events for usage of "root" account.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_4_8.yaml b/compliance/controls/aws/aws_cis_v130_4_8.yaml index 8cbd55617..22113e5b4 100644 --- a/compliance/controls/aws/aws_cis_v130_4_8.yaml +++ b/compliance/controls/aws/aws_cis_v130_4_8.yaml 
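Review bot: The final SELECT reads `f.platform_integration_id` and `f.platform_resource_id`, but `f` is the `filter_data` CTE, which only exposes `account_id`, `trail_name` and `filter_name`, so the statement fails with an undefined-column error before producing any result (and even if the columns existed they would be NULL on the alarm branch of the LEFT JOIN). Take them from the account row instead: `a.platform_integration_id AS platform_integration_id, a.platform_resource_id AS platform_resource_id`, which is also what the route-table control in this change does. For the same reason `primary_resource: aws_cloudtrail_trail` looks inconsistent with a resource ARN built from `aws_account`; presumably it should be `aws_account`.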
@@ -1,90 +1,91 @@ id: aws_cis_v130_4_8 title: 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - 
t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' - ELSE filter_name || ' forwards events for S3 bucket policy changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' + ELSE filter_name || ' forwards events for S3 bucket policy changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_5_2.yaml b/compliance/controls/aws/aws_cis_v130_5_2.yaml index d91585696..c79bd7dda 100644 --- a/compliance/controls/aws/aws_cis_v130_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v130_5_2.yaml 
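Review bot: `f.platform_integration_id` and `f.platform_resource_id` in the final SELECT name columns that the `filter_data` CTE does not select, so the query errors out instead of reporting; use `a.platform_integration_id AS platform_integration_id, a.platform_resource_id AS platform_resource_id` from `aws_account`, and align `primary_resource` with the account-level ARN the query emits. Separately, the single `.+`-joined regex only matches when the nine event names appear in exactly this order and the unescaped dots in `s3.amazonaws.com` match any character; a filter listing the same events in a different order is reported as missing, so if order-independence is wanted, test each event with its own `~` predicate joined by `AND`.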
@@ -1,54 +1,55 @@ id: aws_cis_v130_5_2 title: 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 + ) + OR ( + from_port >= 3389 + AND to_port <= 3389 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v130_5_4.yaml b/compliance/controls/aws/aws_cis_v130_5_4.yaml index a0deb2d4f..5657a1a26 100644 --- a/compliance/controls/aws/aws_cis_v130_5_4.yaml +++ b/compliance/controls/aws/aws_cis_v130_5_4.yaml 
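Review bot: The port tests in `bad_rules` are inverted: `from_port >= 22 AND to_port <= 22` only matches a rule whose range is exactly 22–22, so a rule opening 20–25, 0–1024 or tcp 0–65535 to `0.0.0.0/0` is reported as 'ok' even though it exposes SSH. A range contains the port when `from_port <= 22 AND to_port >= 22`, and likewise `from_port <= 3389 AND to_port >= 3389`; the `ip_protocol = '-1'` branch keeps covering all-traffic rules. Whether an all-protocols rule is represented with `from_port IS NULL` or with -1 depends on the plugin, so that branch is worth confirming too.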
@@ -1,20 +1,21 @@
 id: aws_cis_v130_5_4
 title: 5.4 Ensure routing tables for VPC peering are 'least access'
+type: control
 description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_1.yaml b/compliance/controls/aws/aws_cis_v140_1_1.yaml
index dd7f6cc49..f2c506d03 100644
--- a/compliance/controls/aws/aws_cis_v140_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_1.yaml
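Review bot: The `description` field of aws_cis_v130_5_4 does not match its `title`: the title is about VPC peering routing tables being least-access, while the description talks about the default security group denying inbound traffic, which is the subject of a different CIS recommendation. Since the control itself is a manual-verification stub, the description is the only guidance an operator gets, so it should explain that routes added for a VPC peering connection should be restricted to the specific subnets or hosts that need to reach the peered VPC rather than whole CIDR blocks. The hunk otherwise only re-indents the policy block and adds `type: control`.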
@@ -1,20 +1,21 @@
 id: aws_cis_v140_1_1
 title: 1.1 Maintain current contact details
+type: control
 description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_10.yaml b/compliance/controls/aws/aws_cis_v140_1_10.yaml
index 3ee93dd35..4a211c140 100644
--- a/compliance/controls/aws/aws_cis_v140_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_10.yaml
@@ -1,27 +1,28 @@
 id: aws_cis_v140_1_10
 title: 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
+type: control
 description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_enabled AND NOT mfa_active THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT password_enabled THEN user_name || ' password login disabled.'
- WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
- ELSE user_name || ' password login enabled and MFA device configured.'
- END AS reason
- FROM
- aws_iam_credential_report;
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_enabled AND NOT mfa_active THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT password_enabled THEN user_name || ' password login disabled.'
+ WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
+ ELSE user_name || ' password login enabled and MFA device configured.'
+ END AS reason
+ FROM
+ aws_iam_credential_report;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_11.yaml b/compliance/controls/aws/aws_cis_v140_1_11.yaml
index 888d4ef0a..c704f0aea 100644
--- a/compliance/controls/aws/aws_cis_v140_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_11.yaml
@@ -1,34 +1,35 @@ id: aws_cis_v140_1_11 title: 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled - AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled - THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL - THEN user_name || ' has no access keys.' - WHEN password_enabled - AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled + AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled + THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL + THEN user_name || ' has no access keys.' 
+ WHEN password_enabled
+ AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10)
+ THEN user_name || ' has access key created during user creation and password login enabled.'
+ ELSE user_name || ' has access key not created during user creation.'
+ END AS reason
+ FROM
+ aws_iam_credential_report;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_12.yaml b/compliance/controls/aws/aws_cis_v140_1_12.yaml
index 66a44602e..81681e4cf 100644
--- a/compliance/controls/aws/aws_cis_v140_1_12.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_12.yaml
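Review bot: Both CASE expressions in aws_cis_v140_1_11 inspect only `access_key_1_last_rotated`, so a second key created at user creation is never reported, and the reason branch `WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.'` is wrong for a user whose only key is key 2. The credential report carries the same fields for the second key; the status predicate should become `AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10 OR EXTRACT(EPOCH FROM (access_key_2_last_rotated - user_creation_time)) < 10)` and the "no access keys" branch should test both columns for NULL. The 10-second window is a magic constant; a `-- key created within 10s of the user counts as created during user setup` line above the status CASE would document the intent. The hunk begins on the previous page line.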
@@ -1,44 +1,45 @@ id: aws_cis_v140_1_12 title: 1.12 Ensure credentials unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' 
never used,' - ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' + ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_13.yaml b/compliance/controls/aws/aws_cis_v140_1_13.yaml index 31200bf9b..c03a2f632 100644 --- a/compliance/controls/aws/aws_cis_v140_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_13.yaml 
@@ -1,37 +1,38 @@
 id: aws_cis_v140_1_13
 title: 1.13 Ensure there is only one active access key available for any single IAM user
+type: control
 description: Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- SELECT
- u.arn AS resource,
- u.platform_integration_id AS platform_integration_id,
- u.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(k.*) > 1 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason
- FROM
- aws_iam_user AS u
- LEFT JOIN
- aws_iam_access_key AS k
- ON u.name = k.user_name
- AND u.account_id = k.account_id
- WHERE
- k.status = 'Active' OR k.status IS NULL
- GROUP BY
- u.arn,
- u.name,
- u.account_id,
- u.tags,
- u._ctx,
- u.platform_integration_id,
- u.platform_resource_id;
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ SELECT
+ u.arn AS resource,
+ u.platform_integration_id AS platform_integration_id,
+ u.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(k.*) > 1 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason
+ FROM
+ aws_iam_user AS u
+ LEFT JOIN
+ aws_iam_access_key AS k
+ ON u.name = k.user_name
+ AND u.account_id = k.account_id
+ WHERE
+ k.status = 'Active' OR k.status IS NULL
+ GROUP BY
+ u.arn,
+ u.name,
+ u.account_id,
+ u.tags,
+ u._ctx,
+ u.platform_integration_id,
+ u.platform_resource_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_14.yaml b/compliance/controls/aws/aws_cis_v140_1_14.yaml
index 6d65c365f..402ff562a 100644
--- a/compliance/controls/aws/aws_cis_v140_1_14.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_14.yaml
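Review bot: The `WHERE k.status = 'Active' OR k.status IS NULL` filter in aws_cis_v140_1_13 sits after the LEFT JOIN, so a user whose keys are all Inactive matches neither branch and disappears from the result set instead of being reported as 'ok' with 0 active keys. Moving the status test into the join keeps every user: `AND u.account_id = k.account_id` followed by `AND k.status = 'Active'`, and the WHERE clause removed. `COUNT(k.*)` then counts only the surviving active-key rows, which is the intended semantics.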
@@ -1,24 +1,25 @@ id: aws_cis_v140_1_14 title: 1.14 Ensure access keys are rotated every 90 days or less +type: control description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason + FROM + aws_iam_access_key; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_cis_v140_1_15.yaml b/compliance/controls/aws/aws_cis_v140_1_15.yaml
index 855707f72..f05730d2f 100644
--- a/compliance/controls/aws/aws_cis_v140_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_15.yaml
@@ -1,24 +1,25 @@ id: aws_cis_v140_1_15 title: 1.15 Ensure IAM Users Receive Permissions Only Through Groups -description: 'IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.' +type: control +description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || - COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' AS reason - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || + COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' 
AS reason
+ FROM
+ aws_iam_user;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_16.yaml b/compliance/controls/aws/aws_cis_v140_1_16.yaml
index b94c0550c..97c0be8c4 100644
--- a/compliance/controls/aws/aws_cis_v140_1_16.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_16.yaml
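Review bot: The status and reason expressions in aws_cis_v140_1_15 disagree on what "no policies" means: status passes only when `inline_policies IS NULL AND attached_policy_arns IS NULL`, while reason uses `COALESCE(jsonb_array_length(...), 0)`, which also tolerates an empty array. If the source table ever returns `[]` rather than NULL for a user with nothing attached (I cannot tell from this hunk), the user is marked 'alarm' with a reason of "0 inline and 0 directly attached policies". Aligning status with the reason avoids that contradiction: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`. The hunk begins on the previous page line.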
@@ -1,52 +1,53 @@ id: aws_cis_v140_1_16 title: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached +type: control description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - is_aws_managed, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = '*:*' - ) - AND is_attached - GROUP BY - arn, - is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + is_aws_managed, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || 
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - END AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - p.is_attached; + AND is_attached + GROUP BY + arn, + is_aws_managed + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + END AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + p.is_attached; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_17.yaml b/compliance/controls/aws/aws_cis_v140_1_17.yaml index bf3323c72..4d078d861 100644 --- a/compliance/controls/aws/aws_cis_v140_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_17.yaml 
@@ -1,49 +1,50 @@ id: aws_cis_v140_1_17 title: 1.17 Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - ) - SELECT - resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason - FROM - support_role_count; + language: sql + primary_resource: aws_account + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + ) + SELECT + resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason + FROM + support_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_18.yaml b/compliance/controls/aws/aws_cis_v140_1_18.yaml index d5e206cf1..661dcf183 100644 --- a/compliance/controls/aws/aws_cis_v140_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_18.yaml 
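Review bot: The WHERE clause in the support_role_count CTE (`SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' OR policy_arn IS NULL`) removes every row of an account whose roles all carry some other attached policy, so that account never reaches the outer SELECT and the `ELSE 'alarm'` branch is not produced for it; only accounts with no roles, or with at least one role that has no attached policies, can fail this control. Counting conditionally instead of filtering keeps one row per account: replace `COUNT(policy_arn),` with `COUNT(policy_arn) FILTER (WHERE SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess'),` and delete the three WHERE lines. The default column name is still `count`, so the outer `WHEN COUNT > 0` references keep working, though naming the column explicitly would be clearer. The hunk begins on the previous page line.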
@@ -1,20 +1,21 @@
 id: aws_cis_v140_1_18
 title: 1.18 Ensure IAM instance roles are used for AWS resource access from instances
+type: control
 description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_19.yaml b/compliance/controls/aws/aws_cis_v140_1_19.yaml
index c8912fcbd..1e5f4a6ec 100644
--- a/compliance/controls/aws/aws_cis_v140_1_19.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_19.yaml
@@ -1,28 +1,29 @@ id: aws_cis_v140_1_19 title: 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +type: control description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN - name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - ELSE - name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_server_certificate; + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN + name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' 
+ ELSE
+ name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'
+ END AS reason
+ FROM
+ aws_iam_server_certificate;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_1_2.yaml b/compliance/controls/aws/aws_cis_v140_1_2.yaml
index bd684e5d3..9446e6831 100644
--- a/compliance/controls/aws/aws_cis_v140_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_2.yaml
@@ -1,53 +1,54 @@ id: aws_cis_v140_1_2 title: 1.2 Ensure security contact information is registered +type: control description: AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - _ctx, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - -- Name is a required field if setting a security contact - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' 
- END AS reason - FROM - account AS a, - alternate_security_contact AS c - WHERE - c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + _ctx, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + -- Name is a required field if setting a security contact + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a, + alternate_security_contact AS c + WHERE + c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_20.yaml b/compliance/controls/aws/aws_cis_v140_1_20.yaml index 81bfdcbcb..b95331ea5 100644 --- a/compliance/controls/aws/aws_cis_v140_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_20.yaml 
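Review bot: The final FROM in aws_cis_v140_1_2 is a comma join (`account AS a, alternate_security_contact AS c WHERE c.account_id = a.account_id`), which is an inner join: an account with no SECURITY alternate contact yields no row at all, so the `ELSE 'alarm'` branch and its "security contact not registered." reason can never be emitted and the control silently passes the exact case it exists to catch. The fix is an outer join with the predicate in ON: `FROM account AS a` / `LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;` with the WHERE clause dropped. The `-- Name is a required field if setting a security contact` comment then correctly explains why `c.name IS NOT NULL` is a sufficient presence test. The hunk begins on the previous page line.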
@@ -1,30 +1,31 @@ id: aws_cis_v140_1_20 title: 1.20 Ensure that IAM Access analyzer is enabled for all regions +type: control description: Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_region - definition: | - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' - WHEN aa.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' - WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' - ELSE 'Access Analyzer not enabled in ' || r.region || '.' 
- END AS reason - FROM - aws_region AS r - LEFT JOIN - aws_accessanalyzer_analyzer AS aa ON r.account_id = aa.account_id AND r.region = aa.region; + language: sql + primary_resource: aws_region + definition: | + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' + WHEN aa.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' + WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' + ELSE 'Access Analyzer not enabled in ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN + aws_accessanalyzer_analyzer AS aa ON r.account_id = aa.account_id AND r.region = aa.region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_21.yaml b/compliance/controls/aws/aws_cis_v140_1_21.yaml index 6cb8d5e71..bbcd04a26 100644 --- a/compliance/controls/aws/aws_cis_v140_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_21.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v140_1_21 title: 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments +type: control description: In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_3.yaml b/compliance/controls/aws/aws_cis_v140_1_3.yaml index 251e94d37..b003bae61 100644 --- a/compliance/controls/aws/aws_cis_v140_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_3.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v140_1_3 title: 1.3 Ensure security questions are registered in the AWS account +type: control description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_4.yaml b/compliance/controls/aws/aws_cis_v140_1_4.yaml index cc882ddcd..3cb2f8721 100644 --- a/compliance/controls/aws/aws_cis_v140_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_4.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v140_1_4 title: 1.4 Ensure no 'root' user account access key exists +type: control description: The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_access_keys_present > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' - ELSE 'No root user access keys exist.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_access_keys_present > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' + ELSE 'No root user access keys exist.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_5.yaml b/compliance/controls/aws/aws_cis_v140_1_5.yaml index 59d302304..5ba366f4e 100644 --- a/compliance/controls/aws/aws_cis_v140_1_5.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_5.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v140_1_5 title: 1.5 Ensure MFA is enabled for the 'root' user account +type: control description: The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN account_mfa_enabled THEN 'MFA enabled for root account.' - ELSE 'MFA not enabled for root account.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN account_mfa_enabled THEN 'MFA enabled for root account.' + ELSE 'MFA not enabled for root account.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_1_7.yaml b/compliance/controls/aws/aws_cis_v140_1_7.yaml index 9f88ee45b..b48de7535 100644 --- a/compliance/controls/aws/aws_cis_v140_1_7.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_7.yaml 
@@ -1,38 +1,39 @@ id: aws_cis_v140_1_7 title: 1.7 Eliminate use of the 'root' user for administrative and daily tasks +type: control description: With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm' - WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' - WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN password_last_used IS NULL THEN 'Root never logged in with password.' - ELSE 'Root password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - password_last_used) || ' days).' - END || - CASE - WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' - ELSE ' Access Key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - access_key_1_last_used_date) || ' days).' - END || - CASE - WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' - ELSE ' Access Key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - access_key_2_last_used_date) || ' days).' 
- END AS reason - FROM - aws_iam_credential_report - WHERE - user_name = ''; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm' + WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' + WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN password_last_used IS NULL THEN 'Root never logged in with password.' + ELSE 'Root password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - password_last_used) || ' days).' + END || + CASE + WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' + ELSE ' Access Key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - access_key_1_last_used_date) || ' days).' + END || + CASE + WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' + ELSE ' Access Key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || extract(day FROM current_timestamp - access_key_2_last_used_date) || ' days).' + END AS reason + FROM + aws_iam_credential_report + WHERE + user_name = ''; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_1_1.yaml b/compliance/controls/aws/aws_cis_v140_2_1_1.yaml index 8224210b7..ccbabd852 100644 --- a/compliance/controls/aws/aws_cis_v140_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_1.yaml 
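Review bot: The two access-key branches of the status CASE use `<=` where the password branch uses `>=`, so `WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'` fires for a root key last used more than 90 days ago and stays 'ok' for one used yesterday, the opposite of what the title asks for. Both lines should read `>=` like the password line: `WHEN access_key_1_last_used_date >= (current_date - INTERVAL '90' day) THEN 'alarm'` and the matching line for access_key_2_last_used_date. The reason text is unaffected, as it only reports the dates and day counts.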
@@ -1,26 +1,27 @@ id: aws_cis_v140_2_1_1 title: 2.1.1 Ensure all S3 buckets employ encryption-at-rest +type: control description: Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.' - ELSE name || ' default encryption disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.' + ELSE name || ' default encryption disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_1_2.yaml b/compliance/controls/aws/aws_cis_v140_2_1_2.yaml index eb47ec274..cf1962ca2 100644 --- a/compliance/controls/aws/aws_cis_v140_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_2.yaml 
@@ -1,47 +1,48 @@ id: aws_cis_v140_2_1_2 title: 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests +type: control description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:securetransport' - ) AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = FALSE - ) - - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text( + s -> 'Condition' -> 'Bool' -> 'aws:securetransport' + ) AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = FALSE + ) + + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_1_3.yaml b/compliance/controls/aws/aws_cis_v140_2_1_3.yaml index 8861b59a4..523b5c54c 100644 --- a/compliance/controls/aws/aws_cis_v140_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_3.yaml 
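Review bot: The `ssl_ok` CTE unnests `Action` as `a` and `Resource` as `r` but never constrains either, so a Deny statement with `aws:securetransport = false` that covers only one action or one key prefix marks the whole bucket as enforcing HTTPS. If the control is meant to require HTTPS for all access, add a filter on the unnested values, for example `AND a IN ('*', 's3:*')` together with a check that the resources cover both the bucket ARN and its objects; otherwise the reason text should say that only the presence of some such Deny is checked. The CTE also presumably relies on `policy_std` lower-casing the condition key and normalising scalars to arrays, since `jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport')` would not work on the raw policy document; a comment above the CTE stating that assumption would help the next maintainer.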
@@ -1,26 +1,27 @@ id: aws_cis_v140_2_1_3 title: 2.1.3 Ensure MFA Delete is enabled on S3 buckets +type: control description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' - ELSE name || ' MFA delete disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' + ELSE name || ' MFA delete disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_1_4.yaml b/compliance/controls/aws/aws_cis_v140_2_1_4.yaml index 336c86ea3..bbdbcdb7a 100644 --- a/compliance/controls/aws/aws_cis_v140_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_4.yaml 
@@ -1,40 +1,41 @@ id: aws_cis_v140_2_1_4 title: 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required +type: control description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_list AS ( - SELECT - TRIM(b::TEXT, '"' ) AS bucket_name - FROM - aws_macie2_classification_job, - JSONB_ARRAY_ELEMENTS(s3_job_definition -> 'BucketDefinitions') AS d, - JSONB_ARRAY_ELEMENTS(d -> 'Buckets') AS b - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' - WHEN l.bucket_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN - b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - WHEN l.bucket_name IS NOT NULL THEN - b.title || ' protected by Macie.' - ELSE - b.title || ' not protected by Macie.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_list AS ( + SELECT + TRIM(b::TEXT, '"' ) AS bucket_name + FROM + aws_macie2_classification_job, + JSONB_ARRAY_ELEMENTS(s3_job_definition -> 'BucketDefinitions') AS d, + JSONB_ARRAY_ELEMENTS(d -> 'Buckets') AS b + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' + WHEN l.bucket_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN + b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + WHEN l.bucket_name IS NOT NULL THEN + b.title || ' protected by Macie.' + ELSE + b.title || ' not protected by Macie.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_2_1.yaml b/compliance/controls/aws/aws_cis_v140_2_2_1.yaml index c7b4ad6e5..072042073 100644 --- a/compliance/controls/aws/aws_cis_v140_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_2_1.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v140_2_2_1 title: 2.2.1 Ensure EBS volume encryption is enabled +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_2_3_1.yaml b/compliance/controls/aws/aws_cis_v140_2_3_1.yaml index 8bfda5a96..4fc9fd222 100644 --- a/compliance/controls/aws/aws_cis_v140_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_3_1.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v140_2_3_1 title: 2.3.1 Ensure that encryption is enabled for RDS Instances +type: control description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_10.yaml b/compliance/controls/aws/aws_cis_v140_3_10.yaml index a7a026e53..516c2626e 100644 --- a/compliance/controls/aws/aws_cis_v140_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_10.yaml 
@@ -1,48 +1,49 @@ id: aws_cis_v140_3_10 title: 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 - THEN b.name || ' object-level write events logging enabled.' - ELSE b.name || ' object-level write events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 + THEN b.name || ' object-level write events logging enabled.' + ELSE b.name || ' object-level write events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_11.yaml b/compliance/controls/aws/aws_cis_v140_3_11.yaml index ddeb20393..10c0103a5 100644 --- a/compliance/controls/aws/aws_cis_v140_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_11.yaml 
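Review bot: The join condition `bucket_selector LIKE (b.arn || '%')` is a bare prefix match, so a data-resource value for a different bucket whose name extends this one's (a selector for `arn:aws:s3:::logs-archive/` also matches the bucket `arn:aws:s3:::logs`) is counted as logging for this bucket, and `bucket_selector = 'arn:aws:s3'` only recognises the all-buckets selector in the `aws` partition. Anchor the prefix on the object separator, `ON bucket_selector = b.arn OR bucket_selector LIKE (b.arn || '/%') OR bucket_selector = 'arn:aws:s3'`, and consider deriving the all-buckets selector from the bucket's partition instead of hardcoding `aws`. The hunk for aws_cis_v140_3_11.yaml has the same join condition and needs the same change.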
@@ -1,47 +1,48 @@ id: aws_cis_v140_3_11 title: 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' - ELSE b.name || ' object-level read events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' + ELSE b.name || ' object-level read events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_2.yaml b/compliance/controls/aws/aws_cis_v140_3_2.yaml index 337c469d4..6a1002715 100644 --- a/compliance/controls/aws/aws_cis_v140_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_2.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v140_3_2 title: 3.2 Ensure CloudTrail log file validation is enabled +type: control description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_3.yaml b/compliance/controls/aws/aws_cis_v140_3_3.yaml index 601e9c81f..2c485257f 100644 --- a/compliance/controls/aws/aws_cis_v140_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_3.yaml 
@@ -1,64 +1,65 @@ id: aws_cis_v140_3_3 title: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible +type: control description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_bucket_data AS ( - SELECT - t.s3_bucket_name AS name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - t.platform_integration_id, - t.platform_resource_id, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, - COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements - FROM - aws_cloudtrail_trail AS t - LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name - LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON true - LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON true - LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON true - GROUP BY - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - t.platform_integration_id, - t.platform_resource_id - ) - SELECT - CASE - WHEN arn IS NULL THEN 'arn:aws:s3::' || name - ELSE arn - END AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN arn IS NULL THEN 'skip' - WHEN all_user_grants > 0 THEN 'alarm' - WHEN auth_user_grants > 0 THEN 'alarm' - WHEN anon_statements > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN arn IS 
NULL THEN name || ' not found in account ' || account_id || '.' - WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' - WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' - WHEN anon_statements > 0 THEN name || ' grants access to AWS:* in bucket policy.' - ELSE name || ' does not grant anonymous access in ACL or bucket policy.' - END AS reason - FROM - public_bucket_data; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_bucket_data AS ( + SELECT + t.s3_bucket_name AS name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + t.platform_integration_id, + t.platform_resource_id, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, + COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements + FROM + aws_cloudtrail_trail AS t + LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name + LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON true + LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON true + LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON true + GROUP BY + t.s3_bucket_name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + t.platform_integration_id, + t.platform_resource_id + ) + SELECT + CASE + WHEN arn IS NULL THEN 'arn:aws:s3::' || name + ELSE arn + END AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN arn IS NULL THEN 'skip' + WHEN all_user_grants > 0 THEN 'alarm' + WHEN auth_user_grants > 0 THEN 'alarm' + WHEN anon_statements > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' 
+ WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' + WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' + WHEN anon_statements > 0 THEN name || ' grants access to AWS:* in bucket policy.' + ELSE name || ' does not grant anonymous access in ACL or bucket policy.' + END AS reason + FROM + public_bucket_data; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_4.yaml b/compliance/controls/aws/aws_cis_v140_3_4.yaml index c90818bc9..acb7ba1cc 100644 --- a/compliance/controls/aws/aws_cis_v140_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_4.yaml 
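Review bot: `anon_statements` in the `public_bucket_data` CTE counts every `Allow` statement whose `Principal.AWS` contains `*` without looking at the statement's `Condition` block, so a bucket policy that scopes the wildcard principal with a key such as `aws:SourceVpce` or `aws:PrincipalOrgID` is reported as `alarm` exactly like a truly anonymous grant; a conditioned wildcard deserves at least its own status and reason (for example by testing `s -> 'Condition' IS NULL` in the filter and adding a separate branch for the conditioned case) rather than being conflated with public access. The three `LEFT JOIN jsonb_array_elements ... ON true` unnests cross-multiply the rows, so the `COUNT(...)` values are inflated; that is harmless because only `> 0` is tested, but `bool_or(...)` would state the intent directly. Whether a bare string `"Principal": "*"` is covered depends on `policy_std` normalising it into the `AWS` array, which the query assumes without saying so; a one-line comment on the `p = '*'` filter would record that assumption.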
@@ -1,28 +1,29 @@ id: aws_cis_v140_3_4 title: 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs +type: control description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' 
- END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > CURRENT_DATE - 1) THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_3_5.yaml b/compliance/controls/aws/aws_cis_v140_3_5.yaml index f58df55d3..23e8a67b8 100644 --- a/compliance/controls/aws/aws_cis_v140_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_5.yaml 
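Review bot: `latest_delivery_time > CURRENT_DATE - 1` in both CASE expressions compares a timestamp with a date truncated to midnight, so the accepted delivery window varies between 24 and 48 hours depending on when the check runs; `latest_delivery_time > CURRENT_TIMESTAMP - INTERVAL '1 day'` gives the constant one-day window the control intends. `log_group_arn != 'null'` compares with the string literal `'null'`, which only makes sense if the collector stores that literal; a SQL NULL already falls through to `alarm`, but `log_group_arn IS NOT NULL AND log_group_arn <> 'null'` documents both cases. The same predicate is repeated verbatim for `status` and `reason`; computing it once in a CTE would keep the two from drifting apart.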
@@ -1,65 +1,66 @@ id: aws_cis_v140_3_5 title: 3.5 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_region - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'ok' - WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' - ELSE 'alarm' - END AS status, - CASE - WHEN a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' - THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' - THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' - THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' - THEN ' and LastStatus is SUCCESS.' 
- ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN aws_config_configuration_recorder AS r - ON r.account_id = a.account_id AND r.region = a.name; + language: sql + primary_resource: aws_region + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'ok' + WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' + ELSE 'alarm' + END AS status, + CASE + WHEN a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' + ELSE + CASE + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' + THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || + CASE + WHEN recording_group -> 'AllSupported' = 'true' + THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' + THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' + THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN aws_config_configuration_recorder AS r + ON r.account_id = a.account_id AND r.region = a.name; severity: low tags: {} 
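Review bot: The `global_recorders` CTE counts qualifying recorders across the whole `aws_config_configuration_recorder` table with no `account_id` filter, and the cross join `global_recorders AS g, aws_region AS a` applies that single count to every region row; if the tables hold more than one account (the `platform_integration_id` column suggests they do), one account with a global recorder makes `g.global_config_recorders >= 1` true for every account, and a region whose own recorder is healthy then reports `ok` although its account has no global recorder. Grouping the CTE by `account_id` and joining it to `aws_region` on that key scopes the check per account; with a LEFT JOIN the missing-row case becomes NULL, which the `>= 1` comparison already treats as not satisfied. The unqualified `status` and `recording_group` references resolve to the recorder table today, but qualifying them as `r.status` and `r.recording_group` would survive a column with the same name being added to `aws_region`.
```sql
WITH global_recorders AS (
    SELECT
        account_id,
        COUNT(*) AS global_config_recorders
    FROM
        aws_config_configuration_recorder
    -- … unchanged: WHERE predicates on recording_group / status …
    GROUP BY
        account_id
)
-- … unchanged: SELECT list (resource, status, reason) …
FROM
    aws_region AS a
LEFT JOIN global_recorders AS g
    ON g.account_id = a.account_id
LEFT JOIN aws_config_configuration_recorder AS r
    ON r.account_id = a.account_id AND r.region = a.name;
```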
diff --git a/compliance/controls/aws/aws_cis_v140_3_6.yaml b/compliance/controls/aws/aws_cis_v140_3_6.yaml
index 191f11916..976943603 100644
--- a/compliance/controls/aws/aws_cis_v140_3_6.yaml
+++ b/compliance/controls/aws/aws_cis_v140_3_6.yaml
@@ -1,31 +1,32 @@
 id: aws_cis_v140_3_6
 title: 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
+type: control
 description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- t.arn AS resource,
- t.platform_integration_id AS platform_integration_id,
- t.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.logging IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.logging IS NOT NULL
- THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'
- ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'
- END AS reason
- FROM
- aws_cloudtrail_trail t
- INNER JOIN
- aws_s3_bucket b ON t.s3_bucket_name = b.name
- WHERE
- t.region = t.home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ t.arn AS resource,
+ t.platform_integration_id AS platform_integration_id,
+ t.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.logging IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.logging IS NOT NULL
+ THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'
+ ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail t
+ INNER JOIN
+ aws_s3_bucket b ON t.s3_bucket_name = b.name
+ WHERE
+ t.region = t.home_region;
 severity: low
 tags: {}
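Review bot: `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` drops every trail whose bucket is not present in `aws_s3_bucket` (for example an organization trail writing to a bucket owned by another account, or a bucket the collector cannot list), so such trails produce no finding at all instead of a `skip` or `alarm`; the sibling `aws_cis_v140_3_3` hunk handles the same situation with a LEFT JOIN and an explicit not-found reason. A LEFT JOIN with a `b.name IS NULL` branch keeps every trail visible in the results. Whether `b.logging IS NOT NULL` is the right signal for access logging being enabled depends on how that column is populated, which the hunk does not show; a comment stating that expectation would help the next reader.
```sql
CASE
    WHEN b.name IS NULL THEN 'skip'
    WHEN b.logging IS NOT NULL THEN 'ok'
    ELSE 'alarm'
END AS status,
CASE
    WHEN b.name IS NULL
    THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in account ' || t.account_id || '.'
    -- … unchanged: enabled / disabled reasons …
END AS reason
FROM
    aws_cloudtrail_trail t
LEFT JOIN
    aws_s3_bucket b ON t.s3_bucket_name = b.name
-- … unchanged: WHERE t.region = t.home_region …
```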
diff --git a/compliance/controls/aws/aws_cis_v140_3_7.yaml b/compliance/controls/aws/aws_cis_v140_3_7.yaml
index 8d9b34da6..b8b4fdf2d 100644
--- a/compliance/controls/aws/aws_cis_v140_3_7.yaml
+++ b/compliance/controls/aws/aws_cis_v140_3_7.yaml
@@ -1,28 +1,29 @@
 id: aws_cis_v140_3_7
 title: 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
+type: control
 description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
- ELSE title || ' logs are encrypted at rest.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
+ ELSE title || ' logs are encrypted at rest.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_3_8.yaml b/compliance/controls/aws/aws_cis_v140_3_8.yaml
index 05ae96d89..8a50b5245 100644
--- a/compliance/controls/aws/aws_cis_v140_3_8.yaml
+++ b/compliance/controls/aws/aws_cis_v140_3_8.yaml
@@ -1,34 +1,35 @@
 id: aws_cis_v140_3_8
 title: 3.8 Ensure rotation for customer created CMKs is enabled
+type: control
 description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_kms_key
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN origin = 'EXTERNAL' THEN 'skip'
- WHEN key_state = 'PendingDeletion' THEN 'skip'
- WHEN key_state = 'Disabled' THEN 'skip'
- WHEN NOT key_rotation_enabled THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.'
- WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.'
- WHEN key_state = 'Disabled' THEN title || ' is disabled.'
- WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.'
- ELSE title || ' key rotation enabled.'
- END AS reason
- FROM
- aws_kms_key
- WHERE
- key_manager = 'CUSTOMER';
+ language: sql
+ primary_resource: aws_kms_key
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN origin = 'EXTERNAL' THEN 'skip'
+ WHEN key_state = 'PendingDeletion' THEN 'skip'
+ WHEN key_state = 'Disabled' THEN 'skip'
+ WHEN NOT key_rotation_enabled THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.'
+ WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.'
+ WHEN key_state = 'Disabled' THEN title || ' is disabled.'
+ WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.'
+ ELSE title || ' key rotation enabled.'
+ END AS reason
+ FROM
+ aws_kms_key
+ WHERE
+ key_manager = 'CUSTOMER';
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v140_3_9.yaml b/compliance/controls/aws/aws_cis_v140_3_9.yaml
index f6c13a12d..9049db1a0 100644
--- a/compliance/controls/aws/aws_cis_v140_3_9.yaml
+++ b/compliance/controls/aws/aws_cis_v140_3_9.yaml
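Review bot: `WHEN NOT key_rotation_enabled THEN 'alarm' ELSE 'ok'` fails open when `key_rotation_enabled` is NULL: `NOT NULL` is UNKNOWN, the branch is skipped and the key lands in `ELSE 'ok'` with the reason "key rotation enabled", so a key whose rotation status could not be read (or a key type for which rotation is not reported) is counted as compliant. `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` in both CASE expressions makes the unknown case fail closed. If some key types are meant to be exempt, an explicit `skip` branch with its own reason, as already done for `origin = 'EXTERNAL'`, is clearer than relying on the NULL fall-through.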
@@ -1,55 +1,56 @@ id: aws_cis_v140_3_9 title: 3.9 Ensure VPC flow logging is enabled in all VPCs +type: control description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - WITH vpcs AS ( - SELECT - arn, - account_id, - region, - owner_id, - vpc_id, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_vpc - ORDER BY - vpc_id - ), - flowlogs AS ( - SELECT - resource_id, - account_id, - region - FROM - aws_vpc_flow_log - ORDER BY - resource_id - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.account_id <> v.owner_id THEN 'skip' - WHEN f.resource_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' - WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' - ELSE v.vpc_id || ' flow logging disabled.' 
- END AS reason - FROM - vpcs AS v - LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; + language: sql + primary_resource: aws_vpc + definition: | + WITH vpcs AS ( + SELECT + arn, + account_id, + region, + owner_id, + vpc_id, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_vpc + ORDER BY + vpc_id + ), + flowlogs AS ( + SELECT + resource_id, + account_id, + region + FROM + aws_vpc_flow_log + ORDER BY + resource_id + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.account_id <> v.owner_id THEN 'skip' + WHEN f.resource_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' + WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' + ELSE v.vpc_id || ' flow logging disabled.' + END AS reason + FROM + vpcs AS v + LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_4_14.yaml b/compliance/controls/aws/aws_cis_v140_4_14.yaml index c204eb352..057b9d92e 100644 --- a/compliance/controls/aws/aws_cis_v140_4_14.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_14.yaml 
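Review bot: `LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id` correlates on the VPC id alone although the `flowlogs` CTE already selects `account_id` and `region` for that purpose; `AND f.account_id = v.account_id AND f.region = v.region` ties each VPC to flow logs in its own account and region, which matters once the tables hold several accounts. The description says flow logs should capture packet "Rejects", but the CTE accepts any flow log regardless of its traffic filter; if the table exposes the log's traffic type, filtering on it (REJECT or ALL) would align the check with the stated intent. The `ORDER BY` clauses inside both CTEs have no effect on the final result and can be dropped.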
@@ -1,91 +1,92 @@ id: aws_cis_v140_4_14 title: 4.14 Ensure a log metric filter and alarm exist for VPC changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' - ELSE f.filter_name || ' forwards events for VPC changes.' 
- END AS reason - FROM - aws_account AS a - LEFT JOIN - filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 
'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' + ELSE f.filter_name || ' forwards events for VPC changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_4_5.yaml b/compliance/controls/aws/aws_cis_v140_4_5.yaml index 470019ae6..a9b982388 100644 --- a/compliance/controls/aws/aws_cis_v140_4_5.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_5.yaml 
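Review bot: `filter_data` joins `metric_filters` to `trails` on `log_group_name` alone and `alarms` to filters on `metric_name` alone, with no `account_id` correlation; in a multi-account dataset a metric filter and alarm in one account whose log group happens to share a name with another account's trail log group satisfy the check for that other account, producing a false `ok`. Carrying `account_id` through `metric_filters` and `alarms` and adding it to the join conditions keeps each account's evidence separate. The same join shape is repeated in the `aws_cis_v140_4_5` and `aws_cis_v140_4_7` hunks. Separately, the `~` pattern requires the eleven event names in one fixed order with `.+` between them, so a filter pattern listing the same events in another order is reported as missing; a comment on the `metric_filters` CTE stating that limitation would help operators interpret the alarm.
```sql
alarms AS (
    SELECT
        account_id,
        metric_name,
        action_arn AS topic_arn
    -- … unchanged: FROM aws_cloudwatch_alarm, jsonb_array_elements_text(...) …
),
-- … unchanged: topic_subscriptions …
metric_filters AS (
    SELECT
        filter.account_id,
        filter.name AS filter_name,
        filter_pattern,
        log_group_name,
        metric_transformation_name
    -- … unchanged: FROM / WHERE pattern match …
),
filter_data AS (
    SELECT
        t.account_id,
        t.trail_name,
        f.filter_name
    FROM
        trails AS t
    JOIN
        metric_filters AS f ON f.log_group_name = t.log_group_name
                           AND f.account_id = t.account_id
    JOIN
        alarms AS alarm ON alarm.metric_name = f.metric_transformation_name
                       AND alarm.account_id = f.account_id
    -- … unchanged: topic_subscriptions join …
)
```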
@@ -1,90 +1,91 @@ id: aws_cis_v140_4_5 title: 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - 
JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' - ELSE filter_name || ' forwards events for CloudTrail configuration changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + 
metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' + ELSE filter_name || ' forwards events for CloudTrail configuration changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_4_7.yaml b/compliance/controls/aws/aws_cis_v140_4_7.yaml index 1214af49d..2900c78f2 100644 --- a/compliance/controls/aws/aws_cis_v140_4_7.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_7.yaml 
@@ -1,90 +1,91 @@ id: aws_cis_v140_4_7 title: 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = 
f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON 
f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' + ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_4_8.yaml b/compliance/controls/aws/aws_cis_v140_4_8.yaml index 73104762d..bf3114557 100644 --- a/compliance/controls/aws/aws_cis_v140_4_8.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_8.yaml 
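Review bot: The `metric_filters` regex joins the required `$.eventName` clauses with `.+`, so it only matches a filter pattern that lists DisableKey before ScheduleKeyDeletion; a pattern with the same events in the other order is rejected and the account is reported as 'alarm' although the alarm exists. The dots in `kms.amazonaws.com` are also unescaped regex metacharacters. A more robust check is one `~` predicate per required clause combined with `AND`, for example `filter.filter_pattern ~ '\$\.eventSource\s*=\s*kms\.amazonaws\.com' AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DisableKey' AND filter.filter_pattern ~ '\$\.eventName\s*=\s*ScheduleKeyDeletion'`. The same order-sensitive pattern appears in the aws_cis_v140_4_8 hunk with nine S3 event names, where the chance of a differently ordered but equivalent pattern is higher. The `ORDER BY` clauses inside the `trails`, `alarms`, `topic_subscriptions` and `metric_filters` CTEs have no effect on the joined result and can be dropped.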
@@ -1,90 +1,91 @@ id: aws_cis_v140_4_8 title: 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, 
- t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' - ELSE filter_name || ' forwards events for S3 bucket policy changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' + ELSE filter_name || ' forwards events for S3 bucket policy changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_5_1.yaml b/compliance/controls/aws/aws_cis_v140_5_1.yaml index 2f7b6810d..8111ca403 100644 --- a/compliance/controls/aws/aws_cis_v140_5_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_5_1.yaml 
@@ -1,85 +1,86 @@ id: aws_cis_v140_5_1 title: 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - WITH bad_rules AS ( - SELECT - network_acl_id, - COUNT(*) AS num_bad_rules, - tags, - region, - account_id - FROM - aws_vpc_network_acl, - jsonb_array_elements(entries) AS att - WHERE - att ->> 'Egress' = 'false' - AND ( - att ->> 'CidrBlock' = '0.0.0.0/0' - OR att ->> 'Ipv6CidrBlock' = '::/0' - ) - AND att ->> 'RuleAction' = 'allow' - AND ( - ( - att ->> 'Protocol' = '-1' - AND att ->> 'PortRange' IS NULL - ) - OR ( - (att -> 'PortRange' ->> 'From')::int <= 22 - AND (att -> 'PortRange' ->> 'To')::int >= 22 - AND att ->> 'Protocol' IN ('6', '17') - ) - OR ( - (att -> 'PortRange' ->> 'From')::int <= 3389 - AND (att -> 'PortRange' ->> 'To')::int >= 3389 - AND att ->> 'Protocol' IN ('6', '17') - ) - ) - GROUP BY - network_acl_id, - region, - account_id, - tags - ORDER BY - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls AS ( - SELECT - network_acl_id, - tags, - partition, - region, - account_id - FROM - aws_vpc_network_acl - ORDER BY - network_acl_id, - region, - account_id + language: sql + primary_resource: aws_vpc_network_acl + definition: | + WITH bad_rules AS ( + SELECT + network_acl_id, + COUNT(*) AS num_bad_rules, + tags, + region, + account_id + FROM + aws_vpc_network_acl, + jsonb_array_elements(entries) AS att + WHERE + att ->> 'Egress' = 'false' + AND ( + att ->> 'CidrBlock' = '0.0.0.0/0' + OR att ->> 'Ipv6CidrBlock' = '::/0' ) - 
SELECT - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource, - acl.platform_integration_id AS platform_integration_id, - acl.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.network_acl_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - END AS reason - FROM - aws_vpc_network_acl AS acl - LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id; + AND att ->> 'RuleAction' = 'allow' + AND ( + ( + att ->> 'Protocol' = '-1' + AND att ->> 'PortRange' IS NULL + ) + OR ( + (att -> 'PortRange' ->> 'From')::int <= 22 + AND (att -> 'PortRange' ->> 'To')::int >= 22 + AND att ->> 'Protocol' IN ('6', '17') + ) + OR ( + (att -> 'PortRange' ->> 'From')::int <= 3389 + AND (att -> 'PortRange' ->> 'To')::int >= 3389 + AND att ->> 'Protocol' IN ('6', '17') + ) + ) + GROUP BY + network_acl_id, + region, + account_id, + tags + ORDER BY + network_acl_id, + region, + account_id, + tags + ), + aws_vpc_network_acls AS ( + SELECT + network_acl_id, + tags, + partition, + region, + account_id + FROM + aws_vpc_network_acl + ORDER BY + network_acl_id, + region, + account_id + ) + SELECT + 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource, + acl.platform_integration_id AS platform_integration_id, + acl.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.network_acl_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
+ ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + aws_vpc_network_acl AS acl + LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_5_2.yaml b/compliance/controls/aws/aws_cis_v140_5_2.yaml index 49ac6bb88..d71665d1f 100644 --- a/compliance/controls/aws/aws_cis_v140_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v140_5_2.yaml 
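Review bot: The `aws_vpc_network_acls` CTE is defined but never referenced; the final `SELECT` reads `aws_vpc_network_acl AS acl` directly, so the CTE is dead code and should be removed rather than carried into the re-indented file. A second, hedged point: NACL entries are evaluated in rule-number order, and this query flags any matching allow entry regardless of whether a lower-numbered deny entry shadows it, so the 'alarm' may over-report on ACLs that use an explicit deny; if `att ->> 'RuleNumber'` is available it would be worth a comment stating that rule precedence is intentionally ignored. The `COUNT(*)` grouped by `tags` is fine only because `tags` is functionally dependent on `network_acl_id`; a one-line comment saying so would help the next reader.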
@@ -1,54 +1,55 @@ id: aws_cis_v140_5_2 title: 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' -- all traffic - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' -- all traffic + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 + ) + OR ( + from_port >= 3389 + AND to_port <= 3389 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v140_5_4.yaml b/compliance/controls/aws/aws_cis_v140_5_4.yaml index f1268652e..ac3cf2891 100644 --- a/compliance/controls/aws/aws_cis_v140_5_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_5_4.yaml 
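Review bot: The port predicates in `bad_rules` are inverted: `from_port >= 22 AND to_port <= 22` only matches a rule whose range is exactly 22–22, so an ingress rule from 0.0.0.0/0 on tcp 0–65535 or 20–25 is not counted and the security group is reported 'ok'. The containment test should be `from_port <= 22 AND to_port >= 22` and `from_port <= 3389 AND to_port >= 3389`, which is also the form the sibling aws_cis_v140_5_1 NACL query uses. Unlike that query, this one does not restrict the port test to `ip_protocol IN ('tcp', 'udp')`; whether that is intended depends on the values `ip_protocol` can take, so a comment either way would help.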
@@ -1,20 +1,21 @@ id: aws_cis_v140_5_4 title: 5.4 Ensure routing tables for VPC peering are "least access" +type: control description: Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_1_1.yaml b/compliance/controls/aws/aws_cis_v150_1_1.yaml index 84c586c25..110496c13 100644 --- a/compliance/controls/aws/aws_cis_v150_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_1.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v150_1_1 title: 1.1 Maintain current contact details +type: control description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_1_10.yaml b/compliance/controls/aws/aws_cis_v150_1_10.yaml index 8eb0a0eef..92bca2751 100644 --- a/compliance/controls/aws/aws_cis_v150_1_10.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_10.yaml 
@@ -1,27 +1,28 @@ id: aws_cis_v150_1_10 title: 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password +type: control description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' - ELSE user_name || ' password login enabled and MFA device configured.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' + ELSE user_name || ' password login enabled and MFA device configured.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_cis_v150_1_11.yaml b/compliance/controls/aws/aws_cis_v150_1_11.yaml
index be32aaddf..f02528d0d 100644
--- a/compliance/controls/aws/aws_cis_v150_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_11.yaml
@@ -1,30 +1,31 @@ id: aws_cis_v150_1_11 title: 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled - AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' - WHEN password_enabled - AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled + AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' 
+ WHEN password_enabled + AND extract(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_1_12.yaml b/compliance/controls/aws/aws_cis_v150_1_12.yaml index 68cb4e2ff..cdef85fe8 100644 --- a/compliance/controls/aws/aws_cis_v150_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_12.yaml 
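Review bot: Both `CASE` expressions only inspect `access_key_1_last_rotated`, so a user whose second access key was created together with the user is reported 'ok'. The status test should also cover key 2, e.g. `OR (password_enabled AND extract(epoch FROM (access_key_2_last_rotated - user_creation_time)) < 10)`, with a matching branch in the reason column. The 10-second window is a magic constant; a comment such as `-- keys created within 10 s of the user are treated as created during user setup` would make the heuristic explicit, and it presumably no longer fires once the key has been rotated, since the column is the last rotation time rather than the creation time.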
@@ -1,61 +1,62 @@ id: aws_cis_v150_1_12 title: 1.12 Ensure credentials unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || 
TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END - AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND 
access_key_1_last_used_date IS NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END + AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_1_13.yaml b/compliance/controls/aws/aws_cis_v150_1_13.yaml index bbcfac797..7e1004b40 100644 --- a/compliance/controls/aws/aws_cis_v150_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_13.yaml 
@@ -1,37 +1,38 @@ id: aws_cis_v150_1_13 title: 1.13 Ensure there is only one active access key available for any single IAM user +type: control description: Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.arn AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(k.*) > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_access_key AS k - ON u.name = k.user_name - AND u.account_id = k.account_id - WHERE - k.status = 'Active' - OR k.status IS NULL - GROUP BY - u.arn, - u.name, - u.account_id, - u.tags, - u._ctx, - u.platform_integration_id, - u.platform_resource_id; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.arn AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(k.*) > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason + FROM + aws_iam_user AS u + LEFT JOIN aws_iam_access_key AS k + ON u.name = k.user_name + AND u.account_id = k.account_id + WHERE + k.status = 'Active' + OR k.status IS NULL + GROUP BY + u.arn, + u.name, + u.account_id, + u.tags, + u._ctx, + u.platform_integration_id, + u.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_1_14.yaml b/compliance/controls/aws/aws_cis_v150_1_14.yaml index fe5e24943..367815842 100644 --- a/compliance/controls/aws/aws_cis_v150_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_14.yaml 
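Review bot: The `WHERE k.status = 'Active' OR k.status IS NULL` filter runs after the `LEFT JOIN`, so a user whose only keys are inactive produces joined rows that fail both conditions and the user disappears from the result instead of being reported 'ok' with 0 active keys. Move the status test into the join condition and drop the `WHERE`: `ON u.name = k.user_name AND u.account_id = k.account_id AND k.status = 'Active'`, which keeps the outer join and yields `COUNT(k.*) = 0` for such users. Grouping by `u.tags` and `u._ctx` is unnecessary once `u.arn` is in the `GROUP BY`, assuming `arn` is unique per user.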
@@ -1,23 +1,24 @@
id: aws_cis_v150_1_14
title: 1.14 Ensure access keys are rotated every 90 days or less
+type: control
description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_access_key
- definition: |
- SELECT
- 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
- ELSE 'ok'
- END status,
- user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason
- FROM
- aws_iam_access_key;
+ language: sql
+ primary_resource: aws_iam_access_key
+ definition: |
+ SELECT
+ 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'
+ ELSE 'ok'
+ END status,
+ user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason
+ FROM
+ aws_iam_access_key;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_15.yaml b/compliance/controls/aws/aws_cis_v150_1_15.yaml
index 9a757d7c2..f1fc71fd5 100644
--- a/compliance/controls/aws/aws_cis_v150_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_15.yaml
@@ -1,24 +1,25 @@
id: aws_cis_v150_1_15
title: 1.15 Ensure IAM Users Receive Permissions Only Through Groups
-description: 'IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.'
+type: control
+description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended."
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' ||
- COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' AS reason
- FROM
- aws_iam_user;
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' ||
+ COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.'
AS reason
+ FROM
+ aws_iam_user;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_16.yaml b/compliance/controls/aws/aws_cis_v150_1_16.yaml
index 6e934c6c0..e2d37bf81 100644
--- a/compliance/controls/aws/aws_cis_v150_1_16.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_16.yaml
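Review bot: The status CASE treats only `inline_policies IS NULL AND attached_policy_arns IS NULL` as 'ok', while the reason text guards against non-null arrays with `COALESCE(jsonb_array_length(...), 0)`; if either column is ever an empty array rather than NULL, the user is reported 'alarm' with a reason of "has 0 inline and 0 directly attached policies". Whether empty arrays occur depends on how the collector fills these columns, which is not visible here, but the two expressions should agree: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`.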
@@ -1,52 +1,53 @@
id: aws_cis_v150_1_16
title: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
+type: control
description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege - that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH star_access_policies AS (
- SELECT
- arn,
- is_aws_managed,
- COUNT(*) AS num_bad_statements
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- action = '*'
- OR action = '*:*'
- )
- AND is_attached
- GROUP BY
- arn,
- is_aws_managed
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH star_access_policies AS (
+ SELECT
+ arn,
+ is_aws_managed,
+ COUNT(*) AS num_bad_statements
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ action = '*'
+ OR action = '*:*'
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info'
- WHEN s.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' ||
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- END AS reason
- FROM
- aws_iam_policy AS p
- LEFT JOIN star_access_policies AS s ON p.arn = s.arn
- WHERE
- p.is_attached;
+ AND is_attached
+ GROUP BY
+ arn,
+ is_aws_managed
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info'
+ WHEN s.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
+ ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
+ END AS reason
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN star_access_policies AS s ON p.arn = s.arn
+ WHERE
+ p.is_attached;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_17.yaml b/compliance/controls/aws/aws_cis_v150_1_17.yaml
index 4247a53f1..9b6ba5b79 100644
--- a/compliance/controls/aws/aws_cis_v150_1_17.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_17.yaml
@@ -1,51 +1,52 @@
id: aws_cis_v150_1_17
title: 1.17 Ensure a support role has been created to manage incidents with AWS Support
+type: control
description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- WITH support_role_count AS (
- SELECT
- 'arn:' || a.partition || ':::' || a.account_id AS resource,
- COUNT(policy_arn),
- a.account_id,
- a._ctx,
- a.platform_integration_id,
- a.platform_resource_id
- FROM
- aws_account AS a
- LEFT JOIN
- aws_iam_role AS r ON r.account_id = a.account_id
- LEFT JOIN
- jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON true
- WHERE
- split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
- OR policy_arn IS NULL
- GROUP BY
- a.account_id,
- a.partition,
- a._ctx,
- a.platform_integration_id,
- a.platform_resource_id
- )
- SELECT
- resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.'
- WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.'
- ELSE 'AWSSupportAccess policy not attached to any role.'
- END AS reason
- FROM
- support_role_count;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ WITH support_role_count AS (
+ SELECT
+ 'arn:' || a.partition || ':::' || a.account_id AS resource,
+ COUNT(policy_arn),
+ a.account_id,
+ a._ctx,
+ a.platform_integration_id,
+ a.platform_resource_id
+ FROM
+ aws_account AS a
+ LEFT JOIN
+ aws_iam_role AS r ON r.account_id = a.account_id
+ LEFT JOIN
+ jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON true
+ WHERE
+ split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
+ OR policy_arn IS NULL
+ GROUP BY
+ a.account_id,
+ a.partition,
+ a._ctx,
+ a.platform_integration_id,
+ a.platform_resource_id
+ )
+ SELECT
+ resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.'
+ WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.'
+ ELSE 'AWSSupportAccess policy not attached to any role.'
+ END AS reason
+ FROM
+ support_role_count;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_18.yaml b/compliance/controls/aws/aws_cis_v150_1_18.yaml
index d27737fdf..bb000e979 100644
--- a/compliance/controls/aws/aws_cis_v150_1_18.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_18.yaml
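Review bot: The `WHERE split_part(policy_arn, '/', 2) = 'AWSSupportAccess' OR policy_arn IS NULL` clause in `support_role_count` is applied after the two LEFT JOINs, so an account whose roles all carry attached policies none of which is AWSSupportAccess loses every row and vanishes from the result instead of being reported 'alarm'; only accounts with no roles, or with a role that has no attached policies, ever reach the ELSE branch. Counting conditionally and dropping the WHERE clause keeps one row per account: `COUNT(policy_arn) FILTER (WHERE split_part(policy_arn, '/', 2) = 'AWSSupportAccess') AS count,`. Naming the aggregate `count` also makes the outer query's `COUNT > 0` / `COUNT = 1` references explicit instead of relying on the implicit column name of an unaliased `COUNT(...)`.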
@@ -1,20 +1,21 @@
id: aws_cis_v150_1_18
title: 1.18 Ensure IAM instance roles are used for AWS resource access from instances
+type: control
description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_19.yaml b/compliance/controls/aws/aws_cis_v150_1_19.yaml
index a2ce6a4c8..0fcbb1a1a 100644
--- a/compliance/controls/aws/aws_cis_v150_1_19.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_19.yaml
@@ -1,28 +1,29 @@
id: aws_cis_v150_1_19
title: 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
+type: control
description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_server_certificate
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN
- name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'
- ELSE
- name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'
- END AS reason
- FROM
- aws_iam_server_certificate;
+ language: sql
+ primary_resource: aws_iam_server_certificate
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN
+ name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'
+ ELSE
+ name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.'
+ END AS reason
+ FROM
+ aws_iam_server_certificate;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_2.yaml b/compliance/controls/aws/aws_cis_v150_1_2.yaml
index d5190636c..dc1c99d32 100644
--- a/compliance/controls/aws/aws_cis_v150_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_2.yaml
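Review bot: Both CASE expressions compare `expiration` against `current_date - INTERVAL '1' SECOND`, i.e. one second before today's midnight, so a certificate that expired earlier today is still reported 'ok' and "valid until" until the following day. Given `TO_CHAR(expiration, ...)` shows the column is a date/timestamp, comparing with the current instant is simpler and correct: `WHEN expiration < current_timestamp THEN 'alarm'`, with the same predicate in the reason CASE. If a one-day grace period is intended, a comment in the definition should say so.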
@@ -1,53 +1,54 @@
id: aws_cis_v150_1_2
title: 1.2 Ensure security contact information is registered
+type: control
description: AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- WITH alternate_security_contact AS (
- SELECT
- name,
- account_id
- FROM
- aws_account_alternate_contact
- WHERE
- contact_type = 'SECURITY'
- ),
- account AS (
- SELECT
- arn,
- partition,
- title,
- account_id,
- _ctx,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_account
- )
- SELECT
- arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.partition = 'aws-us-gov' THEN 'info'
- WHEN c.name IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
- WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
- ELSE a.title || ' security contact not registered.'
- END AS reason
- FROM
- account AS a
- JOIN
- alternate_security_contact AS c
- ON
- c.account_id = a.account_id;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ WITH alternate_security_contact AS (
+ SELECT
+ name,
+ account_id
+ FROM
+ aws_account_alternate_contact
+ WHERE
+ contact_type = 'SECURITY'
+ ),
+ account AS (
+ SELECT
+ arn,
+ partition,
+ title,
+ account_id,
+ _ctx,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_account
+ )
+ SELECT
+ arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.partition = 'aws-us-gov' THEN 'info'
+ WHEN c.name IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
+ WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
+ ELSE a.title || ' security contact not registered.'
+ END AS reason
+ FROM
+ account AS a
+ JOIN
+ alternate_security_contact AS c
+ ON
+ c.account_id = a.account_id;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_21.yaml b/compliance/controls/aws/aws_cis_v150_1_21.yaml
index 4b1bf8460..38af86075 100644
--- a/compliance/controls/aws/aws_cis_v150_1_21.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_21.yaml
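Review bot: The final query uses an inner `JOIN alternate_security_contact AS c`, so an account with no SECURITY alternate contact produces no row at all; the `WHEN c.name IS NOT NULL` test and the `ELSE 'alarm'` / `' security contact not registered.'` branches can never fire, and the exact condition this control exists to detect is never reported. Change it to `LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id` so accounts lacking the contact are emitted with status 'alarm'. Under the current join the GovCloud 'info' branch is likewise only reachable for accounts that already have a contact.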
@@ -1,20 +1,21 @@
id: aws_cis_v150_1_21
title: 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
+type: control
description: In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provided via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_3.yaml b/compliance/controls/aws/aws_cis_v150_1_3.yaml
index 3c9b2d59b..eeb733d96 100644
--- a/compliance/controls/aws/aws_cis_v150_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_3.yaml
@@ -1,20 +1,21 @@
id: aws_cis_v150_1_3
title: 1.3 Ensure security questions are registered in the AWS account
+type: control
description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_4.yaml b/compliance/controls/aws/aws_cis_v150_1_4.yaml
index ff8aa767f..aafe40949 100644
--- a/compliance/controls/aws/aws_cis_v150_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_4.yaml
@@ -1,26 +1,27 @@
id: aws_cis_v150_1_4
title: 1.4 Ensure no 'root' user account access key exists
+type: control
description: The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_account_summary
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_access_keys_present > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
- ELSE 'No root user access keys exist.'
- END AS reason
- FROM
- aws_iam_account_summary;
+ language: sql
+ primary_resource: aws_iam_account_summary
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
+ ELSE 'No root user access keys exist.'
+ END AS reason
+ FROM
+ aws_iam_account_summary;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_5.yaml b/compliance/controls/aws/aws_cis_v150_1_5.yaml
index a6a88b2ab..2f51b810b 100644
--- a/compliance/controls/aws/aws_cis_v150_1_5.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_5.yaml
@@ -1,26 +1,27 @@
id: aws_cis_v150_1_5
title: 1.5 Ensure MFA is enabled for the 'root' user account
+type: control
description: The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_account_summary
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_mfa_enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN account_mfa_enabled THEN 'MFA enabled for root account.'
- ELSE 'MFA not enabled for root account.'
- END AS reason
- FROM
- aws_iam_account_summary;
+ language: sql
+ primary_resource: aws_iam_account_summary
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_mfa_enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN account_mfa_enabled THEN 'MFA enabled for root account.'
+ ELSE 'MFA not enabled for root account.'
+ END AS reason
+ FROM
+ aws_iam_account_summary;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_7.yaml b/compliance/controls/aws/aws_cis_v150_1_7.yaml
index 632090270..f714fc07d 100644
--- a/compliance/controls/aws/aws_cis_v150_1_7.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_7.yaml
@@ -1,38 +1,39 @@
id: aws_cis_v150_1_7
title: 1.7 Eliminate use of the 'root' user for administrative and daily tasks
+type: control
description: With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm'
- WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'
- WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN password_last_used IS NULL THEN 'Root never logged in with password.'
- ELSE 'Root password used ' || TO_CHAR(password_last_used , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - password_last_used) || ' days).'
- END ||
- CASE
- WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.'
- ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_1_last_used_date) || ' days).'
- END ||
- CASE
- WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.'
- ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_2_last_used_date) || ' days).'
- END AS reason
- FROM
- aws_iam_credential_report
- WHERE
- user_name = '';
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm'
+ WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'
+ WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN password_last_used IS NULL THEN 'Root never logged in with password.'
+ ELSE 'Root password used ' || TO_CHAR(password_last_used , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - password_last_used) || ' days).'
+ END ||
+ CASE
+ WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.'
+ ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_1_last_used_date) || ' days).'
+ END ||
+ CASE
+ WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.'
+ ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_2_last_used_date) || ' days).'
+ END AS reason
+ FROM
+ aws_iam_credential_report
+ WHERE
+ user_name = '';
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_8.yaml b/compliance/controls/aws/aws_cis_v150_1_8.yaml
index 6eceb01ff..81233e62e 100644
--- a/compliance/controls/aws/aws_cis_v150_1_8.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_8.yaml
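Review bot: The access-key comparisons in the status CASE are inverted relative to the password one: `password_last_used >= (current_date - INTERVAL '90' day)` alarms on recent use, but `access_key_1_last_used_date <= (current_date - INTERVAL '90' day)` and the matching key 2 line alarm only when a key was last used more than 90 days ago, so recent root key usage is reported 'ok'. Both lines should read `WHEN access_key_1_last_used_date >= (current_date - INTERVAL '90' day) THEN 'alarm'` and `WHEN access_key_2_last_used_date >= (current_date - INTERVAL '90' day) THEN 'alarm'`. As written, the control passes the root account precisely when its keys are in active use.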
@@ -1,30 +1,31 @@
id: aws_cis_v150_1_8
title: 1.8 Ensure IAM password policy requires minimum length of 14 or greater
+type: control
description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || a.partition || ':::' || a.account_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN minimum_password_length >= 14 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimum_password_length IS NULL THEN 'No password policy set.'
- ELSE 'Minimum password length set to ' || minimum_password_length || '.'
- END AS reason
- FROM
- aws_account AS a
- LEFT JOIN
- aws_iam_account_password_policy AS pol
- ON
- a.account_id = pol.account_id;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || a.partition || ':::' || a.account_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN minimum_password_length >= 14 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimum_password_length IS NULL THEN 'No password policy set.'
+ ELSE 'Minimum password length set to ' || minimum_password_length || '.'
+ END AS reason
+ FROM
+ aws_account AS a
+ LEFT JOIN
+ aws_iam_account_password_policy AS pol
+ ON
+ a.account_id = pol.account_id;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_1_9.yaml b/compliance/controls/aws/aws_cis_v150_1_9.yaml
index 249375827..a7a114bcb 100644
--- a/compliance/controls/aws/aws_cis_v150_1_9.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_9.yaml
@@ -1,31 +1,32 @@
id: aws_cis_v150_1_9
title: 1.9 Ensure IAM password policy prevents password reuse
+type: control
description: IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || a.partition || ':::' || a.account_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_reuse_prevention >= 24 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimum_password_length IS NULL THEN 'No password policy set.'
- WHEN password_reuse_prevention IS NULL THEN 'Password reuse prevention not set.'
- ELSE 'Password reuse prevention set to ' || password_reuse_prevention || '.'
- END AS reason
- FROM
- aws_account AS a
- LEFT JOIN
- aws_iam_account_password_policy AS pol
- ON
- a.account_id = pol.account_id;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || a.partition || ':::' || a.account_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_reuse_prevention >= 24 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimum_password_length IS NULL THEN 'No password policy set.'
+ WHEN password_reuse_prevention IS NULL THEN 'Password reuse prevention not set.'
+ ELSE 'Password reuse prevention set to ' || password_reuse_prevention || '.'
+ END AS reason
+ FROM
+ aws_account AS a
+ LEFT JOIN
+ aws_iam_account_password_policy AS pol
+ ON
+ a.account_id = pol.account_id;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_2_1_1.yaml b/compliance/controls/aws/aws_cis_v150_2_1_1.yaml
index 8493a8b78..962c68ddf 100644
--- a/compliance/controls/aws/aws_cis_v150_2_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v150_2_1_1.yaml
@@ -1,26 +1,27 @@
id: aws_cis_v150_2_1_1
title: 2.1.1 Ensure all S3 buckets employ encryption-at-rest
+type: control
description: Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_s3_bucket
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.'
- ELSE name || ' default encryption disabled.'
- END AS reason
- FROM
- aws_s3_bucket;
+ language: sql
+ primary_resource: aws_s3_bucket
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.'
+ ELSE name || ' default encryption disabled.'
+ END AS reason
+ FROM
+ aws_s3_bucket;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_2_1_2.yaml b/compliance/controls/aws/aws_cis_v150_2_1_2.yaml
index f9a02bf00..8cb7d5c50 100644
--- a/compliance/controls/aws/aws_cis_v150_2_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v150_2_1_2.yaml
@@ -1,46 +1,47 @@ id: aws_cis_v150_2_1_2 title: 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests +type: control description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:securetransport' - ) AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = FALSE - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text( + s -> 'Condition' -> 'Bool' -> 'aws:securetransport' + ) AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = FALSE + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_1_3.yaml b/compliance/controls/aws/aws_cis_v150_2_1_3.yaml index ad9b94d3a..4d8787805 100644 --- a/compliance/controls/aws/aws_cis_v150_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_3.yaml 
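Review bot: The `ssl_ok` CTE unrolls `Action` and `Resource` into `a` and `r` but never filters on them, so any `Deny` with `Principal *` and `aws:securetransport: false` satisfies the control even when it is scoped to one action or one prefix (for example a Deny on `s3:GetObject` over `arn:aws:s3:::bucket/public/*`), and the `DISTINCT` hides the row multiplication that would otherwise expose this. CIS 2.1.2 expects the deny to cover the bucket and every object, so add `AND a IN ('s3:*', '*')` and `AND r IN (arn, arn || '/*')` to the WHERE clause, or drop the unused `a`/`r` unrolling if that filter is deliberately not wanted. The outer join `ON ok.name = b.name` works because bucket names are globally unique, but joining on `arn`, which the CTE already selects, would make that assumption explicit. Buckets with no policy at all yield no CTE row and correctly alarm; a one-line comment on the CTE saying so would help the next reader.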
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_1_3 title: 2.1.3 Ensure MFA Delete is enabled on S3 buckets +type: control description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' - ELSE name || ' MFA delete disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' + ELSE name || ' MFA delete disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_1_4.yaml b/compliance/controls/aws/aws_cis_v150_2_1_4.yaml index 1ebd0ae36..bf5838ab4 100644 --- a/compliance/controls/aws/aws_cis_v150_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_4.yaml 
@@ -1,37 +1,38 @@ id: aws_cis_v150_2_1_4 title: 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required +type: control description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_list AS ( - SELECT - TRIM(b::text, '"') AS bucket_name - FROM - aws_macie2_classification_job, - jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, - jsonb_array_elements(d -> 'Buckets') AS b - ) + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_list AS ( SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' - WHEN l.bucket_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' - ELSE b.title || ' not protected by Macie.' 
- END AS reason + TRIM(b::text, '"') AS bucket_name FROM - aws_s3_bucket AS b - LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; + aws_macie2_classification_job, + jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, + jsonb_array_elements(d -> 'Buckets') AS b + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' + WHEN l.bucket_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' + ELSE b.title || ' not protected by Macie.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_2_1.yaml b/compliance/controls/aws/aws_cis_v150_2_2_1.yaml index c5326f528..52d7a72e8 100644 --- a/compliance/controls/aws/aws_cis_v150_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_2_1.yaml 
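Review bot: `bucket_list` marks a bucket as protected whenever it appears in any Macie classification job definition, with no regard to the job's status or schedule, so a one-off job that ran once, or a cancelled one, keeps the bucket `ok` indefinitely. If the job table exposes a status or schedule column, restrict the CTE to active jobs (a `WHERE job_status IN ('RUNNING', 'IDLE')` guard, column name to be confirmed), and state in the description that the control is a proxy for "covered by a Macie job", not for "classified and secured". The CTE has no account or region scope, which is safe only because bucket names are globally unique and deserves a comment. `TRIM(b::text, '"')` can be replaced by `jsonb_array_elements_text(d -> 'Buckets') AS b` instead of stripping quotes from JSON text. The hunk interleaves old and new lines, so the new query is hard to read in this form.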
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_2_1 title: 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_3_1.yaml b/compliance/controls/aws/aws_cis_v150_2_3_1.yaml index 0e6fc6874..1fbc4940d 100644 --- a/compliance/controls/aws/aws_cis_v150_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_1.yaml 
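Review bot: The query evaluates individual EBS volumes, but CIS 2.2.1 ("Encryption is Enabled in all Regions") is about the account-level EBS encryption-by-default setting per region, which is what prevents the next unencrypted volume from being created; a region with that setting off but no unencrypted volumes yet passes here. If the platform exposes the regional EC2 settings, the benchmark check is per region, roughly `WHEN default_ebs_encryption_enabled THEN 'ok' ELSE 'alarm'` keyed by region (column name inferred, confirm against the schema). At minimum, reword the title and description to say this control reports existing unencrypted volumes, or keep both controls: volume-level for findings, region-level for the benchmark item.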
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_3_1 title: 2.3.1 Ensure that encryption is enabled for RDS Instances +type: control description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_3_2.yaml b/compliance/controls/aws/aws_cis_v150_2_3_2.yaml index 47cdc0472..3cb9a4671 100644 --- a/compliance/controls/aws/aws_cis_v150_2_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_2.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_3_2 title: 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances +type: control description: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades not enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades not enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_3_3.yaml b/compliance/controls/aws/aws_cis_v150_2_3_3.yaml index e6955dea8..4907edcd8 100644 --- a/compliance/controls/aws/aws_cis_v150_2_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_3.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_3_3 title: 2.3.3 Ensure that public access is not given to RDS Instance +type: control description: Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_2_4_1.yaml b/compliance/controls/aws/aws_cis_v150_2_4_1.yaml index c65bbdba7..9618fe7cf 100644 --- a/compliance/controls/aws/aws_cis_v150_2_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_4_1.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v150_2_4_1 title: 2.4.1 Ensure that encryption is enabled for EFS file systems +type: control description: EFS data should be encrypted at rest using AWS KMS (Key Management Service). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_efs_file_system; + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_efs_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_3_10.yaml b/compliance/controls/aws/aws_cis_v150_3_10.yaml index 2d22128b1..fc82fe243 100644 --- a/compliance/controls/aws/aws_cis_v150_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_10.yaml 
@@ -1,52 +1,53 @@ id: aws_cis_v150_3_10 title: 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' - ELSE b.name || ' object-level write events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, - b.region, - b.arn, - b.name, - b.tags, - b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' + ELSE b.name || ' object-level write events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, + b.region, + b.arn, + b.name, + b.tags, + b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_3_11.yaml b/compliance/controls/aws/aws_cis_v150_3_11.yaml index c61a5c227..35361b013 100644 --- a/compliance/controls/aws/aws_cis_v150_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_11.yaml 
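Review bot: The join predicate `bucket_selector LIKE (b.arn || '%')` matches on ARN prefix, so a selector for `arn:aws:s3:::logs-archive/` also marks bucket `logs` as logged; CloudTrail data-resource values are either the bare bucket ARN or `<arn>/<prefix>`, so use `bucket_selector = b.arn OR bucket_selector LIKE b.arn || '/%'`. The catch-all `bucket_selector = 'arn:aws:s3'` hard-codes the `aws` partition and misses "all buckets" selectors on GovCloud or China trails (`arn:aws-us-gov:s3`); build it from the bucket's partition column if the table has one, as the account controls in this change do with `a.partition`. `b.platform_integration_id` and `b.platform_resource_id` are selected but absent from the GROUP BY, which Postgres accepts only when the grouped columns include the table's primary key, so confirm this runs or add them to the GROUP BY alongside `b.arn`.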
@@ -1,47 +1,48 @@ id: aws_cis_v150_3_11 title: 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' - ELSE b.name || ' object-level read events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' + ELSE b.name || ' object-level read events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_3_2.yaml b/compliance/controls/aws/aws_cis_v150_3_2.yaml index b2535ba55..663a0979a 100644 --- a/compliance/controls/aws/aws_cis_v150_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_2.yaml 
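Review bot: `s3_selectors` reads only `event_selectors`, so trails configured with advanced event selectors (the newer API that most per-bucket data-event configurations use) are invisible here and every bucket they cover alarms as `read events logging disabled`. If the trail table exposes `advanced_event_selectors`, union those in by matching `resources.ARN` field selectors with `Equals`/`StartsWith`; otherwise document the limitation in the description so the alarm is not read as a real gap. The `is_multi_region_trail` filter also discards a single-region trail that logs a same-region bucket, which is stricter than the benchmark text. This query is a copy of 3.10 with `ReadOnly` swapped in, so the prefix matching on `b.arn || '%'` and the hard-coded `arn:aws:s3` catch-all carry the same false-match and partition problems.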
@@ -1,28 +1,29 @@ id: aws_cis_v150_3_2 title: 3.2 Ensure CloudTrail log file validation is enabled +type: control description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_3_3.yaml b/compliance/controls/aws/aws_cis_v150_3_3.yaml index b62470764..6ed0562fd 100644 --- a/compliance/controls/aws/aws_cis_v150_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_3.yaml 
@@ -1,64 +1,65 @@ id: aws_cis_v150_3_3 title: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible +type: control description: CloudTrail logs a record of every API call made in your AWS account. These logs files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_bucket_data AS ( - SELECT - t.s3_bucket_name AS name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, - COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*' ) AS anon_statements, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id - FROM - aws_cloudtrail_trail AS t - LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name - LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE - LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE - LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE - GROUP BY - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - t.platform_integration_id, - t.platform_resource_id - ) - SELECT - CASE - WHEN arn IS NULL THEN 'arn:aws:s3::' || name - ELSE arn - END AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN arn IS NULL THEN 'skip' - WHEN all_user_grants > 0 THEN 'alarm' - WHEN auth_user_grants > 0 THEN 'alarm' - WHEN anon_statements > 0 THEN 'alarm' 
- ELSE 'ok' - END AS status, - CASE - WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' - WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' - WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' - WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' - ELSE name || ' does not grant anonymous access in ACL or bucket policy.' - END AS reason - FROM - public_bucket_data; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_bucket_data AS ( + SELECT + t.s3_bucket_name AS name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, + COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*' ) AS anon_statements, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id + FROM + aws_cloudtrail_trail AS t + LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name + LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE + LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE + LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE + GROUP BY + t.s3_bucket_name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + t.platform_integration_id, + t.platform_resource_id + ) + SELECT + CASE + WHEN arn IS NULL THEN 'arn:aws:s3::' || name + ELSE arn + END AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN arn IS NULL THEN 'skip' + WHEN all_user_grants > 0 THEN 'alarm' + WHEN auth_user_grants > 0 THEN 'alarm' + WHEN anon_statements > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE 
+ WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' + WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' + WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' + WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' + ELSE name || ' does not grant anonymous access in ACL or bucket policy.' + END AS reason + FROM + public_bucket_data; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_3_4.yaml b/compliance/controls/aws/aws_cis_v150_3_4.yaml index 42f0d31ed..420bb7b9a 100644 --- a/compliance/controls/aws/aws_cis_v150_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_4.yaml 
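Review bot: The policy-branch reason is malformed, `' grants access to AWS:*" in bucket policy.'` carries an unmatched double quote and should read `' grants access to AWS:* in bucket policy.'`; the synthetic resource `'arn:aws:s3::' || name` is also one colon short of the S3 ARN form `arn:aws:s3:::` || name and hard-codes the partition. On substance, `anon_statements` counts every `Allow` with principal `*` without looking at `Condition`, so a statement gated by `aws:SourceArn` or `aws:PrincipalOrgID` is reported as anonymous access; that is a conservative false positive and acceptable for a CIS check, but the description should say so. The `arn IS NULL` skip is the normal case for an organization trail delivering to a log-archive account, so the reason should say the bucket is outside the scanned account rather than "not found".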
@@ -1,28 +1,29 @@
id: aws_cis_v150_3_4
title: 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
+type: control
description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.'
- ELSE title || ' not integrated with CloudWatch logs.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.'
+ ELSE title || ' not integrated with CloudWatch logs.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_3_5.yaml b/compliance/controls/aws/aws_cis_v150_3_5.yaml
index edcb01946..e6c452666 100644
--- a/compliance/controls/aws/aws_cis_v150_3_5.yaml
+++ b/compliance/controls/aws/aws_cis_v150_3_5.yaml
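Review bot: The freshness test uses `latest_delivery_time`, which in the CloudTrail API is the last delivery to S3, not to CloudWatch Logs; CIS 3.4 audits the CloudWatch Logs delivery time, so a trail whose log group exists but whose CloudWatch delivery is broken (for example a revoked `CloudWatchLogsRoleArn`) still reports `integrated with CloudWatch logs` as long as S3 delivery works. If the trail table exposes the CloudWatch delivery timestamp (commonly `latest_cloud_watch_logs_delivery_time`, to be confirmed), compare that instead: `WHEN log_group_arn IS NOT NULL AND latest_cloud_watch_logs_delivery_time > current_date - 1 THEN 'ok'`. `log_group_arn != 'null'` compares against the string `'null'`; a real SQL NULL makes the predicate UNKNOWN and falls through to `alarm`, which happens to be the desired result, but `IS NOT NULL` (kept alongside the string check if the plugin really emits `'null'`) states the intent.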
@@ -1,63 +1,64 @@ id: aws_cis_v150_3_5 title: 3.5 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_config_configuration_recorder - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_config_configuration_recorder + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'ok' + WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' + ELSE 'alarm' + END AS status, + CASE + WHEN 
a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' + ELSE CASE - WHEN - g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'ok' - WHEN a.opt_in_status = 'not-opted-in' THEN 'skip' - ELSE 'alarm' - END AS status, + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || CASE - WHEN a.opt_in_status = 'not-opted-in' THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' THEN ' and LastStatus is SUCCESS.' - ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN aws_config_configuration_recorder AS r - ON r.account_id = a.account_id AND r.region = a.name; + WHEN recording_group -> 'AllSupported' = 'true' THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN aws_config_configuration_recorder AS r + ON r.account_id = a.account_id AND r.region = a.name; severity: low tags: {} 
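Review bot: `global_recorders` counts recorders across the whole table with no account scope, and the final FROM is a cross join `global_recorders AS g, aws_region AS a` with no `g.account_id = a.account_id`, so in a multi-account inventory one account with a global-resource recorder satisfies `g.global_config_recorders >= 1` for every account, and an account with no global recorder of its own is never alarmed for that. Scope the CTE per account, `SELECT account_id, COUNT(*) AS global_config_recorders ... GROUP BY account_id`, join it with `LEFT JOIN global_recorders AS g ON g.account_id = a.account_id`, and test `COALESCE(g.global_config_recorders, 0) >= 1`. `recording_group -> 'AllSupported' = 'true'` compares jsonb against a jsonb literal while the `status` checks use `->>`; use `->>` in both for consistency, and note that recorders created with the newer `RecordingStrategy` setting may report `AllSupported` differently, which should be verified. The hunk interleaves old and new lines, so the new query is hard to follow in this form.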
diff --git a/compliance/controls/aws/aws_cis_v150_3_6.yaml b/compliance/controls/aws/aws_cis_v150_3_6.yaml
index d4349e556..c8a836be2 100644
--- a/compliance/controls/aws/aws_cis_v150_3_6.yaml
+++ b/compliance/controls/aws/aws_cis_v150_3_6.yaml
@@ -1,31 +1,32 @@
 id: aws_cis_v150_3_6
 title: 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
+type: control
 description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- t.arn AS resource,
- t.platform_integration_id AS platform_integration_id,
- t.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.logging IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'
- ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'
- END AS reason
- FROM
- aws_cloudtrail_trail t
- INNER JOIN
- aws_s3_bucket b
- ON t.s3_bucket_name = b.name
- WHERE
- t.region = t.home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ t.arn AS resource,
+ t.platform_integration_id AS platform_integration_id,
+ t.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.logging IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'
+ ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail t
+ INNER JOIN
+ aws_s3_bucket b
+ ON t.s3_bucket_name = b.name
+ WHERE
+ t.region = t.home_region;
 severity: low
 tags: {}
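Review bot: The `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` silently drops every trail whose destination bucket is not in the inventory (for example a trail that writes to a bucket owned by a separate logging account), so those trails produce neither 'ok' nor 'alarm' and the control reports nothing for them. A `LEFT JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` with an explicit branch in both CASE expressions, `WHEN b.name IS NULL THEN 'skip'` and `WHEN b.name IS NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in inventory.'`, keeps them visible. The `b.logging IS NOT NULL` test presumably means the logging configuration block is present; if that column can hold an empty object, the check should look at the target-bucket field inside it instead — worth confirming against the table schema.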
diff --git a/compliance/controls/aws/aws_cis_v150_3_7.yaml b/compliance/controls/aws/aws_cis_v150_3_7.yaml
index 5c5536a39..431e889b0 100644
--- a/compliance/controls/aws/aws_cis_v150_3_7.yaml
+++ b/compliance/controls/aws/aws_cis_v150_3_7.yaml
@@ -1,28 +1,29 @@
 id: aws_cis_v150_3_7
 title: 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
+type: control
 description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
- ELSE title || ' logs are encrypted at rest.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
+ ELSE title || ' logs are encrypted at rest.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_3_8.yaml b/compliance/controls/aws/aws_cis_v150_3_8.yaml
index 06d00fe8a..647cba50f 100644
--- a/compliance/controls/aws/aws_cis_v150_3_8.yaml
+++ b/compliance/controls/aws/aws_cis_v150_3_8.yaml
@@ -1,34 +1,35 @@
 id: aws_cis_v150_3_8
 title: 3.8 Ensure rotation for customer created symmetric CMKs is enabled
+type: control
 description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_kms_key
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN origin = 'EXTERNAL' THEN 'skip'
- WHEN key_state = 'PendingDeletion' THEN 'skip'
- WHEN key_state = 'Disabled' THEN 'skip'
- WHEN NOT key_rotation_enabled THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.'
- WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.'
- WHEN key_state = 'Disabled' THEN title || ' is disabled.'
- WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.'
- ELSE title || ' key rotation enabled.'
- END AS reason
- FROM
- aws_kms_key
- WHERE
- key_manager = 'CUSTOMER';
+ language: sql
+ primary_resource: aws_kms_key
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN origin = 'EXTERNAL' THEN 'skip'
+ WHEN key_state = 'PendingDeletion' THEN 'skip'
+ WHEN key_state = 'Disabled' THEN 'skip'
+ WHEN NOT key_rotation_enabled THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.'
+ WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.'
+ WHEN key_state = 'Disabled' THEN title || ' is disabled.'
+ WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.'
+ ELSE title || ' key rotation enabled.'
+ END AS reason
+ FROM
+ aws_kms_key
+ WHERE
+ key_manager = 'CUSTOMER';
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_3_9.yaml b/compliance/controls/aws/aws_cis_v150_3_9.yaml
index e89126f50..937085a71 100644
--- a/compliance/controls/aws/aws_cis_v150_3_9.yaml
+++ b/compliance/controls/aws/aws_cis_v150_3_9.yaml
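Review bot: `WHEN NOT key_rotation_enabled THEN 'alarm'` falls through to `ELSE 'ok'` when `key_rotation_enabled` is NULL, so a customer key whose rotation status could not be determined is reported as compliant; `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` (and the matching branch in the reason CASE) closes that gap. The description scopes the control to symmetric keys and states that asymmetric CMKs cannot rotate, but the query filters only on `key_manager = 'CUSTOMER'`; if the table exposes the key spec, an explicit skip branch for asymmetric keys would make the outcome match the stated scope rather than depend on how the collector fills the rotation flag for them.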
@@ -1,55 +1,56 @@
 id: aws_cis_v150_3_9
 title: 3.9 Ensure VPC flow logging is enabled in all VPCs
+type: control
 description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc
- definition: |
- WITH vpcs AS (
- SELECT
- arn,
- account_id,
- region,
- owner_id,
- vpc_id,
- tags,
- _ctx,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_vpc
- ORDER BY
- vpc_id
- ),
- flowlogs AS (
- SELECT
- resource_id,
- account_id,
- region
- FROM
- aws_vpc_flow_log
- ORDER BY
- resource_id
- )
- SELECT
- v.arn AS resource,
- v.platform_integration_id AS platform_integration_id,
- v.platform_resource_id AS platform_resource_id,
- CASE
- WHEN v.account_id <> v.owner_id THEN 'skip'
- WHEN f.resource_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.'
- WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.'
- ELSE v.vpc_id || ' flow logging disabled.'
- END AS reason
- FROM
- vpcs AS v
- LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id;
+ language: sql
+ primary_resource: aws_vpc
+ definition: |
+ WITH vpcs AS (
+ SELECT
+ arn,
+ account_id,
+ region,
+ owner_id,
+ vpc_id,
+ tags,
+ _ctx,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_vpc
+ ORDER BY
+ vpc_id
+ ),
+ flowlogs AS (
+ SELECT
+ resource_id,
+ account_id,
+ region
+ FROM
+ aws_vpc_flow_log
+ ORDER BY
+ resource_id
+ )
+ SELECT
+ v.arn AS resource,
+ v.platform_integration_id AS platform_integration_id,
+ v.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN v.account_id <> v.owner_id THEN 'skip'
+ WHEN f.resource_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.'
+ WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.'
+ ELSE v.vpc_id || ' flow logging disabled.'
+ END AS reason
+ FROM
+ vpcs AS v
+ LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_4_10.yaml b/compliance/controls/aws/aws_cis_v150_4_10.yaml
index 09f718df9..b23c037ea 100644
--- a/compliance/controls/aws/aws_cis_v150_4_10.yaml
+++ b/compliance/controls/aws/aws_cis_v150_4_10.yaml
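Review bot: `LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id` is one-to-many, so a VPC with several flow logs yields duplicate result rows, and the join ignores the `account_id` and `region` columns that the `flowlogs` CTE selects. Making the CTE `SELECT DISTINCT resource_id, account_id, region` and joining on all three, `ON v.vpc_id = f.resource_id AND v.account_id = f.account_id AND v.region = f.region`, gives one row per VPC and keeps the match scoped to the owning account and region. The description calls for flow logs that capture rejected packets, but the query only tests that some flow log exists; if the flow-log table carries a traffic-type field, that condition should be checked, otherwise the description should be softened to match. The `ORDER BY` inside both CTEs has no effect on the final result and can be dropped.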
@@ -1,90 +1,91 @@ id: aws_cis_v150_4_10 title: 4.10 Ensure a log metric filter and alarm exist for security group changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - 
t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for security group changes.' - ELSE filter_name || ' forwards events for security group changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for security group changes.' + ELSE filter_name || ' forwards events for security group changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_4_14.yaml b/compliance/controls/aws/aws_cis_v150_4_14.yaml index 548ab6abe..526381cd4 100644 --- a/compliance/controls/aws/aws_cis_v150_4_14.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_14.yaml 
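Review bot: The `filter.filter_pattern ~ '...'` test in the `metric_filters` CTE requires the six eventName terms in one fixed order joined by `.+`, so a metric filter that lists the same events in a different order is reported as 'alarm' although it is functionally equivalent; the same construction appears in the 4.14, 4.3 and 4.5 hunks of this change. A more robust check is one independent `~` test per event name combined with `AND`, or at minimum a comment above the `WHERE` stating `-- pattern must list the events in the CIS-published order; reordered filters are reported as missing`. The `trails` CTE also multiplies each trail by its event selectors via `jsonb_array_elements(trail.event_selectors) AS se` and the outer `SELECT DISTINCT` then collapses the duplicates; a `WHERE EXISTS (SELECT 1 FROM jsonb_array_elements(trail.event_selectors) AS se WHERE se ->> 'ReadWriteType' = 'All')` avoids the fan-out and makes the `DISTINCT` unnecessary.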
@@ -1,90 +1,91 @@ id: aws_cis_v150_4_14 title: 4.14 Ensure a log metric filter and alarm exist for VPC changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' - ELSE filter_name || ' forwards events for VPC changes.' 
- END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + 
DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' + ELSE filter_name || ' forwards events for VPC changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_4_16.yaml b/compliance/controls/aws/aws_cis_v150_4_16.yaml index 526bd230e..6a47fa200 100644 --- a/compliance/controls/aws/aws_cis_v150_4_16.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_16.yaml 
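Review bot: The outer `SELECT` references `t.platform_integration_id` and `t.platform_resource_id`, but no alias `t` is in scope there — the `FROM` clause has only `aws_account AS a` and `filter_data AS f`, and `t` is local to the `filter_data` CTE — so this definition should fail with a missing FROM-clause entry when executed; the sibling 4.10, 4.3 and 4.5 controls use `a.platform_integration_id AS platform_integration_id,` and `a.platform_resource_id AS platform_resource_id,`, which is the intended form. `primary_resource: aws_cloudtrail_trail` is also out of step with those siblings, which declare `aws_account` for the same account-level resource ARN; `primary_resource: aws_account` would be consistent. The event-name regex has the same fixed-order dependency raised on the 4.10 hunk.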
@@ -1,31 +1,32 @@
 id: aws_cis_v150_4_16
 title: 4.16 Ensure AWS Security Hub is enabled
+type: control
 description: Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_securityhub_hub
- definition: |
- SELECT
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource,
- r.platform_integration_id AS platform_integration_id,
- r.platform_resource_id AS platform_resource_id,
- CASE
- WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN 'skip'
- WHEN r.opt_in_status = 'not-opted-in' THEN 'skip'
- WHEN h.hub_arn IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN r.region || ' region not supported.'
- WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.'
- WHEN h.hub_arn IS NOT NULL THEN 'Security Hub enabled in ' || r.region || '.'
- ELSE 'Security Hub disabled in ' || r.region || '.'
- END AS reason
- FROM
- aws_region AS r
- LEFT JOIN aws_securityhub_hub AS h ON r.account_id = h.account_id AND r.name = h.region;
+ language: sql
+ primary_resource: aws_securityhub_hub
+ definition: |
+ SELECT
+ 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource,
+ r.platform_integration_id AS platform_integration_id,
+ r.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN 'skip'
+ WHEN r.opt_in_status = 'not-opted-in' THEN 'skip'
+ WHEN h.hub_arn IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN r.region || ' region not supported.'
+ WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.'
+ WHEN h.hub_arn IS NOT NULL THEN 'Security Hub enabled in ' || r.region || '.'
+ ELSE 'Security Hub disabled in ' || r.region || '.'
+ END AS reason
+ FROM
+ aws_region AS r
+ LEFT JOIN aws_securityhub_hub AS h ON r.account_id = h.account_id AND r.name = h.region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v150_4_3.yaml b/compliance/controls/aws/aws_cis_v150_4_3.yaml
index d2b6e6518..d02662c08 100644
--- a/compliance/controls/aws/aws_cis_v150_4_3.yaml
+++ b/compliance/controls/aws/aws_cis_v150_4_3.yaml
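Review bot: The hard-coded `ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3'])` skip list is duplicated in both CASE expressions and encodes a point-in-time view of Security Hub availability; if a listed region later gains support, accounts that never enabled Security Hub there are silently 'skip'ped instead of 'alarm'ed, a coverage gap in the wrong direction for a detection control. Hoist the list into one place (a CTE or a `VALUES` list) and record its provenance, e.g. `-- Regions without Security Hub support as of <last-review-date>; re-verify before editing.` The join condition uses `r.name = h.region` while the SELECT and the skip test use `r.region`; if both `aws_region` columns are meant to hold the same value, use one consistently so a reader does not have to check.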
@@ -1,88 +1,89 @@ id: aws_cis_v150_4_3 title: 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - 
SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' - ELSE filter_name || ' forwards events for usage of "root" account.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN 
topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' + ELSE filter_name || ' forwards events for usage of "root" account.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_4_5.yaml b/compliance/controls/aws/aws_cis_v150_4_5.yaml index 161abd97a..69662ae74 100644 --- a/compliance/controls/aws/aws_cis_v150_4_5.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_5.yaml 
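Review bot: In the root-usage pattern, `\$\.userIdentity\.invokedBy NOT EXISTS` matches only a single literal space on either side of `NOT`, whereas every other token in the same expression tolerates whitespace with `\s*`; a filter written with different spacing around `NOT EXISTS` is reported as missing. Replacing that fragment with `\$\.userIdentity\.invokedBy\s+NOT\s+EXISTS` keeps the check equally strict on content and consistent with the rest of the regex. The result also emits a trailing `a.account_id` column that the sibling 4.10, 4.14 and 4.5 controls do not; if the framework ignores unknown columns this is harmless, otherwise it should be dropped for consistency. The fixed-order concern raised on the 4.10 hunk applies to this pattern as well.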
@@ -1,90 +1,91 @@ id: aws_cis_v150_4_5 title: 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - 
JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' - ELSE filter_name || ' forwards events for CloudTrail configuration changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + 
metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' + ELSE filter_name || ' forwards events for CloudTrail configuration changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_4_7.yaml b/compliance/controls/aws/aws_cis_v150_4_7.yaml index 8cfc6e6d8..0901d7e1f 100644 --- a/compliance/controls/aws/aws_cis_v150_4_7.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_7.yaml 
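Review bot: The definition ends at `LEFT JOIN filter_data AS f ON a.account_id = f.account_id` with no terminating semicolon, unlike every other control in this change; harmless for a single statement but inconsistent, and it would break if the definitions were ever concatenated. Change that last line to `LEFT JOIN filter_data AS f ON a.account_id = f.account_id;`. The fixed-order event-name regex concern raised on the 4.10 hunk applies here too.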
@@ -1,90 +1,91 @@ id: aws_cis_v150_4_7 title: 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer-created CMKs that have changed state to disabled or scheduled deletion. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name 
- JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + JSONB_ARRAY_ELEMENTS_TEXT(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + 
JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' + ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_4_8.yaml b/compliance/controls/aws/aws_cis_v150_4_8.yaml index 0d72071c5..6148d0329 100644 --- a/compliance/controls/aws/aws_cis_v150_4_8.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_8.yaml 
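Review bot: The `metric_filters` regex requires its three terms in one fixed order (`eventSource`, then `DisableKey`, then `ScheduleKeyDeletion`, chained with `.+`), so a filter pattern that expresses the same conditions with `ScheduleKeyDeletion` listed before `DisableKey` is not recognised and the account is reported as `alarm` although the required alarm exists. Unless the repository deliberately standardises on the exact CIS reference text, test each term on its own, e.g. `filter.filter_pattern ~ '\$\.eventSource\s*=\s*kms\.amazonaws\.com' AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DisableKey' AND filter.filter_pattern ~ '\$\.eventName\s*=\s*ScheduleKeyDeletion'`. The same ordering constraint is present in the CloudTrail configuration-changes control in the preceding hunk and in `aws_cis_v150_4_8` below. As a smaller point, `kms.amazonaws.com` leaves its dots unescaped; `kms\.amazonaws\.com` is what is meant.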
@@ -1,92 +1,93 @@ id: aws_cis_v150_4_8 title: 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$.eventSource\s*=\s*s3.amazonaws.com.+ - \$.eventName\s*=\s*PutBucketAcl.+\$.eventName\s*=\s*PutBucketPolicy.+ - \$.eventName\s*=\s*PutBucketCors.+\$.eventName\s*=\s*PutBucketLifecycle.+ - \$.eventName\s*=\s*PutBucketReplication.+\$.eventName\s*=\s*DeleteBucketPolicy.+ - \$.eventName\s*=\s*DeleteBucketCors.+\$.eventName\s*=\s*DeleteBucketLifecycle.+ - \$.eventName\s*=\s*DeleteBucketReplication' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - 
t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' - ELSE filter_name || ' forwards events for S3 bucket policy changes.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$.eventSource\s*=\s*s3.amazonaws.com.+ + \$.eventName\s*=\s*PutBucketAcl.+\$.eventName\s*=\s*PutBucketPolicy.+ 
+ \$.eventName\s*=\s*PutBucketCors.+\$.eventName\s*=\s*PutBucketLifecycle.+ + \$.eventName\s*=\s*PutBucketReplication.+\$.eventName\s*=\s*DeleteBucketPolicy.+ + \$.eventName\s*=\s*DeleteBucketCors.+\$.eventName\s*=\s*DeleteBucketLifecycle.+ + \$.eventName\s*=\s*DeleteBucketReplication' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' + ELSE filter_name || ' forwards events for S3 bucket policy changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_5_2.yaml b/compliance/controls/aws/aws_cis_v150_5_2.yaml index 2ba2795d9..57202d5ef 100644 --- a/compliance/controls/aws/aws_cis_v150_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_5_2.yaml 
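Review bot: The `metric_filters` regex literal is broken across six physical lines inside the YAML `|` block scalar, so the newline and indentation between `s3.amazonaws.com.+` and the next `\$.eventName` (and so on for each continuation line) become part of the pattern and must match literally, because whitespace in a PostgreSQL regex is significant unless the expanded flag is set. No CloudWatch filter pattern carries that exact line-break-plus-indentation text, so `filter_data` is effectively always empty and every account is reported as `alarm` regardless of its configuration. Assemble the pattern from one-line pieces with `||` so that no line break enters the literal, as below; the fragments are unchanged. Separately, `\$.eventSource` and `\$.eventName` leave the `.` unescaped here while `aws_cis_v150_4_7` writes `\$\.eventName`; `\.` is what is meant.
```sql
FROM
  aws_cloudwatch_log_metric_filter AS filter
WHERE
  filter.filter_pattern ~ (
    '\s*\$.eventSource\s*=\s*s3.amazonaws.com.+'
    || '\$.eventName\s*=\s*PutBucketAcl.+\$.eventName\s*=\s*PutBucketPolicy.+'
    || '\$.eventName\s*=\s*PutBucketCors.+\$.eventName\s*=\s*PutBucketLifecycle.+'
    || '\$.eventName\s*=\s*PutBucketReplication.+\$.eventName\s*=\s*DeleteBucketPolicy.+'
    || '\$.eventName\s*=\s*DeleteBucketCors.+\$.eventName\s*=\s*DeleteBucketLifecycle.+'
    || '\$.eventName\s*=\s*DeleteBucketReplication'
  )
-- … unchanged: ORDER BY filter_name, the filter_data CTE and the final SELECT …
```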
@@ -1,61 +1,62 @@ id: aws_cis_v150_5_2 title: 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' -- all traffic - AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - OR (from_port >= 3389 AND to_port <= 3389) - ) - GROUP BY - group_id - ), - security_groups AS ( - SELECT - arn, - tags, - region, - account_id, - group_id, - _ctx - FROM - aws_vpc_security_group - ORDER BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- END AS reason - FROM - security_groups AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' -- all traffic + AND from_port IS NULL) + OR (from_port >= 22 AND to_port <= 22) + OR (from_port >= 3389 AND to_port <= 3389) + ) + GROUP BY + group_id + ), + security_groups AS ( + SELECT + arn, + tags, + region, + account_id, + group_id, + _ctx + FROM + aws_vpc_security_group + ORDER BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + security_groups AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_5_3.yaml b/compliance/controls/aws/aws_cis_v150_5_3.yaml index a37ba565d..b83bc2e6c 100644 --- a/compliance/controls/aws/aws_cis_v150_5_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_5_3.yaml 
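Review bot: The outer `SELECT` reads `sg.platform_integration_id` and `sg.platform_resource_id`, but the `security_groups` CTE it selects from only exposes `arn, tags, region, account_id, group_id, _ctx`, so the query fails with an unknown-column error as written (compare `aws_cis_v150_5_3`, which selects from `aws_vpc_security_group` directly). Add `platform_integration_id, platform_resource_id` to the CTE's column list or drop the CTE. Separately, the port tests `(from_port >= 22 AND to_port <= 22)` and `(from_port >= 3389 AND to_port <= 3389)` match only rules whose range is exactly that single port; a `tcp` rule with `from_port` 0 and `to_port` 65535 opens both administration ports but is not counted because it is neither `ip_protocol = '-1'` nor an exact single-port range. The range-inclusion test is `(from_port <= 22 AND to_port >= 22) OR (from_port <= 3389 AND to_port >= 3389)`; the same condition appears in `aws_cis_v150_5_3`.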
@@ -1,46 +1,47 @@ id: aws_cis_v150_5_3 title: 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - OR (from_port >= 3389 AND to_port <= 3389) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 22 AND to_port <= 22) + OR (from_port >= 3389 AND to_port <= 3389) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_5_4.yaml b/compliance/controls/aws/aws_cis_v150_5_4.yaml index f48c78c59..44c905689 100644 --- a/compliance/controls/aws/aws_cis_v150_5_4.yaml +++ b/compliance/controls/aws/aws_cis_v150_5_4.yaml 
@@ -1,33 +1,34 @@ id: aws_cis_v150_5_4 title: 5.4 Ensure the default security group of every VPC restricts all traffic +type: control description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) > 0 - THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' - WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) = 0 - THEN 'Default security group ' || group_id || ' has inbound rules.' - WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) > 0 - THEN 'Default security group ' || group_id || ' has outbound rules.' - ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- END AS reason - FROM - aws_vpc_security_group - WHERE - group_name = 'default'; + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) > 0 + THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' + WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) = 0 + THEN 'Default security group ' || group_id || ' has inbound rules.' + WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) > 0 + THEN 'Default security group ' || group_id || ' has outbound rules.' + ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' + END AS reason + FROM + aws_vpc_security_group + WHERE + group_name = 'default'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v150_5_5.yaml b/compliance/controls/aws/aws_cis_v150_5_5.yaml index 5b77f1b7f..e9c13def4 100644 --- a/compliance/controls/aws/aws_cis_v150_5_5.yaml +++ b/compliance/controls/aws/aws_cis_v150_5_5.yaml 
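Review bot: The status `CASE` falls through to `alarm` when `jsonb_array_length(ip_permissions)` or `jsonb_array_length(ip_permissions_egress)` evaluates to NULL, while the reason `CASE` falls through to `... has no inbound or outbound rules.` for the same row, so a default group whose rule arrays are absent (if the source table stores them as NULL rather than `[]` — confirm against the schema) would be flagged non-compliant with a reason that says it is compliant. Wrapping both lengths, e.g. `COALESCE(jsonb_array_length(ip_permissions), 0)` and `COALESCE(jsonb_array_length(ip_permissions_egress), 0)`, makes the two `CASE` expressions agree on every row.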
@@ -1,20 +1,21 @@ id: aws_cis_v150_5_5 title: 5.5 Ensure routing tables for VPC peering are "least access" +type: control description: Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_1.yaml b/compliance/controls/aws/aws_cis_v200_1_1.yaml index abefedd4b..e607da0bf 100644 --- a/compliance/controls/aws/aws_cis_v200_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_1.yaml 
@@ -1,20 +1,21 @@
 id: aws_cis_v200_1_1
 title: 1.1 Maintain current contact details
+type: control
 description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v200_1_10.yaml b/compliance/controls/aws/aws_cis_v200_1_10.yaml
index 4a427d5f2..f8891ee8c 100644
--- a/compliance/controls/aws/aws_cis_v200_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_10.yaml
@@ -1,27 +1,28 @@
 id: aws_cis_v200_1_10
 title: 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
+type: control
 description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_enabled AND NOT mfa_active THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT password_enabled THEN user_name || ' password login disabled.'
- WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
- ELSE user_name || ' password login enabled and MFA device configured.'
- END AS reason
- FROM
- aws_iam_credential_report;
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_enabled AND NOT mfa_active THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT password_enabled THEN user_name || ' password login disabled.'
+ WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
+ ELSE user_name || ' password login enabled and MFA device configured.'
+ END AS reason
+ FROM
+ aws_iam_credential_report;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v200_1_11.yaml b/compliance/controls/aws/aws_cis_v200_1_11.yaml
index 9eb4484c2..f6c4a22fa 100644
--- a/compliance/controls/aws/aws_cis_v200_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_11.yaml
@@ -1,29 +1,30 @@ id: aws_cis_v200_1_11 title: 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND (EXTRACT(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' - WHEN password_enabled AND (EXTRACT(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND (EXTRACT(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' 
+ WHEN password_enabled AND (EXTRACT(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_12.yaml b/compliance/controls/aws/aws_cis_v200_1_12.yaml index a6d73c192..285b82875 100644 --- a/compliance/controls/aws/aws_cis_v200_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_12.yaml 
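Review bot: Only `access_key_1_last_rotated` is compared against `user_creation_time` in both the status and the reason `CASE`, so the second key slot of the credential report is never examined; if the report can carry the setup-time key in that slot (for instance after the first key was deleted), it is missed, and the reason `... has no access keys.` is emitted whenever key 1 is absent even when key 2 exists. Extend the check symmetrically: `WHEN password_enabled AND (EXTRACT(epoch FROM (access_key_1_last_rotated - user_creation_time)) < 10 OR EXTRACT(epoch FROM (access_key_2_last_rotated - user_creation_time)) < 10) THEN 'alarm'` and `WHEN access_key_1_last_rotated IS NULL AND access_key_2_last_rotated IS NULL THEN user_name || ' has no access keys.'`. The literal `10` is a window in seconds and deserves a comment such as `-- a key created within 10 seconds of the user counts as created during setup`.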
@@ -1,60 +1,61 @@ id: aws_cis_v200_1_12 title: 1.12 Ensure credentials unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - ELSE 'ok' - END status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + ELSE 'ok' + END status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL + THEN ' key 1 
created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_13.yaml b/compliance/controls/aws/aws_cis_v200_1_13.yaml index f0e434b4a..2f1d45eee 100644 --- a/compliance/controls/aws/aws_cis_v200_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_13.yaml 
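Review bot: `END status` on the first `CASE` omits the `AS` that every other alias in this query and in the sibling controls uses; `END AS status` keeps the style uniform. The 45-day threshold is spelled out six times as `INTERVAL '45' DAY` in the status `CASE` while `parameters: []` stays empty; hoisting it into a named parameter (if the `parameters` block supports that) or, at minimum, a single comment such as `-- CIS 1.12: credentials unused for 45 days or more` would keep the threshold auditable in one place.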
@@ -1,33 +1,34 @@
 id: aws_cis_v200_1_13
 title: 1.13 Ensure there is only one active access key available for any single IAM user
+type: control
 description: Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- SELECT
- u.arn AS resource,
- u.platform_integration_id AS platform_integration_id,
- u.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(k.*) > 1 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason
- FROM
- aws_iam_user AS u
- LEFT JOIN aws_iam_access_key AS k
- ON u.name = k.user_name AND u.account_id = k.account_id
- WHERE
- k.status = 'Active' OR k.status IS NULL
- GROUP BY
- u.arn,
- u.name,
- u.account_id,
- u.tags,
- u._ctx;
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ SELECT
+ u.arn AS resource,
+ u.platform_integration_id AS platform_integration_id,
+ u.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(k.*) > 1 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason
+ FROM
+ aws_iam_user AS u
+ LEFT JOIN aws_iam_access_key AS k
+ ON u.name = k.user_name AND u.account_id = k.account_id
+ WHERE
+ k.status = 'Active' OR k.status IS NULL
+ GROUP BY
+ u.arn,
+ u.name,
+ u.account_id,
+ u.tags,
+ u._ctx;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_cis_v200_1_14.yaml b/compliance/controls/aws/aws_cis_v200_1_14.yaml
index 571708e3a..31af804b6 100644
--- a/compliance/controls/aws/aws_cis_v200_1_14.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_14.yaml
@@ -1,25 +1,26 @@ id: aws_cis_v200_1_14 title: 1.14 Ensure access keys are rotated every 90 days or less +type: control description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' - AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' + AS reason + FROM + aws_iam_access_key; severity: low tags: {} 
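Review bot: The rotation test `WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'` is applied to every row of aws_iam_access_key with no look at `status`, so keys that are already deactivated are raised as rotation failures alongside live ones. The CIS audit text for 1.14 is phrased in terms of active keys; if that is the intent, add `WHERE status = 'Active'`, or at least include `status` in the reason string so triage can tell a stale-but-disabled key from a stale live one. Either way a one-line comment above the SELECT stating which keys are in scope would make the choice deliberate.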
diff --git a/compliance/controls/aws/aws_cis_v200_1_15.yaml b/compliance/controls/aws/aws_cis_v200_1_15.yaml
index 6bec87915..b77e68c34 100644
--- a/compliance/controls/aws/aws_cis_v200_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_15.yaml
@@ -1,24 +1,25 @@ id: aws_cis_v200_1_15 title: 1.15 Ensure IAM Users Receive Permissions Only Through Groups -description: 'IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.' +type: control +description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || - COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' AS reason - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || + COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' 
AS reason + FROM + aws_iam_user; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_16.yaml b/compliance/controls/aws/aws_cis_v200_1_16.yaml index d53242ebf..d53d03d0d 100644 --- a/compliance/controls/aws/aws_cis_v200_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_16.yaml 
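Review bot: The status test `WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'` passes only when both columns are NULL, while the reason string on the next lines already anticipates arrays via `COALESCE(jsonb_array_length(...), 0)`; if the source returns an empty `[]` rather than NULL for a user with no policies, that user is flagged 'alarm' with a reason reading "0 inline and 0 directly attached policies". Make the status consistent with the reason: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`. Whether the plugin emits NULL or `[]` here is not visible in this file, so confirm against the column definition before relying on the NULL-only form.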
@@ -1,54 +1,55 @@ id: aws_cis_v200_1_16 title: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached +type: control description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege - that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - is_aws_managed, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = '*:*' - ) - AND is_attached - GROUP BY - arn, - is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + is_aws_managed, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN - p.name || ' is an AWS managed policy with ' || 
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - ELSE - p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - END AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - p.is_attached; + AND is_attached + GROUP BY + arn, + is_aws_managed + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN + p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + ELSE + p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + END AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + p.is_attached; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_17.yaml b/compliance/controls/aws/aws_cis_v200_1_17.yaml index cf9379cca..12efe489f 100644 --- a/compliance/controls/aws/aws_cis_v200_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_17.yaml 
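Review bot: Statements written with `NotAction` or `NotResource` are never examined: the `star_access_policies` CTE unnests only `s -> 'Action'` and `s -> 'Resource'`, so an Allow statement of the form `{"Effect":"Allow","NotAction":"iam:*","Resource":"*"}` is skipped entirely and the policy is reported 'ok' even though it grants nearly everything. Whether that form is in scope for CIS 1.16 is arguable, but it should be stated; add a comment above the CTE such as `-- only Action/Resource forms are checked; NotAction/NotResource grants are not flagged here` or extend the WHERE with a branch on `s -> 'NotAction'`. Also, `num_bad_statements` is a count of (resource, action) pairs rather than statements — a statement listing both `*` and `*:*` is counted twice — so the "N statements" wording in the reason can overstate.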
@@ -1,47 +1,48 @@ id: aws_cis_v200_1_17 title: 1.17 Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a._ctx - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r - ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn - ON TRUE - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a._ctx - ) - SELECT - resource, - (SELECT platform_integration_id FROM aws_account WHERE account_id = support_role_count.account_id) AS platform_integration_id, - (SELECT platform_resource_id FROM aws_account WHERE account_id = support_role_count.account_id) AS platform_resource_id, - CASE - WHEN count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason - FROM - support_role_count; + language: sql + primary_resource: aws_iam_role + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a._ctx + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r + ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn + ON TRUE + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a._ctx + ) + SELECT + resource, + (SELECT platform_integration_id FROM aws_account WHERE account_id = support_role_count.account_id) AS platform_integration_id, + (SELECT platform_resource_id FROM aws_account WHERE account_id = support_role_count.account_id) AS platform_resource_id, + CASE + WHEN count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason + FROM + support_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_18.yaml b/compliance/controls/aws/aws_cis_v200_1_18.yaml index 0d65aae90..0c11be85f 100644 --- a/compliance/controls/aws/aws_cis_v200_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_18.yaml 
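Review bot: Matching the support policy by name only — `SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess'` — is satisfied by any attached policy whose path segment after the first slash is AWSSupportAccess, including a customer-managed policy at `arn:aws:iam::<account>:policy/AWSSupportAccess` with arbitrary contents, so the control can pass on a look-alike rather than the AWS-managed policy. Compare the full managed-policy ARN instead: `policy_arn = 'arn:' || a.partition || ':iam::aws:policy/AWSSupportAccess'`. Separately, the two correlated subqueries that fetch `platform_integration_id` and `platform_resource_id` from aws_account per row could be avoided by carrying those columns through the `support_role_count` CTE (and its GROUP BY).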
@@ -1,20 +1,21 @@ id: aws_cis_v200_1_18 title: 1.18 Ensure IAM instance roles are used for AWS resource access from instances +type: control description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_19.yaml b/compliance/controls/aws/aws_cis_v200_1_19.yaml index 2925a11a1..6eb46c5db 100644 --- a/compliance/controls/aws/aws_cis_v200_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_19.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v200_1_19 title: 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +type: control description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN - name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - ELSE - name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_server_certificate; + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < (CURRENT_DATE - INTERVAL '1' SECOND) THEN + name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' 
+ ELSE + name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_server_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_2.yaml b/compliance/controls/aws/aws_cis_v200_1_2.yaml index e4d88134e..2ecb9ec28 100644 --- a/compliance/controls/aws/aws_cis_v200_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_2.yaml 
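Review bot: `expiration < (CURRENT_DATE - INTERVAL '1' SECOND)` compares against the last second of the previous day, so a certificate whose expiry passed earlier today is still reported as "valid until …" until the next calendar day; the same expression drives both the status and the reason CASE. Compare against the evaluation instant instead: `WHEN expiration < CURRENT_TIMESTAMP THEN 'alarm'` in both places. If the one-day grace is intentional it deserves a comment, because it reads like an off-by-one.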
@@ -1,51 +1,52 @@ id: aws_cis_v200_1_2 title: 1.2 Ensure security contact information is registered +type: control description: AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - _ctx - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - -- Name is a required field if setting a security contact - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' 
- END AS reason - FROM - account AS a, - alternate_security_contact AS c - WHERE - c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + _ctx + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + -- Name is a required field if setting a security contact + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a, + alternate_security_contact AS c + WHERE + c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_20.yaml b/compliance/controls/aws/aws_cis_v200_1_20.yaml index 471536b3d..9900c6aba 100644 --- a/compliance/controls/aws/aws_cis_v200_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_20.yaml 
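Review bot: The final `FROM account AS a, alternate_security_contact AS c WHERE c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact produces no row at all and the `ELSE 'alarm'` / "security contact not registered." branches can never fire — the control passes by omission on exactly the accounts it exists to catch. In addition, the `account` CTE projects only arn, partition, title, account_id and _ctx, yet the outer SELECT reads `a.platform_integration_id` and `a.platform_resource_id`, which that CTE does not expose. Drop the `account` CTE and select directly with `FROM aws_account AS a LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id`; that makes both columns available and keeps the GovCloud 'info' and the 'alarm' branches reachable.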
@@ -1,33 +1,34 @@ id: aws_cis_v200_1_20 title: 1.20 Ensure that IAM Access analyzer is enabled for all regions +type: control description: Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_region - definition: | - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' - WHEN aa.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' - WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' - ELSE 'Access Analyzer not enabled in ' || r.region || '.' 
- END AS reason - FROM - aws_region AS r - LEFT JOIN - aws_accessanalyzer_analyzer AS aa - ON - r.account_id = aa.account_id - AND r.region = aa.region; + language: sql + primary_resource: aws_region + definition: | + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' + WHEN aa.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' + WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' + ELSE 'Access Analyzer not enabled in ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN + aws_accessanalyzer_analyzer AS aa + ON + r.account_id = aa.account_id + AND r.region = aa.region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_21.yaml b/compliance/controls/aws/aws_cis_v200_1_21.yaml index ad3316c5f..e4efb5968 100644 --- a/compliance/controls/aws/aws_cis_v200_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_21.yaml 
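Review bot: A region is marked 'ok' on `aa.arn IS NOT NULL` alone, so an analyzer that exists but is not in a usable state still passes; the Access Analyzer service reports analyzer status values other than ACTIVE, and none of them are consulted here. If aws_accessanalyzer_analyzer exposes a status column, require it — something like `WHEN aa.arn IS NOT NULL AND aa.status = 'ACTIVE' THEN 'ok'` — and surface the status in the reason when it is not active; I cannot see the column list from this file, so verify the name. The LEFT JOIN also yields one row per analyzer, so a region with more than one analyzer is reported more than once; `DISTINCT ON (r.account_id, r.region)` or an EXISTS subquery keeps one row per region.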
@@ -1,20 +1,21 @@ id: aws_cis_v200_1_21 title: 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments +type: control description: In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_3.yaml b/compliance/controls/aws/aws_cis_v200_1_3.yaml index 3ef5f8d60..78b23d3fa 100644 --- a/compliance/controls/aws/aws_cis_v200_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_3.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v200_1_3 title: 1.3 Ensure security questions are registered in the AWS account +type: control description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_4.yaml b/compliance/controls/aws/aws_cis_v200_1_4.yaml index e19eefb52..0a41ef57c 100644 --- a/compliance/controls/aws/aws_cis_v200_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_4.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_1_4 title: 1.4 Ensure no 'root' user account access key exists +type: control description: The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_access_keys_present > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' - ELSE 'No root user access keys exist.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_access_keys_present > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' + ELSE 'No root user access keys exist.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_5.yaml b/compliance/controls/aws/aws_cis_v200_1_5.yaml index c665577e4..258a6881f 100644 --- a/compliance/controls/aws/aws_cis_v200_1_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_5.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_1_5 title: 1.5 Ensure MFA is enabled for the 'root' user account +type: control description: The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN account_mfa_enabled THEN 'MFA enabled for root account.' - ELSE 'MFA not enabled for root account.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN account_mfa_enabled THEN 'MFA enabled for root account.' + ELSE 'MFA not enabled for root account.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_7.yaml b/compliance/controls/aws/aws_cis_v200_1_7.yaml index 189160ce8..30f1ddf2f 100644 --- a/compliance/controls/aws/aws_cis_v200_1_7.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_7.yaml 
@@ -1,38 +1,39 @@ id: aws_cis_v200_1_7 title: 1.7 Eliminate use of the 'root' user for administrative and daily tasks +type: control description: With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN password_last_used IS NULL THEN 'Root never logged in with password.' - ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).' - END || - CASE - WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' - ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).' - END || - CASE - WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' - ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).' 
- END AS reason - FROM - aws_iam_credential_report - WHERE - user_name = ''; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN password_last_used IS NULL THEN 'Root never logged in with password.' + ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).' + END || + CASE + WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' + ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).' + END || + CASE + WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' + ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).' + END AS reason + FROM + aws_iam_credential_report + WHERE + user_name = ''; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_1_8.yaml b/compliance/controls/aws/aws_cis_v200_1_8.yaml index c549cdeaa..a2daf6a4a 100644 --- a/compliance/controls/aws/aws_cis_v200_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_8.yaml 
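Review bot: The two access-key conditions are inverted: `WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'` (and the key 2 line below it) alarms when the root key was last used more than 90 days ago and returns 'ok' when it was used yesterday — the opposite of the password test on the line above (`password_last_used >= …`) and of what 1.7 asks for. Change both key comparisons to `>=`. As written, a root access key in daily use never raises the finding this control exists to produce.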
@@ -1,29 +1,30 @@ id: aws_cis_v200_1_8 title: 1.8 Ensure IAM password policy requires minimum length of 14 or greater +type: control description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_password_length >= 14 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - ELSE 'Minimum password length set to ' || minimum_password_length || '.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol - ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_password_length >= 14 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + ELSE 'Minimum password length set to ' || minimum_password_length || '.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol + ON a.account_id = pol.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_1_1.yaml b/compliance/controls/aws/aws_cis_v200_2_1_1.yaml index 62762c45b..ab5449c8d 100644 --- a/compliance/controls/aws/aws_cis_v200_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_1.yaml 
@@ -1,46 +1,47 @@ id: aws_cis_v200_2_1_1 title: 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests +type: control description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:securetransport' - ) AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = FALSE - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END reason - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text( + s -> 'Condition' -> 'Bool' -> 'aws:securetransport' + ) AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = FALSE + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' + END reason + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_1_2.yaml b/compliance/controls/aws/aws_cis_v200_2_1_2.yaml index c9a461603..ae86b9b87 100644 --- a/compliance/controls/aws/aws_cis_v200_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_2.yaml 
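Review bot: The `ssl_ok` CTE in the new definition expands `Action` into `a` and `Resource` into `r` but never constrains either, so a Deny statement that covers only a single action or a single object prefix still marks the bucket 'ok'. The CIS remediation policy denies `s3:*` on the bucket and its objects, so the WHERE clause should at least require `AND a IN ('*', 's3:*')` and a resource that covers the bucket or its objects, e.g. `AND (r = '*' OR r = arn OR r = arn || '/*')`; if this inventory's `policy_std` normalises these values differently, adjust the literals accordingly. The two unfiltered joins also multiply rows before the `DISTINCT`, which is what the `DISTINCT` is currently hiding. As a style point, `END status` and `END reason` omit the `AS` that the sibling controls in this commit use.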
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_1_2 title: 2.1.2 Ensure MFA Delete is enabled on S3 buckets +type: control description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' - ELSE name || ' MFA delete disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' + ELSE name || ' MFA delete disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_1_3.yaml b/compliance/controls/aws/aws_cis_v200_2_1_3.yaml index f95c04e6f..43671bb13 100644 --- a/compliance/controls/aws/aws_cis_v200_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_3.yaml 
@@ -1,37 +1,38 @@ id: aws_cis_v200_2_1_3 title: 2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when required +type: control description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified, and protected. Macie, along with other 3rd party tools, can automatically provide an inventory of Amazon S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_list AS ( - SELECT - TRIM(b::text, '"' ) AS bucket_name - FROM - aws_macie2_classification_job, - jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, - jsonb_array_elements(d -> 'Buckets') AS b - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' - WHEN l.bucket_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' - ELSE b.title || ' not protected by Macie.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_list AS ( + SELECT + TRIM(b::text, '"' ) AS bucket_name + FROM + aws_macie2_classification_job, + jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, + jsonb_array_elements(d -> 'Buckets') AS b + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' + WHEN l.bucket_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' + ELSE b.title || ' not protected by Macie.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_1_4.yaml b/compliance/controls/aws/aws_cis_v200_2_1_4.yaml index 06365831e..28777cab3 100644 --- a/compliance/controls/aws/aws_cis_v200_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_4.yaml 
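Review bot: `bucket_list` has no `DISTINCT`, so a bucket that appears in more than one Macie classification job (or twice within one job's `BucketDefinitions`) is joined more than once and is reported on multiple result rows. `SELECT DISTINCT TRIM(b::text, '"') AS bucket_name` fixes that. The CTE also reuses the alias `b` for the JSON array element while the outer query uses `b` for `aws_s3_bucket`; renaming the element (`AS bkt`) spares the reader working out which `b` is which. The job table is not filtered by job status either, so cancelled or finished one-off jobs presumably still count as protection — worth confirming whether that is intended.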
@@ -1,43 +1,44 @@ id: aws_cis_v200_2_1_4 title: 2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' +type: control description: Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - bucket.platform_integration_id AS platform_integration_id, - bucket.platform_resource_id AS platform_resource_id, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN name || ' all public access blocks enabled.' 
- ELSE name || ' not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, - CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, - CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, - CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_bucket AS bucket, - aws_s3_account_settings AS s3account - WHERE - s3account.account_id = bucket.account_id; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + bucket.platform_integration_id AS platform_integration_id, + bucket.platform_resource_id AS platform_resource_id, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, + CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, + CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, + CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_bucket AS bucket, + aws_s3_account_settings AS s3account + WHERE + s3account.account_id = bucket.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_2_1.yaml b/compliance/controls/aws/aws_cis_v200_2_2_1.yaml index ed3ac8e92..6c79cb896 100644 --- a/compliance/controls/aws/aws_cis_v200_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_2_1.yaml 
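Review bot: The new definition joins `aws_s3_bucket` to `aws_s3_account_settings` with an implicit comma join filtered in `WHERE`, which is an inner join, so a bucket whose account has no account-settings row disappears from the results instead of being evaluated on its bucket-level flags. Changing the FROM clause to `FROM aws_s3_bucket AS bucket LEFT JOIN aws_s3_account_settings AS s3account ON s3account.account_id = bucket.account_id` keeps such buckets in the output; with the account columns NULL, `bucket.block_public_acls OR NULL` is only true when the bucket flag is set, so the status CASE still degrades to 'alarm'. The reason branch would then need `COALESCE(s3account.block_public_acls, false)` (and likewise for the other three flags), because `NOT (false OR NULL)` is NULL and the offending flag would silently drop out of the `CONCAT_WS` list. `arn` and `name` in the select list are also unqualified while every other column is; `bucket.arn` and `bucket.name` would match the rest.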
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_2_1 title: 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_3_1.yaml b/compliance/controls/aws/aws_cis_v200_2_3_1.yaml index dcbe621c7..d2e03a2ac 100644 --- a/compliance/controls/aws/aws_cis_v200_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_1.yaml 
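Review bot: The title asks for EBS encryption to be enabled in all regions, but the definition evaluates each existing `aws_ebs_volume` row's `encrypted` flag, so a region whose default EBS encryption is off passes as long as no unencrypted volume currently exists there, and a region with no volumes produces no row at all. If the inventory exposes the per-region EC2 settings (the default-EBS-encryption flag), the control should be driven from that table with one row per region; otherwise the mismatch should be stated, e.g. `description: ... This control evaluates existing volumes, not the regional default-encryption setting.` The volume-level check is still useful, but as written it answers a different question from CIS 2.2.1.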
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_3_1 title: 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances +type: control description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_3_2.yaml b/compliance/controls/aws/aws_cis_v200_2_3_2.yaml index e0d4dced3..84589984f 100644 --- a/compliance/controls/aws/aws_cis_v200_2_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_2.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_3_2 title: 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances +type: control description: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades not enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades not enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_3_3.yaml b/compliance/controls/aws/aws_cis_v200_2_3_3.yaml index 98794d8f5..be9c86846 100644 --- a/compliance/controls/aws/aws_cis_v200_2_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_3.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_3_3 title: 2.3.3 Ensure that public access is not given to RDS Instance +type: control description: Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_2_4_1.yaml b/compliance/controls/aws/aws_cis_v200_2_4_1.yaml index 4b12c699c..a767d4629 100644 --- a/compliance/controls/aws/aws_cis_v200_2_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_4_1.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_2_4_1 title: 2.4.1 Ensure that encryption is enabled for EFS file systems +type: control description: EFS data should be encrypted at rest using AWS KMS (Key Management Service). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_efs_file_system; + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_efs_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_10.yaml b/compliance/controls/aws/aws_cis_v200_3_10.yaml index 4683d5a9c..617da3bce 100644 --- a/compliance/controls/aws/aws_cis_v200_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_10.yaml 
@@ -1,45 +1,46 @@ id: aws_cis_v200_3_10 title: 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' - ELSE b.name || ' object-level write events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors ON bucket_selector LIKE (b.arn || '%') OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' + ELSE b.name || ' object-level write events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors ON bucket_selector LIKE (b.arn || '%') OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_11.yaml b/compliance/controls/aws/aws_cis_v200_3_11.yaml index e25623b1e..c04686f40 100644 --- a/compliance/controls/aws/aws_cis_v200_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_11.yaml 
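Review bot: The join predicate `bucket_selector LIKE (b.arn || '%')` is a bare prefix match, so a data-event selector for `arn:aws:s3:::logs-archive/` also satisfies a bucket named `logs`, which is then reported 'ok' without any logging configured. Matching on the slash boundary, `ON bucket_selector LIKE b.arn || '/%' OR bucket_selector = 'arn:aws:s3'`, removes that false positive; note also that the `'arn:aws:s3'` literal only covers the commercial partition, so an all-buckets selector on a GovCloud trail would never match. Trails configured with advanced event selectors are not examined by this CTE at all, so buckets they log would presumably show 'alarm' — worth confirming against the trail table's columns. The same predicate is used in the 3.11 hunk (aws_cis_v200_3_11.yaml) and should be changed there too.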
@@ -1,57 +1,58 @@ id: aws_cis_v200_3_11 title: 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS + ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN - ( - 'ReadOnly', - 'All' - ) + 'ReadOnly', + 'All' ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' - ELSE b.name || ' object-level read events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, - b.region, - b.arn, - b.name, - b.tags, - b._ctx; + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' + ELSE b.name || ' object-level read events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, + b.region, + b.arn, + b.name, + b.tags, + b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_2.yaml b/compliance/controls/aws/aws_cis_v200_3_2.yaml index 2fef2e4df..d9bccbfc9 100644 --- a/compliance/controls/aws/aws_cis_v200_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_2.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v200_3_2 title: 3.2 Ensure CloudTrail log file validation is enabled +type: control description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_3.yaml b/compliance/controls/aws/aws_cis_v200_3_3.yaml index 606c6066d..e89a3d364 100644 --- a/compliance/controls/aws/aws_cis_v200_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_3.yaml 
@@ -1,60 +1,61 @@ id: aws_cis_v200_3_3 title: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible +type: control description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH public_bucket_data AS ( - SELECT - t.s3_bucket_name AS name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, - COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements - FROM - aws_cloudtrail_trail AS t - LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name - LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON true - LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON true - LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON true - GROUP BY - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx - ) - SELECT - CASE - WHEN arn IS NULL THEN 'arn:aws:s3::' || name - ELSE arn - END AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN arn IS NULL THEN 'skip' - WHEN all_user_grants > 0 THEN 'alarm' - WHEN auth_user_grants > 0 THEN 'alarm' - WHEN anon_statements > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' 
- WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' - WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' - WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' - ELSE name || ' does not grant anonymous access in ACL or bucket policy.' - END AS reason - FROM - public_bucket_data; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH public_bucket_data AS ( + SELECT + t.s3_bucket_name AS name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, + COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements + FROM + aws_cloudtrail_trail AS t + LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name + LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON true + LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON true + LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON true + GROUP BY + t.s3_bucket_name, + b.arn, + t.region, + t.account_id, + t.tags, + t._ctx + ) + SELECT + CASE + WHEN arn IS NULL THEN 'arn:aws:s3::' || name + ELSE arn + END AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN arn IS NULL THEN 'skip' + WHEN all_user_grants > 0 THEN 'alarm' + WHEN auth_user_grants > 0 THEN 'alarm' + WHEN anon_statements > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' + WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' + WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' 
+ WHEN anon_statements > 0 THEN name || ' grants access to AWS:*" in bucket policy.' + ELSE name || ' does not grant anonymous access in ACL or bucket policy.' + END AS reason + FROM + public_bucket_data; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_4.yaml b/compliance/controls/aws/aws_cis_v200_3_4.yaml index 002e16f1d..a1f707cfb 100644 --- a/compliance/controls/aws/aws_cis_v200_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_4.yaml 
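Review bot: The outer SELECT references `t.platform_integration_id` and `t.platform_resource_id`, but its only FROM item is the CTE `public_bucket_data`, inside which the alias `t` is not visible; in PostgreSQL this fails with a missing FROM-clause entry for table "t", so the control cannot run as written. The two columns need to be carried through the CTE (selected and added to its GROUP BY) and referenced unqualified outside it. Separately, the reason text `' grants access to AWS:*" in bucket policy.'` has an unmatched double quote; `' grants access to "AWS:*" in bucket policy.'` is presumably intended. The `anon_statements` count treats any `Allow` to principal `*` as anonymous access regardless of a `Condition` block, which is conservative rather than wrong but will alarm on policies that are restricted by condition keys.
```sql
WITH public_bucket_data AS (
  SELECT
    t.s3_bucket_name AS name,
    b.arn,
    t.region,
    t.account_id,
    t.tags,
    t._ctx,
    t.platform_integration_id,
    t.platform_resource_id,
    -- … unchanged: the three COUNT(...) FILTER (...) aggregates …
  -- … unchanged: FROM / LEFT JOIN clauses …
  GROUP BY
    -- … unchanged: t.s3_bucket_name … t._ctx (now followed by a comma) …
    t.platform_integration_id,
    t.platform_resource_id
)
SELECT
  -- … unchanged: resource CASE …
  platform_integration_id AS platform_integration_id,
  platform_resource_id AS platform_resource_id,
  -- … unchanged: status CASE and the first three reason branches …
    WHEN anon_statements > 0 THEN name || ' grants access to "AWS:*" in bucket policy.'
  -- … unchanged: ELSE branch, END AS reason, FROM public_bucket_data …
```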
@@ -1,28 +1,29 @@ id: aws_cis_v200_3_4 title: 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs +type: control description: AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' 
- END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: "" + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_5.yaml b/compliance/controls/aws/aws_cis_v200_3_5.yaml index b401db95e..a1f52d5f8 100644 --- a/compliance/controls/aws/aws_cis_v200_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_5.yaml 
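Review bot: In the new `definition` for aws_cis_v200_3_4, `log_group_arn != 'null'` compares against the string literal 'null', and a genuine SQL NULL makes both `WHEN` predicates UNKNOWN so the row drops to the ELSE branch; the outcome is 'alarm', which is the conservative side, but the intent should be spelled out rather than relied on: `WHEN log_group_arn IS NOT NULL AND log_group_arn != 'null' AND latest_delivery_time > current_date - 1 THEN 'ok'`. `primary_resource` is also left as `""` although the query reads `aws_cloudtrail_trail`, which is what the sibling 3.6 and 3.7 controls in this diff declare; the empty value looks like an oversight the reindent preserved.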
@@ -1,68 +1,69 @@ id: aws_cis_v200_3_5 title: 3.5 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_config_configuration_recorder - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_config_configuration_recorder + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'ok' + WHEN a.opt_in_status = 'not-opted-in' + THEN 'skip' + ELSE 'alarm' + END AS status, + CASE + WHEN 
a.opt_in_status = 'not-opted-in' + THEN a.region || ' region is disabled.' + ELSE CASE - WHEN g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'ok' - WHEN a.opt_in_status = 'not-opted-in' - THEN 'skip' - ELSE 'alarm' - END AS status, + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' + THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || CASE - WHEN a.opt_in_status = 'not-opted-in' - THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' - THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' - THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' - THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' - THEN ' and LastStatus is SUCCESS.' - ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN - aws_config_configuration_recorder AS r - ON r.account_id = a.account_id - AND r.region = a.name + WHEN recording_group -> 'AllSupported' = 'true' + THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' + THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' + THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN + aws_config_configuration_recorder AS r + ON r.account_id = a.account_id + AND r.region = a.name severity: low tags: {} 
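Review bot: The `global_recorders` CTE in the new definition counts qualifying recorders across every account in the inventory and is then cross-joined to `aws_region`, so an account with no global recorder of its own still gets 'ok' for its regions as long as any other account has one. Scoping the count per account and joining on `a.account_id` closes that false-pass; with a LEFT JOIN, accounts without a global recorder get a NULL count, which fails `>= 1` and falls through to 'alarm' as intended. The `status ->> ...` and `recording_group -> ...` references in the outer SELECT are also unqualified; prefixing them with `r.` makes it explicit they come from the LEFT JOINed recorder row rather than `aws_region`.
```sql
WITH global_recorders AS (
    SELECT
        account_id,
        COUNT(*) AS global_config_recorders
    FROM
        aws_config_configuration_recorder
    -- … unchanged: WHERE on recording_group / status …
    GROUP BY
        account_id
)
SELECT
    -- … unchanged: resource, platform ids, status and reason expressions (qualified as r.status / r.recording_group) …
FROM
    aws_region AS a
LEFT JOIN
    global_recorders AS g
    ON g.account_id = a.account_id
LEFT JOIN
    aws_config_configuration_recorder AS r
    ON r.account_id = a.account_id
    AND r.region = a.name
```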
diff --git a/compliance/controls/aws/aws_cis_v200_3_6.yaml b/compliance/controls/aws/aws_cis_v200_3_6.yaml index 77079e68a..3086f1a92 100644 --- a/compliance/controls/aws/aws_cis_v200_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_6.yaml 
@@ -1,29 +1,30 @@ id: aws_cis_v200_3_6 title: 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket +type: control description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.logging IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - END AS reason - FROM - aws_cloudtrail_trail t - INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.logging IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' + ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' + END AS reason + FROM + aws_cloudtrail_trail t + INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: low tags: {} 
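Review bot: The `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` in the new definition silently drops any trail whose bucket is not in the inventory (for example a trail delivering to a bucket owned by another account), so such trails produce no row at all instead of a finding. A LEFT JOIN with an explicit branch, `WHEN b.name IS NULL THEN 'skip'` and a reason such as `t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in account.'`, keeps the gap visible, in line with how the CloudTrail bucket control earlier in this diff handles a missing bucket via `arn IS NULL`. Whether `b.logging IS NOT NULL` is sufficient evidence that access logging is on depends on how that column is populated for a bucket with logging disabled; worth confirming against the table definition.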
diff --git a/compliance/controls/aws/aws_cis_v200_3_7.yaml b/compliance/controls/aws/aws_cis_v200_3_7.yaml index 738e2f0a0..2de415871 100644 --- a/compliance/controls/aws/aws_cis_v200_3_7.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_7.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v200_3_7 title: 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs +type: control description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' - ELSE title || ' logs are encrypted at rest.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' + ELSE title || ' logs are encrypted at rest.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_8.yaml b/compliance/controls/aws/aws_cis_v200_3_8.yaml index 1886726b7..997dac516 100644 
--- a/compliance/controls/aws/aws_cis_v200_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_8.yaml 
@@ -1,34 +1,35 @@ id: aws_cis_v200_3_8 title: 3.8 Ensure rotation for customer created symmetric CMKs is enabled +type: control description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin = 'EXTERNAL' THEN 'skip' - WHEN key_state = 'PendingDeletion' THEN 'skip' - WHEN key_state = 'Disabled' THEN 'skip' - WHEN NOT key_rotation_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' - WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' - WHEN key_state = 'Disabled' THEN title || ' is disabled.' - WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' - ELSE title || ' key rotation enabled.' 
- END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin = 'EXTERNAL' THEN 'skip' + WHEN key_state = 'PendingDeletion' THEN 'skip' + WHEN key_state = 'Disabled' THEN 'skip' + WHEN NOT key_rotation_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' + WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' + WHEN key_state = 'Disabled' THEN title || ' is disabled.' + WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' + ELSE title || ' key rotation enabled.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_3_9.yaml b/compliance/controls/aws/aws_cis_v200_3_9.yaml index 01420586c..1bdef58fd 100644 --- a/compliance/controls/aws/aws_cis_v200_3_9.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_9.yaml 
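Review bot: `WHEN NOT key_rotation_enabled THEN 'alarm'` in the new definition treats a NULL rotation flag as passing: `NOT NULL` is UNKNOWN, so the row skips that branch and lands in `ELSE 'ok'`. A key whose rotation status could not be read therefore passes a rotation control, which is the wrong default for a security check; `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` keeps NULL on the failing side. The title scopes the control to symmetric CMKs but the query filters only on `key_manager = 'CUSTOMER'`; if the table exposes the key spec, asymmetric keys should be routed to 'skip' the way EXTERNAL-origin keys already are.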
@@ -1,55 +1,56 @@ id: aws_cis_v200_3_9 title: 3.9 Ensure VPC flow logging is enabled in all VPCs +type: control description: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - WITH vpcs AS ( - SELECT - arn, - account_id, - platform_integration_id, - platform_resource_id, - region, - owner_id, - vpc_id, - tags, - _ctx - FROM - aws_vpc - ORDER BY - vpc_id - ), - flowlogs AS ( - SELECT - resource_id, - account_id, - region - FROM - aws_vpc_flow_log - ORDER BY - resource_id - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.account_id <> v.owner_id THEN 'skip' - WHEN f.resource_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' - WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' - ELSE v.vpc_id || ' flow logging disabled.' 
- END AS reason - FROM - vpcs AS v - LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; + language: sql + primary_resource: aws_vpc + definition: | + WITH vpcs AS ( + SELECT + arn, + account_id, + platform_integration_id, + platform_resource_id, + region, + owner_id, + vpc_id, + tags, + _ctx + FROM + aws_vpc + ORDER BY + vpc_id + ), + flowlogs AS ( + SELECT + resource_id, + account_id, + region + FROM + aws_vpc_flow_log + ORDER BY + resource_id + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.account_id <> v.owner_id THEN 'skip' + WHEN f.resource_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.account_id <> v.owner_id THEN v.vpc_id || ' is a shared VPC.' + WHEN f.resource_id IS NOT NULL THEN v.vpc_id || ' flow logging enabled.' + ELSE v.vpc_id || ' flow logging disabled.' + END AS reason + FROM + vpcs AS v + LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_4_12.yaml b/compliance/controls/aws/aws_cis_v200_4_12.yaml index 67f5752d9..8b0b6c014 100644 --- a/compliance/controls/aws/aws_cis_v200_4_12.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_12.yaml 
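Review bot: `LEFT JOIN flowlogs AS f ON v.vpc_id = f.resource_id` in the new definition yields one output row per flow log, so a VPC with several flow logs is reported more than once; an EXISTS predicate gives exactly one row per VPC: `WHEN EXISTS (SELECT 1 FROM aws_vpc_flow_log fl WHERE fl.resource_id = v.vpc_id) THEN 'ok'`. The `ORDER BY` clauses inside the `vpcs` and `flowlogs` CTEs have no effect on the final result and can be dropped. The description asks for flow logs covering rejected packets, yet the query accepts any flow log; if the flow-log table carries the traffic type, the EXISTS predicate is the place to restrict it.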
@@ -1,90 +1,91 @@ id: aws_cis_v200_4_12 title: 4.12 Ensure changes to network gateways are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - 
t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' - ELSE filter_name || ' forwards events for changes to network gateways.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' + ELSE filter_name || ' forwards events for changes to network gateways.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_4_3.yaml b/compliance/controls/aws/aws_cis_v200_4_3.yaml index 98efcb575..2c01a697c 100644 --- a/compliance/controls/aws/aws_cis_v200_4_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_3.yaml 
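Review bot: The `filter_pattern ~ '...'` regex in the `metric_filters` CTE of the new definition only matches when the six gateway event names appear in exactly that order, so a metric filter listing the same events in a different order is reported as 'alarm' even though it satisfies the benchmark. The same ordered-regex assumption is present in the aws_cis_v200_4_3 and aws_cis_v200_4_6 hunks below. A less brittle check is one `~` test per event name combined with AND (`filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateCustomerGateway' AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteCustomerGateway'` and so on), or at minimum a comment above the WHERE stating that only the CIS-documented ordering is accepted. The `trails` CTE also cross-joins `jsonb_array_elements(trail.event_selectors)`, so a trail whose `event_selectors` is NULL contributes no row and its account is evaluated as if the trail did not exist; whether such trails occur depends on how the table is populated, worth confirming.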
@@ -1,91 +1,92 @@ id: aws_cis_v200_4_3 title: 4.3 Ensure usage of 'root' account is monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$.userIdentity.type\s*=\s*"Root".+\$.userIdentity.invokedBy NOT EXISTS.+\$.eventType\s*!=\s*"AwsServiceEvent"' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || 
a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' - ELSE filter_name || ' forwards events for usage of "root" account.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$.userIdentity.type\s*=\s*"Root".+\$.userIdentity.invokedBy NOT EXISTS.+\$.eventType\s*!=\s*"AwsServiceEvent"' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON 
subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' + ELSE filter_name || ' forwards events for usage of "root" account.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_4_6.yaml b/compliance/controls/aws/aws_cis_v200_4_6.yaml index a33fe7bbe..45014ed2f 100644 --- a/compliance/controls/aws/aws_cis_v200_4_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_6.yaml 
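Review bot: The regex in the `metric_filters` CTE of the new definition leaves the dots in `\$.userIdentity.type`, `\$.userIdentity.invokedBy` and `\$.eventType` unescaped, unlike the `\$\.eventName` form used in the aws_cis_v200_4_12 and aws_cis_v200_4_6 hunks, so each `.` matches any character rather than a literal dot. The looser match is unlikely to change results in practice, but escaping them (`\$\.userIdentity\.type\s*=\s*"Root"` and so on) keeps the three patterns consistent and the intent explicit.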
@@ -1,91 +1,92 @@ id: aws_cis_v200_4_6 title: 4.6 Ensure AWS Management Console authentication failures are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se->>'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - 
topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.account_id AS platform_integration_id, - f.trail_name AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console authentication failures.' - ELSE f.filter_name || ' forwards events for console authentication failures.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se->>'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = 
f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.account_id AS platform_integration_id, + f.trail_name AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console authentication failures.' + ELSE f.filter_name || ' forwards events for console authentication failures.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_5_2.yaml b/compliance/controls/aws/aws_cis_v200_5_2.yaml index 489d64819..0766051e3 100644 --- a/compliance/controls/aws/aws_cis_v200_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_2.yaml 
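Review bot: The outer SELECT in the new definition emits `f.account_id AS platform_integration_id` and `f.trail_name AS platform_resource_id`, both taken from the LEFT JOINed `filter_data`, so every 'alarm' row (the case where `f` is NULL) carries NULL platform identifiers; the sibling 4.3 and 4.12 controls use `a.platform_integration_id AS platform_integration_id` and `a.platform_resource_id AS platform_resource_id` from `aws_account`, and this control should do the same. `primary_resource` is `aws_cloudtrail_trail` here although the resource column is the account ARN built from `aws_account`, which the two sibling controls declare as `aws_account`.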
@@ -1,67 +1,68 @@ id: aws_cis_v200_5_2 title: 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' - AND from_port IS NULL) - OR ( - from_port = 22 - AND to_port = 22 - ) - OR ( - from_port = 3389 - AND to_port = 3389 - ) - ) - GROUP BY - group_id - ), - security_groups AS ( - SELECT - arn, - tags, - region, - account_id, - group_id, - _ctx - FROM - aws_vpc_security_group - ORDER BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- END AS reason - FROM - security_groups AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' + AND from_port IS NULL) + OR ( + from_port = 22 + AND to_port = 22 + ) + OR ( + from_port = 3389 + AND to_port = 3389 + ) + ) + GROUP BY + group_id + ), + security_groups AS ( + SELECT + arn, + tags, + region, + account_id, + group_id, + _ctx + FROM + aws_vpc_security_group + ORDER BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + security_groups AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_5_3.yaml b/compliance/controls/aws/aws_cis_v200_5_3.yaml index f1344cdbe..bd5fbc27e 100644 --- a/compliance/controls/aws/aws_cis_v200_5_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_3.yaml 
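Review bot: The `security_groups` CTE in the new definition projects only `arn, tags, region, account_id, group_id, _ctx`, yet the outer SELECT reads `sg.platform_integration_id` and `sg.platform_resource_id`, which on PostgreSQL fails with a missing-column error; add both columns to the CTE's SELECT list, or query `aws_vpc_security_group AS sg` directly as aws_cis_v200_5_3 does. Separately, the port test `from_port = 22 AND to_port = 22` (and the 3389 pair) only counts rules scoped to exactly that one port, so a rule that opens a range containing 22 or 3389 from 0.0.0.0/0 is reported as compliant; use range containment, `from_port <= 22 AND to_port >= 22` and `from_port <= 3389 AND to_port >= 3389`. The same defect is in aws_cis_v200_5_3, where `from_port >= 22 AND to_port <= 22` is the inverted form and likewise matches only the single-port rule. The description limits the finding to TCP (6), UDP (17) and ALL (-1), but the port branches never test `ip_protocol`, so an explicit protocol filter would keep ICMP type/code values out of the count.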
@@ -1,53 +1,54 @@ id: aws_cis_v200_5_3 title: 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 + ) + OR ( + from_port >= 3389 + AND to_port <= 3389 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_5_4.yaml b/compliance/controls/aws/aws_cis_v200_5_4.yaml index 00c941f58..1491d8f21 100644 --- a/compliance/controls/aws/aws_cis_v200_5_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_4.yaml 
@@ -1,34 +1,35 @@ id: aws_cis_v200_5_4 title: 5.4 Ensure the default security group of every VPC restricts all traffic +type: control description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(ip_permissions) = 0 - AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(ip_permissions) > 0 - AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' - WHEN jsonb_array_length(ip_permissions) > 0 - AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'Default security group ' || group_id || ' has inbound rules.' - WHEN jsonb_array_length(ip_permissions) = 0 - AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has outbound rules.' - ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- END AS reason - FROM - aws_vpc_security_group - WHERE - group_name = 'default'; + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(ip_permissions) = 0 + AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(ip_permissions) > 0 + AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' + WHEN jsonb_array_length(ip_permissions) > 0 + AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'Default security group ' || group_id || ' has inbound rules.' + WHEN jsonb_array_length(ip_permissions) = 0 + AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has outbound rules.' + ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' + END AS reason + FROM + aws_vpc_security_group + WHERE + group_name = 'default'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_5_5.yaml b/compliance/controls/aws/aws_cis_v200_5_5.yaml index 26a83eb71..873f21017 100644 --- a/compliance/controls/aws/aws_cis_v200_5_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_5.yaml 
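Review bot: The status CASE in the new definition treats a NULL `ip_permissions` or `ip_permissions_egress` as non-compliant, because `jsonb_array_length(NULL)` is NULL and `NULL = 0` never satisfies the `THEN 'ok'` branch, while the reason CASE then falls through to `' has no inbound or outbound rules.'` — a default group with no rules would be reported as 'alarm' with a reason saying it is clean. Whether the plugin ever emits NULL rather than `[]` for an empty rule set is not visible here; if it can, wrap both calls as `COALESCE(jsonb_array_length(ip_permissions), 0)` and `COALESCE(jsonb_array_length(ip_permissions_egress), 0)` in both CASE expressions so status and reason agree.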
@@ -1,20 +1,21 @@ id: aws_cis_v200_5_5 title: 5.5 Ensure routing tables for VPC peering are "least access" +type: control description: Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v200_5_6.yaml b/compliance/controls/aws/aws_cis_v200_5_6.yaml index cc31a4381..090b24c27 100644 --- a/compliance/controls/aws/aws_cis_v200_5_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_6.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v200_5_6 title: 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 +type: control description: When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_1.yaml b/compliance/controls/aws/aws_cis_v300_1_1.yaml index c51abfad6..7ac6c3ad3 100644 --- a/compliance/controls/aws/aws_cis_v300_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_1.yaml 
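Review bot: The status test `metadata_options ->> 'HttpTokens' = 'optional'` in the new definition yields 'ok' whenever the key is absent or `metadata_options` is NULL, since a NULL comparison never enters the 'alarm' branch, so an instance whose metadata options were not collected is reported as IMDSv2-enforced. A check that passes only on positive evidence would be `WHEN metadata_options ->> 'HttpTokens' IS DISTINCT FROM 'required' THEN 'alarm'`, with the same change mirrored in the reason CASE. Whether the table can carry NULL `metadata_options` for running instances is not visible in this hunk, so confirm before tightening.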
@@ -1,20 +1,21 @@
id: aws_cis_v300_1_1
title: 1.1 Maintain current contact details
+type: control
description: Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason
- FROM
- aws_account;
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason
+ FROM
+ aws_account;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_cis_v300_1_10.yaml b/compliance/controls/aws/aws_cis_v300_1_10.yaml
index 8615a1625..89b4c2e5e 100644
--- a/compliance/controls/aws/aws_cis_v300_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v300_1_10.yaml
@@ -1,27 +1,28 @@
id: aws_cis_v300_1_10
title: 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
+type: control
description: Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_enabled AND NOT mfa_active THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT password_enabled THEN user_name || ' password login disabled.'
- WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
- ELSE user_name || ' password login enabled and MFA device configured.'
- END AS reason
- FROM
- aws_iam_credential_report;
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_enabled AND NOT mfa_active THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT password_enabled THEN user_name || ' password login disabled.'
+ WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
+ ELSE user_name || ' password login enabled and MFA device configured.'
+ END AS reason
+ FROM
+ aws_iam_credential_report;
severity: low
tags: {}
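Review bot: The new definition evaluates every row of `aws_iam_credential_report`, including the root user row (the credential report carries it with `user_name` `<root_account>`), although the title scopes the control to IAM users with a console password and root MFA is covered by its own control. If the plugin passes the root row through, add `WHERE user_name <> '<root_account>'` so the result set matches the control's scope; if it already filters it, a one-line comment in the definition saying so would save the next reader the check.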
diff --git a/compliance/controls/aws/aws_cis_v300_1_11.yaml b/compliance/controls/aws/aws_cis_v300_1_11.yaml
index 1548bd81d..3b45ae071 100644
--- a/compliance/controls/aws/aws_cis_v300_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v300_1_11.yaml
@@ -1,34 +1,35 @@ id: aws_cis_v300_1_11 title: 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password +type: control description: AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled - AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled - THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL - THEN user_name || ' has no access keys.' - WHEN password_enabled - AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled + AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled + THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL + THEN user_name || ' has no access keys.' 
+ WHEN password_enabled + AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_12.yaml b/compliance/controls/aws/aws_cis_v300_1_12.yaml index 7a6e0d48b..40b3fde21 100644 --- a/compliance/controls/aws/aws_cis_v300_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_12.yaml 
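Review bot: The status CASE in the new definition inspects only `access_key_1_last_rotated`, so a second key created at user creation (`access_key_2_last_rotated`) is never considered, and the reason branch `' has no access keys.'` is wrong for a user whose only key is key 2. Add the parallel test `OR (EXTRACT(EPOCH FROM (access_key_2_last_rotated - user_creation_time)) < 10)` to both CASE expressions and make the no-key branch `WHEN access_key_1_last_rotated IS NULL AND access_key_2_last_rotated IS NULL`. The literal 10 also deserves a comment such as `-- keys created within 10 seconds of the user count as created during setup`, because the unit (seconds, from EXTRACT(EPOCH ...)) and the tolerance are not obvious from the number alone.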
@@ -1,60 +1,61 @@ id: aws_cis_v300_1_12 title: 1.12 Ensure credentials unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) - THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || 
TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) + THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND 
access_key_1_last_used_date IS NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_14.yaml b/compliance/controls/aws/aws_cis_v300_1_14.yaml index 6802821a0..10220e6e6 100644 --- a/compliance/controls/aws/aws_cis_v300_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_14.yaml 
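Review bot: The 45-day inactivity window is repeated six times as `INTERVAL '45' DAY` in the new definition's status CASE, while the file declares `parameters: []`; if the control framework lets a definition read a declared parameter, a single `inactive_days` parameter would keep the six predicates in step, and otherwise a one-line comment such as `-- CIS 1.12: credentials unused for 45 days or more are non-compliant` above the CASE documents the threshold once. The `WHEN user_name = '' THEN 'info'` branch also has no comment explaining which report rows carry an empty user name, which the next reader will have to reverse-engineer.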
@@ -1,24 +1,25 @@ id: aws_cis_v300_1_14 title: 1.14 Ensure access keys are rotated every 90 days or less +type: control description: Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (current_date - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (current_date - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM current_timestamp - create_date) || ' days).' AS reason + FROM + aws_iam_access_key; severity: low tags: {} 
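Review bot: The new definition alarms on every key whose `create_date` is older than 90 days regardless of whether the key is still active, so deactivated-but-not-deleted keys are counted as rotation failures, while the CIS audit procedure looks only at active keys. If the table exposes the key state (the Steampipe `aws_iam_access_key` table has a `status` column with `Active`/`Inactive`), add a branch such as `WHEN status <> 'Active' THEN 'info'` ahead of the age test and mirror it in the reason text. The keywords `current_date`/`current_timestamp` are also the only lowercase ones in this file; the sibling controls write `CURRENT_DATE`.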
diff --git a/compliance/controls/aws/aws_cis_v300_1_15.yaml b/compliance/controls/aws/aws_cis_v300_1_15.yaml
index de5efcd4f..861e4a940 100644
--- a/compliance/controls/aws/aws_cis_v300_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v300_1_15.yaml
@@ -1,25 +1,26 @@ id: aws_cis_v300_1_15 title: 1.15 Ensure IAM Users Receive Permissions Only Through Groups -description: 'IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.' +type: control +description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || - ' inline and ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || - ' directly attached policies.' AS reason - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || + ' inline and ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || + ' directly attached policies.' 
AS reason + FROM + aws_iam_user; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_16.yaml b/compliance/controls/aws/aws_cis_v300_1_16.yaml index cef9cfc5c..c9077cb3a 100644 --- a/compliance/controls/aws/aws_cis_v300_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_16.yaml 
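Review bot: The status CASE in the new definition passes a user only when both `inline_policies` and `attached_policy_arns` are NULL, while the reason text already expects them to be possibly-empty JSON arrays (`COALESCE(jsonb_array_length(...), 0)`); a user whose columns come back as `[]` would be reported as 'alarm' with the reason `has 0 inline and 0 directly attached policies.` Use the same expression in both places: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`.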
@@ -1,51 +1,52 @@ id: aws_cis_v300_1_16 title: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached +type: control description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - is_aws_managed, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' OR action = '*:*' - ) - AND is_attached - GROUP BY - arn, - is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + is_aws_managed, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || 
COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' - END AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - p.is_attached; + AND is_attached + GROUP BY + arn, + is_aws_managed + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info' + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + ELSE p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' + END AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + p.is_attached; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_17.yaml b/compliance/controls/aws/aws_cis_v300_1_17.yaml index a809ac8ea..2bb497738 100644 --- a/compliance/controls/aws/aws_cis_v300_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_17.yaml 
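Review bot: The status column is aliased with `END status` while every other column in this definition and in the sibling controls uses `AS` (`END AS reason`); write `END AS status` for consistency. Beyond style, the `star_access_policies` CTE only expands `s -> 'Action'`, so an `Effect: Allow` statement on `Resource: '*'` expressed through `NotAction` is not counted even though it can grant the same breadth; whether `policy_std` normalises `NotAction` into `Action` is not visible here, so confirm before widening the predicate, and a comment on the CTE stating which form it covers would help either way.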
@@ -1,49 +1,50 @@ id: aws_cis_v300_1_17 title: 1.17 Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - a._ctx - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a.platform_integration_id, - a.platform_resource_id, - a._ctx - ) - SELECT - resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason - FROM - support_role_count; + language: sql + primary_resource: aws_account + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + a._ctx + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON TRUE + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a.platform_integration_id, + a.platform_resource_id, + a._ctx + ) + SELECT + resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN count > 1 THEN 'AWSSupportAccess policy attached to ' || count || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason + FROM + support_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_18.yaml b/compliance/controls/aws/aws_cis_v300_1_18.yaml index 7112ebcf1..13771a912 100644 --- a/compliance/controls/aws/aws_cis_v300_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_18.yaml 
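Review bot: The `WHERE SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' OR policy_arn IS NULL` filter in `support_role_count` is applied to a column from the LEFT-joined side, so an account whose roles all carry other policies has every row filtered out, gets no row in the CTE, and produces neither 'ok' nor 'alarm' — the accounts most likely to be non-compliant are silently omitted. Conditional aggregation keeps one row per account: replace the aggregate with `COUNT(policy_arn) FILTER (WHERE SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess') AS count,` and drop the WHERE clause. Naming the aggregate also removes the reliance on Postgres's default `count` column name that the outer query reads. Matching on the policy name alone also accepts a customer-managed policy that merely happens to be called AWSSupportAccess; comparing the full managed ARN, `policy_arn = 'arn:' || a.partition || ':iam::aws:policy/AWSSupportAccess'`, is the stricter test.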
@@ -1,20 +1,21 @@ id: aws_cis_v300_1_18 title: 1.18 Ensure IAM instance roles are used for AWS resource access from instances +type: control description: AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. "AWS Access" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_19.yaml b/compliance/controls/aws/aws_cis_v300_1_19.yaml index bcd9f4071..b7a0b8969 100644 --- a/compliance/controls/aws/aws_cis_v300_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_19.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v300_1_19 title: 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +type: control description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN - name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - ELSE - name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_iam_server_certificate; + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN + name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' 
+ ELSE + name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_server_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_2.yaml b/compliance/controls/aws/aws_cis_v300_1_2.yaml index b6a4baf91..99ef8066f 100644 --- a/compliance/controls/aws/aws_cis_v300_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_2.yaml 
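Review bot: `expiration < (current_date - INTERVAL '1' SECOND)` compares the certificate expiry against one second before today's midnight, so a certificate that expired earlier today (assuming `expiration` is a timestamp) is still reported 'ok' until the following day. Both CASE branches should compare against the current instant: `WHEN expiration < CURRENT_TIMESTAMP THEN 'alarm'`. The lowercase `current_date` is also inconsistent with the uppercase `CURRENT_DATE`/`CURRENT_TIMESTAMP` used by the other controls in this diff.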
@@ -1,52 +1,53 @@ id: aws_cis_v300_1_2 title: 1.2 Ensure security contact information is registered +type: control description: AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' 
- END AS reason - FROM - account AS a, - alternate_security_contact AS c - WHERE - c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a, + alternate_security_contact AS c + WHERE + c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_20.yaml b/compliance/controls/aws/aws_cis_v300_1_20.yaml index 16b582860..e85940bd8 100644 --- a/compliance/controls/aws/aws_cis_v300_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_20.yaml 
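Review bot: The comma join `FROM account AS a, alternate_security_contact AS c WHERE c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact is dropped from the result and the `ELSE 'alarm'` / `' security contact not registered.'` branches can never fire — the control only ever reports accounts that already pass. Use an outer join so missing contacts surface: `FROM account AS a` / `LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;`. The `account` CTE also selects `_ctx`, which nothing downstream reads.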
@@ -1,32 +1,33 @@ id: aws_cis_v300_1_20 title: 1.20 Ensure that IAM Access analyzer is enabled for all regions +type: control description: Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_region - definition: | - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' - WHEN aa.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' - WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' - ELSE 'Access Analyzer not enabled in ' || r.region || '.' 
- END AS reason - FROM - aws_region AS r - LEFT JOIN - aws_accessanalyzer_analyzer AS aa - ON - r.account_id = aa.account_id AND r.region = aa.region; + language: sql + primary_resource: aws_region + definition: | + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' + WHEN aa.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' + WHEN aa.arn IS NOT NULL THEN aa.name || ' enabled in ' || r.region || '.' + ELSE 'Access Analyzer not enabled in ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN + aws_accessanalyzer_analyzer AS aa + ON + r.account_id = aa.account_id AND r.region = aa.region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_21.yaml b/compliance/controls/aws/aws_cis_v300_1_21.yaml index 0d9bcc3d7..36880c49b 100644 --- a/compliance/controls/aws/aws_cis_v300_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_21.yaml 
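Review bot: `WHEN aa.arn IS NOT NULL THEN 'ok'` treats the mere existence of an analyzer row as compliance, and a region with more than one analyzer yields one output row per analyzer for the same `resource`. If `aws_accessanalyzer_analyzer` exposes the analyzer state (a `status` column is what I would expect), restricting the join with `AND aa.status = 'ACTIVE'` in the ON clause would stop a disabled or failed analyzer from passing the region; a `DISTINCT ON (r.region)` or an EXISTS subquery would remove the duplicate rows. Worth a comment either way, e.g. `-- any analyzer in the region counts; state and type are not checked`.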
@@ -1,20 +1,21 @@ id: aws_cis_v300_1_21 title: 1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments +type: control description: In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_3.yaml b/compliance/controls/aws/aws_cis_v300_1_3.yaml index 43db369e5..e214d58e7 100644 --- a/compliance/controls/aws/aws_cis_v300_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_3.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v300_1_3 title: 1.3 Ensure security questions are registered in the AWS account +type: control description: The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_4.yaml b/compliance/controls/aws/aws_cis_v300_1_4.yaml index 5cf14b2b1..2038e31ad 100644 --- a/compliance/controls/aws/aws_cis_v300_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_4.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_1_4 title: 1.4 Ensure no 'root' user account access key exists +type: control description: The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_access_keys_present > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' - ELSE 'No root user access keys exist.' - END AS reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_access_keys_present > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' + ELSE 'No root user access keys exist.' + END AS reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_5.yaml b/compliance/controls/aws/aws_cis_v300_1_5.yaml index b332494d3..649d0744d 100644 --- a/compliance/controls/aws/aws_cis_v300_1_5.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_5.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_1_5 title: 1.5 Ensure MFA is enabled for the 'root' user account +type: control description: The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN account_mfa_enabled THEN 'MFA enabled for root account.' - ELSE 'MFA not enabled for root account.' - END reason - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN account_mfa_enabled THEN 'MFA enabled for root account.' + ELSE 'MFA not enabled for root account.' + END reason + FROM + aws_iam_account_summary; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_6.yaml b/compliance/controls/aws/aws_cis_v300_1_6.yaml index c2e591c38..1f6f2e97d 100644 --- a/compliance/controls/aws/aws_cis_v300_1_6.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_6.yaml 
@@ -1,30 +1,31 @@ id: aws_cis_v300_1_6 title: 1.6 Ensure hardware MFA is enabled for the 'root' user account +type: control description: The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || s.partition || ':::' || s.account_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN s.account_mfa_enabled AND d.serial_number IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.account_mfa_enabled = FALSE THEN 'MFA not enabled for root account.' - WHEN d.serial_number IS NOT NULL THEN 'MFA enabled for root account, but the MFA associated is a virtual device.' - ELSE 'Hardware MFA device enabled for root account.' - END AS reason - FROM - aws_iam_account_summary AS s - LEFT JOIN - aws_iam_virtual_mfa_device AS d - ON (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || s.partition || ':::' || s.account_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN s.account_mfa_enabled AND d.serial_number IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.account_mfa_enabled = FALSE THEN 'MFA not enabled for root account.' + WHEN d.serial_number IS NOT NULL THEN 'MFA enabled for root account, but the MFA associated is a virtual device.' 
+ ELSE 'Hardware MFA device enabled for root account.' + END AS reason + FROM + aws_iam_account_summary AS s + LEFT JOIN + aws_iam_virtual_mfa_device AS d + ON (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_7.yaml b/compliance/controls/aws/aws_cis_v300_1_7.yaml index c3bafd902..b0292f60e 100644 --- a/compliance/controls/aws/aws_cis_v300_1_7.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_7.yaml 
@@ -1,38 +1,39 @@ id: aws_cis_v300_1_7 title: 1.7 Eliminate use of the 'root' user for administrative and daily tasks +type: control description: With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN password_last_used IS NULL THEN 'Root never logged in with password.' - ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).' - END || - CASE - WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' - ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).' - END || - CASE - WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' - ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).' 
- END AS reason - FROM - aws_iam_credential_report - WHERE - user_name = ''; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_last_used >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + WHEN access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + WHEN access_key_2_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN password_last_used IS NULL THEN 'Root never logged in with password.' + ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - password_last_used) || ' days).' + END || + CASE + WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' + ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_1_last_used_date) || ' days).' + END || + CASE + WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' + ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - access_key_2_last_used_date) || ' days).' + END AS reason + FROM + aws_iam_credential_report + WHERE + user_name = ''; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_1_8.yaml b/compliance/controls/aws/aws_cis_v300_1_8.yaml index 941494564..a420f02b1 100644 --- a/compliance/controls/aws/aws_cis_v300_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_8.yaml 
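Review bot: The access-key branches of the status CASE are inverted: `access_key_1_last_used_date <= (CURRENT_DATE - INTERVAL '90' DAY)` alarms when the key was last used more than 90 days ago and returns 'ok' when root used the key yesterday, the opposite of the `password_last_used >=` branch above it and of the control's title. Both lines should read `WHEN access_key_1_last_used_date >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'` and `WHEN access_key_2_last_used_date >= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'`. The `WHERE user_name = ''` filter selects the root row only if this data source stores the root user's name as an empty string; if it is the `<root_account>` marker from the raw credential report, the query returns nothing and the control never fires — please confirm against the table.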
@@ -1,28 +1,29 @@ id: aws_cis_v300_1_8 title: 1.8 Ensure IAM password policy requires minimum length of 14 or greater +type: control description: Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length of 14. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_password_length >= 14 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - ELSE 'Minimum password length set to ' || minimum_password_length || '.' - END AS reason - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_password_length >= 14 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + ELSE 'Minimum password length set to ' || minimum_password_length || '.' + END AS reason + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_1_1.yaml b/compliance/controls/aws/aws_cis_v300_2_1_1.yaml index 3264f9d00..3cb8ddd64 100644 --- a/compliance/controls/aws/aws_cis_v300_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_1_1.yaml 
@@ -1,45 +1,46 @@ id: aws_cis_v300_2_1_1 title: 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests +type: control description: At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = FALSE - ) - - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END reason - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = FALSE + ) + + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' + END reason + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_1_2.yaml b/compliance/controls/aws/aws_cis_v300_2_1_2.yaml index 7a9efd3f9..a66cbbd34 100644 --- a/compliance/controls/aws/aws_cis_v300_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_1_2.yaml 
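Review bot: In the `ssl_ok` CTE the expanded `a` (Action) and `r` (Resource) elements are never referenced, so a Deny statement with `aws:securetransport = false` that covers a single action or a single object prefix passes the bucket as "enforces HTTPS", and the two unused lateral expansions are the reason `DISTINCT` is needed. At minimum require the action to be broad, `AND a IN ('*', 's3:*')`, and consider checking that `r` covers the bucket's objects (the `arn || '/*'` form) rather than one key. The lower-case `aws:securetransport` key only matches if `policy_std` normalises condition keys to lower case; a comment such as `-- policy_std lower-cases condition keys` would make that dependency visible.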
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_1_2 title: 2.1.2 Ensure MFA Delete is enabled on S3 buckets +type: control description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' - ELSE name || ' MFA delete disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' + ELSE name || ' MFA delete disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_1_3.yaml b/compliance/controls/aws/aws_cis_v300_2_1_3.yaml index 3b6e95b7c..9f42cfed6 100644 --- a/compliance/controls/aws/aws_cis_v300_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_1_3.yaml 
@@ -1,37 +1,38 @@ id: aws_cis_v300_2_1_3 title: 2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required +type: control description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_list AS ( - SELECT - TRIM(b::text, '"' ) AS bucket_name - FROM - aws_macie2_classification_job, - JSONB_ARRAY_ELEMENTS(s3_job_definition -> 'BucketDefinitions') AS d, - JSONB_ARRAY_ELEMENTS(d -> 'Buckets') AS b - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' - WHEN l.bucket_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' - ELSE b.title || ' not protected by Macie.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_list AS ( + SELECT + TRIM(b::text, '"' ) AS bucket_name + FROM + aws_macie2_classification_job, + JSONB_ARRAY_ELEMENTS(s3_job_definition -> 'BucketDefinitions') AS d, + JSONB_ARRAY_ELEMENTS(d -> 'Buckets') AS b + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' + WHEN l.bucket_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' + ELSE b.title || ' not protected by Macie.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_2_1.yaml b/compliance/controls/aws/aws_cis_v300_2_2_1.yaml index c6bbe318a..5ee0e05e5 100644 --- a/compliance/controls/aws/aws_cis_v300_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_2_1.yaml 
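Review bot: `bucket_list` has no DISTINCT, so a bucket referenced by several Macie classification jobs joins to several rows and is reported more than once, and jobs in any state are counted. `SELECT DISTINCT JSONB_ARRAY_ELEMENTS_TEXT(d -> 'Buckets') AS bucket_name` removes the duplicates and the `TRIM(b::text, '"')` cast at the same time. If `aws_macie2_classification_job` exposes the job state, filtering out cancelled jobs would keep a long-dead job from marking a bucket protected; otherwise a comment like `-- any job that ever referenced the bucket counts, regardless of job state` should say so.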
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_2_1 title: 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions +type: control description: Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_3_1.yaml b/compliance/controls/aws/aws_cis_v300_2_3_1.yaml index ba697d225..7d09c9d7d 100644 --- a/compliance/controls/aws/aws_cis_v300_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_3_1.yaml 
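Review bot: The query evaluates the `encrypted` flag of existing volumes, while the control title ("Ensure EBS Volume Encryption is Enabled in all Regions") describes the regional EBS encryption-by-default setting, so a region with default encryption turned off but no volumes yields no finding at all, and an account whose volumes were all encrypted individually passes even though new volumes will be created unencrypted. If the inventory exposes the per-region EBS encryption-by-default setting, the control should evaluate that (one row per region) instead of, or in addition to, per-volume state; otherwise the title should be narrowed to describe what is actually checked. As written, the per-volume result is still useful, but it answers a different question than the benchmark item it is named after.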
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_3_1 title: 2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances +type: control description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_3_2.yaml b/compliance/controls/aws/aws_cis_v300_2_3_2.yaml index b8f69996a..1b5da06ee 100644 --- a/compliance/controls/aws/aws_cis_v300_2_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_3_2.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_3_2 title: 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances +type: control description: Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades not enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades not enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_3_3.yaml b/compliance/controls/aws/aws_cis_v300_2_3_3.yaml index 51f05a219..514b9184e 100644 --- a/compliance/controls/aws/aws_cis_v300_2_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_3_3.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_3_3 title: 2.3.3 Ensure that public access is not given to RDS Instance +type: control description: Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_2_4_1.yaml b/compliance/controls/aws/aws_cis_v300_2_4_1.yaml index dd26e23ed..667bce82c 100644 --- a/compliance/controls/aws/aws_cis_v300_2_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_2_4_1.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_2_4_1 title: 2.4.1 Ensure that encryption is enabled for EFS file systems +type: control description: EFS data should be encrypted at rest using AWS KMS (Key Management Service). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_efs_file_system; + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_efs_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_3_2.yaml b/compliance/controls/aws/aws_cis_v300_3_2.yaml index 4774576da..f2a90eb48 100644 --- a/compliance/controls/aws/aws_cis_v300_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_2.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v300_3_2 title: 3.2 Ensure CloudTrail log file validation is enabled +type: control description: CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_3_3.yaml b/compliance/controls/aws/aws_cis_v300_3_3.yaml index b0673c07d..94ea8ba77 100644 --- a/compliance/controls/aws/aws_cis_v300_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_3.yaml 
@@ -1,70 +1,71 @@ id: aws_cis_v300_3_3 title: 3.3 Ensure AWS Config is enabled in all regions +type: control description: AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_config_configuration_recorder - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - ) - - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_config_configuration_recorder + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ) + + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN g.global_config_recorders >= 1 + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + THEN 'OK' + WHEN a.opt_in_status = 'not-opted-in' + THEN 'SKIP' + ELSE 'ALARM' + END AS status, + CASE + WHEN 
a.opt_in_status = 'not-opted-in' + THEN a.region || ' region is disabled.' + ELSE CASE - WHEN g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 'OK' - WHEN a.opt_in_status = 'not-opted-in' - THEN 'SKIP' - ELSE 'ALARM' - END AS status, + WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' + THEN a.region || ' IncludeGlobalResourceTypes enabled,' + ELSE a.region || ' IncludeGlobalResourceTypes disabled,' + END || CASE - WHEN a.opt_in_status = 'not-opted-in' - THEN a.region || ' region is disabled.' - ELSE - CASE - WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true' - THEN a.region || ' IncludeGlobalResourceTypes enabled,' - ELSE a.region || ' IncludeGlobalResourceTypes disabled,' - END || - CASE - WHEN recording_group -> 'AllSupported' = 'true' - THEN ' AllSupported enabled,' - ELSE ' AllSupported disabled,' - END || - CASE - WHEN status ->> 'Recording' = 'true' - THEN ' Recording enabled' - ELSE ' Recording disabled' - END || - CASE - WHEN status ->> 'LastStatus' = 'SUCCESS' - THEN ' and LastStatus is SUCCESS.' - ELSE ' and LastStatus is not SUCCESS.' - END - END AS reason - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN - aws_config_configuration_recorder AS r - ON - r.account_id = a.account_id - AND r.region = a.name; + WHEN recording_group -> 'AllSupported' = 'true' + THEN ' AllSupported enabled,' + ELSE ' AllSupported disabled,' + END || + CASE + WHEN status ->> 'Recording' = 'true' + THEN ' Recording enabled' + ELSE ' Recording disabled' + END || + CASE + WHEN status ->> 'LastStatus' = 'SUCCESS' + THEN ' and LastStatus is SUCCESS.' + ELSE ' and LastStatus is not SUCCESS.' + END + END AS reason + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN + aws_config_configuration_recorder AS r + ON + r.account_id = a.account_id + AND r.region = a.name; severity: low tags: {} 
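Review bot: The status values `'OK'`, `'SKIP'` and `'ALARM'` in this definition are uppercase while every other control in this change emits lowercase `'ok'`, `'skip'` and `'alarm'`; unless the consumer normalises case, these rows will not be counted together with the rest. Lowercasing the three literals in the status CASE fixes that. Separately, `r.platform_integration_id` and `r.platform_resource_id` come from the outer-joined recorder table, so for exactly the regions that alarm because no recorder exists these columns are NULL; if `aws_region` carries the same platform columns, `a.platform_integration_id` / `a.platform_resource_id` would keep the finding attributable. The `global_recorders AS g, aws_region AS a LEFT JOIN ...` form mixes a comma join with an explicit join; `CROSS JOIN global_recorders AS g` would make the intended single-row product visible.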
diff --git a/compliance/controls/aws/aws_cis_v300_3_4.yaml b/compliance/controls/aws/aws_cis_v300_3_4.yaml index eca09afc0..0f128ceeb 100644 --- a/compliance/controls/aws/aws_cis_v300_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_4.yaml 
@@ -1,30 +1,31 @@ id: aws_cis_v300_3_4 title: 3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket +type: control description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.logging IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - END AS reason - FROM - aws_cloudtrail_trail t - INNER JOIN - aws_s3_bucket b ON t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.logging IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.logging IS NOT NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' + ELSE t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' + END AS reason + FROM + aws_cloudtrail_trail t + INNER JOIN + aws_s3_bucket b ON t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: low tags: {} 
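Review bot: `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` silently drops any trail whose log bucket is not in the inventory, which is the normal case for organization or centralised-logging trails that deliver to a bucket in another account, so those trails produce neither an ok nor an alarm row. A `LEFT JOIN` plus a third branch in both CASE expressions keeps them visible: `WHEN b.name IS NULL THEN 'skip'` for status and `WHEN b.name IS NULL THEN t.title || '''s logging bucket ' || t.s3_bucket_name || ' is not in the inventory.'` for reason, each placed before the existing `b.logging IS NOT NULL` branch. Whether 'skip' or 'info' is the right verdict depends on how the platform treats resources it cannot evaluate.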
diff --git a/compliance/controls/aws/aws_cis_v300_3_5.yaml b/compliance/controls/aws/aws_cis_v300_3_5.yaml index 5a9df0477..713344367 100644 --- a/compliance/controls/aws/aws_cis_v300_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_5.yaml 
@@ -1,28 +1,29 @@ id: aws_cis_v300_3_5 title: 3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs +type: control description: AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' - ELSE title || ' logs are encrypted at rest.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' + ELSE title || ' logs are encrypted at rest.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_3_6.yaml b/compliance/controls/aws/aws_cis_v300_3_6.yaml index 888d96119..331377449 100644 
--- a/compliance/controls/aws/aws_cis_v300_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_6.yaml 
@@ -1,34 +1,35 @@ id: aws_cis_v300_3_6 title: 3.6 Ensure rotation for customer-created symmetric CMKs is enabled +type: control description: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the customer-created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin = 'EXTERNAL' THEN 'skip' - WHEN key_state = 'PendingDeletion' THEN 'skip' - WHEN key_state = 'Disabled' THEN 'skip' - WHEN NOT key_rotation_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' - WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' - WHEN key_state = 'Disabled' THEN title || ' is disabled.' - WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' - ELSE title || ' key rotation enabled.' 
- END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin = 'EXTERNAL' THEN 'skip' + WHEN key_state = 'PendingDeletion' THEN 'skip' + WHEN key_state = 'Disabled' THEN 'skip' + WHEN NOT key_rotation_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' + WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' + WHEN key_state = 'Disabled' THEN title || ' is disabled.' + WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' + ELSE title || ' key rotation enabled.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_3_8.yaml b/compliance/controls/aws/aws_cis_v300_3_8.yaml index b1f78751c..f05ffc766 100644 --- a/compliance/controls/aws/aws_cis_v300_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_8.yaml 
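Review bot: The status CASE treats a NULL `key_rotation_enabled` as a pass, because `WHEN NOT key_rotation_enabled` evaluates to UNKNOWN for NULL and the row falls through to `ELSE 'ok'`; for asymmetric and HMAC keys, whose rotation status cannot be read, that is a silent pass rather than the exclusion the description promises ('Key rotation can not be enabled for any asymmetric CMK'). Adding a branch before the rotation check — `WHEN key_spec <> 'SYMMETRIC_DEFAULT' THEN 'skip'` if the table exposes the key spec, otherwise `WHEN key_rotation_enabled IS NULL THEN 'skip'` — with a matching reason line keeps non-rotatable keys out of the pass column. Writing the remaining check as `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` then makes any other NULL fail closed instead of open.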
@@ -1,57 +1,58 @@ id: aws_cis_v300_3_8 title: 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector, - platform_integration_id, - platform_resource_id - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' - ELSE b.name || ' object-level write events logging disabled.' 
- END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON - bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, - b.platform_integration_id, - b.platform_resource_id, - b.region, - b.arn, - b.name, - b.tags, - b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector, + platform_integration_id, + platform_resource_id + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('WriteOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' + ELSE b.name || ' object-level write events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON + bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, + b.platform_integration_id, + b.platform_resource_id, + b.region, + b.arn, + b.name, + b.tags, + b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_3_9.yaml b/compliance/controls/aws/aws_cis_v300_3_9.yaml index a0d98853a..dfbff7d0b 100644 --- a/compliance/controls/aws/aws_cis_v300_3_9.yaml +++ b/compliance/controls/aws/aws_cis_v300_3_9.yaml 
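Review bot: The join predicate `bucket_selector LIKE (b.arn || '%')` is a plain prefix match, so a data-event selector written for one bucket also satisfies every bucket whose name is a prefix of it (for example, a selector for a bucket named `logs-archive` also matches a bucket named `logs`), and the shorter-named bucket is reported as having write-event logging enabled. Matching on the object-prefix form, `bucket_selector LIKE (b.arn || '/%')`, limits the hit to that bucket, since a whole-bucket selector carries the trailing slash. The `s3_selectors` CTE also does not require `is_logging`, so a stopped multi-region trail still counts; adding `AND is_logging` to its WHERE would fix that. The same join predicate appears in aws_cis_v300_3_9.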
@@ -1,54 +1,55 @@ id: aws_cis_v300_3_9 title: 3.9 Ensure that Object-level logging for read events is enabled for S3 bucket +type: control description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS + ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector, + platform_integration_id, + platform_resource_id + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector, - platform_integration_id, - platform_resource_id - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN - ( - 'ReadOnly', - 'All' - ) + 'ReadOnly', + 'All' ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging 
enabled.' - ELSE b.name || ' object-level read events logging disabled.' - END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, b.platform_integration_id, b.platform_resource_id, b.region, b.arn, b.name, b.tags, b._ctx; + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' + ELSE b.name || ' object-level read events logging disabled.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, b.platform_integration_id, b.platform_resource_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_4_11.yaml b/compliance/controls/aws/aws_cis_v300_4_11.yaml index 301ea8751..8cd819559 100644 --- a/compliance/controls/aws/aws_cis_v300_4_11.yaml +++ b/compliance/controls/aws/aws_cis_v300_4_11.yaml 
@@ -1,90 +1,91 @@ id: aws_cis_v300_4_11 title: 4.11 Ensure Network Access Control Lists (NACL) changes are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' - ORDER BY - filter_name - ), - 
filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' - ELSE filter_name || ' forwards events for changes to NACLs.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' + ELSE filter_name || ' forwards events for changes to NACLs.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_4_12.yaml b/compliance/controls/aws/aws_cis_v300_4_12.yaml index 298bd5030..03efb6f6a 100644 --- a/compliance/controls/aws/aws_cis_v300_4_12.yaml +++ b/compliance/controls/aws/aws_cis_v300_4_12.yaml 
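Review bot: The `metric_filters` regex requires the six NACL event names to appear in one fixed order with `.+` between them, so a filter pattern that lists the same events in any other order is reported as 'No log metric filter and alarm exist', a false alarm against a compliant account. Testing each event with its own pattern makes the check order-independent; the trailing word boundary is needed because `CreateNetworkAcl` is a prefix of `CreateNetworkAclEntry`. The same order-dependent regex is used for the gateway events in aws_cis_v300_4_12. Less importantly, the `ORDER BY` clauses inside the CTEs have no effect on the result and can be dropped, and the `trails` CTE only reads `event_selectors`, so a trail configured with advanced event selectors only is presumably excluded — worth confirming.

```sql
-- … unchanged: metric_filters SELECT list and FROM …
WHERE
  filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateNetworkAcl\y'
  AND filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateNetworkAclEntry\y'
  AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteNetworkAcl\y'
  AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteNetworkAclEntry\y'
  AND filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceNetworkAclEntry\y'
  AND filter.filter_pattern ~ '\$\.eventName\s*=\s*ReplaceNetworkAclAssociation\y'
-- … unchanged: filter_data CTE and final SELECT …
```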
@@ -1,90 +1,91 @@ id: aws_cis_v300_4_12 title: 4.12 Ensure changes to network gateways are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - 
t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' - ELSE filter_name || ' forwards events for changes to network gateways.' - END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' + ELSE filter_name || ' forwards events for changes to network gateways.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_4_14.yaml b/compliance/controls/aws/aws_cis_v300_4_14.yaml index 15eb0e477..9027bb3aa 100644 --- a/compliance/controls/aws/aws_cis_v300_4_14.yaml +++ b/compliance/controls/aws/aws_cis_v300_4_14.yaml 
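Review bot: The `metric_filters` CTE only recognises a filter whose pattern names the six gateway events in exactly this order, because the regex chains them with `.+`; a pattern that lists the same events in a different order is therefore reported as 'No log metric filter and alarm exist' even though monitoring is in place. Matching each event name with its own `~` predicate joined by `AND` removes the order dependence without widening what is accepted. The same order-dependent regex is in the 4.14 hunk below (and in the 4.11 hunk above, whose start is outside this view). The `ORDER BY` clauses inside the CTEs have no effect on the final result and can be dropped.
```yaml
        WHERE
          filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateCustomerGateway'
          AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteCustomerGateway'
          AND filter.filter_pattern ~ '\$\.eventName\s*=\s*AttachInternetGateway'
          AND filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateInternetGateway'
          AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DeleteInternetGateway'
          AND filter.filter_pattern ~ '\$\.eventName\s*=\s*DetachInternetGateway'
        -- … unchanged: ORDER BY filter_name and the remaining CTEs …
```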
@@ -1,90 +1,91 @@ id: aws_cis_v300_4_14 title: 4.14 Ensure VPC changes are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - ORDER BY - trail_name - ), - alarms AS ( - SELECT - metric_name, - action_arn AS topic_arn - FROM - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn - ORDER BY - metric_name - ), - topic_subscriptions AS ( - SELECT - subscription_arn, - topic_arn - FROM - aws_sns_topic_subscription - ORDER BY - subscription_arn - ), - metric_filters AS ( - SELECT - filter.name AS filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - FROM - aws_cloudwatch_log_metric_filter AS filter - WHERE - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - ORDER BY - filter_name - ), - filter_data AS ( - SELECT - t.account_id, - t.trail_name, - f.filter_name - FROM - trails AS t - JOIN - metric_filters AS f ON f.log_group_name = t.log_group_name - JOIN - alarms AS alarm ON alarm.metric_name = f.metric_transformation_name - JOIN - topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - f.account_id AS platform_integration_id, - f.trail_name AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' - ELSE filter_name || ' forwards events for VPC changes.' 
- END AS reason - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + ORDER BY + trail_name + ), + alarms AS ( + SELECT + metric_name, + action_arn AS topic_arn + FROM + aws_cloudwatch_alarm, + jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) AS action_arn + ORDER BY + metric_name + ), + topic_subscriptions AS ( + SELECT + subscription_arn, + topic_arn + FROM + aws_sns_topic_subscription + ORDER BY + subscription_arn + ), + metric_filters AS ( + SELECT + filter.name AS filter_name, + filter_pattern, + log_group_name, + metric_transformation_name + FROM + aws_cloudwatch_log_metric_filter AS filter + WHERE + filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' + ORDER BY + filter_name + ), + filter_data AS ( + SELECT + t.account_id, + t.trail_name, + f.filter_name + FROM + trails AS t + JOIN + metric_filters AS f ON f.log_group_name = t.log_group_name + JOIN + alarms AS alarm ON alarm.metric_name = f.metric_transformation_name + JOIN + topic_subscriptions AS subscription ON subscription.topic_arn = alarm.topic_arn + ) + SELECT + 
DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + f.account_id AS platform_integration_id, + f.trail_name AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' + ELSE filter_name || ' forwards events for VPC changes.' + END AS reason + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_5_2.yaml b/compliance/controls/aws/aws_cis_v300_5_2.yaml index c610c3034..736d24381 100644 --- a/compliance/controls/aws/aws_cis_v300_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_2.yaml 
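Review bot: `f.account_id AS platform_integration_id` and `f.trail_name AS platform_resource_id` in the final SELECT read from the LEFT JOIN side, so every row that reports `'alarm'` (no matching filter, all of `f` is NULL) carries NULL identifiers, and the 'ok' rows put an account id where the sibling controls put `a.platform_integration_id`. Since `resource` is the account ARN, the row should identify the account as the 4.12 hunk does: `a.platform_integration_id AS platform_integration_id, a.platform_resource_id AS platform_resource_id`. `primary_resource: aws_cloudtrail_trail` also looks inconsistent with an account-level resource ARN (4.12 declares `aws_account`); worth confirming which is intended.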
@@ -1,69 +1,70 @@ id: aws_cis_v300_5_2 title: 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' + ) + AND ( + ( ip_protocol = '-1' + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 ) - AND ( - ( ip_protocol = '-1' - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) + OR ( + from_port >= 3389 + AND to_port <= 3389 ) - GROUP BY - group_id - ), - security_groups AS ( - SELECT - arn, - tags, - region, - account_id, - group_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx - FROM - aws_vpc_security_group - ORDER BY - group_id ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow 
ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - END AS reason - FROM - security_groups AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + GROUP BY + group_id + ), + security_groups AS ( + SELECT + arn, + tags, + region, + account_id, + group_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx + FROM + aws_vpc_security_group + ORDER BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason + FROM + security_groups AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_5_3.yaml b/compliance/controls/aws/aws_cis_v300_5_3.yaml index 3cc0f242c..a3a2dd2ab 100644 --- a/compliance/controls/aws/aws_cis_v300_5_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_3.yaml 
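Review bot: The port predicates in `bad_rules` are inverted: `from_port >= 22 AND to_port <= 22` only matches a rule whose range is exactly 22–22, so a rule opening 0–65535, 20–25 or 22–3389 from 0.0.0.0/0 is not counted and the group is reported 'ok'. A range contains port 22 when `from_port <= 22 AND to_port >= 22`, and likewise `from_port <= 3389 AND to_port >= 3389`. The same inverted comparison is in the 5.3 hunk below. The `ip_protocol = '-1' AND from_port IS NULL` branch correctly covers the all-traffic case and can stay as is.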
@@ -1,54 +1,55 @@ id: aws_cis_v300_5_3 title: 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv6 = '::/0' + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv6 = '::/0' + ) + AND ( + ( ip_protocol = '-1' -- all traffic + AND from_port IS NULL + ) + OR ( + from_port >= 22 + AND to_port <= 22 ) - AND ( - ( ip_protocol = '-1' -- all traffic - AND from_port IS NULL - ) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) + OR ( + from_port >= 3389 + AND to_port <= 3389 ) - GROUP BY - group_id ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_5_5.yaml b/compliance/controls/aws/aws_cis_v300_5_5.yaml index 166c240a9..0ccb5095b 100644 --- a/compliance/controls/aws/aws_cis_v300_5_5.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_5.yaml 
@@ -1,20 +1,21 @@ id: aws_cis_v300_5_5 title: 5.5 Ensure routing tables for VPC peering are "least access" +type: control description: Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason - FROM - aws_account; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason + FROM + aws_account; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cis_v300_5_6.yaml b/compliance/controls/aws/aws_cis_v300_5_6.yaml index 9dbacc10f..44424abf6 100644 --- a/compliance/controls/aws/aws_cis_v300_5_6.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_6.yaml 
@@ -1,26 +1,27 @@ id: aws_cis_v300_5_6 title: 5.6 Ensure that EC2 Metadata Service only allows IMDSv2 +type: control description: When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml b/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml index ddb5d79e1..27efef6cf 100644 --- a/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml 
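Review bot: `metadata_options ->> 'HttpTokens' = 'optional'` evaluates to NULL when `metadata_options` is NULL or has no `HttpTokens` key, so such instances fall into the ELSE branch and are reported as configured for IMDSv2 with no evidence. Failing closed is safer for this control: `WHEN metadata_options ->> 'HttpTokens' IS DISTINCT FROM 'required' THEN 'alarm'`, which flags 'optional', missing and unexpected values alike. If instances whose metadata endpoint is disabled are meant to pass, that needs an explicit branch rather than relying on the NULL fall-through.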
@@ -1,40 +1,41 @@ id: aws_cloudformation_stack_drift_detection_check title: CloudFormation stacks differ from the expected configuration +type: control description: Ensure that the actual configuration of a Cloud Formation stack differs, or has drifted, from the expected configuration, a stack is considered to have drifted if one or more of its resources differ from their expected configuration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN stack_drift_status = 'IN_SYNC' THEN 'ok' - WHEN stack_drift_status = 'DRIFTED' THEN 'alarm' - ELSE 'skip' - END AS status, - CASE - WHEN stack_drift_status = 'IN_SYNC' THEN title || ' drift status is ' || stack_drift_status || '.' - WHEN stack_drift_status = 'DRIFTED' THEN title || ' drift status is ' || stack_drift_status || '.' - ELSE title || ' drift status is ' || stack_drift_status || '.' - END AS reason, - region, - account_id - FROM - aws_cloudformation_stack; + language: sql + primary_resource: aws_cloudformation_stack + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN stack_drift_status = 'IN_SYNC' THEN 'ok' + WHEN stack_drift_status = 'DRIFTED' THEN 'alarm' + ELSE 'skip' + END AS status, + CASE + WHEN stack_drift_status = 'IN_SYNC' THEN title || ' drift status is ' || stack_drift_status || '.' + WHEN stack_drift_status = 'DRIFTED' THEN title || ' drift status is ' || stack_drift_status || '.' + ELSE title || ' drift status is ' || stack_drift_status || '.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudformation_stack; severity: high tags: - category: - - Compliance - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CloudFormation + category: + - Compliance + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CloudFormation diff --git a/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml index b50bf814c..cb49d0d9e 100644 --- a/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml 
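Review bot: The three branches of the `reason` CASE produce the identical string, so the expression reduces to `title || ' drift status is ' || stack_drift_status || '.' AS reason`. When `stack_drift_status` is NULL (drift detection never run) the `status` is 'skip' but the concatenation makes `reason` NULL; `COALESCE(stack_drift_status, 'unknown')` inside the expression keeps the reason readable for those rows.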
@@ -1,40 +1,41 @@ id: aws_cloudformation_stack_notifications_enabled title: CloudFormation stacks should have notifications enabled +type: control description: Ensure CloudFormation stacks are associated with an SNS topic to receive notifications when an event occurs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(notification_arns) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(notification_arns) > 0 THEN title || ' notifications enabled.' - ELSE title || ' notifications disabled.' - END AS reason, - region, - account_id - FROM - aws_cloudformation_stack; + language: sql + primary_resource: aws_cloudformation_stack + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(notification_arns) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(notification_arns) > 0 THEN title || ' notifications enabled.' + ELSE title || ' notifications disabled.' + END AS reason, + region, + account_id + FROM + aws_cloudformation_stack; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - application_monitoring - foundational_security_item_id: - - cloudformation_1 - plugin: - - aws - service: - - AWS/CloudFormation + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - application_monitoring + foundational_security_item_id: + - cloudformation_1 + plugin: + - aws + service: + - AWS/CloudFormation 
diff --git a/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml b/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml index 4f80d4538..134505ed1 100644 --- a/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml 
@@ -1,56 +1,57 @@ id: aws_cloudformation_stack_output_no_secrets title: CloudFormation stacks outputs should not have any secrets +type: control description: Ensure CloudFormation stacks outputs do not contain secrets like user names, passwords, and tokens. It is recommended to remove secrets since outputs cannot be encrypted resulting in any entity with basic read-metadata-only and access to CloudFormation outputs having access to these secrets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - WITH stack_output AS ( - SELECT - id, - jsonb_array_elements(outputs) -> 'OutputKey' AS k, - jsonb_array_elements(outputs) -> 'OutputValue' AS v, - region, - account_id, - tags, - _ctx, - outputs, - title, - platform_integration_id, - platform_resource_id - FROM - aws_cloudformation_stack - ), - stack_with_secrets AS ( - SELECT - DISTINCT id - FROM - stack_output - WHERE - LOWER(k::text) LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR k::text ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - OR LOWER(v::text) LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR v::text ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - ) - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.outputs IS NULL THEN 'ok' - WHEN s.id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.outputs IS NULL THEN title || ' has no outputs.' - WHEN s.id IS NULL THEN title || ' no secrets found in outputs.' - ELSE title || ' has secrets in outputs.' 
- END AS reason - FROM - stack_output AS c - LEFT JOIN stack_with_secrets AS s ON c.id = s.id + language: sql + primary_resource: aws_cloudformation_stack + definition: | + WITH stack_output AS ( + SELECT + id, + jsonb_array_elements(outputs) -> 'OutputKey' AS k, + jsonb_array_elements(outputs) -> 'OutputValue' AS v, + region, + account_id, + tags, + _ctx, + outputs, + title, + platform_integration_id, + platform_resource_id + FROM + aws_cloudformation_stack + ), + stack_with_secrets AS ( + SELECT + DISTINCT id + FROM + stack_output + WHERE + LOWER(k::text) LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR k::text ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + OR LOWER(v::text) LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR v::text ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + ) + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.outputs IS NULL THEN 'ok' + WHEN s.id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.outputs IS NULL THEN title || ' has no outputs.' + WHEN s.id IS NULL THEN title || ' no secrets found in outputs.' + ELSE title || ' has secrets in outputs.' + END AS reason + FROM + stack_output AS c + LEFT JOIN stack_with_secrets AS s ON c.id = s.id severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml index 5ad98c9a4..f5300b325 100644 --- a/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml 
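Review bot: The final SELECT reads `FROM stack_output AS c`, and `stack_output` expands `jsonb_array_elements(outputs)` in its select list, so in PostgreSQL a stack with NULL or empty `outputs` contributes zero rows — the `WHEN c.outputs IS NULL THEN 'ok'` / `' has no outputs.'` branches are unreachable and such stacks are silently absent from the result, while a stack with N outputs is emitted N times. Selecting from the base table fixes both: `FROM aws_cloudformation_stack AS c LEFT JOIN stack_with_secrets AS s ON c.id = s.id;` (the `stack_output` columns other than `id`, `k`, `v` then become unused). The `'%key%'` pattern will also match output names such as `KeyName`, so expect some noise from this heuristic; the trailing `;` present in the other definitions is missing here.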
@@ -1,26 +1,27 @@ id: aws_cloudformation_stack_rollback_enabled title: CloudFormation stacks should have rollback enabled +type: control description: Ensure CloudFormation stacks have the rollback feature enabled. Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during stack creation and updating, and to rollback that operation if the application breaches the threshold of any of the alarms you've specified. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT disable_rollback THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT disable_rollback THEN title || ' rollback enabled.' - ELSE title || ' rollback disabled.' - END AS reason - FROM - aws_cloudformation_stack; + language: sql + primary_resource: aws_cloudformation_stack + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT disable_rollback THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT disable_rollback THEN title || ' rollback enabled.' + ELSE title || ' rollback disabled.' + END AS reason + FROM + aws_cloudformation_stack; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml index a7f107f67..6961d85c0 100644 --- a/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_cloudformation_stack_termination_protection_enabled title: Cloudformation stacks termination protection should be enabled +type: control description: Ensure that AWS CloudFormation stacks have termination protection feature enabled in order to protect them from being accidentally deleted. The safety feature can be enabled when you create the CloudFormation stack or for existing stacks using the AWS API (UpdateTerminationProtection command). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enable_termination_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_termination_protection THEN title || ' termination protection enabled.' - ELSE title || ' termination protection disabled.' - END AS reason - FROM - aws_cloudformation_stack; + language: sql + primary_resource: aws_cloudformation_stack + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enable_termination_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_termination_protection THEN title || ' termination protection enabled.' + ELSE title || ' termination protection disabled.' + END AS reason + FROM + aws_cloudformation_stack; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml b/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml index 9ea280761..45a7b3e22 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml 
@@ -1,40 +1,41 @@ id: aws_cloudfront_distribution_configured_with_origin_failover title: CloudFront distributions should have origin failover configured +type: control description: This control checks whether an AWS CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin_groups ->> 'Items' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN origin_groups ->> 'Items' IS NOT NULL THEN title || ' origin group is configured.' - ELSE title || ' origin group not configured.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin_groups ->> 'Items' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN origin_groups ->> 'Items' IS NOT NULL THEN title || ' origin group is configured.' + ELSE title || ' origin group not configured.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - cloudfront_4 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - cloudfront_4 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml index 11226fbf0..5442d3522 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml 
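Review bot: The status test `WHEN origin_groups ->> 'Items' IS NOT NULL THEN 'ok'` only checks that the key is present; an empty `Items` array is non-null and would report `ok`, and nothing verifies that any group actually contains two or more origins as the description promises. A closer test for the status and reason branches is `WHEN COALESCE(JSONB_ARRAY_LENGTH(origin_groups -> 'Items'), 0) > 0 THEN 'ok'`; checking the member count of each group would need a lateral expansion of the array like the sibling CloudFront controls use. Whether the API ever returns `Items: []` rather than omitting the key is not visible from this diff, so the stricter form is worth confirming against real data.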
@@ -1,73 +1,74 @@ id: aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled title: CloudFront distributions should encrypt traffic to custom origins +type: control description: This control checks if AWS CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH viewer_protocol_policy_value AS ( - SELECT - DISTINCT arn - FROM - aws_cloudfront_distribution, - JSONB_ARRAY_ELEMENTS( - CASE JSONB_TYPEOF(cache_behaviors -> 'Items') - WHEN 'array' THEN (cache_behaviors -> 'Items') - ELSE NULL END - ) AS cb - WHERE - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ), - origin_protocol_policy_value AS ( - SELECT - DISTINCT arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy - FROM - aws_cloudfront_distribution, - JSONB_ARRAY_ELEMENTS(origins) AS o - WHERE - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only' - OR o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'http-only' THEN 'alarm' - WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'match-viewer' AND - ( v.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'http-only' - THEN title || ' custom origins traffic not encrypted in transit.' 
- WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'match-viewer' AND - (v.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all')) - THEN title || ' custom origins traffic not encrypted in transit.' - ELSE title || ' custom origins traffic encrypted in transit.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution AS b - LEFT JOIN origin_protocol_policy_value AS o ON b.arn = o.arn - LEFT JOIN viewer_protocol_policy_value AS v ON b.arn = v.arn + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH viewer_protocol_policy_value AS ( + SELECT + DISTINCT arn + FROM + aws_cloudfront_distribution, + JSONB_ARRAY_ELEMENTS( + CASE JSONB_TYPEOF(cache_behaviors -> 'Items') + WHEN 'array' THEN (cache_behaviors -> 'Items') + ELSE NULL END + ) AS cb + WHERE + cb ->> 'ViewerProtocolPolicy' = 'allow-all' + ), + origin_protocol_policy_value AS ( + SELECT + DISTINCT arn, + o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy + FROM + aws_cloudfront_distribution, + JSONB_ARRAY_ELEMENTS(origins) AS o + WHERE + o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only' + OR o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'http-only' THEN 'alarm' + WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'match-viewer' AND + ( v.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'http-only' + THEN title || ' custom origins traffic not encrypted in transit.' 
+ WHEN o.arn IS NOT NULL AND o.origin_protocol_policy = 'match-viewer' AND + (v.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all')) + THEN title || ' custom origins traffic not encrypted in transit.' + ELSE title || ' custom origins traffic encrypted in transit.' + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution AS b + LEFT JOIN origin_protocol_policy_value AS o ON b.arn = o.arn + LEFT JOIN viewer_protocol_policy_value AS v ON b.arn = v.arn severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - cloudfront_9 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - cloudfront_9 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml b/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml index 7c9874e06..8553fb3c1 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml 
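Review bot: `origin_protocol_policy_value` emits one row per distinct `(arn, origin_protocol_policy)` pair, so a distribution with one `http-only` and one `match-viewer` custom origin joins to two result rows for the same `resource`, and the second row can even report `ok` when the viewer policy is strict. Aggregating the CTE to one row per `arn` with `BOOL_OR` flags removes the duplicate keys and keeps the evaluation order (`http-only` wins over `match-viewer`). The final query also lacks the trailing `;` that every sibling definition in this diff carries. With all-S3 origins the flags are NULL and fall through to `ok`, matching today's behaviour.
```sql
origin_protocol_policy_value AS (
  SELECT
    arn,
    BOOL_OR(o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only') AS has_http_only,
    BOOL_OR(o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer') AS has_match_viewer
  FROM
    aws_cloudfront_distribution,
    JSONB_ARRAY_ELEMENTS(origins) AS o
  GROUP BY
    arn
)
-- … unchanged: outer SELECT resource / platform columns …
CASE
  WHEN o.has_http_only THEN 'alarm'
  WHEN o.has_match_viewer AND
    ( v.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') )
  THEN 'alarm'
  ELSE 'ok'
END AS status,
-- … unchanged: reason CASE, rewritten to test the same two flags …
```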
@@ -1,40 +1,41 @@ id: aws_cloudfront_distribution_default_root_object_configured title: CloudFront distributions should have a default root object configured +type: control description: This control checks whether an AWS CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN default_root_object = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN default_root_object = '' THEN title || ' default root object not configured.' - ELSE title || ' default root object configured.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN default_root_object = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN default_root_object = '' THEN title || ' default root object not configured.' + ELSE title || ' default root object configured.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: critical tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_not_publicly_accessible - foundational_security_item_id: - - cloudfront_1 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_not_publicly_accessible + foundational_security_item_id: + - cloudfront_1 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml index eef589765..595633473 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml 
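Review bot: `WHEN default_root_object = '' THEN 'alarm' ELSE 'ok'` lets a NULL `default_root_object` fall through to `ok`, because `NULL = ''` is unknown; a distribution with no root object at all would then pass the control. Guarding both CASE expressions with `WHEN COALESCE(default_root_object, '') = '' THEN 'alarm'` closes that gap. Whether the column can be NULL depends on how the collector maps an absent field, which this diff does not show. The same pattern appears in the field-level-encryption hunk (`->> 'FieldLevelEncryptionId' = ''`) and the geo-restriction hunk (`->> 'RestrictionType' = 'none'`), where a missing JSON key likewise yields `ok`.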
@@ -1,59 +1,60 @@ id: aws_cloudfront_distribution_encryption_in_transit_enabled title: CloudFront distributions should require encryption in transit +type: control description: This control checks whether an AWS CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH data AS ( - SELECT - DISTINCT arn - FROM - aws_cloudfront_distribution, - jsonb_array_elements( - CASE jsonb_typeof(cache_behaviors -> 'Items') - WHEN 'array' THEN (cache_behaviors -> 'Items') - ELSE NULL - END - ) AS cb - WHERE - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN d.arn IS NOT NULL - OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN d.arn IS NOT NULL - OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') - THEN title || ' data not encrypted in transit.' - ELSE title || ' data encrypted in transit.' 
- END AS reason, - b.region, - b.account_id - FROM - aws_cloudfront_distribution AS b - LEFT JOIN data AS d ON b.arn = d.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH data AS ( + SELECT + DISTINCT arn + FROM + aws_cloudfront_distribution, + jsonb_array_elements( + CASE jsonb_typeof(cache_behaviors -> 'Items') + WHEN 'array' THEN (cache_behaviors -> 'Items') + ELSE NULL + END + ) AS cb + WHERE + cb ->> 'ViewerProtocolPolicy' = 'allow-all' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN d.arn IS NOT NULL + OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN d.arn IS NOT NULL + OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') + THEN title || ' data not encrypted in transit.' + ELSE title || ' data encrypted in transit.' + END AS reason, + b.region, + b.account_id + FROM + aws_cloudfront_distribution AS b + LEFT JOIN data AS d ON b.arn = d.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - cloudfront_3 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - cloudfront_3 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml index 56d852010..33e3263da 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml 
+++ b/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml @@ -1,26 +1,27 @@ id: aws_cloudfront_distribution_field_level_encryption_enabled title: CloudFront distributions should have field level encryption enabled +type: control description: This control checks whether an AWS CloudFront distribution has field-level encryption enabled. The control fails if CloudFront distribution field-level encryption is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN default_cache_behavior ->> 'FieldLevelEncryptionId' = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN default_cache_behavior ->> 'FieldLevelEncryptionId' = '' THEN title || ' field level encryption disabled.' - ELSE title || ' field level encryption enabled.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN default_cache_behavior ->> 'FieldLevelEncryptionId' = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN default_cache_behavior ->> 'FieldLevelEncryptionId' = '' THEN title || ' field level encryption disabled.' + ELSE title || ' field level encryption enabled.' + END AS reason + FROM + aws_cloudfront_distribution; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml index 0b8388096..3fa182cf8 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml 
+++ b/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml @@ -1,26 +1,27 @@ id: aws_cloudfront_distribution_geo_restrictions_enabled title: CloudFront distributions should have geo restriction enabled +type: control description: Geographic restriction is used to restrict access to all of the files that are associated with a distribution at the country level. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' THEN title || ' Geo Restriction disabled.' - ELSE title || ' Geo Restriction enabled.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' THEN title || ' Geo Restriction disabled.' + ELSE title || ' Geo Restriction enabled.' + END AS reason + FROM + aws_cloudfront_distribution; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml b/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml index 34aece6b1..c942ea7f6 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml 
@@ -1,28 +1,29 @@ id: aws_cloudfront_distribution_latest_tls_version title: CloudFront distributions should have latest TLS version +type: control description: This control checks whether CloudFront distribution uses latest TLS version. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN viewer_certificate ->> 'CertificateSource' = 'cloudfront' - AND viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN viewer_certificate ->> 'CertificateSource' = 'cloudfront' - AND viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' THEN title || ' uses latest TLS version.' - ELSE title || ' does not use latest TLS version.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN viewer_certificate ->> 'CertificateSource' = 'cloudfront' + AND viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN viewer_certificate ->> 'CertificateSource' = 'cloudfront' + AND viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' THEN title || ' uses latest TLS version.' + ELSE title || ' does not use latest TLS version.' + END AS reason + FROM + aws_cloudfront_distribution; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml index 3dd37145e..a16f6241a 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml 
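Review bot: The `ok` branch requires `CertificateSource = 'cloudfront'` AND `MinimumProtocolVersion = 'TLSv1.2_2021'`, so a distribution that uses an ACM or IAM certificate with the TLSv1.2_2021 policy is still reported as `alarm`, although it satisfies the title. If I read the CloudFront API correctly the default CloudFront certificate cannot be raised to that policy at all, which would make the condition unsatisfiable in practice; either way the certificate source is orthogonal to the TLS floor. Dropping the first conjunct, `WHEN viewer_certificate ->> 'MinimumProtocolVersion' = 'TLSv1.2_2021' THEN 'ok'`, in both CASE expressions fixes this. Since the file declares `parameters: []`, the policy name is also a natural candidate for a parameter so "latest" can move without editing SQL.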
+++ b/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml 
@@ -1,42 +1,43 @@ id: aws_cloudfront_distribution_logging_enabled title: CloudFront distributions access logs should be enabled +type: control description: This control checks if AWS CloudFront distributions are configured to capture information from AWS Simple Storage Service (AWS S3) server access logs. This rule is non-compliant if a CloudFront distribution does not have logging configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN logging ->> 'Enabled' = 'true' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN logging ->> 'Enabled' = 'true' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/CloudFront + category: + - Compliance + cis_controls_v8_ig1: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CloudFront 
diff --git a/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml b/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml index 947a70684..b16baf19d 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml 
@@ -1,51 +1,52 @@ id: aws_cloudfront_distribution_no_deprecated_ssl_protocol title: CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins +type: control description: This control checks if AWS CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH origin_ssl_protocols AS ( - SELECT - DISTINCT arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy - FROM - aws_cloudfront_distribution, - jsonb_array_elements(origins) AS o - WHERE - o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]' - ) - SELECT - b.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN o.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN o.arn IS NULL THEN title || ' does not have deprecated SSL protocols.' - ELSE title || ' has deprecated SSL protocols.' 
- END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution AS b - LEFT JOIN origin_ssl_protocols AS o ON b.arn = o.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH origin_ssl_protocols AS ( + SELECT + DISTINCT arn, + o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy + FROM + aws_cloudfront_distribution, + jsonb_array_elements(origins) AS o + WHERE + o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]' + ) + SELECT + b.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN o.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN o.arn IS NULL THEN title || ' does not have deprecated SSL protocols.' + ELSE title || ' has deprecated SSL protocols.' + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution AS b + LEFT JOIN origin_ssl_protocols AS o ON b.arn = o.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - cloudfront_10 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - cloudfront_10 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml b/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml index df021291e..3496638a2 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml 
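Review bot: `origin_ssl_protocols` selects `origin_protocol_policy` that the outer query never reads, and because it is part of the `DISTINCT` key a distribution with two SSLv3 origins that differ in `OriginProtocolPolicy` joins to two rows for the same `resource`. Reducing the CTE to `SELECT DISTINCT arn` removes both the dead column and the duplicate rows. The `@> '["SSLv3"]'` test only catches SSLv3, which matches the description, but a comment noting that TLSv1/TLSv1.1 are deliberately out of scope would help the next reader.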
@@ -1,62 +1,63 @@ id: aws_cloudfront_distribution_no_non_existent_s3_origin title: CloudFront distributions should not point to non-existent S3 origins +type: control description: This control checks whether AWS CloudFront distributions are pointing to non-existent AWS S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH distribution_with_non_existent_bucket AS ( - SELECT - DISTINCT d.arn AS arn, - TO_JSONB(STRING_TO_ARRAY((STRING_AGG(SPLIT_PART(o ->> 'Id', '.s3', 1), ',')), ',')) AS bucket_name_list - FROM - aws_cloudfront_distribution AS d, - JSONB_ARRAY_ELEMENTS(d.origins) AS o - LEFT JOIN aws_s3_bucket AS b ON b.name = SPLIT_PART(o ->> 'Id', '.s3', 1) - WHERE - b.name IS NULL - AND o ->> 'DomainName' LIKE '%.s3.%' - GROUP BY - d.arn - ) - SELECT - DISTINCT b.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN title || ' does not point to any non-existent S3 origins.' - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 0 THEN title || - CASE - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 2 - THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (JSONB_ARRAY_LENGTH(b.bucket_name_list) - 2)::TEXT || ' more.' 
) - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) = 2 - THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.') - ELSE CONCAT(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') - END - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution AS d - LEFT JOIN distribution_with_non_existent_bucket AS b ON b.arn = d.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH distribution_with_non_existent_bucket AS ( + SELECT + DISTINCT d.arn AS arn, + TO_JSONB(STRING_TO_ARRAY((STRING_AGG(SPLIT_PART(o ->> 'Id', '.s3', 1), ',')), ',')) AS bucket_name_list + FROM + aws_cloudfront_distribution AS d, + JSONB_ARRAY_ELEMENTS(d.origins) AS o + LEFT JOIN aws_s3_bucket AS b ON b.name = SPLIT_PART(o ->> 'Id', '.s3', 1) + WHERE + b.name IS NULL + AND o ->> 'DomainName' LIKE '%.s3.%' + GROUP BY + d.arn + ) + SELECT + DISTINCT b.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN title || ' does not point to any non-existent S3 origins.' + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 0 THEN title || + CASE + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 2 + THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (JSONB_ARRAY_LENGTH(b.bucket_name_list) - 2)::TEXT || ' more.' 
) + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) = 2 + THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.') + ELSE CONCAT(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') + END + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution AS d + LEFT JOIN distribution_with_non_existent_bucket AS b ON b.arn = d.arn; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - cloudfront_12 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - cloudfront_12 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml index 31a4ad8b8..91e7c73eb 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml 
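Review bot: The bucket name is derived from the origin `Id` (`SPLIT_PART(o ->> 'Id', '.s3', 1)`) in both the join and the aggregate, while the filter that decides the origin is S3 looks at `DomainName`; the origin Id is a free-form label chosen by the distribution owner, so an origin named e.g. `S3-assets` (constructed example) would never match a bucket and be reported as non-existent. Parsing from the same field as the filter, `SPLIT_PART(o ->> 'DomainName', '.s3', 1)`, in the `LEFT JOIN ... ON` and in `STRING_AGG` keeps the two consistent. The `DISTINCT` on the CTE is redundant given `GROUP BY d.arn`, and the lookup against `aws_s3_bucket` presumably only sees buckets from integrated accounts, so cross-account origins may still be flagged; worth a comment.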
@@ -1,45 +1,46 @@ id: aws_cloudfront_distribution_origin_access_identity_enabled title: CloudFront distributions should have origin access identity enabled +type: control description: This control checks whether an AWS CloudFront distribution with AWS S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN o ->> 'DomainName' NOT LIKE '%s3.amazonaws.com' THEN 'skip' - WHEN o ->> 'DomainName' LIKE '%s3.amazonaws.com' - AND o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN o ->> 'DomainName' NOT LIKE '%s3.amazonaws.com' THEN title || ' origin type is not s3.' - WHEN o ->> 'DomainName' LIKE '%s3.amazonaws.com' - AND o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' THEN title || ' origin access identity not configured.' - ELSE title || ' origin access identity configured.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution, - jsonb_array_elements(origins) AS o; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN o ->> 'DomainName' NOT LIKE '%s3.amazonaws.com' THEN 'skip' + WHEN o ->> 'DomainName' LIKE '%s3.amazonaws.com' + AND o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN o ->> 'DomainName' NOT LIKE '%s3.amazonaws.com' THEN title || ' origin type is not s3.' 
+ WHEN o ->> 'DomainName' LIKE '%s3.amazonaws.com' + AND o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' THEN title || ' origin access identity not configured.' + ELSE title || ' origin access identity configured.' + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution, + jsonb_array_elements(origins) AS o; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_policy_configuration - foundational_security_item_id: - - cloudfront_2 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_policy_configuration + foundational_security_item_id: + - cloudfront_2 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml index 9105a8a08..71901f0c5 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml 
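Review bot: `jsonb_array_elements(origins)` in the final FROM produces one result row per origin, so a distribution with several origins is reported several times under the same `resource` with potentially conflicting statuses, unlike the sibling controls that aggregate per `arn` in a CTE. The suffix test `LIKE '%s3.amazonaws.com'` also only recognises the legacy global hostname; regional bucket domains such as `bucket.s3.us-east-1.amazonaws.com` (constructed example) fall into the `skip` branch, while the non-existent-origin hunk uses the broader `'%.s3.%'` pattern. Finally, `S3OriginConfig ->> 'OriginAccessIdentity' = ''` alarms on origins that use the newer Origin Access Control instead of an OAI, if the collector exposes `OriginAccessControlId`; that case deserves either an exception or a comment stating it is intentional.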
@@ -1,40 +1,41 @@ id: aws_cloudfront_distribution_sni_enabled title: CloudFront distributions should use SNI to serve HTTPS requests +type: control description: This control checks if AWS CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN title || ' SNI enabled.' - ELSE title || ' SNI disabled.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN title || ' SNI enabled.' + ELSE title || ' SNI disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - cloudfront_8 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - cloudfront_8 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml b/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml index d75cd0572..a7307b2a9 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml 
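Review bot: The status CASE alarms on every distribution whose `SSLSupportMethod` is not 'sni-only', which includes distributions on the default CloudFront certificate where that key is absent, although the description scopes the control to distributions with a custom certificate. A leading branch such as `WHEN (viewer_certificate ->> 'CloudFrontDefaultCertificate')::boolean THEN 'skip'` keeps the result aligned with the description; the reason CASE needs the matching branch. The same default-certificate case is worth checking in the other CloudFront hunks of this diff that read `viewer_certificate`.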
@@ -1,42 +1,43 @@ id: aws_cloudfront_distribution_use_custom_ssl_certificate title: CloudFront distributions should use custom SSL/TLS certificates +type: control description: This control checks whether CloudFront distributions are using the default SSL/TLS certificate CloudFront provides. This control passes if the CloudFront distribution uses a custom SSL/TLS certificate. This control fails if the CloudFront distribution uses the default SSL/TLS certificate. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL - AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL - AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN title || ' uses custom SSL certificate.' - ELSE title || ' does not use custom SSL certificate.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL + AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL + AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN title || ' uses custom SSL certificate.' + ELSE title || ' does not use custom SSL certificate.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transi - foundational_security_item_id: - - cloudfront_7 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transi + foundational_security_item_id: + - cloudfront_7 + plugin: + - aws + service: + - AWS/CloudFront diff --git a/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml b/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml index ef4b56a8b..19e71aa01 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml 
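Review bot: The 'ok' branch requires both `ACMCertificateArn` and `Certificate` to be non-null, so a distribution using a certificate uploaded to IAM (`IAMCertificateId` set, `ACMCertificateArn` absent) is reported as not using a custom certificate, contradicting the description. `WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL OR viewer_certificate ->> 'IAMCertificateId' IS NOT NULL THEN 'ok'` covers both sources, as does testing `CloudFrontDefaultCertificate` directly; the reason CASE needs the same condition.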
@@ -1,37 +1,38 @@ id: aws_cloudfront_distribution_use_secure_cipher title: CloudFront distributions should use secure SSL cipher +type: control description: Ensure that CloudFront distributions do not have any insecure SSL ciphers. Using insecure and deprecated ciphers could make the SSL connection between the CloudFront and the origins vulnerable to exploits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH origin_protocols AS ( - SELECT - DISTINCT arn, - o -> 'CustomOriginConfig' ->> 'OriginSslProtocols' AS origin_ssl_policy - FROM - aws_cloudfront_distribution, - jsonb_array_elements(origins) AS o - WHERE - o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["TLSv1.2%", "TLSv1.1%"]' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN o.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN o.arn IS NOT NULL THEN title || ' use secure cipher.' - ELSE title || ' does not use secure cipher.' - END AS reason - FROM - aws_cloudfront_distribution AS b - LEFT JOIN origin_protocols AS o ON b.arn = o.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH origin_protocols AS ( + SELECT + DISTINCT arn, + o -> 'CustomOriginConfig' ->> 'OriginSslProtocols' AS origin_ssl_policy + FROM + aws_cloudfront_distribution, + jsonb_array_elements(origins) AS o + WHERE + o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["TLSv1.2%", "TLSv1.1%"]' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN o.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN o.arn IS NOT NULL THEN title || ' use secure cipher.' + ELSE title || ' does not use secure cipher.' 
+ END AS reason + FROM + aws_cloudfront_distribution AS b + LEFT JOIN origin_protocols AS o ON b.arn = o.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml index 6843b10a4..fbb8ab948 100644 --- a/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml 
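Review bot: The `WHERE` in the `origin_protocols` CTE can never match: `@>` is jsonb containment with no wildcard semantics, so it looks for the literal strings "TLSv1.2%" and "TLSv1.1%" in `Items`, the CTE is always empty, and every distribution lands in 'alarm'. The predicate is also inverted relative to the description, which asks that no insecure protocol be present, and it lists TLSv1.1, itself deprecated, as acceptable. Rewriting the CTE to select origins that advertise an insecure protocol and alarming when one exists matches the intent; the unused `origin_ssl_policy` column can go, and `region`/`account_id` are missing from the output compared with the sibling CloudFront controls. Origins without a `CustomOriginConfig` (S3 origins) yield NULL on the left of `?|` and are correctly left out of the insecure set.

```sql
WITH insecure_origins AS (
  SELECT DISTINCT arn
  FROM
    aws_cloudfront_distribution,
    jsonb_array_elements(origins) AS o
  -- Items is a JSON array of protocol names; ?| is true when any listed element is present
  WHERE o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' ?| ARRAY['SSLv3', 'TLSv1', 'TLSv1.1']
)
SELECT
  b.arn AS resource,
  -- … unchanged: platform_integration_id, platform_resource_id …
  CASE
    WHEN i.arn IS NULL THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN i.arn IS NULL THEN b.title || ' use secure cipher.'
    ELSE b.title || ' does not use secure cipher.'
  END AS reason,
  b.region,
  b.account_id
FROM
  aws_cloudfront_distribution AS b
  LEFT JOIN insecure_origins AS i ON b.arn = i.arn;
```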
@@ -1,40 +1,41 @@ id: aws_cloudfront_distribution_waf_enabled title: CloudFront distributions should have AWS WAF enabled +type: control description: This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN web_acl_id <> '' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN web_acl_id <> '' THEN title || ' associated with WAF.' - ELSE title || ' not associated with WAF.' - END AS reason, - region, - account_id - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN web_acl_id <> '' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN web_acl_id <> '' THEN title || ' associated with WAF.' + ELSE title || ' not associated with WAF.' + END AS reason, + region, + account_id + FROM + aws_cloudfront_distribution; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - protective_services - foundational_security_item_id: - - cloudfront_6 - plugin: - - aws - service: - - AWS/CloudFront + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - protective_services + foundational_security_item_id: + - cloudfront_6 + plugin: + - aws + service: + - AWS/CloudFront 
diff --git a/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml b/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml index 9f8f0c1f6..b17833ce4 100644 --- a/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml +++ b/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml 
@@ -1,84 +1,85 @@ id: aws_cloudtrail_bucket_not_public title: Ensure the S3 bucket CloudTrail logs to is not publicly accessible +type: control description: CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), be applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH public_bucket_data AS ( - SELECT - t.s3_bucket_name AS name, - b.arn, - t.region, - t.account_id, - t.tags, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - t._ctx, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, - COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, - COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements - FROM - aws_cloudtrail_trail AS t - LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name - LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE - LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE - LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE - GROUP BY - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t.platform_integration_id, - t.platform_resource_id, - t._ctx - ) - SELECT - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN arn IS NULL THEN 'arn:aws:s3::' || name - ELSE arn - END AS resource, - CASE - WHEN arn IS NULL THEN 'skip' - WHEN all_user_grants > 0 THEN 'alarm' - WHEN auth_user_grants > 0 THEN 'alarm' - WHEN anon_statements > 
0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' - WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' - WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' - WHEN anon_statements > 0 THEN name || ' grants access to AWS:* in bucket policy.' - ELSE name || ' does not grant anonymous access in ACL or bucket policy.' - END AS reason, - region, - account_id - FROM - public_bucket_data; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH public_bucket_data AS ( + SELECT + t.s3_bucket_name AS name, + b.arn, + t.region, + t.account_id, + t.tags, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + t._ctx, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AllUsers') AS all_user_grants, + COUNT(acl_grant) FILTER (WHERE acl_grant -> 'Grantee' ->> 'URI' LIKE '%acs.amazonaws.com/groups/global/AuthenticatedUsers') AS auth_user_grants, + COUNT(s) FILTER (WHERE s ->> 'Effect' = 'Allow' AND p = '*') AS anon_statements + FROM + aws_cloudtrail_trail AS t + LEFT JOIN aws_s3_bucket AS b ON t.s3_bucket_name = b.name + LEFT JOIN jsonb_array_elements(acl -> 'Grants') AS acl_grant ON TRUE + LEFT JOIN jsonb_array_elements(policy_std -> 'Statement') AS s ON TRUE + LEFT JOIN jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p ON TRUE + GROUP BY + t.s3_bucket_name, + b.arn, + t.region, + t.account_id, + t.tags, + t.platform_integration_id, + t.platform_resource_id, + t._ctx + ) + SELECT + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN arn IS NULL THEN 'arn:aws:s3::' || name + ELSE arn + END AS resource, + CASE + WHEN arn IS NULL THEN 'skip' + WHEN all_user_grants > 0 THEN 'alarm' + WHEN auth_user_grants > 0 THEN 'alarm' + WHEN anon_statements > 0 THEN 
'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN arn IS NULL THEN name || ' not found in account ' || account_id || '.' + WHEN all_user_grants > 0 THEN name || ' grants access to AllUsers in ACL.' + WHEN auth_user_grants > 0 THEN name || ' grants access to AuthenticatedUsers in ACL.' + WHEN anon_statements > 0 THEN name || ' grants access to AWS:* in bucket policy.' + ELSE name || ' does not grant anonymous access in ACL or bucket policy.' + END AS reason, + region, + account_id + FROM + public_bucket_data; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.3' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudTrail + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.3" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudTrail diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml index bbfedd259..a7be9f356 100644 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml 
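Review bot: The fallback `'arn:aws:s3::' || name` in the `resource` CASE builds a malformed ARN: S3 bucket ARNs have an empty region and account, i.e. three colons (`'arn:aws:s3:::' || name`), so the two-colon form will not match the bucket's real ARN anywhere else. Separately, `anon_statements` counts any Allow statement whose principal is `*` without looking at a `Condition` block, so a policy restricted by `aws:SourceAccount` or `aws:PrincipalOrgID` is reported as public; if that matters, count conditioned statements separately and report them as 'info' with their own reason. The `public_bucket_data` CTE also ignores the bucket's public access block settings, which, when enabled, make an AllUsers grant ineffective.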
@@ -1,62 +1,63 @@ id: aws_cloudtrail_multi_region_read_write_enabled title: CloudTrail trails should be enabled in all regions +type: control description: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH event_selectors_trail_details AS ( - SELECT DISTINCT account_id - FROM aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS e - WHERE is_logging - AND is_multi_region_trail - AND e ->> 'ReadWriteType' = 'All' - ), - advanced_event_selectors_trail_details AS ( - SELECT DISTINCT account_id - FROM aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) AS a - WHERE is_logging - AND is_multi_region_trail - AND advanced_event_selectors IS NOT NULL - AND (NOT a LIKE '%readOnly%') - ) - SELECT a.title AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN d.account_id IS NULL AND ad.account_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN d.account_id IS NULL AND ad.account_id IS NULL THEN 'cloudtrail disabled.' - ELSE 'cloudtrail enabled.' 
- END AS reason, - a.account_id - FROM aws_account AS a - LEFT JOIN event_selectors_trail_details AS d ON d.account_id = a.account_id - LEFT JOIN advanced_event_selectors_trail_details AS ad ON ad.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH event_selectors_trail_details AS ( + SELECT DISTINCT account_id + FROM aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS e + WHERE is_logging + AND is_multi_region_trail + AND e ->> 'ReadWriteType' = 'All' + ), + advanced_event_selectors_trail_details AS ( + SELECT DISTINCT account_id + FROM aws_cloudtrail_trail, + jsonb_array_elements_text(advanced_event_selectors) AS a + WHERE is_logging + AND is_multi_region_trail + AND advanced_event_selectors IS NOT NULL + AND (NOT a LIKE '%readOnly%') + ) + SELECT a.title AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN d.account_id IS NULL AND ad.account_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN d.account_id IS NULL AND ad.account_id IS NULL THEN 'cloudtrail disabled.' + ELSE 'cloudtrail enabled.' + END AS reason, + a.account_id + FROM aws_account AS a + LEFT JOIN event_selectors_trail_details AS d ON d.account_id = a.account_id + LEFT JOIN advanced_event_selectors_trail_details AS ad ON ad.account_id = a.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.1' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudTrail + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.1" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudTrail 
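Review bot: The `event_selectors_trail_details` CTE checks `ReadWriteType = 'All'` but not `IncludeManagementEvents`, so a multi-region trail that logs only data events with read/write 'All' satisfies this control although no management API calls are recorded; add `AND (e ->> 'IncludeManagementEvents')::boolean` to its WHERE. The advanced-selector branch keys on the absence of the substring `readOnly` in each selector's text, which also admits a data-event-only selector; matching on `eventCategory` being `Management` would be more precise, depending on how the plugin serialises `advanced_event_selectors`. The reason strings `'cloudtrail disabled.'` and `'cloudtrail enabled.'` omit the account title that the other account-scoped controls in this diff include; `a.title || ' ...'` keeps them consistent.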
diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml index 1e7f26afb..3a55dd0b0 100644 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml 
@@ -1,95 +1,96 @@ id: aws_cloudtrail_multi_region_trail_enabled title: At least one multi-region AWS CloudTrail should be present in an account +type: control description: AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH multi_region_trails AS ( - SELECT - account_id, - COUNT(account_id) AS num_multregion_trails - FROM - aws_cloudtrail_trail - WHERE - is_multi_region_trail - AND region = home_region - AND is_logging - GROUP BY - account_id, - is_multi_region_trail - ), organization_trails AS ( - SELECT - is_organization_trail, - is_logging, - is_multi_region_trail, - account_id - FROM - aws_cloudtrail_trail - WHERE - is_organization_trail - ) - SELECT - DISTINCT a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN 'ok' - WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN 'ok' - WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN 'info' - ELSE 'alarm' - END AS status, - CASE - WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN a.title || ' has ' || COALESCE(num_multregion_trails, 0) || ' multi-region trail(s).' - WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN a.title || ' has multi-region trail(s).' - WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN a.title || ' has organization trail, check organization account for cloudtrail logging status.' 
- ELSE a.title || ' does not have multi-region trail(s).' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN multi_region_trails AS b ON a.account_id = b.account_id - LEFT JOIN organization_trails AS o ON a.account_id = o.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH multi_region_trails AS ( + SELECT + account_id, + COUNT(account_id) AS num_multregion_trails + FROM + aws_cloudtrail_trail + WHERE + is_multi_region_trail + AND region = home_region + AND is_logging + GROUP BY + account_id, + is_multi_region_trail + ), organization_trails AS ( + SELECT + is_organization_trail, + is_logging, + is_multi_region_trail, + account_id + FROM + aws_cloudtrail_trail + WHERE + is_organization_trail + ) + SELECT + DISTINCT a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN 'ok' + WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN 'ok' + WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN 'info' + ELSE 'alarm' + END AS status, + CASE + WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN a.title || ' has ' || COALESCE(num_multregion_trails, 0) || ' multi-region trail(s).' + WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN a.title || ' has multi-region trail(s).' + WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN a.title || ' has organization trail, check organization account for cloudtrail logging status.' + ELSE a.title || ' does not have multi-region trail(s).' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN multi_region_trails AS b ON a.account_id = b.account_id + LEFT JOIN organization_trails AS o ON a.account_id = o.account_id; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml index 7760eb39d..9935ff121 100644 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml 
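Review bot: The `organization_trails` CTE is not filtered to `region = home_region`, and the outer `DISTINCT` only collapses identical rows, so an account with several organization-trail rows of differing `is_logging` values can produce more than one status row for the same `resource` ARN. Aggregating the CTE per account (`bool_or(is_logging) AS is_logging`, `bool_or(is_multi_region_trail) AS is_multi_region_trail`) with `GROUP BY account_id` gives exactly one row per account and lets the outer `DISTINCT` be dropped. The `is_multi_region_trail` column in the first CTE's `GROUP BY` is redundant since its WHERE already fixes it to true.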
@@ -1,29 +1,30 @@ id: aws_cloudtrail_multi_region_trail_integrated_with_logs title: CloudTrail multi region trails should be integrated with CloudWatch logs +type: control description: Ensure that CloudTrail multi region trail is integrated with CloudWatch logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND ((latest_delivery_time) > CURRENT_DATE - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND ((latest_delivery_time) > CURRENT_DATE - 1) THEN title || ' multi region trail integrated with CloudWatch logs.' - ELSE title || ' multi region trail not integrated with CloudWatch logs.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region - AND is_multi_region_trail; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND ((latest_delivery_time) > CURRENT_DATE - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND ((latest_delivery_time) > CURRENT_DATE - 1) THEN title || ' multi region trail integrated with CloudWatch logs.' + ELSE title || ' multi region trail not integrated with CloudWatch logs.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region + AND is_multi_region_trail; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml index b8377abab..c47a509eb 100644 --- a/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml 
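Review bot: `log_group_arn != 'null'` compares against the four-letter string rather than SQL NULL; when the column is a real NULL the comparison yields UNKNOWN and the row only reaches 'alarm' by falling through, and an empty string passes the test. `COALESCE(log_group_arn, '') NOT IN ('', 'null')` states the intent and covers both representations, whichever the plugin uses. The freshness condition `latest_delivery_time > CURRENT_DATE - 1` likewise returns UNKNOWN for a trail that has never delivered, which again lands in 'alarm' by accident rather than through a named branch; a dedicated `WHEN latest_delivery_time IS NULL` branch with its own reason would make that case visible.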
+++ b/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml 
@@ -1,96 +1,97 @@ id: aws_cloudtrail_s3_data_events_enabled title: All S3 buckets should log S3 data events in CloudTrail +type: control description: The collection of Simple Storage Service (AWS S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an AWS S3 bucket, IP address, and time of event. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, - jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' = 'All' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 - THEN b.name || ' object-level data events logging enabled.' - ELSE b.name || ' object-level data events logging disabled.' 
- END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN s3_selectors - ON bucket_selector LIKE (b.arn || '%') - OR bucket_selector = 'arn:aws:s3' - GROUP BY - b.account_id, - b.region, - b.arn, - b.name, - b.tags, - b.platform_integration_id, - b.platform_resource_id, - b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(event_selector -> 'DataResources') AS data_resource, + jsonb_array_elements_text(data_resource -> 'Values') AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' = 'All' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 + THEN b.name || ' object-level data events logging enabled.' + ELSE b.name || ' object-level data events logging disabled.' 
+ END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN s3_selectors + ON bucket_selector LIKE (b.arn || '%') + OR bucket_selector = 'arn:aws:s3' + GROUP BY + b.account_id, + b.region, + b.arn, + b.name, + b.tags, + b.platform_integration_id, + b.platform_resource_id, + b._ctx; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml index 45916daaa..d70869245 100644 --- a/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml 
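Review bot: The join condition `bucket_selector LIKE (b.arn || '%')` is a bare prefix match, so a selector for `arn:aws:s3:::prod-backup/` also satisfies bucket `prod` and marks it as logged; anchoring on the object-path separator, `bucket_selector = b.arn || '/' OR bucket_selector LIKE (b.arn || '/%')`, restricts the match to the bucket itself. The `s3_selectors` CTE also omits `is_logging`, so a stopped trail still counts; add `AND is_logging` to its WHERE. Trails configured with advanced event selectors have an empty `event_selectors` array and are invisible to this CTE, which reports their buckets as not logged, a limitation worth stating in the description.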
@@ -1,54 +1,55 @@ id: aws_cloudtrail_s3_logging_enabled title: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket +type: control description: S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.logging IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.logging IS NOT NULL THEN - t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - ELSE - t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - END AS reason, - t.region, - t.account_id - FROM - aws_cloudtrail_trail t - INNER JOIN - aws_s3_bucket b - ON - t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.logging IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.logging IS NOT NULL THEN + t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' + ELSE + t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' 
+ END AS reason, + t.region, + t.account_id + FROM + aws_cloudtrail_trail t + INNER JOIN + aws_s3_bucket b + ON + t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.6' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudTrail + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.6" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudTrail diff --git a/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml index dcd522f13..f4cd55017 100644 --- a/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml 
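Review bot: The `INNER JOIN aws_s3_bucket b ON t.s3_bucket_name = b.name` at the end of the new definition silently drops any trail whose log bucket is not in the inventory, so a trail delivering to a bucket owned by another account (the usual central-logging setup) yields no row at all instead of a finding. A `LEFT JOIN` plus an explicit branch such as `WHEN b.name IS NULL THEN 'info'` with a reason like `t.title || '''s logging bucket ' || t.s3_bucket_name || ' not found in inventory.'` keeps the trail visible; which status is appropriate depends on the project's status vocabulary. The join on bucket name is otherwise sound since bucket names are globally unique.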
@@ -1,84 +1,85 @@ id: aws_cloudtrail_s3_object_read_events_audit_enabled title: Ensure that Object-level logging for read events is enabled for S3 bucket +type: control description: This rule enables object-level logging for read events for S3 buckets. Object-level logging for read events helps in identifying the requestor who performed the read operation on the S3 bucket objects. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements( - CASE jsonb_typeof(event_selector -> 'DataResources') - WHEN 'array' THEN event_selector -> 'DataResources' - ELSE '[]' - END - ) AS data_resource, - jsonb_array_elements( - CASE jsonb_typeof(data_resource -> 'Values') - WHEN 'array' THEN data_resource -> 'Values' - ELSE '[]' - END - ) AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' - ELSE b.name || ' object-level read events logging disabled.' 
- END AS reason, - region, - account_id - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector::json::text LIKE ('%' || b.arn || '%') - OR bucket_selector::json::text = '\"arn:aws:s3\"' - GROUP BY - b.platform_integration_id, - b.platform_resource_id, - b.account_id, - b.region, - b.arn, - b.name, - b.tags, - b._ctx; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements( + CASE jsonb_typeof(event_selector -> 'DataResources') + WHEN 'array' THEN event_selector -> 'DataResources' + ELSE '[]' + END + ) AS data_resource, + jsonb_array_elements( + CASE jsonb_typeof(data_resource -> 'Values') + WHEN 'array' THEN data_resource -> 'Values' + ELSE '[]' + END + ) AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ('ReadOnly', 'All') + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level read events logging enabled.' + ELSE b.name || ' object-level read events logging disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector::json::text LIKE ('%' || b.arn || '%') + OR bucket_selector::json::text = '\"arn:aws:s3\"' + GROUP BY + b.platform_integration_id, + b.platform_resource_id, + b.account_id, + b.region, + b.arn, + b.name, + b.tags, + b._ctx; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.11' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.11" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml index 84720d05d..d79731993 100644 --- a/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml 
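Review bot: The join predicate `bucket_selector::json::text LIKE ('%' || b.arn || '%')` matches on substring, so a selector for `arn:aws:s3:::my-bucket-prod/` also satisfies the bucket `arn:aws:s3:::my-bucket` and reports it as logging-enabled; the write-events hunk below uses the same predicate, and the preceding hunk's `bucket_selector LIKE (b.arn || '%')` has the same prefix problem. The equality `bucket_selector::json::text = '\"arn:aws:s3\"'` is also suspect: inside a YAML `|` block the backslashes are literal, and under PostgreSQL's default standard_conforming_strings the SQL literal then contains backslashes and never equals the JSON text, so the all-buckets selector would go unrecognised unless the loader or database interprets those escapes. Both can be fixed by comparing the unwrapped text with a separator after the ARN: `ON bucket_selector #>> '{}' LIKE (b.arn || '/%')` and `OR bucket_selector #>> '{}' = 'arn:aws:s3'`. Trails configured with advanced event selectors appear to have no entries in `event_selectors`, so if the table exposes those selectors they are currently reported as disabled; otherwise the description should state that limitation.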
@@ -1,75 +1,76 @@ id: aws_cloudtrail_s3_object_write_events_audit_enabled title: Ensure that Object-level logging for write events is enabled for S3 bucket +type: control description: This rule enables object-level logging for write events for S3 buckets. Object-level logging for write events helps in identifying the requestor who performed the write operation on the S3 bucket objects. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH s3_selectors AS + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH s3_selectors AS + ( + SELECT + name AS trail_name, + is_multi_region_trail, + bucket_selector + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) AS event_selector, + jsonb_array_elements(CASE jsonb_typeof(event_selector -> 'DataResources') + WHEN 'array' THEN event_selector -> 'DataResources' + ELSE '[]' END) AS data_resource, + jsonb_array_elements(CASE jsonb_typeof(data_resource -> 'Values') + WHEN 'array' THEN data_resource -> 'Values' + ELSE '[]' END) AS bucket_selector + WHERE + is_multi_region_trail + AND data_resource ->> 'Type' = 'AWS::S3::Object' + AND event_selector ->> 'ReadWriteType' IN ( - SELECT - name AS trail_name, - is_multi_region_trail, - bucket_selector - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) AS event_selector, - jsonb_array_elements(CASE jsonb_typeof(event_selector -> 'DataResources') - WHEN 'array' THEN event_selector -> 'DataResources' - ELSE '[]' END) AS data_resource, - jsonb_array_elements(CASE jsonb_typeof(data_resource -> 'Values') - WHEN 'array' THEN data_resource -> 'Values' - ELSE '[]' END) AS bucket_selector - WHERE - is_multi_region_trail - AND data_resource ->> 'Type' = 'AWS::S3::Object' - AND event_selector ->> 'ReadWriteType' IN - ( - 'WriteOnly', - 'All' - ) + 'WriteOnly', + 'All' ) - SELECT - b.arn AS resource, - platform_integration_id AS 
platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(bucket_selector) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' - ELSE b.name || ' object-level write events logging disabled.' - END AS reason, - region, account_id - FROM - aws_s3_bucket AS b - LEFT JOIN - s3_selectors - ON bucket_selector::json::text LIKE ('%' || b.arn || '%') - OR bucket_selector::json::text = '\"arn:aws:s3\"' - GROUP BY - b.platform_integration_id, b.platform_resource_id, b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + ) + SELECT + b.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(bucket_selector) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(bucket_selector) > 0 THEN b.name || ' object-level write events logging enabled.' + ELSE b.name || ' object-level write events logging disabled.' + END AS reason, + region, account_id + FROM + aws_s3_bucket AS b + LEFT JOIN + s3_selectors + ON bucket_selector::json::text LIKE ('%' || b.arn || '%') + OR bucket_selector::json::text = '\"arn:aws:s3\"' + GROUP BY + b.platform_integration_id, b.platform_resource_id, b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.10' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.10" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml index 1e7ca3df3..78e82f701 100644 
--- a/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml 
@@ -1,107 +1,108 @@ id: aws_cloudtrail_security_trail_enabled title: At least one trail should be enabled with security best practices +type: control description: This rule helps ensure the use of AWS recommended security best practices for AWS CloudTrail, by checking for the enablement of multiple settings. These include the use of log encryption, log validation, and enabling AWS CloudTrail in multiple regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails_enabled AS ( - SELECT - DISTINCT arn, - is_logging, - event_selectors, - COALESCE( - jsonb_agg(g) FILTER (WHERE NOT (g = 'null')), - $$[]$$::jsonb - ) AS excludeManagementEventSources - FROM - aws_cloudtrail_trail - LEFT JOIN jsonb_array_elements(event_selectors) AS e ON TRUE - LEFT JOIN jsonb_array_elements_text(e -> 'ExcludeManagementEventSources') AS g ON TRUE - WHERE - home_region = region - GROUP BY arn, is_logging, event_selectors - ), - all_trails AS ( - SELECT - a.arn AS arn, - tags, - _ctx, - CASE - WHEN a.is_logging IS NULL THEN b.is_logging - ELSE a.is_logging - END AS is_logging, - CASE - WHEN a.event_selectors IS NULL THEN b.event_selectors - ELSE a.event_selectors - END AS event_selectors, - b.excludeManagementEventSources, - a.include_global_service_events, - a.is_multi_region_trail, - a.log_file_validation_enabled, - a.kms_key_id, - a.region, - a.account_id, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - a.title - FROM - aws_cloudtrail_trail AS a - LEFT JOIN trails_enabled AS b ON a.arn = b.arn - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT is_logging THEN 'alarm' - WHEN NOT include_global_service_events THEN 'alarm' - WHEN NOT is_multi_region_trail THEN 'alarm' - WHEN NOT log_file_validation_enabled THEN 
'alarm' - WHEN kms_key_id IS NULL THEN 'alarm' - WHEN NOT (jsonb_array_length(event_selectors) = 1 AND event_selectors @> '[{"ReadWriteType":"All"}]') THEN 'alarm' - WHEN NOT (event_selectors @> '[{"IncludeManagementEvents":true}]') THEN 'alarm' - WHEN jsonb_array_length(excludeManagementEventSources) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT is_logging THEN title || ' disabled.' - WHEN NOT include_global_service_events THEN title || ' not recording global service events.' - WHEN NOT is_multi_region_trail THEN title || ' not a muti-region trail.' - WHEN NOT log_file_validation_enabled THEN title || ' log file validation disabled.' - WHEN kms_key_id IS NULL THEN title || ' not encrypted with a KMS key.' - WHEN NOT (jsonb_array_length(event_selectors) = 1 AND event_selectors @> '[{"ReadWriteType":"All"}]') THEN title || ' not recording events for both reads and writes.' - WHEN NOT (event_selectors @> '[{"IncludeManagementEvents":true}]') THEN title || ' not recording management events.' - WHEN jsonb_array_length(excludeManagementEventSources) > 0 THEN title || ' excludes management events for ' || TRIM(excludeManagementEventSources::text, '[]') || '.' - ELSE title || ' meets all security best practices.' 
- END AS reason, - region, account_id - FROM - all_trails; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails_enabled AS ( + SELECT + DISTINCT arn, + is_logging, + event_selectors, + COALESCE( + jsonb_agg(g) FILTER (WHERE NOT (g = 'null')), + $$[]$$::jsonb + ) AS excludeManagementEventSources + FROM + aws_cloudtrail_trail + LEFT JOIN jsonb_array_elements(event_selectors) AS e ON TRUE + LEFT JOIN jsonb_array_elements_text(e -> 'ExcludeManagementEventSources') AS g ON TRUE + WHERE + home_region = region + GROUP BY arn, is_logging, event_selectors + ), + all_trails AS ( + SELECT + a.arn AS arn, + tags, + _ctx, + CASE + WHEN a.is_logging IS NULL THEN b.is_logging + ELSE a.is_logging + END AS is_logging, + CASE + WHEN a.event_selectors IS NULL THEN b.event_selectors + ELSE a.event_selectors + END AS event_selectors, + b.excludeManagementEventSources, + a.include_global_service_events, + a.is_multi_region_trail, + a.log_file_validation_enabled, + a.kms_key_id, + a.region, + a.account_id, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + a.title + FROM + aws_cloudtrail_trail AS a + LEFT JOIN trails_enabled AS b ON a.arn = b.arn + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT is_logging THEN 'alarm' + WHEN NOT include_global_service_events THEN 'alarm' + WHEN NOT is_multi_region_trail THEN 'alarm' + WHEN NOT log_file_validation_enabled THEN 'alarm' + WHEN kms_key_id IS NULL THEN 'alarm' + WHEN NOT (jsonb_array_length(event_selectors) = 1 AND event_selectors @> '[{"ReadWriteType":"All"}]') THEN 'alarm' + WHEN NOT (event_selectors @> '[{"IncludeManagementEvents":true}]') THEN 'alarm' + WHEN jsonb_array_length(excludeManagementEventSources) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT is_logging THEN title || ' disabled.' 
+ WHEN NOT include_global_service_events THEN title || ' not recording global service events.' + WHEN NOT is_multi_region_trail THEN title || ' not a muti-region trail.' + WHEN NOT log_file_validation_enabled THEN title || ' log file validation disabled.' + WHEN kms_key_id IS NULL THEN title || ' not encrypted with a KMS key.' + WHEN NOT (jsonb_array_length(event_selectors) = 1 AND event_selectors @> '[{"ReadWriteType":"All"}]') THEN title || ' not recording events for both reads and writes.' + WHEN NOT (event_selectors @> '[{"IncludeManagementEvents":true}]') THEN title || ' not recording management events.' + WHEN jsonb_array_length(excludeManagementEventSources) > 0 THEN title || ' excludes management events for ' || TRIM(excludeManagementEventSources::text, '[]') || '.' + ELSE title || ' meets all security best practices.' + END AS reason, + region, account_id + FROM + all_trails; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml index 0acc47fda..10088b287 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml 
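Review bot: The reason string `title || ' not a muti-region trail.'` in the new definition carries a typo into the finding text; it should read `' not a multi-region trail.'`. The status CASE also leaves a NULL `is_logging` unhandled: `WHEN NOT is_logging` is skipped when the value is NULL, so such a row could fall through to 'ok' if every other test passes — `WHEN NOT COALESCE(is_logging, false)` makes the alarm explicit. Trails that use advanced event selectors appear to have an empty or NULL `event_selectors`, in which case the `jsonb_array_length(event_selectors) = 1` test alarms them regardless of what they record; if the table exposes advanced selectors the check should cover them, otherwise the description should say so. `SELECT DISTINCT` together with `GROUP BY` in trails_enabled is redundant and can be dropped.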
@@ -1,32 +1,33 @@ id: aws_cloudtrail_trail_bucket_mfa_enabled title: CloudTrail trail S3 buckets MFA delete should be enabled +type: control description: Ensure that CloudTrail trail S3 buckets should have MFA delete enabled. MFA delete helps prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code and adding an extra layer of friction and security to the delete action. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN t.s3_bucket_name IS NULL THEN 'alarm' - WHEN b.versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN t.s3_bucket_name IS NULL THEN t.title || ' logging disabled.' - WHEN b.versioning_mfa_delete THEN t.title || t.s3_bucket_name || ' MFA enabled.' - ELSE t.title || t.s3_bucket_name || ' MFA disabled.' - END AS reason - FROM - aws_cloudtrail_trail t - LEFT JOIN - aws_s3_bucket b ON t.s3_bucket_name = b.name - WHERE - t.region = t.home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN t.s3_bucket_name IS NULL THEN 'alarm' + WHEN b.versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN t.s3_bucket_name IS NULL THEN t.title || ' logging disabled.' + WHEN b.versioning_mfa_delete THEN t.title || t.s3_bucket_name || ' MFA enabled.' + ELSE t.title || t.s3_bucket_name || ' MFA disabled.' + END AS reason + FROM + aws_cloudtrail_trail t + LEFT JOIN + aws_s3_bucket b ON t.s3_bucket_name = b.name + WHERE + t.region = t.home_region; severity: low tags: {} 
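Review bot: The reason strings `t.title || t.s3_bucket_name || ' MFA enabled.'` and its disabled counterpart concatenate the trail title and bucket name with no separator, and 'MFA enabled' understates what is checked; `t.title || ' bucket ' || t.s3_bucket_name || ' MFA delete enabled.'` (and `disabled`) reads correctly. With the `LEFT JOIN aws_s3_bucket`, a trail whose bucket is outside the inventory gets a NULL `versioning_mfa_delete` and lands in the `ELSE 'alarm'` branch labelled 'MFA disabled', which reports unknown as disabled; a `WHEN b.name IS NULL` branch with its own reason keeps the two cases apart. Unlike most sibling controls in this commit the SELECT omits `region` and `account_id`, which may be intentional but is worth confirming.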
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml index ba386fc0c..711342055 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml 
@@ -1,78 +1,79 @@ id: aws_cloudtrail_trail_enabled title: At least one enabled trail should be present in a region +type: control description: AWS CloudTrail can help in non-repudiation by recording AWS Management Console actions and API calls. You can identify the users and AWS accounts that called an AWS service, the source IP address where the calls generated, and the timings of the calls. Details of captured data are seen within AWS CloudTrail Record Contents. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH trails_enabled AS ( - SELECT - arn, - is_logging - FROM - aws_cloudtrail_trail - WHERE - home_region = region - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.is_logging IS NULL AND a.is_logging THEN 'ok' - WHEN b.is_logging THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.is_logging IS NULL AND a.is_logging THEN a.title || ' enabled.' - WHEN b.is_logging THEN a.title || ' enabled.' - ELSE a.title || ' disabled.' - END AS reason, - a.region, - a.account_id - FROM - aws_cloudtrail_trail AS a - LEFT JOIN trails_enabled b ON a.arn = b.arn; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH trails_enabled AS ( + SELECT + arn, + is_logging + FROM + aws_cloudtrail_trail + WHERE + home_region = region + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.is_logging IS NULL AND a.is_logging THEN 'ok' + WHEN b.is_logging THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.is_logging IS NULL AND a.is_logging THEN a.title || ' enabled.' + WHEN b.is_logging THEN a.title || ' enabled.' + ELSE a.title || ' disabled.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_cloudtrail_trail AS a + LEFT JOIN trails_enabled b ON a.arn = b.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml b/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml index df82f8aa8..aa04831d3 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml 
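Review bot: The two branches `WHEN b.is_logging IS NULL AND a.is_logging THEN 'ok'` and `WHEN b.is_logging THEN 'ok'` in the new status and reason CASEs are equivalent to a single `WHEN COALESCE(b.is_logging, a.is_logging) THEN 'ok'`, which also makes the intent visible. The `ELSE 'alarm'` path additionally absorbs a NULL logging state and labels it 'disabled'. A short comment above the CTE, e.g. `-- the home-region row is authoritative for is_logging; presumably rows for other regions fall back to their own value`, would help the next reader, since the reason for the join is not obvious from the SQL alone.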
@@ -1,39 +1,40 @@ id: aws_cloudtrail_trail_enabled_account title: At least one CloudTrail trail should be enabled in the AWS account +type: control description: Ensure that at least one CloudTrail trail is enabled in the AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH trails_enabled_account AS ( - SELECT - account_id, - COUNT(*) AS num - FROM - aws_cloudtrail_trail - WHERE - home_region = region - AND is_logging - GROUP BY - account_id - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.num > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.num > 0 THEN a.title || ' has ' || b.num || ' trails enabled.' - ELSE a.title || ' has no trail enabled.' - END AS reason - FROM - aws_account AS a - LEFT JOIN trails_enabled_account b ON a.account_id = b.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH trails_enabled_account AS ( + SELECT + account_id, + COUNT(*) AS num + FROM + aws_cloudtrail_trail + WHERE + home_region = region + AND is_logging + GROUP BY + account_id + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.num > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.num > 0 THEN a.title || ' has ' || b.num || ' trails enabled.' + ELSE a.title || ' has no trail enabled.' + END AS reason + FROM + aws_account AS a + LEFT JOIN trails_enabled_account b ON a.account_id = b.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml index beb430a86..d0140b424 100644 
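Review bot: The count in trails_enabled_account only sees trails owned by the account itself, so a member account that is covered solely by an organization trail in another account will be reported as 'has no trail enabled' even though its API activity is logged. If the table exposes whether a trail is an organization trail that case deserves its own branch; otherwise the description should state the limitation, e.g. `description: Ensure that at least one CloudTrail trail is enabled in the AWS account. Accounts covered only by an organization trail owned by another account are reported as alarm.` The reason `' has ' || b.num || ' trails enabled.'` also reads '1 trails' for a single trail.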
--- a/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml 
@@ -1,30 +1,31 @@ id: aws_cloudtrail_trail_insight_selectors_and_logging_enabled title: CloudTrail trails should have insight selectors and logging enabled +type: control description: CloudTrail Insights provides a powerful way to search and analyze CloudTrail log data using pre-built queries and machine learning algorithms. This can help to identify potential security threats and suspicious activity in near real-time, such as unauthorized access attempts, policy changes, or resource modifications. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT is_logging THEN 'alarm' - WHEN is_logging AND has_insight_selectors THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT is_logging THEN title || ' logging is disabled.' - WHEN is_logging AND has_insight_selectors THEN title || ' has insight selectors and logging enabled.' - ELSE title || ' does not have insight selectors enabled.' - END AS reason - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT is_logging THEN 'alarm' + WHEN is_logging AND has_insight_selectors THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT is_logging THEN title || ' logging is disabled.' + WHEN is_logging AND has_insight_selectors THEN title || ' has insight selectors and logging enabled.' + ELSE title || ' does not have insight selectors enabled.' + END AS reason + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: {} 
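Review bot: In the new status CASE the branch `WHEN is_logging AND has_insight_selectors THEN 'ok'` repeats the `is_logging` test already made by `WHEN NOT is_logging`, so it can be `WHEN has_insight_selectors THEN 'ok'` in both the status and reason expressions. The first branch is skipped when `is_logging` is NULL, so such a row ends in the `ELSE` with the reason 'does not have insight selectors enabled', which may mislead; `WHEN NOT COALESCE(is_logging, false)` would route it to the logging-disabled reason instead.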
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml b/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml index 5b8d9695c..714cfc8f9 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml 
@@ -1,69 +1,70 @@ id: aws_cloudtrail_trail_integrated_with_logs title: CloudTrail trails should be integrated with CloudWatch logs +type: control description: Use AWS CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) - THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' - END AS reason, - region, - account_id - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) + THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml index 4ce4edcb7..152648418 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml 
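Review bot: `latest_delivery_time > current_date - 1` compares against midnight of the previous day, so the accepted delivery window varies between roughly 24 and 48 hours depending on when the control runs; `latest_delivery_time > current_timestamp - INTERVAL '1 day'` gives a stable one-day window. The `log_group_arn != 'null'` test compares with the text 'null'; if the column is a SQL NULL when no log group is configured the predicate evaluates to NULL rather than false and the row reaches 'alarm' only through the ELSE, so `log_group_arn IS NOT NULL` states the intent directly (keep the text comparison as well if the plugin really emits the string 'null'). A why-comment above the CASE would help, e.g. `-- a configured log group is not enough; require a recent delivery so stale integrations alarm`.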
@@ -1,68 +1,69 @@ id: aws_cloudtrail_trail_logs_encrypted_with_kms_cmk title: CloudTrail trail logs should be encrypted with KMS CMK +type: control description: To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' - ELSE title || ' logs are encrypted at rest.' - END AS reason, - region, - account_id - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.' + ELSE title || ' logs are encrypted at rest.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml index fc08d88b5..cea1337f6 100644 --- a/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml 
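Review bot: The `description` on the new side still tells the reader to enable encryption for CloudWatch Log Groups, while the query inspects `aws_cloudtrail_trail.kms_key_id` and the title is about CloudTrail trail logs; the text should describe the trail setting, e.g. `description: Ensure CloudTrail trail log files are encrypted with a KMS key (kms_key_id set on the trail). The control fails when the trail has no KMS key configured.`. The predicate only verifies that a key id is present; if the platform can surface an AWS-managed key in that column, such a trail would pass a control titled "KMS CMK", so either the title should say "KMS key" or the check should qualify the key as customer managed.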
@@ -1,64 +1,65 @@ id: aws_cloudtrail_trail_validation_enabled title: CloudTrail trail log file validation should be enabled -description: 'Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.' +type: control +description: "Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_file_validation_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' - ELSE title || ' log file validation disabled.' 
- END AS reason, - region, - account_id - FROM - aws_cloudtrail_trail - WHERE - region = home_region; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_file_validation_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_file_validation_enabled THEN title || ' log file validation enabled.' + ELSE title || ' log file validation disabled.' + END AS reason, + region, + account_id + FROM + aws_cloudtrail_trail + WHERE + region = home_region; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CloudTrail - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml index 03cf25be3..990858aaf 100644 --- a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml 
+++ b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml 
@@ -1,63 +1,64 @@ id: aws_cloudwatch_alarm_action_enabled title: CloudWatch alarm should have an action configured +type: control description: Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is non-compliant if there is no action specified for the alarm or optional parameter. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudwatch_alarm - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(alarm_actions) = 0 - AND jsonb_array_length(insufficient_data_actions) = 0 - AND jsonb_array_length(ok_actions) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN jsonb_array_length(alarm_actions) = 0 - AND jsonb_array_length(insufficient_data_actions) = 0 - AND jsonb_array_length(ok_actions) = 0 THEN title || ' no action enabled.' - WHEN jsonb_array_length(alarm_actions) != 0 THEN title || ' alarm action enabled.' - WHEN jsonb_array_length(insufficient_data_actions) != 0 THEN title || ' insufficient data action enabled.' - WHEN jsonb_array_length(ok_actions) != 0 THEN title || ' ok action enabled.' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_cloudwatch_alarm; + language: sql + primary_resource: aws_cloudwatch_alarm + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(alarm_actions) = 0 + AND jsonb_array_length(insufficient_data_actions) = 0 + AND jsonb_array_length(ok_actions) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN jsonb_array_length(alarm_actions) = 0 + AND jsonb_array_length(insufficient_data_actions) = 0 + AND jsonb_array_length(ok_actions) = 0 THEN title || ' no action enabled.' 
+ WHEN jsonb_array_length(alarm_actions) != 0 THEN title || ' alarm action enabled.' + WHEN jsonb_array_length(insufficient_data_actions) != 0 THEN title || ' insufficient data action enabled.' + WHEN jsonb_array_length(ok_actions) != 0 THEN title || ' ok action enabled.' + ELSE 'ok' + END AS reason, + region, + account_id + FROM + aws_cloudwatch_alarm; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/CloudWatch - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml index cd3753939..65bd81665 100644 --- a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml +++ b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml 
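Review bot: The 'alarm' condition in the status `CASE` relies on `jsonb_array_length(alarm_actions) = 0`, but if the collector stores a missing action list as NULL rather than `[]`, `jsonb_array_length(NULL)` is NULL, the comparison is UNKNOWN, and an alarm with no actions at all falls through to 'ok'. Wrapping each length in `coalesce(jsonb_array_length(alarm_actions), 0) = 0` (and likewise for `insufficient_data_actions` and `ok_actions`) in both the status and reason expressions makes the no-action case fail closed. The trailing `ELSE 'ok'` in the reason `CASE` then becomes unreachable and can be dropped or replaced with a message, since every row is already covered by the earlier branches.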
@@ -1,40 +1,41 @@ id: aws_cloudwatch_alarm_action_enabled_check title: CloudWatch alarm action should be enabled +type: control description: Checks if AWS CloudWatch alarm actions are in enabled state. The rule is non-compliant if the CloudWatch alarm actions are not in enabled state. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudwatch_alarm - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN actions_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN actions_enabled THEN title || ' alarm actions enabled.' - ELSE title || ' alarm actions disabled.' - END AS reason, - region, - account_id - FROM - aws_cloudwatch_alarm; + language: sql + primary_resource: aws_cloudwatch_alarm + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN actions_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN actions_enabled THEN title || ' alarm actions enabled.' + ELSE title || ' alarm actions disabled.' + END AS reason, + region, + account_id + FROM + aws_cloudwatch_alarm; severity: medium tags: - category: - - Compliance - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CloudWatch - soc_2: - - 'true' + category: + - Compliance + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml b/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml index 278a3596a..247c9dd63 100644 --- a/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml +++ b/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml 
@@ -1,39 +1,40 @@ id: aws_cloudwatch_cross_account_sharing title: CloudWatch should not allow cross-account sharing +type: control description: Ensure that your AWS CloudWatch is configured to allow access only to friendly AWS accounts in order to prevent unauthorized users from sharing their CloudWatch events. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH iam_role_cross_account_sharing_count AS ( - SELECT - arn, - REPLACE(REPLACE(REPLACE((a -> 'Principal' ->> 'AWS'), '[', ''), ']', ''), '"', '') AS cross_account_details, - account_id - FROM - aws_iam_role, - JSONB_ARRAY_ELEMENTS(assume_role_policy_std -> 'Statement') AS a - WHERE - name = 'CloudWatch-CrossAccountSharingRole' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.arn IS NULL THEN 'ok' - ELSE 'info' - END AS status, - CASE - WHEN c.arn IS NULL THEN 'CloudWatch does not allow cross-account sharing.' - ELSE 'CloudWatch allows cross-account sharing with ' || cross_account_details || '.' - END AS reason - FROM - aws_account AS a - LEFT JOIN iam_role_cross_account_sharing_count AS c - ON c.account_id = a.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH iam_role_cross_account_sharing_count AS ( + SELECT + arn, + REPLACE(REPLACE(REPLACE((a -> 'Principal' ->> 'AWS'), '[', ''), ']', ''), '"', '') AS cross_account_details, + account_id + FROM + aws_iam_role, + JSONB_ARRAY_ELEMENTS(assume_role_policy_std -> 'Statement') AS a + WHERE + name = 'CloudWatch-CrossAccountSharingRole' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.arn IS NULL THEN 'ok' + ELSE 'info' + END AS status, + CASE + WHEN c.arn IS NULL THEN 'CloudWatch does not allow cross-account sharing.' 
+ ELSE 'CloudWatch allows cross-account sharing with ' || cross_account_details || '.' + END AS reason + FROM + aws_account AS a + LEFT JOIN iam_role_cross_account_sharing_count AS c + ON c.account_id = a.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml b/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml index ebdf22b90..58fa97187 100644 --- a/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml +++ b/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml 
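Review bot: The `iam_role_cross_account_sharing_count` CTE expands `assume_role_policy_std -> 'Statement'` with `JSONB_ARRAY_ELEMENTS` and returns one row per statement, so an account whose sharing role has several statements is emitted several times by the LEFT JOIN, each with a different `cross_account_details`; the CTE name also promises a count it does not compute. Aggregating the principals per account keeps one row per account and lists every trusted principal in the reason. The control's title says cross-account sharing should not be allowed, yet the presence of the role only yields 'info'; if that is deliberate (the trusted accounts may be "friendly", as the description says), a comment such as `-- info, not alarm: trust may be to approved accounts; reviewer decides` above the status `CASE` would record the reasoning.

```sql
WITH iam_role_cross_account_sharing AS (
  SELECT
    account_id,
    MIN(arn) AS arn,
    STRING_AGG(REPLACE(REPLACE(REPLACE((a -> 'Principal' ->> 'AWS'), '[', ''), ']', ''), '"', ''), ', ') AS cross_account_details
  FROM
    aws_iam_role,
    JSONB_ARRAY_ELEMENTS(assume_role_policy_std -> 'Statement') AS a
  WHERE
    name = 'CloudWatch-CrossAccountSharingRole'
  GROUP BY
    account_id
)
-- … unchanged: outer SELECT, join the CTE under its new name …
```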
@@ -1,63 +1,64 @@ id: aws_cloudwatch_log_group_retention_period_365 title: Log group retention period should be at least 365 days +type: control description: Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudwatch_log_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN retention_in_days IS NULL OR retention_in_days < 365 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN retention_in_days IS NULL THEN title || ' retention period not set.' - WHEN retention_in_days < 365 THEN title || ' retention period less than 365 days.' - ELSE title || ' retention period 365 days or above.' - END AS reason, - region, - account_id - FROM - aws_cloudwatch_log_group; + language: sql + primary_resource: aws_cloudwatch_log_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN retention_in_days IS NULL OR retention_in_days < 365 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN retention_in_days IS NULL THEN title || ' retention period not set.' + WHEN retention_in_days < 365 THEN title || ' retention period less than 365 days.' + ELSE title || ' retention period 365 days or above.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudwatch_log_group; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudWatch - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudWatch + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml index 88c20625e..a76bd9a7e 100644 --- a/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml 
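Review bot: The status `CASE` reports 'alarm' for `retention_in_days IS NULL`, but in CloudWatch Logs a group with no retention policy keeps events indefinitely, which already satisfies a 365-day minimum; treating it as a failure is defensible only if the control's intent is "an explicit retention policy must be set", and nothing on the page says so. If that is the intent, the reason text `' retention period not set.'` is accurate but the description should say that an unset (never-expire) policy is also non-compliant; otherwise the NULL branch should be 'ok' with a reason like `' retention period not set (never expires).'`. How the collector represents "never expire" (NULL vs 0) is not visible here and is worth confirming before changing the branch.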
@@ -1,56 +1,57 @@ id: aws_codebuild_project_artifact_encryption_enabled title: CodeBuild project artifact encryption should be enabled +type: control description: This control checks if a CodeBuild project has encryption enabled for all of its artifacts. The rule is non-compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - WITH secondary_artifact AS ( - SELECT - DISTINCT arn - FROM - aws_codebuild_project, - jsonb_array_elements(secondary_artifacts) AS a - WHERE - a -> 'EncryptionDisabled' = 'true' - ) - SELECT - a.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.artifacts ->> 'EncryptionDisabled' = 'false' - AND (p.secondary_artifacts IS NULL OR a.arn IS NULL) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.artifacts ->> 'EncryptionDisabled' = 'false' - AND (p.secondary_artifacts IS NULL OR a.arn IS NULL) - THEN p.title || ' all artifacts encryption enabled.' - ELSE p.title || ' all artifacts encryption not enabled.' 
- END AS reason, - p.region, - p.account_id - FROM - aws_codebuild_project AS p - LEFT JOIN secondary_artifact AS a ON a.arn = p.arn; + language: sql + primary_resource: aws_codebuild_project + definition: | + WITH secondary_artifact AS ( + SELECT + DISTINCT arn + FROM + aws_codebuild_project, + jsonb_array_elements(secondary_artifacts) AS a + WHERE + a -> 'EncryptionDisabled' = 'true' + ) + SELECT + a.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.artifacts ->> 'EncryptionDisabled' = 'false' + AND (p.secondary_artifacts IS NULL OR a.arn IS NULL) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.artifacts ->> 'EncryptionDisabled' = 'false' + AND (p.secondary_artifacts IS NULL OR a.arn IS NULL) + THEN p.title || ' all artifacts encryption enabled.' + ELSE p.title || ' all artifacts encryption not enabled.' + END AS reason, + p.region, + p.account_id + FROM + aws_codebuild_project AS p + LEFT JOIN secondary_artifact AS a ON a.arn = p.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/CodeBuild + category: + - Compliance + cis_controls_v8_ig1: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild diff --git a/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml b/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml index 2374c362f..b0d22dfef 100644 --- a/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml +++ b/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml 
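Review bot: The outer SELECT uses `a.arn AS resource`, where `a` is the LEFT JOINed `secondary_artifact` CTE; for every project that has no encryption-disabled secondary artifact (the 'ok' rows) `a.arn` is NULL, so the resource column is empty exactly when the control passes. It should read `p.arn AS resource,` so the resource always names the project. Separately, the 'ok' branch requires `p.artifacts ->> 'EncryptionDisabled' = 'false'`; if the collector omits the key when the API does not return it, the NULL comparison sends such projects to 'alarm', so consider `COALESCE(p.artifacts ->> 'EncryptionDisabled', 'false') = 'false'` once the default is confirmed.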
@@ -1,68 +1,69 @@ id: aws_codebuild_project_build_greater_then_90_days title: CodeBuild projects should not be unused for 90 days or greater +type: control description: Ensure CodeBuild projects are currently in use. It is recommended to remove the stale ones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - WITH latest_codebuild_build AS ( - SELECT - project_name, - region, - account_id, - MIN(DATE_PART('day', NOW() - end_time)) AS build_time - FROM - aws_codebuild_build - GROUP BY - project_name, - region, - account_id - ), - codebuild_projects AS ( - SELECT - arn, - name, - region, - account_id, - title, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_codebuild_project - GROUP BY - name, - tags, - arn, - title, - region, - account_id, - _ctx, - platform_integration_id, - platform_resource_id - ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN b.build_time IS NULL THEN 'alarm' - WHEN b.build_time < 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.build_time IS NULL THEN p.title || ' has no builds.' - ELSE p.title || ' was built ' || build_time || ' day(s) before.' 
- END AS reason - FROM - codebuild_projects AS p - LEFT JOIN latest_codebuild_build AS b - ON p.name = b.project_name - AND p.region = b.region - AND p.account_id = b.account_id; + language: sql + primary_resource: aws_codebuild_project + definition: | + WITH latest_codebuild_build AS ( + SELECT + project_name, + region, + account_id, + MIN(DATE_PART('day', NOW() - end_time)) AS build_time + FROM + aws_codebuild_build + GROUP BY + project_name, + region, + account_id + ), + codebuild_projects AS ( + SELECT + arn, + name, + region, + account_id, + title, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_codebuild_project + GROUP BY + name, + tags, + arn, + title, + region, + account_id, + _ctx, + platform_integration_id, + platform_resource_id + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN b.build_time IS NULL THEN 'alarm' + WHEN b.build_time < 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.build_time IS NULL THEN p.title || ' has no builds.' + ELSE p.title || ' was built ' || build_time || ' day(s) before.' + END AS reason + FROM + codebuild_projects AS p + LEFT JOIN latest_codebuild_build AS b + ON p.name = b.project_name + AND p.region = b.region + AND p.account_id = b.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml b/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml index b37b009a7..dc790519c 100644 --- a/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml 
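Review bot: The `codebuild_projects` CTE has a `GROUP BY` over every selected column but no aggregate, which makes it a DISTINCT over the whole row (including the jsonb `tags` and `_ctx` columns) and obscures the intent; if `arn` is unique per project, the CTE can be dropped and the outer query can select straight from `aws_codebuild_project`. The join to `latest_codebuild_build` only sees builds with a non-NULL `end_time`, so a project whose builds are all still running would be reported as having no builds; a comment `-- in-progress builds (NULL end_time) are ignored by MIN` above the CTE would make that visible, or `COALESCE(end_time, start_time)` could be used if that column exists in the build table (not visible here). The reason expression references `build_time` unqualified; `b.build_time` keeps it consistent with the status expression.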
@@ -1,40 +1,41 @@ id: aws_codebuild_project_environment_privileged_mode_disabled title: CodeBuild project environments should not have privileged mode enabled +type: control description: This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN environment ->> 'PrivilegedMode' = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN environment ->> 'PrivilegedMode' = 'true' THEN title || ' environment privileged mode enabled.' - ELSE title || ' environment privileged mode disabled.' - END AS reason, - region, - account_id - FROM - aws_codebuild_project; + language: sql + primary_resource: aws_codebuild_project + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN environment ->> 'PrivilegedMode' = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN environment ->> 'PrivilegedMode' = 'true' THEN title || ' environment privileged mode enabled.' + ELSE title || ' environment privileged mode disabled.' + END AS reason, + region, + account_id + FROM + aws_codebuild_project; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CodeBuild + category: + - Compliance + cis_controls_v8_ig1: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild 
diff --git a/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml index 8279f3caf..d2d21062a 100644 --- a/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml 
@@ -1,44 +1,45 @@ id: aws_codebuild_project_logging_enabled title: CodeBuild projects should have logging enabled +type: control description: This control checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is non-compliant if the status of all present log configurations is set to 'DISABLED'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' - OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' - OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason, - region, - account_id - FROM - aws_codebuild_project; + language: sql + primary_resource: aws_codebuild_project + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' + OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' + OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_codebuild_project; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/CodeBuild + category: + - Compliance + cis_controls_v8_ig1: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild diff --git a/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml b/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml index bf0dd229a..7c595a6b0 100644 --- a/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml +++ b/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml 
@@ -1,68 +1,69 @@ id: aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values title: CodeBuild project plaintext environment variables should not contain sensitive AWS values +type: control description: Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - WITH invalid_key_name AS ( - SELECT DISTINCT - arn, - name - FROM - aws_codebuild_project, - jsonb_array_elements(environment -> 'EnvironmentVariables') AS env - WHERE - env ->> 'Name' ILIKE ANY(ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%']) - AND env ->> 'Type' = 'PLAINTEXT' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN a.title || ' has no plaintext environment variables with sensitive AWS values.' - ELSE a.title || ' has plaintext environment variables with sensitive AWS values.' 
- END AS reason, - a.region, - a.account_id - FROM - aws_codebuild_project AS a - LEFT JOIN invalid_key_name b ON a.arn = b.arn; + language: sql + primary_resource: aws_codebuild_project + definition: | + WITH invalid_key_name AS ( + SELECT DISTINCT + arn, + name + FROM + aws_codebuild_project, + jsonb_array_elements(environment -> 'EnvironmentVariables') AS env + WHERE + env ->> 'Name' ILIKE ANY(ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%']) + AND env ->> 'Type' = 'PLAINTEXT' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN a.title || ' has no plaintext environment variables with sensitive AWS values.' + ELSE a.title || ' has plaintext environment variables with sensitive AWS values.' + END AS reason, + a.region, + a.account_id + FROM + aws_codebuild_project AS a + LEFT JOIN invalid_key_name b ON a.arn = b.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CodeBuild - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild + soc_2: + - "true" 
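Review bot: The `ILIKE ANY` list in the `invalid_key_name` CTE also matches `%PASSWORD%`, while the `description` and the reason strings talk only about `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`; either the description should mention that any variable name containing PASSWORD is treated as sensitive, or the pattern should be trimmed to what is documented. `AWS_SESSION_TOKEN` is the third credential of a temporary key set and is worth adding to the list for the same reason the other two are there. The filter `env ->> 'Type' = 'PLAINTEXT'` drops variables whose `Type` key is absent; if the collector can return a variable without a type (CodeBuild's default is plaintext), `COALESCE(env ->> 'Type', 'PLAINTEXT') = 'PLAINTEXT'` avoids a silent miss, and the `name` column selected in the CTE is unused and can go.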
diff --git a/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml index dc9106cf2..fe5ddb84c 100644 --- a/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_codebuild_project_s3_logs_encryption_enabled title: CodeBuild project S3 logs should be encrypted +type: control description: This control checks if S3 logs for a CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN title || ' S3Logs encryption enabled.' - ELSE title || ' S3Logs encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_codebuild_project; + language: sql + primary_resource: aws_codebuild_project + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN title || ' S3Logs encryption enabled.' + ELSE title || ' S3Logs encryption disabled.' + END AS reason, + region, + account_id + FROM + aws_codebuild_project; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_at_rest - foundational_security_item_id: - - codebuild_3 - plugin: - - aws - service: - - AWS/CodeBuild + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_at_rest + foundational_security_item_id: + - codebuild_3 + plugin: + - aws + service: + - AWS/CodeBuild 
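Review bot: The `status` CASE returns 'alarm' whenever `logs_config -> 'S3Logs' ->> 'EncryptionDisabled'` is absent, because `NOT NULL::bool` is NULL and the CASE falls through to ELSE, and the `reason` CASE then reports ' S3Logs encryption disabled.' for a project that may simply have no S3 log destination configured. The control should make that state explicit rather than let three-valued logic decide it, e.g. as the first WHEN of both CASE expressions `WHEN logs_config -> 'S3Logs' ->> 'EncryptionDisabled' IS NULL THEN 'skip'`, or `COALESCE((logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool, false)` if an absent flag is meant to count as encrypted. Which of the two is intended is not determinable from the hunk; the description says the control fails when encryption is deactivated, which suggests an unconfigured destination should not be an alarm, so a one-line comment on `definition` stating the chosen rule would help.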
diff --git a/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml b/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml index 6c933b1d8..7bb6293cc 100644 --- a/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml +++ b/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml 
@@ -1,61 +1,62 @@ id: aws_codebuild_project_source_repo_oauth_configured title: CodeBuild GitHub or Bitbucket source repository URLs should use OAuth +type: control description: Ensure the GitHub or Bitbucket source repository URL does not contain personal access tokens, user name and password within AWS Codebuild project environments. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN 'skip' - WHEN c.auth_type = 'OAUTH' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.source ->> 'Type' = 'NO_SOURCE' THEN p.title || ' doesn''t have input source code.' - WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN p.title || ' source code isn''t in GitHub/Bitbucket repository.' - WHEN c.auth_type = 'OAUTH' THEN p.title || ' using OAuth to connect source repository.' - ELSE p.title || ' not using OAuth to connect source repository.' - END AS reason, - p.region, - p.account_id - FROM - aws_codebuild_project AS p - LEFT JOIN aws_codebuild_source_credential AS c - ON (p.region = c.region AND p.source ->> 'Type' = c.server_type); + language: sql + primary_resource: aws_codebuild_project + definition: | + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN 'skip' + WHEN c.auth_type = 'OAUTH' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.source ->> 'Type' = 'NO_SOURCE' THEN p.title || ' doesn''t have input source code.' + WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN p.title || ' source code isn''t in GitHub/Bitbucket repository.' 
+ WHEN c.auth_type = 'OAUTH' THEN p.title || ' using OAuth to connect source repository.' + ELSE p.title || ' not using OAuth to connect source repository.' + END AS reason, + p.region, + p.account_id + FROM + aws_codebuild_project AS p + LEFT JOIN aws_codebuild_source_credential AS c + ON (p.region = c.region AND p.source ->> 'Type' = c.server_type); severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/CodeBuild - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml b/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml index c2d455640..363315347 100644 --- a/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml +++ b/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml 
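Review bot: The `LEFT JOIN aws_codebuild_source_credential AS c` is keyed only on region and server type, not on account, so in an inventory that holds several AWS accounts an OAUTH credential for GitHub/Bitbucket in any account in the same region makes every project in that region 'ok', and a project whose own account has only a token-based credential can be passed by a neighbour. The join condition should include the account as well, `ON (p.account_id = c.account_id AND p.region = c.region AND p.source ->> 'Type' = c.server_type)`. With that fix a project whose account has no matching credential row still reaches the ELSE branch ('alarm'), which is the intended failure path.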
@@ -1,26 +1,27 @@
id: aws_codebuild_project_with_user_controlled_buildspec
title: CodeBuild projects should not use an user controlled buildspec
+type: control
description: This control checks if buildspec.yml is used from a trusted source which user cant interfere with.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN split_part(source ->> 'Buildspec', '.', -1) = 'yml' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN split_part(source ->> 'Buildspec', '.', -1) = 'yml' THEN title || ' uses a user controlled buildspec.'
- ELSE title || ' does not use a user controlled buildspec.'
- END AS reason
- FROM
- aws_codebuild_project;
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN split_part(source ->> 'Buildspec', '.', -1) = 'yml' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN split_part(source ->> 'Buildspec', '.', -1) = 'yml' THEN title || ' uses a user controlled buildspec.'
+ ELSE title || ' does not use a user controlled buildspec.'
+ END AS reason
+ FROM
+ aws_codebuild_project;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml b/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml
index db6b6cb11..60064212d 100644
--- a/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml
+++ b/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml
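Review bot: The check keys only on whether `source ->> 'Buildspec'` ends in `.yml`, which does not express the trusted-source rule the description states: an in-repo path ending in `.yaml`, or an unset Buildspec (which, as far as I know, makes CodeBuild fall back to the repository's own buildspec.yml), is reported 'ok', while a buildspec hosted outside the repository but still named `*.yml` is alarmed. A location-based rule needs to tell repository paths apart from externally hosted or inline buildspecs, and the hunk does not show how the `source` column represents those cases, so the intended rule should at least be written as a comment on `definition` and the NULL case handled explicitly, e.g. `WHEN source ->> 'Buildspec' IS NULL THEN 'alarm'` as the first WHEN. `split_part` with a negative position also requires PostgreSQL 14 or later, and the definition omits the `region` and `account_id` output columns that the sibling CodeBuild controls in this commit emit.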
@@ -1,26 +1,27 @@
id: aws_config_configuration_recorder_no_failed_deliver_logs
title: Config configuration recorder should not fail to deliver logs
+type: control
description: This control checks whether Config configuration recorder fails to deliver logs. This control is non-compliant if Config configuration recorder fails to deliver logs.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_config_configuration_recorder
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN status ->> 'LastStatus' = 'FAILURE' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN status ->> 'LastStatus' = 'FAILURE' THEN title || ' has failed deliver logs.'
- ELSE title || ' does not have failed deliver logs.'
- END AS reason
- FROM
- aws_config_configuration_recorder;
+ language: sql
+ primary_resource: aws_config_configuration_recorder
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN status ->> 'LastStatus' = 'FAILURE' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN status ->> 'LastStatus' = 'FAILURE' THEN title || ' has failed deliver logs.'
+ ELSE title || ' does not have failed deliver logs.'
+ END AS reason
+ FROM
+ aws_config_configuration_recorder;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_config_enabled_all_regions.yaml b/compliance/controls/aws/aws_config_enabled_all_regions.yaml
index 4c4f082df..6f6e3a46a 100644
--- a/compliance/controls/aws/aws_config_enabled_all_regions.yaml
+++ b/compliance/controls/aws/aws_config_enabled_all_regions.yaml
@@ -1,87 +1,88 @@ id: aws_config_enabled_all_regions title: AWS Config should be enabled +type: control description: This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH global_recorders AS ( - SELECT - COUNT(*) AS global_config_recorders - FROM - aws_config_configuration_recorder - WHERE - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - AND recording_group -> 'AllSupported' = 'true' + language: sql + primary_resource: aws_account + definition: | + WITH global_recorders AS ( + SELECT + COUNT(*) AS global_config_recorders + FROM + aws_config_configuration_recorder + WHERE + recording_group -> 'IncludeGlobalResourceTypes' = 'true' + AND recording_group -> 'AllSupported' = 'true' + AND status ->> 'Recording' = 'true' + AND status ->> 'LastStatus' = 'SUCCESS' + ), + regions AS ( + SELECT + 'arn:aws::' || a.region || ':' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + g.global_config_recorders >= 1 AND status ->> 'Recording' = 'true' AND status ->> 'LastStatus' = 'SUCCESS' - ), - regions AS ( - SELECT - 'arn:aws::' || a.region || ':' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - g.global_config_recorders >= 1 - AND status ->> 'Recording' = 'true' - AND status ->> 'LastStatus' = 'SUCCESS' - THEN 0 - WHEN a.opt_in_status = 'not-opted-in' THEN 1 - ELSE 2 - END AS status, - a.region, a.account_id - FROM - global_recorders AS g, - aws_region AS a - LEFT JOIN aws_config_configuration_recorder AS r ON r.account_id = a.account_id AND r.region = a.name - ), - results AS ( - SELECT - account_id AS resource, - platform_integration_id AS 
platform_integration_id, - platform_integration_id AS platform_resource_id, - CASE - WHEN MAX(status) = 2 THEN 'alarm' - WHEN MAX(status) = 1 THEN 'skip' - WHEN MAX(status) = 0 THEN 'ok' - END AS status, - CASE - WHEN MAX(status) = 2 THEN 'AWS Config is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 0 THEN 'AWS Config is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - END AS reason - FROM regions - GROUP BY account_id, platform_integration_id - ) - SELECT - r.resource AS resource, - r.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - r.status AS status, - r.reason AS reason - FROM results AS r - JOIN aws_account AS a ON r.platform_integration_id = a.platform_integration_id + THEN 0 + WHEN a.opt_in_status = 'not-opted-in' THEN 1 + ELSE 2 + END AS status, + a.region, a.account_id + FROM + global_recorders AS g, + aws_region AS a + LEFT JOIN aws_config_configuration_recorder AS r ON r.account_id = a.account_id AND r.region = a.name + ), + results AS ( + SELECT + account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_integration_id AS platform_resource_id, + CASE + WHEN MAX(status) = 2 THEN 'alarm' + WHEN MAX(status) = 1 THEN 'skip' + WHEN MAX(status) = 0 THEN 'ok' + END AS status, + CASE + WHEN MAX(status) = 2 THEN 'AWS Config is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 0 THEN 'AWS Config is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + END AS reason + FROM regions + GROUP BY account_id, platform_integration_id + ) + SELECT + r.resource AS resource, + r.platform_integration_id AS platform_integration_id, + 
a.platform_resource_id AS platform_resource_id, + r.status AS status, + r.reason AS reason + FROM results AS r + JOIN aws_account AS a ON r.platform_integration_id = a.platform_integration_id severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.5' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/Config + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.5" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/Config diff --git a/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml index 0aaeb4ffc..a0ba0064e 100644 --- a/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml 
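Review bot: `global_recorders` counts matching recorders over the whole `aws_config_configuration_recorder` table with no `account_id`, so in an inventory holding several accounts one account's global recorder satisfies `g.global_config_recorders >= 1` for every other account's regions. Group the CTE by account (`SELECT account_id, COUNT(*) AS global_config_recorders ... GROUP BY account_id`) and replace the comma join `FROM global_recorders AS g, aws_region AS a` with `LEFT JOIN global_recorders AS g ON g.account_id = a.account_id`, comparing `COALESCE(g.global_config_recorders, 0) >= 1`, so an account with no global recorder is evaluated against zero instead of being dropped or cross-matched. The unqualified `status ->> 'Recording'` inside `regions` presumably resolves to the recorder row; writing it as `r.status` next to the `a.*` references would make that explicit. `results` also aliases `platform_integration_id AS platform_resource_id`; the final SELECT overrides it from `aws_account`, so it is harmless but misleading and deserves a `-- placeholder, replaced by aws_account.platform_resource_id below` comment.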
@@ -1,40 +1,41 @@ id: aws_dax_cluster_encryption_at_rest_enabled title: DynamoDB Accelerator (DAX) clusters should be encrypted at rest +type: control description: This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dax_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN sse_description ->> 'Status' = 'ENABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sse_description ->> 'Status' = 'ENABLED' THEN title || ' encryption at rest enabled.' - ELSE title || ' encryption at rest not enabled.' - END AS reason, - region, - account_id - FROM - aws_dax_cluster; + language: sql + primary_resource: aws_dax_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN sse_description ->> 'Status' = 'ENABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sse_description ->> 'Status' = 'ENABLED' THEN title || ' encryption at rest enabled.' + ELSE title || ' encryption at rest not enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_dax_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_at_rest - foundational_security_item_id: - - dynamodb_3 - plugin: - - aws - service: - - AWS/DynamoDB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_at_rest + foundational_security_item_id: + - dynamodb_3 + plugin: + - aws + service: + - AWS/DynamoDB diff --git a/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml b/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml index 75870b060..66d60c1df 100644 --- a/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml +++ b/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml 
@@ -1,24 +1,25 @@ id: aws_directory_service_certificate_expires_90_days title: Directory Service certificates should not expire within 90 days +type: control description: Is it recommended to monitor certificate expiration and implement automated alerts to notify the responsible team for timely certificate replacement or removal. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_directory_service_certificate - definition: | - SELECT - certificate_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN DATE(expiry_date_time) - DATE(CURRENT_DATE) >= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' expires ' || TO_CHAR(expiry_date_time, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM expiry_date_time - CURRENT_DATE) || ' days).' AS reason - FROM - aws_directory_service_certificate; + language: sql + primary_resource: aws_directory_service_certificate + definition: | + SELECT + certificate_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN DATE(expiry_date_time) - DATE(CURRENT_DATE) >= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' expires ' || TO_CHAR(expiry_date_time, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM expiry_date_time - CURRENT_DATE) || ' days).' AS reason + FROM + aws_directory_service_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml b/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml index d9b7fb3e4..8f7b7b7a8 100644 --- a/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml +++ b/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml 
@@ -1,28 +1,29 @@ id: aws_directory_service_directory_snapshots_limit_2 title: Directory Service directories manual snapshots limit should not be less than 2 +type: control description: Ensure you keep track of the number of manual snapshots for your monitor to guarantee sufficient capacity when it becomes necessary. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_directory_service_directory - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN snapshot_limit ->> 'ManualSnapshotsLimitReached' = 'true' THEN 'alarm' - WHEN ( (snapshot_limit ->> 'ManualSnapshotsLimit')::int - (snapshot_limit ->> 'ManualSnapshotsCurrentCount')::int ) <= 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN snapshot_limit ->> 'ManualSnapshotsLimitReached' = 'true' THEN title || ' has reached ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshots limit.' - WHEN ( (snapshot_limit ->> 'ManualSnapshotsLimit')::int - (snapshot_limit ->> 'ManualSnapshotsCurrentCount')::int ) <= 2 THEN title || ' is about to reach its ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshot limit.' - ELSE title || ' is using ' || (snapshot_limit ->> 'ManualSnapshotsCurrentCount') || ' out of ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshots limit.' 
- END AS reason - FROM - aws_directory_service_directory; + language: sql + primary_resource: aws_directory_service_directory + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN snapshot_limit ->> 'ManualSnapshotsLimitReached' = 'true' THEN 'alarm' + WHEN ( (snapshot_limit ->> 'ManualSnapshotsLimit')::int - (snapshot_limit ->> 'ManualSnapshotsCurrentCount')::int ) <= 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN snapshot_limit ->> 'ManualSnapshotsLimitReached' = 'true' THEN title || ' has reached ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshots limit.' + WHEN ( (snapshot_limit ->> 'ManualSnapshotsLimit')::int - (snapshot_limit ->> 'ManualSnapshotsCurrentCount')::int ) <= 2 THEN title || ' is about to reach its ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshot limit.' + ELSE title || ' is using ' || (snapshot_limit ->> 'ManualSnapshotsCurrentCount') || ' out of ' || (snapshot_limit ->> 'ManualSnapshotsLimit') || ' snapshots limit.' + END AS reason + FROM + aws_directory_service_directory; severity: low tags: {} diff --git a/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml b/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml index 225e88d09..dc48bd2b5 100644 --- a/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml +++ b/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml 
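Review bot: The second WHEN of both CASE expressions alarms when `ManualSnapshotsLimit - ManualSnapshotsCurrentCount` is `<= 2`, while the title says the margin should not be less than 2, so a directory with exactly two snapshots of headroom is reported as 'about to reach its limit'; if the title is the intended rule the comparison should be `< 2`, otherwise the title should read 'should be greater than 2'. When either key is absent the `::int` casts yield NULL, `NULL <= 2` is not true, and the row falls through to 'ok' with a `reason` that is itself NULL (a NULL operand makes the whole `||` chain NULL in PostgreSQL); an explicit `WHEN snapshot_limit ->> 'ManualSnapshotsLimit' IS NULL THEN 'skip'` branch in both CASEs would surface that instead of hiding it.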
@@ -1,26 +1,27 @@
id: aws_directory_service_directory_sns_notifications_enabled
title: Directory Service directories should have SNS notification enabled
+type: control
description: This control verifies whether SNS messaging has been set up to receive email or text notifications for any changes in the directory's status.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_directory_service_directory
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN jsonb_array_length(event_topics) > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN jsonb_array_length(event_topics) > 0 THEN title || ' SNS notifications enabled.'
- ELSE title || ' SNS notifications disabled.'
- END AS reason
- FROM
- aws_directory_service_directory;
+ language: sql
+ primary_resource: aws_directory_service_directory
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN jsonb_array_length(event_topics) > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN jsonb_array_length(event_topics) > 0 THEN title || ' SNS notifications enabled.'
+ ELSE title || ' SNS notifications disabled.'
+ END AS reason
+ FROM
+ aws_directory_service_directory;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml
index 5e105fb9c..6beedd406 100644
--- a/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml
+++ b/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml
@@ -1,52 +1,53 @@ id: aws_dlm_ebs_snapshot_lifecycle_policy_enabled title: DLM EBS snapshot lifecycle policy should be enabled +type: control description: Ensure DLM EBS snapshot lifecycle policy is enabled in all the regions with EBS snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - WITH region_with_ebs_snapshots AS ( - SELECT - DISTINCT region, - partition, - account_id, - _ctx, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id - FROM - aws_ebs_snapshot - ), - dlm_ebs_lifecycle_policy AS ( - SELECT - region, - account_id, - COUNT(*) - FROM - aws_dlm_lifecycle_policy - WHERE - policy_details ->> 'PolicyType' LIKE 'EBS_SNAPSHOT%' - GROUP BY - region, - account_id - ) - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN p.region IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.region IS NOT NULL THEN 'EBS snapshot DLM policy exist in region ' || r.region || '.' - ELSE 'EBS snapshots DLM policy does not exist in region ' || r.region || '.' 
- END AS reason - FROM - region_with_ebs_snapshots AS r - LEFT JOIN dlm_ebs_lifecycle_policy AS p - ON p.region = r.region AND r.account_id = p.account_id; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + WITH region_with_ebs_snapshots AS ( + SELECT + DISTINCT region, + partition, + account_id, + _ctx, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id + FROM + aws_ebs_snapshot + ), + dlm_ebs_lifecycle_policy AS ( + SELECT + region, + account_id, + COUNT(*) + FROM + aws_dlm_lifecycle_policy + WHERE + policy_details ->> 'PolicyType' LIKE 'EBS_SNAPSHOT%' + GROUP BY + region, + account_id + ) + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN p.region IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.region IS NOT NULL THEN 'EBS snapshot DLM policy exist in region ' || r.region || '.' + ELSE 'EBS snapshots DLM policy does not exist in region ' || r.region || '.' + END AS reason + FROM + region_with_ebs_snapshots AS r + LEFT JOIN dlm_ebs_lifecycle_policy AS p + ON p.region = r.region AND r.account_id = p.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_dms_certificate_not_expired.yaml b/compliance/controls/aws/aws_dms_certificate_not_expired.yaml index 89b60992a..481dd7eea 100644 --- a/compliance/controls/aws/aws_dms_certificate_not_expired.yaml +++ b/compliance/controls/aws/aws_dms_certificate_not_expired.yaml 
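Review bot: `region_with_ebs_snapshots` applies DISTINCT over `platform_resource_id` and `_ctx` as well as region/partition/account, so if `platform_resource_id` is the per-snapshot identifier that its name and its use in the other controls suggest, the CTE yields one row per snapshot rather than per region and the same region-level finding is emitted once for every snapshot in that region. Restrict the DISTINCT to `region, partition, account_id, platform_integration_id` and pick a representative id with `MIN(platform_resource_id)` under a `GROUP BY`, and drop `_ctx`, which nothing downstream references. The `COUNT(*)` in `dlm_ebs_lifecycle_policy` is unnamed and unused — only `p.region IS NOT NULL` is tested — so `SELECT DISTINCT region, account_id` (or an `EXISTS`) would state the intent more directly.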
@@ -1,28 +1,29 @@ id: aws_dms_certificate_not_expired title: Ensure that all the expired DMS certificates are removed +type: control description: This control ensures that all expired DMS certificates are removed from AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN valid_to_date < (current_date - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN valid_to_date < (current_date - INTERVAL '1' SECOND) THEN - title || ' expired ' || TO_CHAR(valid_to_date, 'DD-Mon-YYYY') || '.' - ELSE - title || ' valid until ' || TO_CHAR(valid_to_date, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - aws_dms_certificate; + language: sql + primary_resource: aws_dms_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN valid_to_date < (current_date - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN valid_to_date < (current_date - INTERVAL '1' SECOND) THEN + title || ' expired ' || TO_CHAR(valid_to_date, 'DD-Mon-YYYY') || '.' + ELSE + title || ' valid until ' || TO_CHAR(valid_to_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_dms_certificate; severity: low tags: {} diff --git a/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml b/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml index 970b60d7d..b17795418 100644 --- a/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml +++ b/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml 
@@ -1,26 +1,27 @@
id: aws_dms_endpoint_ssl_configured
title: DMS endpoints should use SSL
+type: control
description: This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_dms_endpoint
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN ssl_mode = 'none' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ssl_mode = 'none' THEN title || ' SSL not configured.'
- ELSE title || ' SSL configured.'
- END AS reason
- FROM
- aws_dms_endpoint;
+ language: sql
+ primary_resource: aws_dms_endpoint
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ssl_mode = 'none' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ssl_mode = 'none' THEN title || ' SSL not configured.'
+ ELSE title || ' SSL configured.'
+ END AS reason
+ FROM
+ aws_dms_endpoint;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml
index ad3d8baab..d1fdac1ad 100644
--- a/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml
+++ b/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml
@@ -1,26 +1,27 @@
id: aws_dms_replication_instance_automatic_minor_version_upgrade_enabled
title: DMS replication instances should have automatic minor version upgrade enabled
+type: control
description: This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_dms_replication_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN auto_minor_version_upgrade THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrade enabled.'
- ELSE title || ' automatic minor version upgrade disabled.'
- END AS reason
- FROM
- aws_dms_replication_instance;
+ language: sql
+ primary_resource: aws_dms_replication_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN auto_minor_version_upgrade THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrade enabled.'
+ ELSE title || ' automatic minor version upgrade disabled.'
+ END AS reason
+ FROM
+ aws_dms_replication_instance;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml b/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml
index 38be7cc2b..3b5794d75 100644
--- a/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml
+++ b/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml
@@ -1,64 +1,65 @@ id: aws_dms_replication_instance_not_publicly_accessible title: DMS replication instances should not be publicly accessible +type: control description: Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_replication_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_dms_replication_instance; + language: sql + primary_resource: aws_dms_replication_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' 
+ END AS reason, + region, + account_id + FROM + aws_dms_replication_instance; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/DMS - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/DMS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml b/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml index 7b8d79121..2a78df5c8 100644 --- a/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml +++ b/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml 
@@ -1,44 +1,45 @@ id: aws_dms_replication_task_source_database_logging_enabled title: DMS replication tasks for the source database should have logging enabled +type: control description: This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_replication_task - definition: | - WITH replication_task_logging AS ( - SELECT - arn, - platform_integration_id, - platform_resource_id, - BOOL_OR(o ->> 'Id' = 'SOURCE_CAPTURE' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS capture_logging_enabled, - BOOL_OR(o ->> 'Id' = 'SOURCE_UNLOAD' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS unload_logging_enabled - FROM - aws_dms_replication_task, - JSONB_ARRAY_ELEMENTS(replication_task_settings -> 'Logging' -> 'LogComponents') AS o - GROUP BY - arn, - platform_integration_id, - platform_resource_id - ) - - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AS logging_enabled, - CASE - WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AND l.capture_logging_enabled AND l.unload_logging_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AND l.capture_logging_enabled AND l.unload_logging_enabled THEN title || ' source database logging enabled.' - ELSE title || ' source database logging disabled.' 
- END AS reason - FROM - aws_dms_replication_task AS t - LEFT JOIN replication_task_logging AS l ON l.arn = t.arn; + language: sql + primary_resource: aws_dms_replication_task + definition: | + WITH replication_task_logging AS ( + SELECT + arn, + platform_integration_id, + platform_resource_id, + BOOL_OR(o ->> 'Id' = 'SOURCE_CAPTURE' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS capture_logging_enabled, + BOOL_OR(o ->> 'Id' = 'SOURCE_UNLOAD' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS unload_logging_enabled + FROM + aws_dms_replication_task, + JSONB_ARRAY_ELEMENTS(replication_task_settings -> 'Logging' -> 'LogComponents') AS o + GROUP BY + arn, + platform_integration_id, + platform_resource_id + ) + + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AS logging_enabled, + CASE + WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AND l.capture_logging_enabled AND l.unload_logging_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AND l.capture_logging_enabled AND l.unload_logging_enabled THEN title || ' source database logging enabled.' + ELSE title || ' source database logging disabled.' + END AS reason + FROM + aws_dms_replication_task AS t + LEFT JOIN replication_task_logging AS l ON l.arn = t.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml b/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml index 0eb4dd4b4..f758fa66d 100644 --- a/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml 
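Review bot: The predicate `(replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AND l.capture_logging_enabled AND l.unload_logging_enabled` is written out three times in the final SELECT (the logging_enabled column, the status CASE and the reason CASE); computing it once as a column of the replication_task_logging CTE, or in a second CTE, would keep the three in step when the severity list changes. The severity list `('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')` is also duplicated and deserves a comment such as `-- DEFAULT and the two DEBUG levels are the levels at or above LOGGER_SEVERITY_DEFAULT` so the description's "minimum severity" wording is traceable. Note the LEFT JOIN does the right thing for tasks with no LogComponents: l.* is NULL, the AND chain is not true, and the row lands in 'alarm'.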
+++ b/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml @@ -1,23 +1,24 @@ id: aws_docdb_cluster_backup_retention_period_7_days title: AWS DocumentDB clusters should have an adequate backup retention period +type: control description: This control checks whether an AWS DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' backup retention period is ' || backup_retention_period || ' day(s).' AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' backup retention period is ' || backup_retention_period || ' day(s).' AS reason + FROM + aws_docdb_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml index 1ea1b96d7..be2e55146 100644 --- a/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_docdb_cluster_deletion_protection_enabled title: DocumentDB clusters should have deletion protection enabled +type: control description: Ensure DocumentDB clusters have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_docdb_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml index 9e8ffa46c..ac6bc8a8a 100644 --- a/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_docdb_cluster_encryption_at_rest_enabled title: AWS DocumentDB clusters should be encrypted at rest +type: control description: This control checks whether an AWS DocumentDB cluster is encrypted at rest. The control fails if an AWS DocumentDB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_docdb_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml index 55d34a24c..c34cd974b 100644 --- a/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_docdb_cluster_instance_encryption_at_rest_enabled title: DocumentDB instance should be encrypted at rest +type: control description: This control checks whether an DocumentDB instance is encrypted at rest. The control fails if an DocumentDB instance isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster_instance - definition: | - SELECT - db_instance_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_docdb_cluster_instance; + language: sql + primary_resource: aws_docdb_cluster_instance + definition: | + SELECT + db_instance_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_docdb_cluster_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml index 5231389ed..b3b75d0ab 100644 --- a/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml 
@@ -1,31 +1,32 @@ id: aws_docdb_cluster_instance_logging_enabled title: DocumentDB instance logging should be enabled +type: control description: To help with logging and monitoring within your environment, ensure AWS DocumentDB instance logging is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster_instance - definition: | - SELECT - db_instance_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - engine, - CASE - WHEN engine LIKE 'docdb' - AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'slowquery'] - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine LIKE 'docdb' - AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'slowquery'] - THEN title || ' ' || engine || ' logging enabled.' - ELSE title || ' logging not enabled.' - END AS reason - FROM - aws_docdb_cluster_instance; + language: sql + primary_resource: aws_docdb_cluster_instance + definition: | + SELECT + db_instance_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + engine, + CASE + WHEN engine LIKE 'docdb' + AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'slowquery'] + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine LIKE 'docdb' + AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'slowquery'] + THEN title || ' ' || engine || ' logging enabled.' + ELSE title || ' logging not enabled.' + END AS reason + FROM + aws_docdb_cluster_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_drs_job_enabled.yaml b/compliance/controls/aws/aws_drs_job_enabled.yaml index 797cd490d..8796db1a9 100644 --- a/compliance/controls/aws/aws_drs_job_enabled.yaml +++ b/compliance/controls/aws/aws_drs_job_enabled.yaml 
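Review bot: The check `enabled_cloudwatch_logs_exports ?& ARRAY['error', 'slowquery']` looks for RDS-style log types; as far as I know DocumentDB's CloudWatch log exports are 'audit' and 'profiler', in which case no instance can ever reach 'ok' here — please confirm against collected rows before merging. `engine LIKE 'docdb'` contains no wildcard and is just `engine = 'docdb'`; writing the equality makes the intent explicit and avoids LIKE's escape handling.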
@@ -1,40 +1,41 @@ id: aws_drs_job_enabled title: DRS jobs should be enabled +type: control description: Ensure that DRS is enabled with jobs. This rule is non-compliant if DRS is not enabled with jobs for a particular region. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_drs_job - definition: | - WITH drs_job_count AS ( - SELECT - COUNT(*) AS count, - region, - account_id, - _ctx - FROM - aws_drs_job - GROUP BY - region, - account_id, - _ctx - ) - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN drs_job_count.count = 0 OR drs_job_count.count IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN drs_job_count.count = 0 OR drs_job_count.count IS NULL THEN 'DRS job not enabled for region ' || r.region || '.' - ELSE 'DRS job enabled for region ' || r.region || '.' - END AS reason - FROM - aws_region AS r - LEFT JOIN drs_job_count ON r.region = drs_job_count.region; + language: sql + primary_resource: aws_drs_job + definition: | + WITH drs_job_count AS ( + SELECT + COUNT(*) AS count, + region, + account_id, + _ctx + FROM + aws_drs_job + GROUP BY + region, + account_id, + _ctx + ) + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN drs_job_count.count = 0 OR drs_job_count.count IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN drs_job_count.count = 0 OR drs_job_count.count IS NULL THEN 'DRS job not enabled for region ' || r.region || '.' + ELSE 'DRS job enabled for region ' || r.region || '.' + END AS reason + FROM + aws_region AS r + LEFT JOIN drs_job_count ON r.region = drs_job_count.region; severity: low tags: {} 
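Review bot: The final join `LEFT JOIN drs_job_count ON r.region = drs_job_count.region` matches on region only, while drs_job_count is grouped by region, account_id and _ctx; in a multi-account integration a region with DRS jobs in one account is reported 'ok' for every other account, and several CTE rows for one region duplicate the output row. Join on the account as well, `ON r.region = drs_job_count.region AND r.account_id = drs_job_count.account_id`, and drop `_ctx` from the GROUP BY unless it is intended as a grouping key. `drs_job_count.count = 0` can never be true for a COUNT(*) over grouped rows, so only the `IS NULL` half of that condition does any work.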
diff --git a/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml index 62f282a83..fd3a0efb4 100644 --- a/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml 
@@ -1,75 +1,76 @@ id: aws_dynamodb_table_auto_scaling_enabled title: DynamoDB table auto scaling should be enabled +type: control description: AWS DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH table_with_autocaling AS ( - SELECT - t.resource_id AS resource_id, - COUNT(t.resource_id) AS count - FROM - aws_appautoscaling_target AS t - WHERE - service_namespace = 'dynamodb' - GROUP BY - t.resource_id - ) - SELECT - d.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN 'ok' - WHEN t.resource_id IS NULL THEN 'alarm' - WHEN t.count < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN d.title || ' on-demand mode enabled.' - WHEN t.resource_id IS NULL THEN d.title || ' autoscaling not enabled.' - WHEN t.count < 2 THEN d.title || ' auto scaling not enabled for both read and write capacity.' - ELSE d.title || ' autoscaling enabled for both read and write capacity.' 
- END AS reason, - d.region, - d.account_id - FROM - aws_dynamodb_table AS d - LEFT JOIN - table_with_autocaling AS t - ON - CONCAT('table/', d.name) = t.resource_id + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH table_with_autocaling AS ( + SELECT + t.resource_id AS resource_id, + COUNT(t.resource_id) AS count + FROM + aws_appautoscaling_target AS t + WHERE + service_namespace = 'dynamodb' + GROUP BY + t.resource_id + ) + SELECT + d.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN 'ok' + WHEN t.resource_id IS NULL THEN 'alarm' + WHEN t.count < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN d.title || ' on-demand mode enabled.' + WHEN t.resource_id IS NULL THEN d.title || ' autoscaling not enabled.' + WHEN t.count < 2 THEN d.title || ' auto scaling not enabled for both read and write capacity.' + ELSE d.title || ' autoscaling enabled for both read and write capacity.' 
+ END AS reason, + d.region, + d.account_id + FROM + aws_dynamodb_table AS d + LEFT JOIN + table_with_autocaling AS t + ON + CONCAT('table/', d.name) = t.resource_id severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/DynamoDB + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/DynamoDB diff --git a/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml index cece80890..29450fe37 100644 --- a/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml 
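Review bot: `CONCAT('table/', d.name) = t.resource_id` joins on the table name alone, so a same-named table in another account or region that has scaling targets satisfies the join and this table is reported 'ok'. If aws_appautoscaling_target exposes account_id and region like the other tables in this commit, carry them through the CTE and add them to the ON clause. The CTE name `table_with_autocaling` is misspelled, and this definition is the only one in these hunks that ends without a terminating semicolon.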
@@ -1,26 +1,27 @@ id: aws_dynamodb_table_deletion_protection_enabled title: DynamoDB table should have deletion protection enabled +type: control description: This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection_enabled THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection_enabled THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_dynamodb_table; severity: low tags: {} diff --git a/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml b/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml index 1d66e53e0..ce4d8638c 100644 --- a/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml 
@@ -1,58 +1,59 @@ id: aws_dynamodb_table_encrypted_with_kms title: DynamoDB table should be encrypted with AWS KMS +type: control description: Ensure that encryption is enabled for your AWS DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN sse_description IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sse_description IS NULL THEN title || ' not encrypted with KMS.' - ELSE title || ' encrypted with KMS.' - END AS reason, - region, - account_id - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN sse_description IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sse_description IS NULL THEN title || ' not encrypted with KMS.' + ELSE title || ' encrypted with KMS.' 
+ END AS reason, + region, + account_id + FROM + aws_dynamodb_table; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/DynamoDB + category: + - Compliance + cisa_cyber_essentials: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/DynamoDB diff --git a/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml index 392ef983f..977e3341d 100644 --- a/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml 
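Review bot: `WHEN sse_description IS NULL THEN 'alarm'` with reason 'not encrypted with KMS' conflicts with the aws_dynamodb_table_encryption_enabled hunk that follows, where the same NULL sse_description is 'ok' and described as 'encrypted with DynamoDB managed CMK'; both cannot be right about what a missing sse_description means. If NULL denotes the default AWS-owned key, this control's reason should say so and the other control's 'ok' for NULL should be revisited. A comment in the definition pinning the assumed meaning, e.g. `-- NULL sse_description: no customer/AWS-managed KMS key configured; table uses the default key`, would stop the two controls drifting apart again.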
@@ -1,48 +1,49 @@ id: aws_dynamodb_table_encryption_enabled title: DynamoDB table should have encryption enabled +type: control description: Ensure that encryption is enabled for your AWS DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN sse_description IS NOT NULL AND sse_description ->> 'SSEType' = 'KMS' THEN 'ok' - WHEN sse_description IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sse_description IS NOT NULL AND sse_description ->> 'SSEType' = 'KMS' - THEN title || ' encrypted with AWS KMS.' - WHEN sse_description IS NULL THEN title || ' encrypted with DynamoDB managed CMK.' - ELSE title || ' not encrypted with CMK.' - END AS reason, - region, account_id - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN sse_description IS NOT NULL AND sse_description ->> 'SSEType' = 'KMS' THEN 'ok' + WHEN sse_description IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sse_description IS NOT NULL AND sse_description ->> 'SSEType' = 'KMS' + THEN title || ' encrypted with AWS KMS.' + WHEN sse_description IS NULL THEN title || ' encrypted with DynamoDB managed CMK.' + ELSE title || ' not encrypted with CMK.' 
+ END AS reason, + region, account_id + FROM + aws_dynamodb_table; severity: high tags: - category: - - Compliance - gdpr: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/DynamoDB + category: + - Compliance + gdpr: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/DynamoDB diff --git a/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml b/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml index d24a0a331..1bfca141c 100644 --- a/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml 
@@ -1,94 +1,95 @@ id: aws_dynamodb_table_in_backup_plan title: DynamoDB tables should be in a backup plan +type: control description: To help with data back-up processes, ensure your AWS DynamoDB tables are a part of an AWS Backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH mapped_with_id AS ( - SELECT - jsonb_agg(elems) AS mapped_ids - FROM - aws_backup_selection, - jsonb_array_elements(resources) AS elems - GROUP BY - backup_plan_id - ), - mapped_with_tags AS ( - SELECT - jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags - FROM - aws_backup_selection, - jsonb_array_elements(list_of_tags) AS elems - GROUP BY - backup_plan_id - ), - backed_up_table AS ( - SELECT - t.name - FROM - aws_dynamodb_table AS t - JOIN mapped_with_id AS m ON m.mapped_ids ?| array[t.arn] - UNION - SELECT - t.name - FROM - aws_dynamodb_table AS t - JOIN mapped_with_tags AS m ON m.mapped_tags ?| array(SELECT jsonb_object_keys(tags)) - ) - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.name IS NULL THEN t.title || ' not in backup plan.' - ELSE t.title || ' in backup plan.' 
- END AS reason, - t.region, - t.account_id - FROM - aws_dynamodb_table AS t - LEFT JOIN backed_up_table AS b ON t.name = b.name; + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH mapped_with_id AS ( + SELECT + jsonb_agg(elems) AS mapped_ids + FROM + aws_backup_selection, + jsonb_array_elements(resources) AS elems + GROUP BY + backup_plan_id + ), + mapped_with_tags AS ( + SELECT + jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags + FROM + aws_backup_selection, + jsonb_array_elements(list_of_tags) AS elems + GROUP BY + backup_plan_id + ), + backed_up_table AS ( + SELECT + t.name + FROM + aws_dynamodb_table AS t + JOIN mapped_with_id AS m ON m.mapped_ids ?| array[t.arn] + UNION + SELECT + t.name + FROM + aws_dynamodb_table AS t + JOIN mapped_with_tags AS m ON m.mapped_tags ?| array(SELECT jsonb_object_keys(tags)) + ) + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.name IS NULL THEN t.title || ' not in backup plan.' + ELSE t.title || ' in backup plan.' 
+ END AS reason, + t.region, + t.account_id + FROM + aws_dynamodb_table AS t + LEFT JOIN backed_up_table AS b ON t.name = b.name; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/DynamoDB - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/DynamoDB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml index 13bc92a72..29cbfb0be 100644 --- a/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml 
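Review bot: The tag path of backed_up_table matches only on `elems ->> 'ConditionKey'`, so a table carrying a tag with the selection's key but a different value (the selection's ConditionValue is never compared, nor its ConditionType, which can be a negating type) is reported 'in backup plan'. The ARN path `m.mapped_ids ?| array[t.arn]` requires an exact ARN, so a selection using a wildcard resource pattern matches nothing and its tables are reported 'not in backup plan'. Compare ConditionValue together with ConditionKey, and either handle wildcard entries in resources explicitly or state in a definition comment that they are not supported.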
@@ -1,66 +1,67 @@ id: aws_dynamodb_table_point_in_time_recovery_enabled title: DynamoDB table point-in-time recovery should be enabled +type: control description: Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in AWS DynamoDB. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN title || ' point-in-time recovery not enabled.' - ELSE title || ' point-in-time recovery enabled.' - END AS reason, - region, - account_id - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN title || ' point-in-time recovery not enabled.' + ELSE title || ' point-in-time recovery enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_dynamodb_table; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/DynamoDB - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/DynamoDB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml index cb017156e..29c9b6634 100644 --- a/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml 
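Review bot: The status CASE on the new side fails open: when `point_in_time_recovery_description` is NULL or has no `PointInTimeRecoveryStatus` member, `LOWER(...) = 'disabled'` evaluates to UNKNOWN and the row falls through to `'ok'`, so a table whose recovery status was never collected passes the control. Testing for the passing value instead closes that gap, `WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'enabled' THEN 'ok' ELSE 'alarm'`, with the reason branches swapped to match. The same only-test-the-failing-value shape appears in `aws_ec2_ami_restrict_public_access` further down (`WHEN public THEN 'alarm' ELSE 'ok'`), where a NULL `public` also reports `'ok'`.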
@@ -1,66 +1,67 @@ id: aws_dynamodb_table_protected_by_backup_plan title: DynamoDB table should be protected by backup plan +type: control description: Ensure that AWS DynamoDB tables are protected by a backup plan. The rule is non-compliant if the DynamoDB Table is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH backup_protected_table AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'DynamoDB' - ) - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN t.title || ' is protected by backup plan.' - ELSE t.title || ' is not protected by backup plan.' - END AS reason, - t.region, - t.account_id - FROM - aws_dynamodb_table AS t - LEFT JOIN backup_protected_table AS b - ON t.arn = b.arn; + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH backup_protected_table AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'DynamoDB' + ) + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN t.title || ' is protected by backup plan.' + ELSE t.title || ' is not protected by backup plan.' 
+ END AS reason, + t.region, + t.account_id + FROM + aws_dynamodb_table AS t + LEFT JOIN backup_protected_table AS b + ON t.arn = b.arn; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/DynamoDB - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/DynamoDB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml b/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml index 8b8260e77..d7a0d7665 100644 --- a/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml 
@@ -1,46 +1,47 @@ id: aws_ebs_attached_volume_delete_on_termination_enabled title: Attached EBS volumes should have delete on termination enabled +type: control description: This rule ensures that AWS Elastic Block Store volumes that are attached to AWS Elastic Compute Cloud (AWS EC2) instances are marked for deletion when an instance is terminated. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state != 'in-use' THEN 'skip' - WHEN attachment ->> 'DeleteOnTermination' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state != 'in-use' THEN title || ' not attached to EC2 instance.' - WHEN attachment ->> 'DeleteOnTermination' = 'true' THEN title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination enabled.' - ELSE title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination disabled.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume - LEFT JOIN - jsonb_array_elements(attachments) AS attachment ON true; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state != 'in-use' THEN 'skip' + WHEN attachment ->> 'DeleteOnTermination' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state != 'in-use' THEN title || ' not attached to EC2 instance.' + WHEN attachment ->> 'DeleteOnTermination' = 'true' THEN title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination enabled.' + ELSE title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ebs_volume + LEFT JOIN + jsonb_array_elements(attachments) AS attachment ON true; severity: medium tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - nist_800_53_rev_4: - - 'true' - plugin: - - aws - service: - - AWS/EBS + audit_manager_control_tower: + - "true" + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/EBS diff --git a/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml b/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml index 8d176ce88..e46050287 100644 --- a/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml 
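Review bot: `LEFT JOIN jsonb_array_elements(attachments) AS attachment ON true` yields one result row per attachment, so a Multi-Attach volume attached to several instances reports the same `arn` several times, possibly with different statuses, and a volume in state `in-use` whose `attachments` array is empty gets a NULL `attachment`, falls to `'alarm'`, and produces a NULL `reason` because `(attachment ->> 'InstanceId')` is NULL in the concatenation. If the control is meant to be one finding per volume, aggregate the attachments (for example `bool_and(attachment ->> 'DeleteOnTermination' = 'true')` grouped by the volume columns); otherwise a comment should state the intent, `-- one result row per attachment; Multi-Attach volumes appear more than once`. The SELECT also leaves the `aws_ebs_volume` columns unqualified while using the `attachment` alias; qualifying them would match the aliased style of the other controls in this diff.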
@@ -1,68 +1,69 @@ id: aws_ebs_attached_volume_encryption_enabled title: Attached EBS volumes should have encryption enabled +type: control description: Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state != 'in-use' THEN 'skip' - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state != 'in-use' THEN volume_id || ' not attached.' - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state != 'in-use' THEN 'skip' + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state != 'in-use' THEN volume_id || ' not attached.' + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' 
+ END AS reason, + region, + account_id + FROM + aws_ebs_volume; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EBS - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EBS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml b/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml index 2350af7f1..3b3c8e649 100644 --- a/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_ebs_snapshot_encryption_enabled title: EBS snapshots should be encrypted +type: control description: Ensure that EBS snapshots are encrypted. This rule is non-compliant if the EBS snapshot is not encrypted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encryption enabled.' - ELSE title || ' encryption disabled.' - END AS reason - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encryption enabled.' + ELSE title || ' encryption disabled.' + END AS reason + FROM + aws_ebs_snapshot; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml b/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml index 5060ccc9b..72f95c711 100644 --- a/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml +++ b/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml 
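Review bot: The new definition's projection omits `region` and `account_id`, which the neighbouring volume controls in this diff (`aws_ebs_volume_encryption_at_rest_enabled`, `aws_ebs_attached_volume_encryption_enabled`) emit after `reason`; a consumer that groups findings by account or region gets nothing for this control. Adding `region, account_id` after the `END AS reason` line keeps the result shape consistent; whether the runner requires those columns is not visible from this diff. The same omission is in `aws_ebs_volume_snapshot_exists`, `aws_ec2_ami_ebs_encryption_enabled`, `aws_ec2_ami_not_older_than_90_days` and `aws_ec2_ami_restrict_public_access` further down.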
@@ -1,64 +1,65 @@ id: aws_ebs_snapshot_not_publicly_restorable title: EBS snapshots should not be publicly restorable -description: '"Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable.' +type: control +description: "\"Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' - ELSE title || ' is not publicly restorable.' - END AS reason, - region, - account_id - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' + ELSE title || ' is not publicly restorable.' 
+ END AS reason, + region, + account_id + FROM + aws_ebs_snapshot; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EBS - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EBS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml index 4cc42b742..f1501f385 100644 --- a/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml 
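Review bot: The public check `create_volume_permissions @> '[{"Group": "all", "UserId": null}]'` only matches an element that carries both keys, because jsonb containment requires every key of the right-hand object to be present on the left; a permission serialized as `{"Group": "all"}` with no `UserId` member is not contained, and that public snapshot reports `'ok'`. Dropping the null key, `create_volume_permissions @> '[{"Group": "all"}]'`, matches either shape and should be changed in both CASE branches. Separately, the rewritten description on the new side still begins with a stray escaped quote (`\"Manage access…`), carried over from the old single-quoted value.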
@@ -1,44 +1,45 @@ id: aws_ebs_volume_encryption_at_rest_enabled title: EBS volume encryption at rest should be enabled +type: control description: Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason, + region, + account_id + FROM + aws_ebs_volume; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - nist_800_53_rev_5: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EBS + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + nist_800_53_rev_5: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EBS diff --git a/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml b/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml index 2c3cd108f..b444e2141 100644 --- a/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml 
@@ -1,103 +1,104 @@ id: aws_ebs_volume_in_backup_plan title: EBS volumes should be in a backup plan +type: control description: To help with data back-up processes, ensure your AWS Elastic Block Store (AWS EBS) volumes are a part of an AWS Backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH mapped_with_id AS ( - SELECT - jsonb_agg(elems) AS mapped_ids - FROM - aws_backup_selection, - jsonb_array_elements(resources) AS elems - GROUP BY - backup_plan_id - ), - mapped_with_tags AS ( - SELECT - jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags - FROM - aws_backup_selection, - jsonb_array_elements(list_of_tags) AS elems - GROUP BY - backup_plan_id - ), - backed_up_volume AS ( - SELECT - v.volume_id - FROM - aws_ebs_volume AS v - JOIN - mapped_with_id AS t - ON - t.mapped_ids ?| array[v.arn] - UNION - SELECT - v.volume_id - FROM - aws_ebs_volume AS v - JOIN - mapped_with_tags AS t - ON - t.mapped_tags ?| array(SELECT jsonb_object_keys(tags)) - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN b.volume_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.volume_id IS NULL THEN v.title || ' not in backup plan.' - ELSE v.title || ' in backup plan.' 
- END AS reason, - v.region, - v.account_id - FROM - aws_ebs_volume AS v - LEFT JOIN - backed_up_volume AS b - ON - v.volume_id = b.volume_id + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH mapped_with_id AS ( + SELECT + jsonb_agg(elems) AS mapped_ids + FROM + aws_backup_selection, + jsonb_array_elements(resources) AS elems + GROUP BY + backup_plan_id + ), + mapped_with_tags AS ( + SELECT + jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags + FROM + aws_backup_selection, + jsonb_array_elements(list_of_tags) AS elems + GROUP BY + backup_plan_id + ), + backed_up_volume AS ( + SELECT + v.volume_id + FROM + aws_ebs_volume AS v + JOIN + mapped_with_id AS t + ON + t.mapped_ids ?| array[v.arn] + UNION + SELECT + v.volume_id + FROM + aws_ebs_volume AS v + JOIN + mapped_with_tags AS t + ON + t.mapped_tags ?| array(SELECT jsonb_object_keys(tags)) + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN b.volume_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.volume_id IS NULL THEN v.title || ' not in backup plan.' + ELSE v.title || ' in backup plan.' 
+ END AS reason, + v.region, + v.account_id + FROM + aws_ebs_volume AS v + LEFT JOIN + backed_up_volume AS b + ON + v.volume_id = b.volume_id severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EBS - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EBS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml index 1b7965479..a6c7fb838 100644 --- a/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml 
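Review bot: `backed_up_volume` decides coverage from tag keys alone: `t.mapped_tags ?| array(SELECT jsonb_object_keys(tags))` is true whenever the volume has a tag whose key appears in any selection's `ConditionKey`, regardless of that selection's `ConditionValue` or `ConditionType`, so a volume tagged with the right key but the wrong value reports `'ok'` without being in any plan. In the other direction `t.mapped_ids ?| array[v.arn]` is an exact string match, so if a selection lists resources with wildcard ARNs those volumes never match and alarm. Comparing the selection's `ConditionValue` against the tag's value (and handling wildcard entries explicitly) would make both branches faithful to the title; the same CTE pattern appears in the DynamoDB backup-plan hunk at the top of this chunk. The `GROUP BY backup_plan_id` in both helper CTEs is also moot, since the join then ORs across every plan row anyway.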
@@ -1,65 +1,66 @@ id: aws_ebs_volume_protected_by_backup_plan title: EBS volumes should be protected by a backup plan +type: control description: Ensure that AWS Elastic Block Store (AWS EBS) volumes are protected by a backup plan. The rule is non-compliant if the AWS EBS volume is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH backup_protected_volume AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'EBS' - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN v.title || ' is protected by backup plan.' - ELSE v.title || ' is not protected by backup plan.' - END AS reason, - v.region, - v.account_id - FROM - aws_ebs_volume AS v - LEFT JOIN backup_protected_volume AS b ON v.arn = b.arn; + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH backup_protected_volume AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'EBS' + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN v.title || ' is protected by backup plan.' + ELSE v.title || ' is not protected by backup plan.' 
+ END AS reason, + v.region, + v.account_id + FROM + aws_ebs_volume AS v + LEFT JOIN backup_protected_volume AS b ON v.arn = b.arn; severity: high tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EBS - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EBS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml b/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml index 2037443f5..293c58388 100644 --- a/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml +++ b/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml 
@@ -1,36 +1,37 @@ id: aws_ebs_volume_snapshot_exists title: EBS volume snapshots should exist +type: control description: Ensure that EBS volume snapshots exist. This rule is non-compliant if the EBS volume does not have any snapshot. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH volume_with_snapshots AS ( - SELECT - volume_id, - COUNT(*) AS snap_count - FROM - aws_ebs_snapshot - GROUP BY - volume_id - ) - SELECT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN s.volume_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.volume_id IS NOT NULL THEN v.title || ' has ' || s.snap_count || ' snapshot(s).' - ELSE v.title || ' does not have snapshot.' - END AS reason - FROM - aws_ebs_volume AS v - LEFT JOIN volume_with_snapshots AS s ON s.volume_id = v.volume_id; + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH volume_with_snapshots AS ( + SELECT + volume_id, + COUNT(*) AS snap_count + FROM + aws_ebs_snapshot + GROUP BY + volume_id + ) + SELECT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN s.volume_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.volume_id IS NOT NULL THEN v.title || ' has ' || s.snap_count || ' snapshot(s).' + ELSE v.title || ' does not have snapshot.' + END AS reason + FROM + aws_ebs_volume AS v + LEFT JOIN volume_with_snapshots AS s ON s.volume_id = v.volume_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ebs_volume_unused.yaml b/compliance/controls/aws/aws_ebs_volume_unused.yaml index a70628fb9..d6cb23753 100644 --- a/compliance/controls/aws/aws_ebs_volume_unused.yaml +++ b/compliance/controls/aws/aws_ebs_volume_unused.yaml 
@@ -1,54 +1,55 @@ id: aws_ebs_volume_unused title: EBS volumes should be attached to EC2 instances +type: control description: Checks if EBS volumes are attached to EC2 instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state = 'in-use' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' - ELSE title || ' not attached to EC2 instance.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state = 'in-use' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' + ELSE title || ' not attached to EC2 instance.' + END AS reason, + region, + account_id + FROM + aws_ebs_volume; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - score_tags: - - Optimization - service: - - AWS/EBS + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + score_tags: + - Optimization + service: + - AWS/EBS 
diff --git a/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml b/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml
index b052eef20..328f9ddc9 100644
--- a/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml
+++ b/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml
@@ -1,45 +1,46 @@ id: aws_ec2_ami_ebs_encryption_enabled title: Ensure Images (AMI's) are encrypted +type: control description: Amazon Machine Images should utilize EBS Encrypted snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - WITH encryption_status AS ( - SELECT - image_id AS resource, - region, - account_id, - tags, - _ctx, - BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted - FROM - aws_ec2_ami - CROSS JOIN - jsonb_array_elements(block_device_mappings) AS mapping - GROUP BY - image_id, - region, - account_id, - tags, - _ctx - ) - SELECT - resource, - e.account_id AS platform_integration_id, - e.resource AS platform_resource_id, - CASE - WHEN all_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN all_encrypted THEN resource || ' all EBS volumes are encrypted.' - ELSE resource || ' all EBS volumes are not encrypted.' - END AS reason - FROM - encryption_status e; + language: sql + primary_resource: aws_ec2_ami + definition: | + WITH encryption_status AS ( + SELECT + image_id AS resource, + region, + account_id, + tags, + _ctx, + BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE)) AS all_encrypted + FROM + aws_ec2_ami + CROSS JOIN + jsonb_array_elements(block_device_mappings) AS mapping + GROUP BY + image_id, + region, + account_id, + tags, + _ctx + ) + SELECT + resource, + e.account_id AS platform_integration_id, + e.resource AS platform_resource_id, + CASE + WHEN all_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN all_encrypted THEN resource || ' all EBS volumes are encrypted.' + ELSE resource || ' all EBS volumes are not encrypted.' + END AS reason + FROM + encryption_status e; severity: low tags: {} 
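Review bot: `BOOL_AND(COALESCE((mapping -> 'Ebs' ->> 'Encrypted')::text = 'true', FALSE))` counts every block device mapping without an `Ebs` member (instance-store mappings) as unencrypted, so an AMI whose EBS-backed volumes are all encrypted still alarms if it declares an ephemeral device; restricting the aggregate to EBS mappings, e.g. `WHERE mapping ? 'Ebs'` before `GROUP BY`, would test what the title states. Because the CTE uses `CROSS JOIN jsonb_array_elements(block_device_mappings)`, an AMI with an empty or NULL mapping array produces no row and silently drops out of the results instead of being reported. The outer SELECT also departs from the sibling controls by projecting `e.account_id AS platform_integration_id` and `e.resource AS platform_resource_id` rather than the table's own `platform_integration_id`/`platform_resource_id` columns, and groups by `tags` and `_ctx` that nothing reads. The alarm reason `' all EBS volumes are not encrypted.'` reads as "none encrypted" where "not all encrypted" is meant.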
diff --git a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml index 1e3b95ffe..2d7b086a4 100644 --- a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml +++ b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml @@ -1,23 +1,24 @@ id: aws_ec2_ami_not_older_than_90_days title: Ensure Images (AMI) are not older than 90 days +type: control description: Ensure that your AMIs are not older than 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - image_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN creation_date >= (current_date - INTERVAL '90 days') THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' created ' || TO_CHAR(creation_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - creation_date) || ' days).' AS reason - FROM - aws_ec2_ami; + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + image_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN creation_date >= (current_date - INTERVAL '90 days') THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' created ' || TO_CHAR(creation_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - creation_date) || ' days).' AS reason + FROM + aws_ec2_ami; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml index 9ad65787f..d05a68f1b 100644 --- a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml +++ b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml 
@@ -1,47 +1,14 @@ id: aws_ec2_ami_not_older_than_90_days_rego title: Ensure Images (AMI) are not older than 90 days +type: control description: Ensure that your AMIs are not older than 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: rego - primary_resource: aws_ec2_ami - rego_policies: - - | - package aws_ec2_ami_not_older_than_90_days_rego - import future.keywords.in - - # Define the result rule - result[obj] { - some ami in opencomply.aws_ec2_ami({}) - - # Populate the fields in the result object - obj := { - "resource": ami.image_id, - "platform_integration_id": ami.platform_integration_id, - "platform_resource_id": ami.platform_resource_id, - "status": status(ami.creation_date), - "reason": sprintf("%s created %s (%d days).", [ - ami.title, - time.format(ami.creation_date), - days_since_creation(ami.creation_date) - ]) - } - } - - # Determine the status based on the creation_date - status(creation_date) = "ok" { - creation_date >= time.now_ns() - (90 * 24 * 60 * 60 * 1e9) # 90 days in nanoseconds - } - status(creation_date) = "alarm" { - creation_date < time.now_ns() - (90 * 24 * 60 * 60 * 1e9) - } - days_since_creation(creation_date) = days { - now := time.now_ns() - days := floor((now - creation_date) / (24 * 60 * 60 * 1e9)) # Convert nanoseconds to days - } - definition: | - data.aws_ec2_ami_not_older_than_90_days_rego.result + language: rego + primary_resource: aws_ec2_ami + definition: | + data.aws_ec2_ami_not_older_than_90_days_rego.result severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml b/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml index 4b2d4ae51..490c18989 100644 --- a/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml 
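Review bot: The new side keeps `definition: data.aws_ec2_ami_not_older_than_90_days_rego.result` but deletes the `rego_policies` block that defined `package aws_ec2_ami_not_older_than_90_days_rego`, so unless that package is now loaded from outside this file the evaluation resolves to an undefined document and the control reports nothing for any AMI. The `aws_ec2_classic_lb_connection_draining_enabled_rego.yaml` hunk below makes the same change. If the rego source has moved, a comment next to `definition` naming where the package now lives would stop the next reader from re-adding it; if it has not, the deletion should be reverted or the control withdrawn rather than left silently empty.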
@@ -1,26 +1,27 @@ id: aws_ec2_ami_restrict_public_access title: EC2 AMIs should restrict public access +type: control description: This control checks whether EC2 AMIs are set as private or not. The control fails if the EC2 AMIs are set as public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN public THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_ec2_ami; + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN public THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_ec2_ami; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml index b3e110ad6..cc248fa33 100644 --- a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml 
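Review bot: `CASE WHEN public THEN 'alarm' ELSE 'ok' END` treats a NULL `public` as not public and passes the image, which is the fail-open direction for a public-exposure check; if the column can be NULL (for example when the attribute was not collected), `WHEN public IS NULL THEN 'info'` ahead of the `ELSE`, with a matching reason, keeps an unknown from being reported as compliant. Whether `public` is nullable is not visible from this diff.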
@@ -1,40 +1,41 @@ id: aws_ec2_classic_lb_connection_draining_enabled title: Classic Load Balancers should have connection draining enabled +type: control description: This control checks whether Classic Load Balancers have connection draining enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN connection_draining_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN connection_draining_enabled THEN title || ' connection draining enabled.' - ELSE title || ' connection draining disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN connection_draining_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN connection_draining_enabled THEN title || ' connection draining enabled.' + ELSE title || ' connection draining disabled.' + END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resilience - foundational_security_item_id: - - elb_7 - plugin: - - aws - service: - - AWS/ELB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resilience + foundational_security_item_id: + - elb_7 + plugin: + - aws + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml index c79aa8ef0..618759631 100644 
--- a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml +++ b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml @@ -1,57 +1,26 @@ id: aws_ec2_classic_lb_connection_draining_enabled_rego title: Classic Load Balancers should have connection draining enabled +type: control description: This control checks whether Classic Load Balancers have connection draining enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: language: rego primary_resource: aws_ec2_classic_load_balancer - rego_policies: - - | - package aws_ec2_classic_lb_connection_draining_enabled_rego - import future.keywords.in - - status(lb) = "ok" { - lb.connection_draining_enabled == true - } - status(lb) = "alarm" { - lb.connection_draining_enabled == false - } - - reason(lb) = sprintf("%s connection draining enabled.", [lb.title]) { - lb.connection_draining_enabled == true - } - reason(lb) = sprintf("%s connection draining disabled.", [lb.title]) { - lb.connection_draining_enabled == false - } - - result[obj] { - some lb in opencomply.aws_ec2_classic_load_balancer({}) - - obj = { - "resource": lb.arn, - "platform_integration_id": lb.platform_integration_id, - "platform_resource_id": lb.platform_resource_id, - "status": status(lb), - "reason": reason(lb), - "region": lb.region, - "account_id": lb.account_id, - } - } definition: | data.aws_ec2_classic_lb_connection_draining_enabled_rego.result severity: medium tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resilience + - resilience foundational_security_item_id: - - elb_7 + - elb_7 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB diff --git a/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml b/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml index b4d5117c7..35d1bf2a2 100644 
--- a/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml @@ -1,26 +1,27 @@ id: aws_ec2_client_vpn_endpoint_client_connection_logging_enabled title: EC2 Client VPN endpoints should have client connection logging enabled +type: control description: This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_client_vpn_endpoint - definition: | - SELECT - client_vpn_endpoint_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (connection_log_options ->> 'Enabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (connection_log_options ->> 'Enabled')::bool THEN title || ' client connection logging enabled.' - ELSE title || ' client connection logging disabled.' - END AS reason - FROM - aws_ec2_client_vpn_endpoint; + language: sql + primary_resource: aws_ec2_client_vpn_endpoint + definition: | + SELECT + client_vpn_endpoint_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (connection_log_options ->> 'Enabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (connection_log_options ->> 'Enabled')::bool THEN title || ' client connection logging enabled.' + ELSE title || ' client connection logging disabled.' + END AS reason + FROM + aws_ec2_client_vpn_endpoint; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml b/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml index 267773792..96eeee26b 100644 
--- a/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml 
@@ -1,60 +1,61 @@ id: aws_ec2_ebs_default_encryption_enabled title: EBS default encryption should be enabled +type: control description: To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_regional_settings - definition: | - SELECT - 'arn:' || partition || '::' || region || ':' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT default_ebs_encryption_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT default_ebs_encryption_enabled THEN region || ' default EBS encryption disabled.' - ELSE region || ' default EBS encryption enabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_regional_settings; + language: sql + primary_resource: aws_ec2_regional_settings + definition: | + SELECT + 'arn:' || partition || '::' || region || ':' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT default_ebs_encryption_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT default_ebs_encryption_enabled THEN region || ' default EBS encryption disabled.' + ELSE region || ' default EBS encryption enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_regional_settings; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml index 31de803b6..054d42374 100644 --- a/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml 
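Review bot: `WHEN NOT default_ebs_encryption_enabled THEN 'alarm' ELSE 'ok'` evaluates to `ok` when `default_ebs_encryption_enabled` is NULL, because `NOT NULL` is UNKNOWN and falls to the `ELSE`; a region whose setting could not be read would be reported as having default encryption enabled. Writing the positive case first, `WHEN default_ebs_encryption_enabled THEN 'ok' ELSE 'alarm'`, with the same inversion in the reason CASE, makes an unknown fail closed, as the other controls in this diff already do (for example `WHEN ebs_optimized THEN 'ok' ELSE 'alarm'`). Whether the column is nullable is not visible here.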
@@ -1,40 +1,41 @@ id: aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled title: Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination +type: control description: This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH ebs_volume_with_delete_on_termination_enabled AS ( - SELECT - COUNT(*) AS count, - arn - FROM - aws_ec2_instance, - jsonb_array_elements(block_device_mappings) AS p - WHERE - p -> 'Ebs' ->> 'DeleteOnTermination' = 'false' - GROUP BY - arn - ) - - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN e.count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN e.count > 0 THEN ' EBS volume(s) attached to ' || title || ' has delete on termination disabled.' - ELSE ' EBS volume(s) attached to ' || title || ' has delete on termination enabled.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN ebs_volume_with_delete_on_termination_enabled AS e ON e.arn = i.arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH ebs_volume_with_delete_on_termination_enabled AS ( + SELECT + COUNT(*) AS count, + arn + FROM + aws_ec2_instance, + jsonb_array_elements(block_device_mappings) AS p + WHERE + p -> 'Ebs' ->> 'DeleteOnTermination' = 'false' + GROUP BY + arn + ) + + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN e.count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN e.count > 0 THEN ' EBS volume(s) attached to ' || title || ' has delete on termination disabled.' + ELSE ' EBS volume(s) attached to ' || title || ' has delete on termination enabled.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN ebs_volume_with_delete_on_termination_enabled AS e ON e.arn = i.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml index e2cde88ff..dded8d012 100644 --- a/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml 
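Review bot: The CTE is named `ebs_volume_with_delete_on_termination_enabled` but its filter `p -> 'Ebs' ->> 'DeleteOnTermination' = 'false'` counts mappings with the flag disabled, so the outer `WHEN e.count > 0 THEN 'alarm'` reads as backwards until one checks the predicate; renaming it to `ebs_volume_with_delete_on_termination_disabled`, or adding `-- counts mappings whose DeleteOnTermination flag is false` above its SELECT, removes the trap. Both reason strings begin with a leading space, `' EBS volume(s) attached to '`, which is carried into the output. The comma join `aws_ec2_instance, jsonb_array_elements(...)` could be written as `CROSS JOIN LATERAL` to match the `CROSS JOIN` form used in the AMI encryption control earlier in this diff.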
@@ -1,48 +1,49 @@ id: aws_ec2_instance_detailed_monitoring_enabled title: EC2 instance detailed monitoring should be enabled +type: control description: Enable this rule to help improve AWS Elastic Compute Cloud (AWS EC2) instance monitoring on the AWS EC2 console, which displays monitoring graphs with a 1-minute period for the instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN monitoring_state = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN monitoring_state = 'enabled' THEN instance_id || ' detailed monitoring enabled.' - ELSE instance_id || ' detailed monitoring disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN monitoring_state = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN monitoring_state = 'enabled' THEN instance_id || ' detailed monitoring enabled.' + ELSE instance_id || ' detailed monitoring disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: low tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml b/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml index 00f949ec1..7c78f0d17 100644 --- a/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml +++ b/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml 
@@ -1,62 +1,63 @@ id: aws_ec2_instance_ebs_optimized title: EC2 instance should have EBS optimization enabled +type: control description: An optimized instance in AWS Elastic Block Store (AWS EBS) provides additional, dedicated capacity for AWS EBS I/O operations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ebs_optimized THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ebs_optimized THEN title || ' EBS optimization enabled.' - ELSE title || ' EBS optimization disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ebs_optimized THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ebs_optimized THEN title || ' EBS optimization enabled.' + ELSE title || ' EBS optimization disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: medium tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EC2 - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml b/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml index d6586b0ee..64282da6f 100644 --- a/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml +++ b/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml 
@@ -1,48 +1,49 @@ id: aws_ec2_instance_iam_profile_attached title: EC2 instances should have IAM profile attached +type: control description: Ensure that an AWS Elastic Compute Cloud (AWS EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is non-compliant if no IAM profile is attached to the AWS EC2 instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_instance_profile_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_instance_profile_id IS NOT NULL THEN title || ' IAM profile attached.' - ELSE title || ' IAM profile not attached.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_instance_profile_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_instance_profile_id IS NOT NULL THEN title || ' IAM profile attached.' + ELSE title || ' IAM profile not attached.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EC2 + category: + - Compliance + cis_controls_v8_ig1: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml b/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml index fd2ea1e0b..d0d4cbb8d 100644 --- a/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml +++ b/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml 
@@ -1,66 +1,67 @@ id: aws_ec2_instance_in_vpc title: EC2 instances should be in a VPC +type: control description: Deploy AWS Elastic Compute Cloud (AWS EC2) instances within an AWS Virtual Private Cloud (AWS VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id IS NULL THEN title || ' not in VPC.' - ELSE title || ' in VPC.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id IS NULL THEN title || ' not in VPC.' + ELSE title || ' in VPC.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - score_tags: - - Exposed Endpoints - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + score_tags: + - Exposed Endpoints + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml b/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml index d09dbf65a..11b599ced 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml 
@@ -1,38 +1,39 @@ id: aws_ec2_instance_no_amazon_key_pair title: EC2 instances should not use key pairs in running state +type: control description: This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN instance_state <> 'running' THEN 'skip' - WHEN key_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN instance_state <> 'running' THEN title || ' is in ' || instance_state || ' state.' - WHEN key_name IS NULL THEN title || ' not launched using amazon key pairs.' - ELSE title || ' launched using amazon key pairs.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN instance_state <> 'running' THEN 'skip' + WHEN key_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN instance_state <> 'running' THEN title || ' is in ' || instance_state || ' state.' + WHEN key_name IS NULL THEN title || ' not launched using amazon key pairs.' + ELSE title || ' launched using amazon key pairs.' + END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: low tags: - category: - - Compliance - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EC2 + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 
diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml index 7a11011fd..42720eddb 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml 
@@ -1,52 +1,53 @@ id: aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access title: EC2 instance IAM should not allow pass role and lambda invoke function access. +type: control description: This control ensures that EC2 instance IAM role does not allow pass role and lambda invoke function access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ('iam:passrole', 'lambda:createfunction', 'lambda:invokefunction', '*:*') - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM pass role and lambda invoke function access.' - ELSE title || ' has IAM pass role and lambda invoke function access.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ('iam:passrole', 'lambda:createfunction', 'lambda:invokefunction', '*:*') + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM pass role and lambda invoke function access.' + ELSE title || ' has IAM pass role and lambda invoke function access.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml index b5db10d2a..839f1f3c8 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml 
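Review bot: `iam_role_with_permission` expands `assume_role_policy_std -> 'Statement'`, which by its name is the role's trust policy, and looks there for `iam:passrole`, `lambda:createfunction` and `lambda:invokefunction`; those are permissions granted by the role's attached or inline policies, not by the trust document (whose actions are normally `sts:assumerole`), so unless `assume_role_policy_std` actually carries the permission policies this CTE matches essentially nothing and every instance reports `ok`. The same pattern is used in the `aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml` hunk that follows. Even if the source column is changed, the `service = 'ec2.amazonaws.com'` predicate on `s -> 'Principal' -> 'Service'` keeps the trust-policy shape and would need rethinking too. Separately, `END status` lacks the `AS` every other control in this diff uses, and `LEFT JOIN ... WHERE i.arn IS NOT NULL` in `iam_roles` is an inner join written as an outer one.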
@@ -1,84 +1,85 @@ id: aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access title: EC2 instance IAM role should not be attached with credentials exposure access +type: control description: This control ensures that EC2 instance IAM role should not be attached with credentials exposure access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN - aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 'chime:createapikey', - 'codepipeline:pollforjobs', - 'cognito-identity:getopenidtoken', - 'cognito-identity:getopenidtokenfordeveloperidentity', - 'cognito-identity:getcredentialsforidentity', - 'connect:getfederationtoken', - 'connect:getfederationtokens', - 'ec2:getpassworddata', - 'ecr:getauthorizationtoken', - 'gamelift:requestuploadcredentials', - 'iam:createaccesskey', - 'iam:createloginprofile', - 'iam:createservicespecificcredential', - 'iam:resetservicespecificcredential', - 'iam:updateaccesskey', - 'lightsail:getinstanceaccessdetails', - 'lightsail:getrelationaldatabasemasteruserpassword', - 'rds-db:connect', - 'redshift:getclustercredentials', - 'sso:getrolecredentials', - 'mediapackage:rotatechannelcredentials', - 'mediapackage:rotateingestendpointcredentials', - 'sts:assumerole', - 'sts:assumerolewithsaml', - 'sts:assumerolewithwebidentity', - 
'sts:getfederationtoken', - 'sts:getsessiontoken', - '*:*' - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN + aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 'chime:createapikey', + 'codepipeline:pollforjobs', + 'cognito-identity:getopenidtoken', + 'cognito-identity:getopenidtokenfordeveloperidentity', + 'cognito-identity:getcredentialsforidentity', + 'connect:getfederationtoken', + 'connect:getfederationtokens', + 'ec2:getpassworddata', + 'ecr:getauthorizationtoken', + 'gamelift:requestuploadcredentials', + 'iam:createaccesskey', + 'iam:createloginprofile', + 'iam:createservicespecificcredential', + 'iam:resetservicespecificcredential', + 'iam:updateaccesskey', + 'lightsail:getinstanceaccessdetails', + 'lightsail:getrelationaldatabasemasteruserpassword', + 'rds-db:connect', + 'redshift:getclustercredentials', + 'sso:getrolecredentials', + 'mediapackage:rotatechannelcredentials', + 'mediapackage:rotateingestendpointcredentials', + 'sts:assumerole', + 'sts:assumerolewithsaml', + 'sts:assumerolewithwebidentity', + 'sts:getfederationtoken', + 'sts:getsessiontoken', + '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role attached 
with credentials exposure permissions.' - ELSE title || ' has IAM role attached with credentials exposure permissions.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN - iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN - iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role attached with credentials exposure permissions.' + ELSE title || ' has IAM role attached with credentials exposure permissions.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN + iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN + iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml index 634379b73..1c194a377 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml 
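Review bot: The `action IN (...)` list in `iam_role_with_permission` only recognises the full wildcard `'*:*'`, so a statement granting a service-level wildcard such as `sts:*` or `iam:*` contains none of the listed literals and the instance is reported `ok` even though the grant covers `sts:assumerole`, `iam:createaccesskey` and the rest. Unless the `_std` normalisation expands service wildcards into individual actions — which nothing on this page shows — the list needs the per-service wildcard literal for each service it names (`'sts:*'`, `'iam:*'`, `'cognito-identity:*'`, `'lightsail:*'`, …) or an equivalent pattern match. The same exact-match gap exists in the other `aws_ec2_instance_no_iam_role_*` controls in this commit. This is pre-existing behaviour; the hunk itself only re-indents.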
@@ -1,54 +1,55 @@ id: aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration title: EC2 instance IAM role should not allow to alter critical S3 permissions configuration +type: control description: This control ensures that EC2 instance IAM role does not allow to alter critical s3 permissions configuration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - JSONB_ARRAY_ELEMENTS_TEXT(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - JSONB_ARRAY_ELEMENTS(assume_role_policy_std -> 'Statement') AS s, - JSONB_ARRAY_ELEMENTS_TEXT(s -> 'Principal' -> 'Service') AS service, - JSONB_ARRAY_ELEMENTS_TEXT(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 's3:PutObjectRetention', 's3:PutLifecycleConfiguration', 's3:PutBucketPolicy', 's3:PutBucketVersioning', '*:*' - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + JSONB_ARRAY_ELEMENTS_TEXT(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + JSONB_ARRAY_ELEMENTS(assume_role_policy_std -> 'Statement') AS s, + JSONB_ARRAY_ELEMENTS_TEXT(s -> 'Principal' -> 'Service') AS service, + JSONB_ARRAY_ELEMENTS_TEXT(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 
's3:PutObjectRetention', 's3:PutLifecycleConfiguration', 's3:PutBucketPolicy', 's3:PutBucketVersioning', '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role with alter critical S3 permissions configuration.' - ELSE title || ' has IAM role with alter critical S3 permissions configuration.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role with alter critical S3 permissions configuration.' + ELSE title || ' has IAM role with alter critical S3 permissions configuration.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml index d57de099e..8788f1467 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml 
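Review bot: The literals in `action IN ('s3:PutObjectRetention', 's3:PutLifecycleConfiguration', 's3:PutBucketPolicy', 's3:PutBucketVersioning', '*:*')` are mixed-case, while the sibling controls in this commit compare the same `assume_role_policy_std`-derived `action` value against lowercase literals (`'iam:passrole'`, `'kms:decrypt'`); `IN` is a case-sensitive string comparison, so whichever convention disagrees with how the `_std` column is normalised silently never matches. Pick one convention across the files, or make the comparison explicit with `lower(action) IN (...)` and lowercase literals. The same mismatch appears inside a single list in `aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml` (`'rds:deleteDBSnapshot'` among lowercase entries) and in `aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml` (`'rds-data:ExecuteStatement'`, `'rds-data:BatchExecuteStatement'`).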
@@ -1,88 +1,89 @@ id: aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access title: EC2 instance IAM role should not allow cloud log tampering access +type: control description: This control ensures that EC2 instance IAM roles do not allow cloud log tampering access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), + iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN ( SELECT - r.arn AS role_arn, - i.arn AS instance_arn + role_arn FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), - iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN ( - SELECT - role_arn - FROM - iam_roles - ) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 'chime:createapikey', - 'codepipeline:pollforjobs', - 'cognito-identity:getopenidtoken', - 'cognito-identity:getopenidtokenfordeveloperidentity', - 'cognito-identity:getcredentialsforidentity', - 'connect:getfederationtoken', - 'connect:getfederationtokens', - 
'ec2:getpassworddata', - 'ecr:getauthorizationtoken', - 'gamelift:requestuploadcredentials', - 'iam:createaccesskey', - 'iam:createloginprofile', - 'iam:createservicespecificcredential', - 'iam:resetservicespecificcredential', - 'iam:updateaccesskey', - 'lightsail:getinstanceaccessdetails', - 'lightsail:getrelationaldatabasemasteruserpassword', - 'rds-db:connect', - 'redshift:getclustercredentials', - 'sso:getrolecredentials', - 'mediapackage:rotatechannelcredentials', - 'mediapackage:rotateingestendpointcredentials', - 'sts:assumerole', - 'sts:assumerolewithsaml', - 'sts:assumerolewithwebidentity', - 'sts:getfederationtoken', - 'sts:getsessiontoken', - '*:*' - ) + iam_roles + ) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 'chime:createapikey', + 'codepipeline:pollforjobs', + 'cognito-identity:getopenidtoken', + 'cognito-identity:getopenidtokenfordeveloperidentity', + 'cognito-identity:getcredentialsforidentity', + 'connect:getfederationtoken', + 'connect:getfederationtokens', + 'ec2:getpassworddata', + 'ecr:getauthorizationtoken', + 'gamelift:requestuploadcredentials', + 'iam:createaccesskey', + 'iam:createloginprofile', + 'iam:createservicespecificcredential', + 'iam:resetservicespecificcredential', + 'iam:updateaccesskey', + 'lightsail:getinstanceaccessdetails', + 'lightsail:getrelationaldatabasemasteruserpassword', + 'rds-db:connect', + 'redshift:getclustercredentials', + 'sso:getrolecredentials', + 'mediapackage:rotatechannelcredentials', + 'mediapackage:rotateingestendpointcredentials', + 'sts:assumerole', + 'sts:assumerolewithsaml', + 'sts:assumerolewithwebidentity', + 'sts:getfederationtoken', + 'sts:getsessiontoken', + '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role attached with credentials 
exposure permissions.' - ELSE title || ' has IAM role attached with credentials exposure permissions.' - END AS reason, - i.account_id - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role attached with credentials exposure permissions.' + ELSE title || ' has IAM role attached with credentials exposure permissions.' + END AS reason, + i.account_id + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml index 985fa2596..d4e3a4432 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml 
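Review bot: The action list and both `reason` strings in this control are the credentials-exposure set copied from `aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml` — the `CASE` yields `' has IAM role attached with credentials exposure permissions.'` — so a control titled "cloud log tampering" never looks at any logging action, and an instance whose role can stop or delete trails is reported `ok`. The list should name the log-affecting actions the title promises (for example `cloudtrail:stoplogging`, `cloudtrail:deletetrail`, `cloudtrail:updatetrail`, `logs:deleteloggroup`, in whatever case the `_std` column uses) and the reason strings should read `' has no IAM role with cloud log tampering access.'` / `' has IAM role with cloud log tampering access.'`. `aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml` in this commit has the identical copy-paste, with the elastic-IP actions (`ec2:associateaddress`, `ec2:disassociateaddress`) missing in the same way. This pre-dates the hunk, which only re-indents, but is worth fixing in the same pass since the file is being rewritten anyway.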
@@ -1,64 +1,65 @@ id: aws_ec2_instance_no_iam_role_with_data_destruction_access title: EC2 instance IAM role should not allow data destruction access +type: control description: This control ensures that EC2 instance IAM role does not allow data destruction access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND ( - action IN ( - 's3:deletebucket', - 'rds:deletedbcluster', - 'rds:deletedbinstance', - 'rds:deleteDBSnapshot', - 'rds:deletedbclustersnapshot', - 'rds:deleteglobalcluster', - 'ec2:deletesnapshot', - 'ec2:deletevolume', - '*:*' - ) - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 
'ec2.amazonaws.com' + AND ( + action IN ( + 's3:deletebucket', + 'rds:deletedbcluster', + 'rds:deletedbinstance', + 'rds:deleteDBSnapshot', + 'rds:deletedbclustersnapshot', + 'rds:deleteglobalcluster', + 'ec2:deletesnapshot', + 'ec2:deletevolume', + '*:*' + ) ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no data destruction access.' - ELSE title || ' has data destruction access.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no data destruction access.' + ELSE title || ' has data destruction access.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml index 20f2dcde0..6645b3eac 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml 
@@ -1,52 +1,53 @@ id: aws_ec2_instance_no_iam_role_with_destruction_kms_access title: EC2 instance IAM role should not allow destruction KMS access +type: control description: This control ensures that EC2 instance IAM roles do not allow destruction KMS access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ('secretsmanager:getsecretvalue', 'kms:decrypt', '*:*') - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role with destruction KMS permission.' - ELSE title || ' has IAM role with destruction KMS permission.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ('secretsmanager:getsecretvalue', 'kms:decrypt', '*:*') + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role with destruction KMS permission.' + ELSE title || ' has IAM role with destruction KMS permission.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml index 1ee0a14b2..7c54ec38d 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml 
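Review bot: The actions checked here, `'secretsmanager:getsecretvalue'` and `'kms:decrypt'`, are read/decrypt permissions, not destructive ones, yet the control id, title and both `reason` strings speak of "destruction KMS" access, so the finding text misdescribes what was detected and destructive KMS grants (`kms:ScheduleKeyDeletion`, `kms:DisableKey`, `kms:DeleteAlias`) are not flagged at all. Either rename the control and its reasons to describe secret/ciphertext read access, or replace the list with the KMS deletion/disable actions in the case the `_std` column uses. Minor style point in the same hunk: `END status` omits the `AS` that the adjacent `END AS reason` uses; `END AS status` keeps the two consistent, and the same omission is in the `..._no_iam_passrole_and_lambda_invoke_function_access.yaml`, `..._destruction_rds_access.yaml`, `..._elastic_ip_hijacking_access.yaml` and `..._management_level_access.yaml` hunks.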
@@ -1,52 +1,53 @@ id: aws_ec2_instance_no_iam_role_with_destruction_rds_access title: EC2 instance IAM role should not allow destruction RDS access +type: control description: This control ensures that EC2 instance IAM roles do not allow destruction RDS access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ('rds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement', '*:*') - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role with destruction RDS permission.' - ELSE title || ' has IAM role with destruction RDS permission.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ('rds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement', '*:*') + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role with destruction RDS permission.' + ELSE title || ' has IAM role with destruction RDS permission.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml index 4c5cf2b40..90f98cc7a 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml 
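Review bot: `'rds-data:ExecuteStatement'` and `'rds-data:BatchExecuteStatement'` grant SQL execution through the RDS Data API, which is not what "destruction RDS access" in the title and reasons implies; the actual RDS deletion actions (`rds:deletedbinstance`, `rds:deletedbcluster`, the snapshot deletions) are already covered by `aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml` in this commit, so this control overlaps that one under a misleading name. If the intent is Data API execution, rename the control and change the reasons to `' has no IAM role with RDS Data API execution permission.'` / `' has IAM role with RDS Data API execution permission.'`; otherwise fold the list into the data-destruction control. The literals are also mixed-case while neighbouring controls compare the same column against lowercase values, so one of the two conventions cannot match.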
@@ -1,88 +1,89 @@ id: aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access title: EC2 instance IAM role should not allow elastic IP hijacking access. +type: control description: This control ensures that EC2 instance IAM role does not allow elastic IP hijacking access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), + iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN ( SELECT - r.arn AS role_arn, - i.arn AS instance_arn + role_arn FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), - iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN ( - SELECT - role_arn - FROM - iam_roles - ) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 'chime:createapikey', - 'codepipeline:pollforjobs', - 'cognito-identity:getopenidtoken', - 'cognito-identity:getopenidtokenfordeveloperidentity', - 'cognito-identity:getcredentialsforidentity', - 'connect:getfederationtoken', - 'connect:getfederationtokens', - 
'ec2:getpassworddata', - 'ecr:getauthorizationtoken', - 'gamelift:requestuploadcredentials', - 'iam:createaccesskey', - 'iam:createloginprofile', - 'iam:createservicespecificcredential', - 'iam:resetservicespecificcredential', - 'iam:updateaccesskey', - 'lightsail:getinstanceaccessdetails', - 'lightsail:getrelationaldatabasemasteruserpassword', - 'rds-db:connect', - 'redshift:getclustercredentials', - 'sso:getrolecredentials', - 'mediapackage:rotatechannelcredentials', - 'mediapackage:rotateingestendpointcredentials', - 'sts:assumerole', - 'sts:assumerolewithsaml', - 'sts:assumerolewithwebidentity', - 'sts:getfederationtoken', - 'sts:getsessiontoken', - '*:*' - ) + iam_roles + ) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 'chime:createapikey', + 'codepipeline:pollforjobs', + 'cognito-identity:getopenidtoken', + 'cognito-identity:getopenidtokenfordeveloperidentity', + 'cognito-identity:getcredentialsforidentity', + 'connect:getfederationtoken', + 'connect:getfederationtokens', + 'ec2:getpassworddata', + 'ecr:getauthorizationtoken', + 'gamelift:requestuploadcredentials', + 'iam:createaccesskey', + 'iam:createloginprofile', + 'iam:createservicespecificcredential', + 'iam:resetservicespecificcredential', + 'iam:updateaccesskey', + 'lightsail:getinstanceaccessdetails', + 'lightsail:getrelationaldatabasemasteruserpassword', + 'rds-db:connect', + 'redshift:getclustercredentials', + 'sso:getrolecredentials', + 'mediapackage:rotatechannelcredentials', + 'mediapackage:rotateingestendpointcredentials', + 'sts:assumerole', + 'sts:assumerolewithsaml', + 'sts:assumerolewithwebidentity', + 'sts:getfederationtoken', + 'sts:getsessiontoken', + '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role attached with credentials 
exposure permissions.' - ELSE title || ' has IAM role attached with credentials exposure permissions.' - END AS reason, - i.account_id - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role attached with credentials exposure permissions.' + ELSE title || ' has IAM role attached with credentials exposure permissions.' + END AS reason, + i.account_id + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml index 17c3ff18e..8f251bbf4 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml 
@@ -1,79 +1,80 @@ id: aws_ec2_instance_no_iam_role_with_management_level_access title: EC2 instance IAM role should not allow management level access +type: control description: This control ensures that EC2 instance IAM role does not allow management level access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std->'Statement') AS s, - jsonb_array_elements_text(s->'Principal'->'Service') AS service, - jsonb_array_elements_text(s->'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s->>'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND ( - action IN ( - 'iam:attachgrouppolicy', - 'iam:attachrolepolicy', - 'iam:attachuserpolicy', - 'iam:createpolicy', - 'iam:createpolicyversion', - 'iam:deleteaccountpasswordpolicy', - 'iam:deletegrouppolicy', - 'iam:deletepolicy', - 'iam:deletepolicyversion', - 'iam:deleterolepermissionsboundary', - 'iam:deleterolepolicy', - 'iam:deleteuserpermissionsboundary', - 'iam:deleteuserpolicy', - 'iam:detachgrouppolicy', - 'iam:detachrolepolicy', - 'iam:detachuserpolicy', - 'iam:putgrouppolicy', - 'iam:putrolepermissionsboundary', - 'iam:putrolepolicy', - 'iam:putuserpermissionsboundary', - 'iam:putuserpolicy', - 'iam:setdefaultpolicyversion', - 'iam:updateassumerolerolicy', - '*:*' - ) - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN 
aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std->'Statement') AS s, + jsonb_array_elements_text(s->'Principal'->'Service') AS service, + jsonb_array_elements_text(s->'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s->>'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND ( + action IN ( + 'iam:attachgrouppolicy', + 'iam:attachrolepolicy', + 'iam:attachuserpolicy', + 'iam:createpolicy', + 'iam:createpolicyversion', + 'iam:deleteaccountpasswordpolicy', + 'iam:deletegrouppolicy', + 'iam:deletepolicy', + 'iam:deletepolicyversion', + 'iam:deleterolepermissionsboundary', + 'iam:deleterolepolicy', + 'iam:deleteuserpermissionsboundary', + 'iam:deleteuserpolicy', + 'iam:detachgrouppolicy', + 'iam:detachrolepolicy', + 'iam:detachuserpolicy', + 'iam:putgrouppolicy', + 'iam:putrolepermissionsboundary', + 'iam:putrolepolicy', + 'iam:putuserpermissionsboundary', + 'iam:putuserpolicy', + 'iam:setdefaultpolicyversion', + 'iam:updateassumerolerolicy', + '*:*' + ) ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no management level access.' - ELSE title || ' has management level access.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no management level access.' + ELSE title || ' has management level access.' 
+ END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml index 8018191ef..07242c25b 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml 
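Review bot: `'iam:updateassumerolerolicy'` in the new action list is misspelled, so a role that grants iam:UpdateAssumeRolePolicy is never flagged; the privilege_escalation hunk below spells it `'iam:updateassumerolepolicy'`. More broadly, iam_role_with_permission unnests `assume_role_policy_std -> 'Statement'` and requires `Principal.Service = 'ec2.amazonaws.com'`, which looks like the role's trust policy; trust statements normally carry sts:AssumeRole rather than the iam:* management actions or '*:*' listed here, so unless that column holds something other than the trust document the CTE would match nothing and every instance reports 'ok'. Please confirm what `assume_role_policy_std` contains, or evaluate the role's attached and inline permission policies instead. The same pattern is repeated in the new_group_creation, new_role_creation, org_write_access, privilege_escalation_risk_access, security_group_write_access and write_permission_on_critical_s3_configuration hunks below.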
@@ -1,56 +1,57 @@ id: aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access title: EC2 instance IAM role should not allow new group creation with attached policy access +type: control description: This control ensures that EC2 instance IAM role does not allow new group creation with attached policy access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i - ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action = 'iam:creategroup' - AND action = 'iam:attachgrouppolicy' - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no new group creation access with attached policy.' - ELSE title || ' has new group creation access with attached policy.' 
- END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r - ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p - ON p.arn = r.role_arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i + ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action = 'iam:creategroup' + AND action = 'iam:attachgrouppolicy' + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no new group creation access with attached policy.' + ELSE title || ' has new group creation access with attached policy.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r + ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p + ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml index bb9b7da1a..c487ed88b 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml 
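Review bot: `AND action = 'iam:creategroup' AND action = 'iam:attachgrouppolicy'` in iam_role_with_permission can never be true for one unnested action value, so p.arn is always NULL and the control reports 'ok' for every instance; the new_role_creation hunk below has the same contradiction with 'iam:createrole' and 'iam:attachrolepolicy'. To require both permissions on the same role, match either action and aggregate per role: `AND action IN ('iam:creategroup', 'iam:attachgrouppolicy')`, `GROUP BY arn`, `HAVING COUNT(DISTINCT action) = 2`. Unlike the sibling controls this list has no `'*:*'` entry, so a wildcard allow is not caught; if it should be, it needs its own OR branch rather than a place in the IN list.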
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml 
@@ -1,54 +1,55 @@
id: aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access
title: EC2 instance IAM role should not allow new role creation with attached policy access
+type: control
description: This control ensures that EC2 instance IAM role does not allow new role creation with attached policy access.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ec2_instance
- definition: |
- WITH iam_roles AS (
- SELECT
- r.arn AS role_arn,
- i.arn AS instance_arn
- FROM
- aws_iam_role AS r,
- jsonb_array_elements_text(instance_profile_arns) AS p
- LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn
- WHERE
- i.arn IS NOT NULL
- ),
- iam_role_with_permission AS (
- SELECT
- arn
- FROM
- aws_iam_role,
- jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- arn IN (SELECT role_arn FROM iam_roles)
- AND s ->> 'Effect' = 'Allow'
- AND service = 'ec2.amazonaws.com'
- AND action = 'iam:createrole'
- AND action = 'iam:attachrolepolicy'
- )
- SELECT
- i.arn AS resource,
- i.platform_integration_id AS platform_integration_id,
- i.platform_resource_id AS platform_resource_id,
- CASE
- WHEN p.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- CASE
- WHEN p.arn IS NULL THEN title || ' has no new role creation access with attached policy.'
- ELSE title || ' has new role creation access with attached policy.'
- END AS reason
- FROM
- aws_ec2_instance AS i
- LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn
- LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn;
+ language: sql
+ primary_resource: aws_ec2_instance
+ definition: |
+ WITH iam_roles AS (
+ SELECT
+ r.arn AS role_arn,
+ i.arn AS instance_arn
+ FROM
+ aws_iam_role AS r,
+ jsonb_array_elements_text(instance_profile_arns) AS p
+ LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn
+ WHERE
+ i.arn IS NOT NULL
+ ),
+ iam_role_with_permission AS (
+ SELECT
+ arn
+ FROM
+ aws_iam_role,
+ jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ arn IN (SELECT role_arn FROM iam_roles)
+ AND s ->> 'Effect' = 'Allow'
+ AND service = 'ec2.amazonaws.com'
+ AND action = 'iam:createrole'
+ AND action = 'iam:attachrolepolicy'
+ )
+ SELECT
+ i.arn AS resource,
+ i.platform_integration_id AS platform_integration_id,
+ i.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN p.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ CASE
+ WHEN p.arn IS NULL THEN title || ' has no new role creation access with attached policy.'
+ ELSE title || ' has new role creation access with attached policy.'
+ END AS reason
+ FROM
+ aws_ec2_instance AS i
+ LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn
+ LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml
index ce2c14d35..62d279976 100644
--- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml
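Review bot: `END status` in the outer SELECT omits `AS`, while the reason column two lines later and the new_group_creation hunk above write `END AS status`; the management_level_access, security_group_write_access and critical_s3_configuration hunks have the same inconsistency, and one form should be used across the series. This control also returns no `i.account_id` column, unlike the credentials-exposure and critical_s3_configuration queries; if the platform expects it, add `i.account_id` after `END AS reason,`.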
@@ -1,82 +1,83 @@ id: aws_ec2_instance_no_iam_role_with_org_write_access title: EC2 instance IAM role should not allow organization write access +type: control description: This control ensures that EC2 instance IAM role does not allow organization write access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND ( - action IN ( - 'organizations:AcceptHandshake', - 'organizations:AttachPolicy', - 'organizations:CancelHandshake', - 'organizations:CreateAccount', - 'organizations:CreateGovCloudAccount', - 'organizations:CreateOrganization', - 'organizations:CreateOrganizationalUnit', - 'organizations:CreatePolicy', - 'organizations:DeclineHandshake', - 'organizations:DeleteOrganization', - 'organizations:DeleteOrganizationalUnit', - 'organizations:DeletePolicy', - 'organizations:DeregisterDelegatedAdministrator', - 'organizations:DetachPolicy', - 'organizations:DisableAWSServiceAccess', - 'organizations:DisablePolicyType', - 'organizations:EnableAWSServiceAccess', - 'organizations:EnableAllFeatures', - 'organizations:EnablePolicyType', - 'organizations:InviteAccountToOrganization', - 'organizations:LeaveOrganization', - 'organizations:MoveAccount', - 'organizations:RegisterDelegatedAdministrator', - 
'organizations:RemoveAccountFromOrganization', - 'organizations:UpdateOrganizationalUnit', - 'organizations:UpdatePolicy', - '*:*' - ) - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND ( + action IN ( + 'organizations:AcceptHandshake', + 'organizations:AttachPolicy', + 'organizations:CancelHandshake', + 'organizations:CreateAccount', + 'organizations:CreateGovCloudAccount', + 'organizations:CreateOrganization', + 'organizations:CreateOrganizationalUnit', + 'organizations:CreatePolicy', + 'organizations:DeclineHandshake', + 'organizations:DeleteOrganization', + 'organizations:DeleteOrganizationalUnit', + 'organizations:DeletePolicy', + 'organizations:DeregisterDelegatedAdministrator', + 'organizations:DetachPolicy', + 'organizations:DisableAWSServiceAccess', + 'organizations:DisablePolicyType', + 'organizations:EnableAWSServiceAccess', + 'organizations:EnableAllFeatures', + 'organizations:EnablePolicyType', + 'organizations:InviteAccountToOrganization', + 'organizations:LeaveOrganization', + 'organizations:MoveAccount', + 'organizations:RegisterDelegatedAdministrator', + 'organizations:RemoveAccountFromOrganization', + 'organizations:UpdateOrganizationalUnit', + 'organizations:UpdatePolicy', + '*:*' + ) ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - 
i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no organization write access.' - ELSE title || ' has organization write access.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no organization write access.' + ELSE title || ' has organization write access.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml index 2b3658711..3dc80e966 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml 
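Review bot: The action list compares `action` against mixed-case literals such as `'organizations:AcceptHandshake'`, while every other list in this series is lowercase ('iam:attachrolepolicy', 'ec2:createsecuritygroup'); if the `_std` column normalises action names to lowercase, as the lowercase siblings assume, none of the organizations:* entries will ever match and only `'*:*'` remains effective. Either lowercase the literals or compare with `lower(action)`, and document the case convention the `_std` columns follow. The privilege_escalation hunk (`'iam:SetDefaultpolicyversion'`, `'iam:createaccessKey'`) and the security_group_write_access and critical_s3_configuration hunks (`'elasticloadbalancing:applysecuritygroupsToLoadbalancer'`) carry the same stray capitals.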
@@ -1,63 +1,64 @@ id: aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access title: EC2 instance IAM role should not allow privilege escalation risk access +type: control description: This control ensures that EC2 instance IAM role does not allow privilege escalation risk access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i - ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND ( - action IN ( - 'iam:createpolicy', 'iam:createpolicyversion', 'iam:SetDefaultpolicyversion', - 'iam:passrole', 'iam:createaccessKey', 'iam:createloginprofile', - 'iam:updateloginprofile', 'iam:attachuserpolicy', 'iam:attachgrouppolicy', - 'iam:attachrolepolicy', 'iam:putuserpolicy', 'iam:putgrouppolicy', - 'iam:putrolepolicy', 'iam:addusertogroup', 'iam:updateassumerolepolicy', '*:*' - ) - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i + ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 
'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND ( + action IN ( + 'iam:createpolicy', 'iam:createpolicyversion', 'iam:SetDefaultpolicyversion', + 'iam:passrole', 'iam:createaccessKey', 'iam:createloginprofile', + 'iam:updateloginprofile', 'iam:attachuserpolicy', 'iam:attachgrouppolicy', + 'iam:attachrolepolicy', 'iam:putuserpolicy', 'iam:putgrouppolicy', + 'iam:putrolepolicy', 'iam:addusertogroup', 'iam:updateassumerolepolicy', '*:*' + ) ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no privilege escalation access.' - ELSE title || ' has privilege escalation access.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r - ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p - ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no privilege escalation access.' + ELSE title || ' has privilege escalation access.' + END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r + ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p + ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml index d3345fb14..cdf64565f 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml 
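Review bot: The action list packs three or four literals per line, whereas every sibling control lists one action per line; that makes additions and removals in this list hard to review in a diff and is where the stray capitals in `'iam:SetDefaultpolicyversion'` and `'iam:createaccessKey'` went unnoticed. Reformat to one literal per line and drop the redundant `AND ( action IN ( ... ) )` wrapper, which is only needed when a second OR branch exists.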
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml 
@@ -1,69 +1,70 @@ id: aws_ec2_instance_no_iam_role_with_security_group_write_access title: EC2 instance IAM role should not allow security group write access +type: control description: This control ensures that EC2 instance IAM roles do not allow security group write access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT - r.arn AS role_arn, - i.arn AS instance_arn - FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN (SELECT role_arn FROM iam_roles) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 'rds:createdbsecuritygroup', - 'rds:deletedbsecuritygroup', - 'rds:revokedbsecuritygroupingress', - 'ec2:authorizesecuritygroupegress', - 'ec2:authorizesecuritygroupingress', - 'ec2:createsecuritygroup', - 'ec2:deletesecuritygroup', - 'ec2:modifysecuritygrouprules', - 'ec2:revokesecuritygroupegress', - 'ec2:revokesecuritygroupingress', - 'elasticloadbalancing:applysecuritygroupsToLoadbalancer', - 'elasticloadbalancing:setsecuritygroups', - 'redshift:authorizeclustersecuritygroupingress', - 'redshift:createclustersecuritygroup', - 'redshift:deleteclustersecuritygroup', - '*:*' - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL 
+ ), iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN (SELECT role_arn FROM iam_roles) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 'rds:createdbsecuritygroup', + 'rds:deletedbsecuritygroup', + 'rds:revokedbsecuritygroupingress', + 'ec2:authorizesecuritygroupegress', + 'ec2:authorizesecuritygroupingress', + 'ec2:createsecuritygroup', + 'ec2:deletesecuritygroup', + 'ec2:modifysecuritygrouprules', + 'ec2:revokesecuritygroupegress', + 'ec2:revokesecuritygroupingress', + 'elasticloadbalancing:applysecuritygroupsToLoadbalancer', + 'elasticloadbalancing:setsecuritygroups', + 'redshift:authorizeclustersecuritygroupingress', + 'redshift:createclustersecuritygroup', + 'redshift:deleteclustersecuritygroup', + '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role with security group write access.' - ELSE title || ' has IAM role with security group write access.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role with security group write access.' + ELSE title || ' has IAM role with security group write access.' 
+ END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml index d5e1d9226..58ae9b5a7 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml 
@@ -1,79 +1,80 @@ id: aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration title: EC2 instance IAM role should not allow write permission on critical S3 configuration +type: control description: This control ensures that EC2 instance IAM roles do not allow write permission on critical S3 configuration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT + r.arn AS role_arn, + i.arn AS instance_arn + FROM + aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN + aws_ec2_instance AS i ON p = i.iam_instance_profile_arn + WHERE + i.arn IS NOT NULL + ), + iam_role_with_permission AS ( + SELECT + arn + FROM + aws_iam_role, + jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + arn IN ( SELECT - r.arn AS role_arn, - i.arn AS instance_arn + role_arn FROM - aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN - aws_ec2_instance AS i ON p = i.iam_instance_profile_arn - WHERE - i.arn IS NOT NULL - ), - iam_role_with_permission AS ( - SELECT - arn - FROM - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') AS service, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - arn IN ( - SELECT - role_arn - FROM - iam_roles - ) - AND s ->> 'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND action IN ( - 'rds:createdbsecuritygroup', - 'rds:deletedbsecuritygroup', - 'rds:revokedbsecuritygroupingress', - 'ec2:authorizesecuritygroupegress', - 'ec2:authorizesecuritygroupingress', - 'ec2:createsecuritygroup', - 
'ec2:deletesecuritygroup', - 'ec2:modifysecuritygrouprules', - 'ec2:revokesecuritygroupegress', - 'ec2:revokesecuritygroupingress', - 'elasticloadbalancing:applysecuritygroupsToLoadbalancer', - 'elasticloadbalancing:setsecuritygroups', - 'redshift:authorizeclustersecuritygroupingress', - 'redshift:createclustersecuritygroup', - 'redshift:deleteclustersecuritygroup', - '*:*' - ) + iam_roles + ) + AND s ->> 'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND action IN ( + 'rds:createdbsecuritygroup', + 'rds:deletedbsecuritygroup', + 'rds:revokedbsecuritygroupingress', + 'ec2:authorizesecuritygroupegress', + 'ec2:authorizesecuritygroupingress', + 'ec2:createsecuritygroup', + 'ec2:deletesecuritygroup', + 'ec2:modifysecuritygrouprules', + 'ec2:revokesecuritygroupegress', + 'ec2:revokesecuritygroupingress', + 'elasticloadbalancing:applysecuritygroupsToLoadbalancer', + 'elasticloadbalancing:setsecuritygroups', + 'redshift:authorizeclustersecuritygroupingress', + 'redshift:createclustersecuritygroup', + 'redshift:deleteclustersecuritygroup', + '*:*' ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM role with security group write access.' - ELSE title || ' has IAM role with security group write access.' - END AS reason, - i.account_id - FROM - aws_ec2_instance AS i - LEFT JOIN - iam_roles AS r ON r.instance_arn = i.arn - LEFT JOIN - iam_role_with_permission AS p ON p.arn = r.role_arn; + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM role with security group write access.' + ELSE title || ' has IAM role with security group write access.' 
+ END AS reason, + i.account_id + FROM + aws_ec2_instance AS i + LEFT JOIN + iam_roles AS r ON r.instance_arn = i.arn + LEFT JOIN + iam_role_with_permission AS p ON p.arn = r.role_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml index 19d06f694..df74ccf74 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml 
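Review bot: The action list and both reason strings in this control are copied from the security_group_write_access control: a control titled "write permission on critical S3 configuration" inspects rds, ec2, elasticloadbalancing and redshift security-group actions and reports `' has IAM role with security group write access.'`, so it can never detect what its title and description promise and its output is misleading. The list should be replaced with the S3 bucket-configuration write actions the control is meant to cover and the reason text aligned with the title; the example list below should be confirmed against the control's intent before merging.
```sql
-- … unchanged: iam_roles CTE and the iam_role_with_permission FROM/WHERE prefix …
        AND action IN (
          's3:putbucketpolicy',
          's3:putbucketacl',
          's3:putbucketpublicaccessblock',
          's3:deletebucketpolicy',
          's3:putencryptionconfiguration',
          's3:putbucketversioning',
          '*:*'
        )
-- … unchanged: outer SELECT and status CASE …
      CASE
        WHEN p.arn IS NULL THEN title || ' has no IAM role with write access to critical S3 configuration.'
        ELSE title || ' has IAM role with write access to critical S3 configuration.'
      END AS reason,
-- … unchanged: i.account_id, FROM and joins …
```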
@@ -1,150 +1,151 @@ id: aws_ec2_instance_no_iam_with_write_level_access title: EC2 instance IAM role should not allow write level access +type: control description: This control ensures that EC2 instance IAM role does not allow write level access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH iam_roles AS ( - SELECT r.arn AS role_arn, - i.arn AS instance_arn - FROM aws_iam_role AS r, - jsonb_array_elements_text(instance_profile_arns) AS p - LEFT JOIN aws_ec2_instance AS i - ON p = i.iam_instance_profile_arn - WHERE i.arn IS NOT NULL - ), - iam_role_with_permission AS ( - SELECT arn - FROM aws_iam_role, - jsonb_array_elements(assume_role_policy_std->'Statement') AS s, - jsonb_array_elements_text(s->'Principal'->'Service') AS service, - jsonb_array_elements_text(s->'Action') AS action - WHERE arn IN ( - SELECT role_arn - FROM iam_roles - ) - AND s->>'Effect' = 'Allow' - AND service = 'ec2.amazonaws.com' - AND ( - ( - action IN ( - 'iam:addclientidtoopenidconnectprovider', - 'iam:addroletoinstanceprofile', - 'iam:addusertogroup', - 'iam:changepassword', - 'iam:createaccesskey', - 'iam:createaccountalias', - 'iam:creategroup', - 'iam:createinstanceprofile', - 'iam:createloginprofile', - 'iam:createopenidconnectprovider', - 'iam:createrole', - 'iam:createsamlprovider', - 'iam:createservicelinkedrole', - 'iam:createservicespecificcredential', - 'iam:createuser', - 'iam:createvirtualmfadevice', - 'iam:deactivatemfadevice', - 'iam:deleteaccesskey', - 'iam:deleteaccountalias', - 'iam:deletegroup', - 'iam:deleteinstanceprofile', - 'iam:deleteloginprofile', - 'iam:deleteopenidconnectprovider', - 'iam:deleterole', - 'iam:deletesamlprovider', - 'iam:deletesshpublickey', - 'iam:deleteservercertificate', - 'iam:deleteservicelinkedrole', - 'iam:deleteservicespecificcredential', - 'iam:deletesigningcertificate', - 'iam:deleteUser', - 'iam:deletevirtualmfadevice', - 
'iam:enablemfadevice', - 'iam:passrole', - 'iam:removeclientidfromopenidconnectprovider', - 'iam:removerolefrominstanceprofile', - 'iam:removeuserfromgroup', - 'iam:resetservicespecificcredential', - 'iam:resyncmfadevice', - 'iam:setsecuritytokenservicepreferences', - 'iam:updateaccesskey', - 'iam:updateaccountpasswordpolicy', - 'iam:updategroup', - 'iam:updateloginprofile', - 'iam:updateopenidconnectproviderthumbprint', - 'iam:updaterole', - 'iam:updateroledescription', - 'iam:updatesamlprovider', - 'iam:updatesshpublicKey', - 'iam:updateservercertificate', - 'iam:updateservicespecificcredential', - 'iam:updatesigningcertificate', - 'iam:updateuser', - 'iam:uploadsshpublicKey', - 'iam:uploadservercertificate', - 'iam:uploadsigningcertificate', - '*:*' - ) + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH iam_roles AS ( + SELECT r.arn AS role_arn, + i.arn AS instance_arn + FROM aws_iam_role AS r, + jsonb_array_elements_text(instance_profile_arns) AS p + LEFT JOIN aws_ec2_instance AS i + ON p = i.iam_instance_profile_arn + WHERE i.arn IS NOT NULL + ), + iam_role_with_permission AS ( + SELECT arn + FROM aws_iam_role, + jsonb_array_elements(assume_role_policy_std->'Statement') AS s, + jsonb_array_elements_text(s->'Principal'->'Service') AS service, + jsonb_array_elements_text(s->'Action') AS action + WHERE arn IN ( + SELECT role_arn + FROM iam_roles + ) + AND s->>'Effect' = 'Allow' + AND service = 'ec2.amazonaws.com' + AND ( + ( + action IN ( + 'iam:addclientidtoopenidconnectprovider', + 'iam:addroletoinstanceprofile', + 'iam:addusertogroup', + 'iam:changepassword', + 'iam:createaccesskey', + 'iam:createaccountalias', + 'iam:creategroup', + 'iam:createinstanceprofile', + 'iam:createloginprofile', + 'iam:createopenidconnectprovider', + 'iam:createrole', + 'iam:createsamlprovider', + 'iam:createservicelinkedrole', + 'iam:createservicespecificcredential', + 'iam:createuser', + 'iam:createvirtualmfadevice', + 'iam:deactivatemfadevice', + 
'iam:deleteaccesskey', + 'iam:deleteaccountalias', + 'iam:deletegroup', + 'iam:deleteinstanceprofile', + 'iam:deleteloginprofile', + 'iam:deleteopenidconnectprovider', + 'iam:deleterole', + 'iam:deletesamlprovider', + 'iam:deletesshpublickey', + 'iam:deleteservercertificate', + 'iam:deleteservicelinkedrole', + 'iam:deleteservicespecificcredential', + 'iam:deletesigningcertificate', + 'iam:deleteUser', + 'iam:deletevirtualmfadevice', + 'iam:enablemfadevice', + 'iam:passrole', + 'iam:removeclientidfromopenidconnectprovider', + 'iam:removerolefrominstanceprofile', + 'iam:removeuserfromgroup', + 'iam:resetservicespecificcredential', + 'iam:resyncmfadevice', + 'iam:setsecuritytokenservicepreferences', + 'iam:updateaccesskey', + 'iam:updateaccountpasswordpolicy', + 'iam:updategroup', + 'iam:updateloginprofile', + 'iam:updateopenidconnectproviderthumbprint', + 'iam:updaterole', + 'iam:updateroledescription', + 'iam:updatesamlprovider', + 'iam:updatesshpublicKey', + 'iam:updateservercertificate', + 'iam:updateservicespecificcredential', + 'iam:updatesigningcertificate', + 'iam:updateuser', + 'iam:uploadsshpublicKey', + 'iam:uploadservercertificate', + 'iam:uploadsigningcertificate', + '*:*' ) ) - ) - SELECT i.arn AS resource, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' has no IAM writ level access.' - ELSE title || ' has IAM write level access.' - END AS reason, - i.platform_integration_id, - i.platform_resource_id, - i.account_id - FROM aws_ec2_instance AS i - LEFT JOIN iam_roles AS r - ON r.instance_arn = i.arn - LEFT JOIN iam_role_with_permission AS p - ON p.arn = r.role_arn; + ) + ) + SELECT i.arn AS resource, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' has no IAM writ level access.' + ELSE title || ' has IAM write level access.' 
+ END AS reason, + i.platform_integration_id, + i.platform_resource_id, + i.account_id + FROM aws_ec2_instance AS i + LEFT JOIN iam_roles AS r + ON r.instance_arn = i.arn + LEFT JOIN iam_role_with_permission AS p + ON p.arn = r.role_arn; severity: critical tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml b/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml index 1cbd416e8..06b6df469 100644 --- a/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml 
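Review bot: The reason string on the new side still reads `' has no IAM writ level access.'`; it should be `' has no IAM write level access.'`. Three entries in the action list keep mixed case — `'iam:deleteUser'`, `'iam:updatesshpublicKey'`, `'iam:uploadsshpublicKey'` — while every other entry is lowercase; if the `_std` column normalises actions to lowercase these three never match, so they should be lowercased too. The actions are also matched against `assume_role_policy_std`, which is the role's trust policy rather than its permission policies; if the intent is to detect write-level permissions that looks like the wrong document — confirm against the table schema. The `WHERE i.arn IS NOT NULL` inside `iam_roles` turns its `LEFT JOIN` into an inner join, so writing `INNER JOIN aws_ec2_instance AS i` would state the intent directly.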
@@ -1,37 +1,38 @@ id: aws_ec2_instance_no_launch_wizard_security_group title: EC2 instances should not be attached to 'launch wizard' security groups +type: control description: Ensure EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard', in order to enforce using secure and custom security groups that exercise the principle of least privilege. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH launch_wizard_sg_attached_instance AS ( - SELECT - DISTINCT arn AS arn - FROM - aws_ec2_instance, - jsonb_array_elements(security_groups) AS sg - WHERE - sg ->> 'GroupName' LIKE 'launch-wizard%' - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN sg.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.arn IS NULL THEN i.title || ' not associated with launch-wizard security group.' - ELSE i.title || ' associated with launch-wizard security group.' - END AS reason - FROM - aws_ec2_instance AS i - LEFT JOIN - launch_wizard_sg_attached_instance AS sg ON i.arn = sg.arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH launch_wizard_sg_attached_instance AS ( + SELECT + DISTINCT arn AS arn + FROM + aws_ec2_instance, + jsonb_array_elements(security_groups) AS sg + WHERE + sg ->> 'GroupName' LIKE 'launch-wizard%' + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN sg.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.arn IS NULL THEN i.title || ' not associated with launch-wizard security group.' + ELSE i.title || ' associated with launch-wizard security group.' 
+ END AS reason + FROM + aws_ec2_instance AS i + LEFT JOIN + launch_wizard_sg_attached_instance AS sg ON i.arn = sg.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml b/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml index e50fc65e7..ed78c873f 100644 --- a/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml @@ -1,24 +1,25 @@ id: aws_ec2_instance_not_older_than_180_days title: Ensure no AWS EC2 Instances are older than 180 days -description: '"Identify any running AWS EC2 instances older than 180 days.' +type: control +description: "\"Identify any running AWS EC2 instances older than 180 days." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - launch_time, - CASE - WHEN launch_time >= (current_date - INTERVAL '180 days') THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' created ' || TO_CHAR(launch_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - launch_time) || ' days).' AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + launch_time, + CASE + WHEN launch_time >= (current_date - INTERVAL '180 days') THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' created ' || TO_CHAR(launch_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM CURRENT_TIMESTAMP - launch_time) || ' days).' AS reason + FROM + aws_ec2_instance; severity: low tags: {} 
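Review bot: The description on the new side still carries a stray leading quote, `description: "\"Identify any running AWS EC2 instances older than 180 days."`; dropping the `\"` gives `description: Identify any running AWS EC2 instances older than 180 days.` The same stray quote is carried over in the `aws_ec2_instance_not_publicly_accessible.yaml` hunk further down. The description says "running" but the query has no `instance_state` filter, so stopped and terminated instances are alarmed as well; either filter on state or reword the description. `instance_id AS resource` also differs from the `arn AS resource` used by the neighbouring controls — confirm which key the platform expects.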
diff --git a/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml index 1fddd8ba9..378d98291 100644 --- a/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml 
@@ -1,64 +1,65 @@ id: aws_ec2_instance_not_publicly_accessible title: EC2 instances should not have a public IP address -description: '"Manage access to the AWS Cloud by ensuring AWS Elastic Compute Cloud (AWS EC2) instances cannot be publicly accessed.' +type: control +description: "\"Manage access to the AWS Cloud by ensuring AWS Elastic Compute Cloud (AWS EC2) instances cannot be publicly accessed." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN public_ip_address IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' - ELSE instance_id || ' publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN public_ip_address IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' + ELSE instance_id || ' publicly accessible.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml b/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml index 050e62b6c..4cf2b5956 100644 --- a/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml 
@@ -1,37 +1,38 @@ id: aws_ec2_instance_not_use_multiple_enis title: EC2 instances should not use multiple ENIs +type: control description: This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(network_interfaces) = 1 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.' AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(network_interfaces) = 1 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.' AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - network_security - foundational_security_item_id: - - ec2_17 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - network_security + foundational_security_item_id: + - ec2_17 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml index d46e5120e..d6d8c5696 100644 
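Review bot: The description on the new side states that the control "includes an optional parameter list to identify the allowed ENIs", but `parameters: []` is empty and the query references no parameter, so the text documents behaviour that does not exist; either drop that sentence or add the parameter. When `network_interfaces` is NULL the `CASE` falls through to `'alarm'` while the concatenated reason becomes NULL; `COALESCE(jsonb_array_length(network_interfaces), 0)` in both places keeps the reason readable.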
--- a/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml 
@@ -1,67 +1,68 @@ id: aws_ec2_instance_protected_by_backup_plan title: EC2 instances should be protected by backup plan +type: control description: Ensure that AWS Elastic Compute Cloud (AWS EC2) instances are protected by a backup plan. The rule is non-compliant if the AWS EC2 instance is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH backup_protected_instance AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'EC2' - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN i.title || ' is protected by backup plan.' - ELSE i.title || ' is not protected by backup plan.' - END AS reason, - i.region, - i.account_id - FROM - aws_ec2_instance AS i - LEFT JOIN backup_protected_instance AS b ON i.arn = b.arn; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH backup_protected_instance AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'EC2' + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN i.title || ' is protected by backup plan.' + ELSE i.title || ' is not protected by backup plan.' 
+ END AS reason, + i.region, + i.account_id + FROM + aws_ec2_instance AS i + LEFT JOIN backup_protected_instance AS b ON i.arn = b.arn; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EC2 - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EC2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml b/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml index 636ccc04f..6b61b7950 100644 --- a/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml +++ b/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml 
@@ -1,28 +1,29 @@ id: aws_ec2_instance_publicly_accessible_iam_profile_attached title: Public EC2 instances should have IAM profile attached +type: control description: Ensure AWS Elastic Compute Cloud (AWS EC2) public instances have an Identity and Access Management (IAM) profile attached to them. This rule is non-compliant if no IAM profile is attached to a public AWS EC2 instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_instance_profile_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_instance_profile_id IS NOT NULL THEN title || ' IAM profile attached.' - ELSE title || ' IAM profile not attached.' - END AS reason - FROM - aws_ec2_instance - WHERE - public_ip_address IS NOT NULL; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_instance_profile_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_instance_profile_id IS NOT NULL THEN title || ' IAM profile attached.' + ELSE title || ' IAM profile not attached.' + END AS reason + FROM + aws_ec2_instance + WHERE + public_ip_address IS NOT NULL; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml b/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml index 8e0ef8631..148a3c0d6 100644 --- a/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml +++ b/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml 
@@ -1,70 +1,71 @@ id: aws_ec2_instance_ssm_managed title: EC2 instances should be managed by AWS Systems Manager +type: control description: An inventory of the software platforms and applications within the organization is possible by managing AWS Elastic Compute Cloud (AWS EC2) instances with AWS Systems Manager. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN i.instance_state = 'stopped' THEN 'info' - WHEN m.instance_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.' - WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.' - ELSE i.title || ' managed by AWS SSM.' - END AS reason, - i.region, - i.account_id - FROM - aws_ec2_instance i - LEFT JOIN - aws_ssm_managed_instance m - ON - m.instance_id = i.instance_id; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN i.instance_state = 'stopped' THEN 'info' + WHEN m.instance_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.' + WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.' + ELSE i.title || ' managed by AWS SSM.' 
+ END AS reason, + i.region, + i.account_id + FROM + aws_ec2_instance i + LEFT JOIN + aws_ssm_managed_instance m + ON + m.instance_id = i.instance_id; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SSM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SSM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml index ddad2c7df..8fb5f5287 100644 --- a/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_ec2_instance_termination_protection_enabled title: AWS EC2 instances should have termination protection enabled +type: control description: This control checks whether termination protection is enabled for EC2 instances. The control fails if termination protection is not enabled for an EC2 instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN disable_api_termination THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN disable_api_termination THEN instance_id || ' termination protection enabled.' - ELSE instance_id || ' termination protection disabled.' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN disable_api_termination THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN disable_api_termination THEN instance_id || ' termination protection enabled.' + ELSE instance_id || ' termination protection disabled.' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml b/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml index 122def254..c5580f107 100644 --- a/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml +++ b/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml 
@@ -1,30 +1,31 @@ id: aws_ec2_instance_user_data_no_secrets title: EC2 instances user data should not have secrets +type: control description: User data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code which is exposed to any entity which has the most basic access to EC2, even read-only configurations. It is recommended to not use secrets in user data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) - OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - THEN instance_id || ' potential secret found in user data.' - ELSE instance_id || ' no secrets found in user data.' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN user_data LIKE ANY (ARRAY ['%pass%', '%secret%', '%token%', '%key%']) + OR user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + THEN instance_id || ' potential secret found in user data.' + ELSE instance_id || ' no secrets found in user data.' 
+ END AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml b/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml index 263daff38..055955e7b 100644 --- a/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml +++ b/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml 
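Review bot: The lookahead regex `(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]` is unanchored and only requires that the whole `user_data` contain one lowercase letter, one uppercase letter, one digit and one punctuation character somewhere, which almost every shell or cloud-init script does, so nearly every instance with user data will alarm. Constraining the lookaheads to a single contiguous token of a minimum length (rather than the whole document) would cut the false positives considerably. The `LIKE ANY` list is case-sensitive, so `PASSWORD=` or `Secret:` slip through; `ILIKE ANY` is the matching idiom in this dialect. The same predicate is duplicated in the status and reason expressions; computing it once as a boolean in a CTE keeps the two from drifting apart.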
@@ -1,50 +1,51 @@ id: aws_ec2_instance_uses_imdsv2 title: EC2 instances should use IMDSv2 +type: control description: Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of AWS Elastic Compute Cloud (AWS EC2) instance metadata. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EC2 + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml b/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml index 3d9e07007..902455e80 100644 --- a/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml +++ b/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml 
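Review bot: The status test only alarms when `HttpTokens` is literally `'optional'`, so an instance whose `metadata_options` is NULL or lacks the key evaluates to NULL and falls through to `'ok'`, reporting compliance for an unknown state. Inverting it to `WHEN metadata_options ->> 'HttpTokens' = 'required' THEN 'ok' ELSE 'alarm'`, with the two reason strings swapped to match, makes only the verified state pass.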
@@ -1,37 +1,38 @@ id: aws_ec2_instance_virtualization_type_no_paravirtual title: Paravirtual EC2 instance types should not be used +type: control description: This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN virtualization_type = 'paravirtual' THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' virtualization type is ' || virtualization_type || '.' AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN virtualization_type = 'paravirtual' THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' virtualization type is ' || virtualization_type || '.' AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_patch_and_version_management - foundational_security_item_id: - - ec2_24 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_patch_and_version_management + foundational_security_item_id: + - ec2_24 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml index 841e57954..8a7d80307 100644 
--- a/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml +++ b/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml 
@@ -1,58 +1,59 @@ id: aws_ec2_launch_template_not_publicly_accessible title: AWS EC2 launch templates should not assign public IPs to network interfaces +type: control description: This control checks if AWS EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_template - definition: | - WITH public_launch_templates AS ( - SELECT - i.tags ->> 'aws:ec2launchtemplate:id' AS public_launch_template_id - FROM - aws_ec2_instance AS i, - JSONB_ARRAY_ELEMENTS(launch_template_data -> 'NetworkInterfaces') AS nic - WHERE - (nic -> 'AssociatePublicIpAddress')::BOOL - ), - launch_templates_associated_instance AS ( - SELECT - DISTINCT tags ->> 'aws:ec2launchtemplate:id' AS launch_template_id - FROM - aws_ec2_instance - ) - SELECT - t.launch_template_id AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN i.launch_template_id IS NULL THEN 'skip' - WHEN t.launch_template_id IN (SELECT public_launch_template_id FROM public_launch_templates) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.launch_template_id IS NULL THEN t.title || ' does not launch any instance.' - WHEN t.launch_template_id IN (SELECT public_launch_template_id FROM public_launch_templates) THEN t.title || ' publicly accessible.' - ELSE t.title || ' not publicly accessible.' 
- END AS reason, - t.region, - t.account_id - FROM - aws_ec2_launch_template AS t - LEFT JOIN launch_templates_associated_instance AS i ON i.launch_template_id = t.launch_template_id; + language: sql + primary_resource: aws_ec2_launch_template + definition: | + WITH public_launch_templates AS ( + SELECT + i.tags ->> 'aws:ec2launchtemplate:id' AS public_launch_template_id + FROM + aws_ec2_instance AS i, + JSONB_ARRAY_ELEMENTS(launch_template_data -> 'NetworkInterfaces') AS nic + WHERE + (nic -> 'AssociatePublicIpAddress')::BOOL + ), + launch_templates_associated_instance AS ( + SELECT + DISTINCT tags ->> 'aws:ec2launchtemplate:id' AS launch_template_id + FROM + aws_ec2_instance + ) + SELECT + t.launch_template_id AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN i.launch_template_id IS NULL THEN 'skip' + WHEN t.launch_template_id IN (SELECT public_launch_template_id FROM public_launch_templates) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.launch_template_id IS NULL THEN t.title || ' does not launch any instance.' + WHEN t.launch_template_id IN (SELECT public_launch_template_id FROM public_launch_templates) THEN t.title || ' publicly accessible.' + ELSE t.title || ' not publicly accessible.' + END AS reason, + t.region, + t.account_id + FROM + aws_ec2_launch_template AS t + LEFT JOIN launch_templates_associated_instance AS i ON i.launch_template_id = t.launch_template_id; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_not_publicly_accessible - foundational_security_item_id: - - ec2_25 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_not_publicly_accessible + foundational_security_item_id: + - ec2_25 + plugin: + - aws + service: + - AWS/EC2 
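Review bot: `public_launch_templates` is built from `aws_ec2_instance.launch_template_data`, not from the template, and a template with no launched instance is routed to `'skip'` by the first WHEN, so a template configured with `AssociatePublicIpAddress` true is never alarmed until something launches from it — while the description promises the check on the template itself. If the template's own version data is exposed on the `aws_ec2_launch_template` row or a version table, reading `NetworkInterfaces` from there would cover the unused case; I can't confirm such a column from this diff. Until then, a comment above the first CTE such as `-- evaluated via launched instances: templates without instances are skipped, not inspected` records the gap. `launch_template_data` inside that CTE is also unqualified; presumably it belongs to `i`, and `i.launch_template_data` makes that explicit.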
diff --git a/compliance/controls/aws/aws_ec2_network_interface_unused.yaml b/compliance/controls/aws/aws_ec2_network_interface_unused.yaml index 56ebbd222..d04ca56f3 100644 --- a/compliance/controls/aws/aws_ec2_network_interface_unused.yaml +++ b/compliance/controls/aws/aws_ec2_network_interface_unused.yaml @@ -1,26 +1,27 @@ id: aws_ec2_network_interface_unused title: Ensure unused ENIs are removed +type: control description: Identify and delete any unused Amazon AWS Elastic Network Interfaces in order to adhere to best practices and to avoid reaching the service limit. An AWS Elastic Network Interface (ENI) is pronounced unused when is not attached anymore to an EC2 instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_network_interface - definition: | - SELECT - network_interface_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN status = 'available' AND attached_instance_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'available' AND attached_instance_id IS NULL THEN title || ' not in use.' - ELSE title || ' in use.' - END AS reason - FROM - aws_ec2_network_interface; + language: sql + primary_resource: aws_ec2_network_interface + definition: | + SELECT + network_interface_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN status = 'available' AND attached_instance_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'available' AND attached_instance_id IS NULL THEN title || ' not in use.' + ELSE title || ' in use.' + END AS reason + FROM + aws_ec2_network_interface; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml b/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml index 0be279509..81fb42259 100644 
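Review bot: In `aws_ec2_network_interface_unused` the second half of `status = 'available' AND attached_instance_id IS NULL` is redundant — an ENI in `available` state is by definition unattached — but the `status` guard is what keeps ENIs owned by other services, which carry no instance id yet are in use, out of the alarm set. Add a comment above the CASE so nobody later "simplifies" the predicate to `attached_instance_id IS NULL`: `-- status guard is load-bearing: ENIs attached to non-EC2 services have no instance id but are in-use`. The control's description text ("pronounced unused when is not attached anymore") also reads as a typo for "when it is no longer attached".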
--- a/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml +++ b/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml 
@@ -1,59 +1,60 @@ id: aws_ec2_stopped_instance_30_days title: EC2 stopped instances should be removed in 30 days +type: control description: Enable this rule to help with the baseline configuration of AWS Elastic Compute Cloud (AWS EC2) instances by checking whether AWS EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' - WHEN state_transition_time <= (current_date - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' - ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM current_timestamp - state_transition_time) || ' days).' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' + WHEN state_transition_time <= (current_date - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' + ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM current_timestamp - state_transition_time) || ' days).' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EC2 + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml b/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml index 35c1a9a39..c06a63025 100644 --- a/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml +++ b/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml 
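Review bot: A stopped instance whose `state_transition_time` is NULL is reported `'ok'`: the `<=` comparison is UNKNOWN, the CASE falls through to `ELSE 'ok'`, and the reason concatenation collapses to NULL, so the row carries no explanation of why it passed. Add `WHEN state_transition_time IS NULL THEN 'info'` before the date comparison, with a matching reason branch such as `title || ' stopped, transition time unknown.'`, so the gap is visible instead of silently compliant. Whether that column can be NULL for stopped instances depends on how the collector populates it, which this diff does not show, but the guard is cheap either way. The `aws_ec2_stopped_instance_90_days` hunk that follows has the identical shape.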
@@ -1,27 +1,28 @@ id: aws_ec2_stopped_instance_90_days title: Ensure instances stopped for over 90 days are removed +type: control description: Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' - WHEN state_transition_time <= (current_date - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' - ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM current_timestamp - state_transition_time) || ' days).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' + WHEN state_transition_time <= (current_date - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' + ELSE title || ' stopped since ' || TO_CHAR(state_transition_time, 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM current_timestamp - state_transition_time) || ' days).' + END AS reason + FROM + aws_ec2_instance; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml b/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml index a594a0523..5565049c5 100644 --- a/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml +++ b/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml 
@@ -1,40 +1,41 @@ id: aws_ec2_transit_gateway_auto_cross_account_attachment_disabled title: EC2 transit gateways should have auto accept shared attachments disabled +type: control description: Ensure transit gateways have auto accept shared attachments feature disabled. If this setting is disabled, then any VPC that attempts to attach to a transit gateway will need to request authorization, and the account that owns the transit gateway will need to accept the authorization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_transit_gateway - definition: | - SELECT - transit_gateway_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_accept_shared_attachments = 'enable' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN auto_accept_shared_attachments = 'enable' THEN title || ' automatic shared account attachment enabled.' - ELSE title || ' automatic shared account attachment disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_transit_gateway; + language: sql + primary_resource: aws_ec2_transit_gateway + definition: | + SELECT + transit_gateway_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_accept_shared_attachments = 'enable' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN auto_accept_shared_attachments = 'enable' THEN title || ' automatic shared account attachment enabled.' + ELSE title || ' automatic shared account attachment disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_transit_gateway; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - ec2_23 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - ec2_23 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml b/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml index 3badebe9b..bcd160bf7 100644 --- a/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml +++ b/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_ecr_repository_image_scan_on_push_enabled title: ECR repositories should have image scan on push enabled +type: control description: Ensure AWS Elastic Container Registry (ECR) repositories have image scanning enabled. The rule is non-compliant if image scanning is not enabled for the ECR repository. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN title || ' scan on push enabled.' - ELSE title || ' scan on push disabled.' - END AS reason, - region, - account_id - FROM - aws_ecr_repository; + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN title || ' scan on push enabled.' + ELSE title || ' scan on push disabled.' + END AS reason, + region, + account_id + FROM + aws_ecr_repository; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_patch_and_version_management - foundational_security_item_id: - - ecr_1 - plugin: - - aws - service: - - AWS/ECR + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_patch_and_version_management + foundational_security_item_id: + - ecr_1 + plugin: + - aws + service: + - AWS/ECR 
diff --git a/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml b/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml index da408989d..52cf3ab93 100644 --- a/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml +++ b/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml 
@@ -1,40 +1,41 @@ id: aws_ecr_repository_lifecycle_policy_configured title: ECR repositories should have lifecycle policies configured +type: control description: This control checks if ECR repositories have lifecycle policy configured. This rule fails if ECR repository lifecycle policy is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN title || ' lifecycle policy configured.' - ELSE title || ' lifecycle policy not configured.' - END AS reason, - region, - account_id - FROM - aws_ecr_repository; + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN title || ' lifecycle policy configured.' + ELSE title || ' lifecycle policy not configured.' + END AS reason, + region, + account_id + FROM + aws_ecr_repository; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - ecr_3 - plugin: - - aws - service: - - AWS/ECR + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - ecr_3 + plugin: + - aws + service: + - AWS/ECR 
diff --git a/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml b/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml index 0acbeeea4..5af3f5846 100644 --- a/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml 
@@ -1,44 +1,45 @@ id: aws_ecr_repository_prohibit_public_access title: ECR repositories should prohibit public access +type: control description: Ensure there are no ECR repositories set as public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - WITH open_access_ecr_repo AS ( - SELECT - DISTINCT arn - FROM - aws_ecr_repository, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - string_to_array(p, ':') AS pa, - jsonb_array_elements_text(s -> 'Action') AS a - WHERE - s ->> 'Effect' = 'Allow' - AND ( - p = '*' - ) + language: sql + primary_resource: aws_ecr_repository + definition: | + WITH open_access_ecr_repo AS ( + SELECT + DISTINCT arn + FROM + aws_ecr_repository, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + string_to_array(p, ':') AS pa, + jsonb_array_elements_text(s -> 'Action') AS a + WHERE + s ->> 'Effect' = 'Allow' + AND ( + p = '*' ) - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN o.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN o.arn IS NOT NULL THEN r.title || ' allows public access.' - ELSE r.title || ' does not allow public access.' - END AS reason - FROM - aws_ecr_repository AS r - LEFT JOIN open_access_ecr_repo AS o ON r.arn = o.arn - GROUP BY - resource, status, reason, r.region, r.account_id, r.tags, r._ctx, r.platform_integration_id, r.platform_resource_id; + ) + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN o.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN o.arn IS NOT NULL THEN r.title || ' allows public access.' 
+ ELSE r.title || ' does not allow public access.' + END AS reason + FROM + aws_ecr_repository AS r + LEFT JOIN open_access_ecr_repo AS o ON r.arn = o.arn + GROUP BY + resource, status, reason, r.region, r.account_id, r.tags, r._ctx, r.platform_integration_id, r.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml b/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml index de796e085..531a52d39 100644 --- a/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml +++ b/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml 
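Review bot: In `open_access_ecr_repo` the lateral sources `string_to_array(p, ':') AS pa` and `jsonb_array_elements_text(s -> 'Action') AS a` are never referenced, so they only multiply rows ahead of the `DISTINCT`; drop them, or the next reader will assume the action list is being checked. The check recognises only `Principal -> 'AWS'` equal to `'*'` and treats any such Allow as public even when the statement carries a `Condition` block — the conservative direction, but a comment stating it (`-- any Allow to principal '*' counts as public; conditions are not evaluated`) makes the choice deliberate. I can't tell from this diff whether `policy_std` normalises a bare `"Principal": "*"` into the `AWS` key; if it does not, that form is missed. The trailing `GROUP BY` over `r._ctx`, `r.tags` and friends also does no deduplication the CTE's `DISTINCT` has not already done.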
@@ -1,40 +1,41 @@ id: aws_ecr_repository_tag_immutability_enabled title: ECR private repositories should have tag immutability configured +type: control description: This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN image_tag_mutability = 'IMMUTABLE' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN image_tag_mutability = 'IMMUTABLE' THEN title || ' tag immutability enabled.' - ELSE title || ' tag immutability disabled.' - END AS reason, - region, - account_id - FROM - aws_ecr_repository; + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN image_tag_mutability = 'IMMUTABLE' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN image_tag_mutability = 'IMMUTABLE' THEN title || ' tag immutability enabled.' + ELSE title || ' tag immutability disabled.' + END AS reason, + region, + account_id + FROM + aws_ecr_repository; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - tagging - foundational_security_item_id: - - ecr_2 - plugin: - - aws - service: - - AWS/ECR + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - tagging + foundational_security_item_id: + - ecr_2 + plugin: + - aws + service: + - AWS/ECR 
diff --git a/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml b/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml index 093c1dbbe..6f1038fd1 100644 --- a/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml +++ b/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml 
@@ -1,41 +1,42 @@ id: aws_ecs_cluster_container_insights_enabled title: ECS clusters should have container insights enabled +type: control description: This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN title || ' Container Insights enabled.' - ELSE title || ' Container Insights disabled.' - END AS reason, - region, - account_id - FROM - aws_ecs_cluster AS c, - jsonb_array_elements(settings) AS s; + language: sql + primary_resource: aws_ecs_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN title || ' Container Insights enabled.' + ELSE title || ' Container Insights disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ecs_cluster AS c, + jsonb_array_elements(settings) AS s; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - ecs_12 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - ecs_12 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml b/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml index 143287b13..d5b7670d6 100644 --- a/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml +++ b/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml 
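Review bot: Cross-joining `jsonb_array_elements(settings)` in the FROM makes the result one row per settings element rather than per cluster: a cluster with Container Insights enabled plus any other setting emits an extra `'alarm'` row for that element, and a cluster whose `settings` is NULL or empty produces no row at all and silently drops out of the report. Evaluate containment on the cluster row and drop the lateral join: `WHEN settings @> '[{"Name": "containerInsights", "Value": "enabled"}]' THEN 'ok'` in the status CASE, the same predicate in the reason CASE, and `FROM aws_ecs_cluster;` — the unused alias `c` goes with it. A NULL `settings` then yields NULL containment and lands in `'alarm'`, which is the right default for an unobserved setting.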
@@ -1,41 +1,42 @@ id: aws_ecs_cluster_container_instance_agent_connected title: ECS cluster container instances should have connected agent +type: control description: This control checks if ECS cluster container instances have connected agent. This control fails if the agent is not connected. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - WITH unconnected_agent_instance AS ( - SELECT - DISTINCT cluster_arn - FROM - aws_ecs_container_instance - WHERE - agent_connected = FALSE - AND status = 'ACTIVE' - ) - SELECT - c.cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.registered_container_instances_count = 0 THEN 'skip' - WHEN i.cluster_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.registered_container_instances_count = 0 THEN title || ' has no container instance registered.' - WHEN i.cluster_arn IS NULL THEN title || ' container instance has connected agent.' - ELSE title || ' container instance is either draining or has unconnected agents.' - END AS reason - FROM - aws_ecs_cluster AS c - LEFT JOIN - unconnected_agent_instance AS i - ON - c.cluster_arn = i.cluster_arn; + language: sql + primary_resource: aws_ecs_cluster + definition: | + WITH unconnected_agent_instance AS ( + SELECT + DISTINCT cluster_arn + FROM + aws_ecs_container_instance + WHERE + agent_connected = FALSE + AND status = 'ACTIVE' + ) + SELECT + c.cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.registered_container_instances_count = 0 THEN 'skip' + WHEN i.cluster_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.registered_container_instances_count = 0 THEN title || ' has no container instance registered.' 
+ WHEN i.cluster_arn IS NULL THEN title || ' container instance has connected agent.' + ELSE title || ' container instance is either draining or has unconnected agents.' + END AS reason + FROM + aws_ecs_cluster AS c + LEFT JOIN + unconnected_agent_instance AS i + ON + c.cluster_arn = i.cluster_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml index af4f2ae15..f0176c101 100644 --- a/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml 
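Review bot: The reason text `' container instance is either draining or has unconnected agents.'` does not match the CTE, which restricts to `status = 'ACTIVE'` — draining instances are excluded from `unconnected_agent_instance`, so an alarm can only mean an ACTIVE instance with a disconnected agent. Either tighten the wording to `' has an active container instance with a disconnected agent.'` or drop the `status` filter if draining instances are meant to count. `agent_connected = FALSE` also skips rows where the flag is NULL; if an unobserved agent should count as disconnected, `NOT COALESCE(agent_connected, FALSE)` does that.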
@@ -1,42 +1,43 @@ id: aws_ecs_cluster_encryption_at_rest_enabled title: ECS clusters encryption at rest should be enabled +type: control description: This control checks whether ECS Clustes have encryption at rest enabled. The check fails if encryption at rest is not enabled as sensitive data should be protected. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - WITH unencrypted_volumes AS ( - SELECT - DISTINCT cluster_arn - FROM - aws_ecs_container_instance AS i, - aws_ec2_instance AS e, - JSONB_ARRAY_ELEMENTS(block_device_mappings) AS b, - aws_ebs_volume AS v - WHERE - i.ec2_instance_id = e.instance_id - AND b -> 'Ebs' ->> 'VolumeId' = v.volume_id - AND NOT v.encrypted - ) - SELECT - c.cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.registered_container_instances_count = 0 THEN 'skip' - WHEN v.cluster_arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.registered_container_instances_count = 0 THEN c.title || ' has no container instance registered.' - WHEN v.cluster_arn IS NOT NULL THEN c.title || ' encryption at rest disabled.' - ELSE c.title || ' encryption at rest enabled.' 
- END AS reason - FROM - aws_ecs_cluster AS c - LEFT JOIN unencrypted_volumes AS v ON v.cluster_arn = c.cluster_arn; + language: sql + primary_resource: aws_ecs_cluster + definition: | + WITH unencrypted_volumes AS ( + SELECT + DISTINCT cluster_arn + FROM + aws_ecs_container_instance AS i, + aws_ec2_instance AS e, + JSONB_ARRAY_ELEMENTS(block_device_mappings) AS b, + aws_ebs_volume AS v + WHERE + i.ec2_instance_id = e.instance_id + AND b -> 'Ebs' ->> 'VolumeId' = v.volume_id + AND NOT v.encrypted + ) + SELECT + c.cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.registered_container_instances_count = 0 THEN 'skip' + WHEN v.cluster_arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.registered_container_instances_count = 0 THEN c.title || ' has no container instance registered.' + WHEN v.cluster_arn IS NOT NULL THEN c.title || ' encryption at rest disabled.' + ELSE c.title || ' encryption at rest enabled.' + END AS reason + FROM + aws_ecs_cluster AS c + LEFT JOIN unencrypted_volumes AS v ON v.cluster_arn = c.cluster_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml b/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml index 9f0752372..5ce7584fe 100644 --- a/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml +++ b/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml 
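Review bot: The `unencrypted_volumes` CTE joins four sources with a comma list and puts the join keys in WHERE, and its only unqualified column, `block_device_mappings`, resolves to whichever table happens to carry it; writing the joins explicitly ties each relation to its key and makes that reference visible. `AND NOT v.encrypted` also excludes volumes whose `encrypted` is NULL, so an unobserved volume counts as encrypted — worth a comment, or `NOT COALESCE(v.encrypted, FALSE)` if the collector does not guarantee the column. The rewrite below keeps the original predicates and qualifies `block_device_mappings` as `e.`; confirm that is where the column lives.
```sql
WITH unencrypted_volumes AS (
  SELECT DISTINCT
    cluster_arn
  FROM
    aws_ecs_container_instance AS i
    INNER JOIN aws_ec2_instance AS e
      ON e.instance_id = i.ec2_instance_id
    CROSS JOIN JSONB_ARRAY_ELEMENTS(e.block_device_mappings) AS b
    INNER JOIN aws_ebs_volume AS v
      ON v.volume_id = b -> 'Ebs' ->> 'VolumeId'
  WHERE
    NOT v.encrypted
)
-- … unchanged: SELECT over aws_ecs_cluster AS c LEFT JOIN unencrypted_volumes AS v …
```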
@@ -1,26 +1,27 @@ id: aws_ecs_cluster_no_active_services_count title: ECS cluster should be configured with active services +type: control description: This control checks if ECS cluster have active services. This control fails if ECS cluster does not have any active services. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN active_services_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN active_services_count > 0 THEN title || ' has ' || active_services_count || ' active service(s).' - ELSE title || ' has no active service.' - END AS reason - FROM - aws_ecs_cluster; + language: sql + primary_resource: aws_ecs_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN active_services_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN active_services_count > 0 THEN title || ' has ' || active_services_count || ' active service(s).' + ELSE title || ' has no active service.' + END AS reason + FROM + aws_ecs_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml b/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml index df795b67a..80acc8840 100644 --- a/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml +++ b/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml 
@@ -1,26 +1,27 @@ id: aws_ecs_cluster_no_registered_container_instance title: At least one instance should be registered with ECS cluster +type: control description: This control ensures that at least one container instance is registered with an ECS cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN registered_container_instances_count = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN registered_container_instances_count = 0 THEN title || ' has no container instance registered.' - ELSE title || ' has ' || registered_container_instances_count || ' container instance(s) registered.' - END AS reason - FROM - aws_ecs_cluster; + language: sql + primary_resource: aws_ecs_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN registered_container_instances_count = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN registered_container_instances_count = 0 THEN title || ' has no container instance registered.' + ELSE title || ' has ' || registered_container_instances_count || ' container instance(s) registered.' + END AS reason + FROM + aws_ecs_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml b/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml index 57b680874..70ac13f98 100644 --- a/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml +++ b/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml 
@@ -1,42 +1,43 @@ id: aws_ecs_service_fargate_using_latest_platform_version title: ECS Fargate services should run on the latest Fargate platform version +type: control description: This control checks if AWS ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_service - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN launch_type <> 'FARGATE' THEN 'skip' - WHEN platform_version = 'LATEST' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN launch_type <> 'FARGATE' THEN title || ' is ' || launch_type || ' service.' - WHEN platform_version = 'LATEST' THEN title || ' running on the latest Fargate platform version.' - ELSE title || ' not running on the latest Fargate platform version.' - END AS reason, - region, - account_id - FROM - aws_ecs_service; + language: sql + primary_resource: aws_ecs_service + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN launch_type <> 'FARGATE' THEN 'skip' + WHEN platform_version = 'LATEST' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN launch_type <> 'FARGATE' THEN title || ' is ' || launch_type || ' service.' + WHEN platform_version = 'LATEST' THEN title || ' running on the latest Fargate platform version.' + ELSE title || ' not running on the latest Fargate platform version.' 
+ END AS reason, + region, + account_id + FROM + aws_ecs_service; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_patch_and_version_management - foundational_security_item_id: - - ecs_10 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_patch_and_version_management + foundational_security_item_id: + - ecs_10 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml b/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml index 1a89a2af0..8e8b3370d 100644 --- a/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml +++ b/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml 
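Review bot: Both CASE expressions on the new side skip a service only when `launch_type <> 'FARGATE'` is true, so a NULL `launch_type` (which I believe is what services scheduled through a capacity-provider strategy report) makes that WHEN unknown and falls through to the `platform_version = 'LATEST'` test, alarming on services that are not Fargate at all. `WHEN launch_type IS DISTINCT FROM 'FARGATE' THEN 'skip'` keeps the skip for the NULL case; the reason line then needs a guard because `title || ' is ' || launch_type || ' service.'` collapses to NULL when `launch_type` is NULL, e.g. `WHEN launch_type IS DISTINCT FROM 'FARGATE' THEN title || ' is ' || COALESCE(launch_type, 'a non-Fargate') || ' service.'`. Whether the control should instead inspect the capacity-provider strategy for Fargate providers is a design question the description does not settle.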
@@ -1,26 +1,27 @@ id: aws_ecs_service_load_balancer_attached title: ECS services should be attached to a load balancer +type: control description: ECS service can be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in your service. It is recommended to use Application Load Balancers for your AWS ECS services so that you can take advantage of these latest features, unless your service requires a feature that is only available with Network Load Balancers or Classic Load Balancers. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_service - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(load_balancers) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN jsonb_array_length(load_balancers) = 0 THEN title || ' has no load balancer attached.' - ELSE title || ' has ' || jsonb_array_length(load_balancers) || ' load balancer(s) attached.' - END AS reason - FROM - aws_ecs_service; + language: sql + primary_resource: aws_ecs_service + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(load_balancers) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN jsonb_array_length(load_balancers) = 0 THEN title || ' has no load balancer attached.' + ELSE title || ' has ' || jsonb_array_length(load_balancers) || ' load balancer(s) attached.' + END AS reason + FROM + aws_ecs_service; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml index f15e669e3..16344b1fe 100644 --- a/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml 
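Review bot: `jsonb_array_length(load_balancers) = 0` is unknown when `load_balancers` is NULL, so a service with no load-balancer list at all lands in the ELSE branch and is reported `ok` with a reason of `... has  load balancer(s) attached.` rendered as NULL; whether the column can be NULL is not visible here, but the guard is cheap: `WHEN COALESCE(jsonb_array_length(load_balancers), 0) = 0 THEN 'alarm'` in both CASEs. `jsonb_array_length` also raises if the value is not a JSON array, which is worth a comment if the column is ever an object.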
+++ b/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml 
@@ -1,55 +1,56 @@ id: aws_ecs_service_not_publicly_accessible title: AWS ECS services should not have public IP addresses assigned to them automatically +type: control description: This control checks whether AWS ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_service - definition: | - WITH service_awsvpc_mode_task_definition AS ( - SELECT - a.service_name AS service_name, - b.task_definition_arn AS task_definition - FROM - aws_ecs_service AS a - LEFT JOIN aws_ecs_task_definition AS b - ON a.task_definition = b.task_definition_arn - WHERE - b.network_mode = 'awsvpc' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.service_name IS NULL THEN 'skip' - WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.service_name IS NULL THEN a.title || ' task definition not host network mode.' - WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN a.title || ' not publicly accessible.' - ELSE a.title || ' publicly accessible.' 
- END AS reason, - region, - account_id - FROM - aws_ecs_service AS a - LEFT JOIN service_awsvpc_mode_task_definition AS b - ON a.service_name = b.service_name + language: sql + primary_resource: aws_ecs_service + definition: | + WITH service_awsvpc_mode_task_definition AS ( + SELECT + a.service_name AS service_name, + b.task_definition_arn AS task_definition + FROM + aws_ecs_service AS a + LEFT JOIN aws_ecs_task_definition AS b + ON a.task_definition = b.task_definition_arn + WHERE + b.network_mode = 'awsvpc' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.service_name IS NULL THEN 'skip' + WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.service_name IS NULL THEN a.title || ' task definition not host network mode.' + WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN a.title || ' not publicly accessible.' + ELSE a.title || ' publicly accessible.' + END AS reason, + region, + account_id + FROM + aws_ecs_service AS a + LEFT JOIN service_awsvpc_mode_task_definition AS b + ON a.service_name = b.service_name severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_not_publicly_accessible - foundational_security_item_id: - - ecs_2 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_not_publicly_accessible + foundational_security_item_id: + - ecs_2 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml index 5fa407054..6cb9df502 100644 
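Review bot: The `skip` reason on the new side says `a.title || ' task definition not host network mode.'`, but the CTE it depends on selects task definitions with `b.network_mode = 'awsvpc'`, so the text should read `a.title || ' task definition not awsvpc network mode.'`. In the same CTE the `LEFT JOIN aws_ecs_task_definition AS b` followed by `WHERE b.network_mode = 'awsvpc'` is effectively an inner join; writing `INNER JOIN` (or moving the predicate into `ON`) makes that explicit. `network_configuration` in the outer query is unqualified while every neighbouring column carries `a.`, and this definition is the only one in the diff without a terminating semicolon.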
--- a/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml 
@@ -1,74 +1,75 @@ id: aws_ecs_task_definition_container_environment_no_secret title: ECS task definition containers should not have secrets passed as environment variables +type: control description: This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as AWS S3. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH definitions_with_secret_environment_variable AS ( - SELECT DISTINCT - task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c, - jsonb_array_elements( - CASE jsonb_typeof(c -> 'Environment') - WHEN 'array' THEN (c -> 'Environment') - ELSE NULL - END - ) AS s - WHERE - s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA']) - - UNION - - SELECT DISTINCT - task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c, - jsonb_array_elements( - CASE jsonb_typeof(c -> 'Secrets') - WHEN 'array' THEN (c -> 'Secrets') - ELSE NULL - END - ) AS s - WHERE - s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA']) - ) - - SELECT - d.task_definition_arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN e.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN e.arn IS NULL THEN d.title || ' container environment variables does not have secrets.' 
- ELSE d.title || ' container environment variables have secrets.' - END AS reason, - region, - account_id - FROM - aws_ecs_task_definition AS d - LEFT JOIN definitions_with_secret_environment_variable AS e - ON d.task_definition_arn = e.arn; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH definitions_with_secret_environment_variable AS ( + SELECT DISTINCT + task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c, + jsonb_array_elements( + CASE jsonb_typeof(c -> 'Environment') + WHEN 'array' THEN (c -> 'Environment') + ELSE NULL + END + ) AS s + WHERE + s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA']) + + UNION + + SELECT DISTINCT + task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c, + jsonb_array_elements( + CASE jsonb_typeof(c -> 'Secrets') + WHEN 'array' THEN (c -> 'Secrets') + ELSE NULL + END + ) AS s + WHERE + s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA']) + ) + + SELECT + d.task_definition_arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN e.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN e.arn IS NULL THEN d.title || ' container environment variables does not have secrets.' + ELSE d.title || ' container environment variables have secrets.' 
+ END AS reason, + region, + account_id + FROM + aws_ecs_task_definition AS d + LEFT JOIN definitions_with_secret_environment_variable AS e + ON d.task_definition_arn = e.arn; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - credentials_not_hard_coded - foundational_security_item_id: - - ecs_8 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - credentials_not_hard_coded + foundational_security_item_id: + - ecs_8 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml index 721ab5a37..0f700eb83 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml 
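Review bot: The second UNION branch of `definitions_with_secret_environment_variable` inspects the container `Secrets` array, while the description says the control examines the `environment` parameter only; ECS `secrets` entries carry a `valueFrom` reference to Secrets Manager or SSM rather than an inline value, so a secret named `AWS_ACCESS_KEY_ID` there is the recommended pattern, not a hard-coded credential, and this branch will alarm on it. Either drop the `Secrets` branch or amend the description so the two agree. Separately, `s ->> 'Name' LIKE ANY (ARRAY [...])` contains no wildcards and is plain equality; `s ->> 'Name' IN ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA')` says what is meant. Keep `UNION` rather than `UNION ALL` here, since a duplicated `arn` would multiply rows through the outer LEFT JOIN.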
@@ -1,53 +1,54 @@ id: aws_ecs_task_definition_container_non_privileged title: ECS containers should run as non-privileged +type: control description: This control checks if the privileged parameter in the container definition of AWS ECS Task Definitions is set to true. The control fails if this parameter is equal to true. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH privileged_container_definition AS ( - SELECT DISTINCT - task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c - WHERE - c ->> 'Privileged' = 'true' - ) - SELECT - d.task_definition_arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN c.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.arn IS NULL THEN d.title || ' does not have elevated privileges.' - ELSE d.title || ' has elevated privileges.' - END AS reason, - region, - account_id - FROM - aws_ecs_task_definition AS d - LEFT JOIN - privileged_container_definition AS c - ON - d.task_definition_arn = c.arn; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH privileged_container_definition AS ( + SELECT DISTINCT + task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c + WHERE + c ->> 'Privileged' = 'true' + ) + SELECT + d.task_definition_arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN c.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.arn IS NULL THEN d.title || ' does not have elevated privileges.' + ELSE d.title || ' has elevated privileges.' 
+ END AS reason, + region, + account_id + FROM + aws_ecs_task_definition AS d + LEFT JOIN + privileged_container_definition AS c + ON + d.task_definition_arn = c.arn; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - root_user_access_restrictions - foundational_security_item_id: - - ecs_4 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - root_user_access_restrictions + foundational_security_item_id: + - ecs_4 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml index 9695a4698..7571739e0 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml 
@@ -1,53 +1,54 @@ id: aws_ecs_task_definition_container_readonly_root_filesystem title: ECS containers should be limited to read-only access to root filesystems +type: control description: This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH privileged_container_definition AS ( - SELECT DISTINCT - task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c - WHERE - c ->> 'ReadonlyRootFilesystem' = 'true' - ) - SELECT - d.task_definition_arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN c.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.arn IS NOT NULL THEN d.title || ' containers limited to read-only access to root filesystems.' - ELSE d.title || ' containers not limited to read-only access to root filesystems.' 
- END AS reason, - region, - account_id - FROM - aws_ecs_task_definition AS d - LEFT JOIN - privileged_container_definition AS c - ON - d.task_definition_arn = c.arn; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH privileged_container_definition AS ( + SELECT DISTINCT + task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c + WHERE + c ->> 'ReadonlyRootFilesystem' = 'true' + ) + SELECT + d.task_definition_arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN c.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.arn IS NOT NULL THEN d.title || ' containers limited to read-only access to root filesystems.' + ELSE d.title || ' containers not limited to read-only access to root filesystems.' + END AS reason, + region, + account_id + FROM + aws_ecs_task_definition AS d + LEFT JOIN + privileged_container_definition AS c + ON + d.task_definition_arn = c.arn; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - ecs_5 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - ecs_5 + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml b/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml index 1384fb2b7..1a0adee73 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml 
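Review bot: The status logic on the new side reports `ok` as soon as one container in the task definition has `ReadonlyRootFilesystem = 'true'`, so a task with one read-only container and one writable container passes; the same any-instead-of-all pattern is in the logging hunk that follows (`c ->> 'LogConfiguration' IS NOT NULL`), and the CTE here is still named `privileged_container_definition`, copied from the previous control. Inverting the CTE to find the failing containers and alarming when any exists gives the intended all-containers semantics; the logging control gets the same treatment with `c -> 'LogConfiguration' IS NULL` as the failing predicate. Note that a task definition with an empty `container_definitions` array then becomes `ok` rather than `alarm`, which is worth a comment or an explicit guard if that case matters.
```sql
WITH writable_root_container_definition AS (
  SELECT DISTINCT
    task_definition_arn AS arn
  FROM
    aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) AS c
  WHERE
    c ->> 'ReadonlyRootFilesystem' IS DISTINCT FROM 'true'
)
SELECT
  -- … unchanged: resource, platform_integration_id, platform_resource_id …
  CASE
    WHEN c.arn IS NULL THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN c.arn IS NULL THEN d.title || ' containers limited to read-only access to root filesystems.'
    ELSE d.title || ' containers not limited to read-only access to root filesystems.'
  END AS reason,
  -- … unchanged: region, account_id, FROM aws_ecs_task_definition AS d LEFT JOIN writable_root_container_definition AS c ON d.task_definition_arn = c.arn …
```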
@@ -1,37 +1,38 @@ id: aws_ecs_task_definition_logging_enabled title: ECS task definitions should have logging enabled +type: control description: Ensure logging is enabled for task definitions so that you can access your containerized application logs for debugging and auditing purposes. On top of centralized logging, these log drivers often include additional capabilities that are useful for operation. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH task_definitions_logging_enabled AS ( - SELECT - DISTINCT task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c - WHERE - c ->> 'LogConfiguration' IS NOT NULL - ) - SELECT - a.task_definition_arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN a.title || ' logging enabled.' - ELSE a.title || ' logging disabled.' - END AS reason - FROM - aws_ecs_task_definition AS a - LEFT JOIN task_definitions_logging_enabled AS b - ON a.task_definition_arn = b.arn; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH task_definitions_logging_enabled AS ( + SELECT + DISTINCT task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c + WHERE + c ->> 'LogConfiguration' IS NOT NULL + ) + SELECT + a.task_definition_arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN a.title || ' logging enabled.' + ELSE a.title || ' logging disabled.' 
+ END AS reason + FROM + aws_ecs_task_definition AS a + LEFT JOIN task_definitions_logging_enabled AS b + ON a.task_definition_arn = b.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml b/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml index 409a87d5b..2c3ae4df9 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml 
@@ -1,40 +1,41 @@ id: aws_ecs_task_definition_no_host_pid_mode title: ECS task definitions should not share the host's process namespace +type: control description: This control checks if AWS ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - SELECT - task_definition_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN pid_mode = 'host' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN pid_mode = 'host' THEN title || ' shares the host process namespace.' - ELSE title || ' does not share the host process namespace.' - END AS reason, - region, - account_id - FROM - aws_ecs_task_definition; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + SELECT + task_definition_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN pid_mode = 'host' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN pid_mode = 'host' THEN title || ' shares the host process namespace.' + ELSE title || ' does not share the host process namespace.' + END AS reason, + region, + account_id + FROM + aws_ecs_task_definition; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - ecs_3 - plugin: - - aws - service: - - AWS/ECS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - ecs_3 + plugin: + - aws + service: + - AWS/ECS 
diff --git a/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml b/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml index 500afbcc8..856e54d9f 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml 
@@ -1,39 +1,40 @@ id: aws_ecs_task_definition_no_root_user title: ECS task definitions should not use root user. +type: control description: This control checks if ECS task definitions have root user. This control fails if the ECS task definitions have root user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH root_user_task_definition AS ( - SELECT DISTINCT - task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c - WHERE - c ->> 'User' = 'root' - ) - SELECT - a.task_definition_arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN a.title || ' have root user.' - ELSE a.title || ' does not have root user.' - END AS reason - FROM - aws_ecs_task_definition AS a - LEFT JOIN - root_user_task_definition AS b - ON - a.task_definition_arn = b.arn; + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH root_user_task_definition AS ( + SELECT DISTINCT + task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c + WHERE + c ->> 'User' = 'root' + ) + SELECT + a.task_definition_arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN a.title || ' have root user.' + ELSE a.title || ' does not have root user.' + END AS reason + FROM + aws_ecs_task_definition AS a + LEFT JOIN + root_user_task_definition AS b + ON + a.task_definition_arn = b.arn; severity: low tags: {} 
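Review bot: `c ->> 'User' = 'root'` in `root_user_task_definition` only matches the literal string, but the container `User` field also accepts `uid`, `user:group` and `uid:gid` forms, so `0`, `root:root` and `0:0` run as root and are reported `ok`; `c ->> 'User' IN ('root', '0') OR c ->> 'User' LIKE 'root:%' OR c ->> 'User' LIKE '0:%'` covers those spellings. An unset `User` falls back to the image's own USER directive, which is frequently root, so whether a missing field should also alarm is a decision to record in the description either way. The reason text `a.title || ' have root user.'` should read `' has root user.'` to match the singular subject.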
diff --git a/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml b/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml index a4a8361bd..ff1fa5b76 100644 --- a/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml 
@@ -1,73 +1,74 @@ id: aws_ecs_task_definition_user_for_host_mode_check title: ECS task definition container definitions should be checked for host mode +type: control description: Check if AWS Elastic Container Service (AWS ECS) task definition with host networking mode has 'privileged' or 'user' container definitions. The rule is non-compliant for task definitions with host network mode and container definitions of privileged. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - WITH host_network_task_definition AS ( - SELECT - DISTINCT task_definition_arn AS arn - FROM - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) AS c - WHERE - network_mode = 'host' - AND (c ->> 'Privileged' IS NOT NULL - AND c ->> 'Privileged' <> 'false' - ) - AND (c ->> 'User' IS NOT NULL - AND c ->> 'User' <> 'root' - ) + language: sql + primary_resource: aws_ecs_task_definition + definition: | + WITH host_network_task_definition AS ( + SELECT + DISTINCT task_definition_arn AS arn + FROM + aws_ecs_task_definition, + jsonb_array_elements(container_definitions) AS c + WHERE + network_mode = 'host' + AND (c ->> 'Privileged' IS NOT NULL + AND c ->> 'Privileged' <> 'false' ) - SELECT - a.task_definition_arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN 'skip' - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN a.title || ' not host network mode.' - WHEN b.arn IS NOT NULL THEN a.title || ' have secure host network mode.' - ELSE a.title || ' not have secure host network mode.' 
- END AS reason, - region, - account_id - FROM - aws_ecs_task_definition AS a - LEFT JOIN host_network_task_definition AS b - ON a.task_definition_arn = b.arn; + AND (c ->> 'User' IS NOT NULL + AND c ->> 'User' <> 'root' + ) + ) + SELECT + a.task_definition_arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN 'skip' + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN a.title || ' not host network mode.' + WHEN b.arn IS NOT NULL THEN a.title || ' have secure host network mode.' + ELSE a.title || ' not have secure host network mode.' + END AS reason, + region, + account_id + FROM + aws_ecs_task_definition AS a + LEFT JOIN host_network_task_definition AS b + ON a.task_definition_arn = b.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/ECS + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/ECS diff --git a/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml b/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml index f7c058111..cb82ba2db 100644 
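Review bot: The `host_network_task_definition` CTE on the new side treats a container that is both privileged (`c ->> 'Privileged' <> 'false'`) and non-root as the secure case, while the description says the rule is non-compliant for "container definitions of privileged", so the query and the description contradict each other on whether privileged is the good or the bad state. If the intent follows the AWS Config rule of the same name, which as I recall is non-compliant when privileged is false or empty and the user is root or empty, the two inner conditions should be combined with OR rather than AND and the description rewritten to say so; please confirm against the rule before changing either. As with the read-only root filesystem control earlier in this diff, a single qualifying container makes the whole task definition `ok` even if other containers in it do not qualify.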
--- a/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml +++ b/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml 
@@ -1,40 +1,41 @@ id: aws_efs_access_point_enforce_root_directory title: EFS access points should enforce a root directory +type: control description: This control checks if AWS EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_access_point - definition: | - SELECT - access_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN root_directory ->> 'Path' = '/' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN root_directory ->> 'Path' = '/' THEN title || ' not configured to enforce a root directory.' - ELSE title || ' configured to enforce a root directory.' - END AS reason, - region, - account_id - FROM - aws_efs_access_point; + language: sql + primary_resource: aws_efs_access_point + definition: | + SELECT + access_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN root_directory ->> 'Path' = '/' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN root_directory ->> 'Path' = '/' THEN title || ' not configured to enforce a root directory.' + ELSE title || ' configured to enforce a root directory.' + END AS reason, + region, + account_id + FROM + aws_efs_access_point; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - efs_3 - plugin: - - aws - service: - - AWS/EFS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - efs_3 + plugin: + - aws + service: + - AWS/EFS 
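Review bot: The `status` CASE reports a missing path as compliant, because `root_directory ->> 'Path' = '/'` evaluates to UNKNOWN when `root_directory` is NULL or carries no `Path` key, and the ELSE branch then yields 'ok'. The description itself states that `/` is the default root directory, so an access point with no explicit path is the case this control exists to catch and should not be reported as enforcing a root directory. Consider `WHEN root_directory ->> 'Path' IS NULL OR root_directory ->> 'Path' = '/' THEN 'alarm'` (and the matching reason), unless the collector guarantees that `Path` is always populated.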
diff --git a/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml b/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml index 73ff5a430..8c4f1e440 100644 --- a/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml +++ b/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml 
@@ -1,40 +1,41 @@ id: aws_efs_access_point_enforce_user_identity title: EFS access points should enforce a user identity +type: control description: This control checks whether AWS EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_access_point - definition: | - SELECT - access_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN posix_user IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN posix_user IS NULL THEN title || ' does not enforce a user identity.' - ELSE title || ' enforces a user identity.' - END AS reason, - region, - account_id - FROM - aws_efs_access_point; + language: sql + primary_resource: aws_efs_access_point + definition: | + SELECT + access_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN posix_user IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN posix_user IS NULL THEN title || ' does not enforce a user identity.' + ELSE title || ' enforces a user identity.' + END AS reason, + region, + account_id + FROM + aws_efs_access_point; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - efs_4 - plugin: - - aws - service: - - AWS/EFS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - efs_4 + plugin: + - aws + service: + - AWS/EFS 
diff --git a/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml b/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml index 9e3c25692..c880005ee 100644 --- a/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml +++ b/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml 
@@ -1,46 +1,47 @@ id: aws_efs_file_system_encrypt_data_at_rest title: EFS file system encryption at rest should be enabled +type: control description: Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic File System (EFS). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason, - region, - account_id - FROM - aws_efs_file_system; + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason, + region, + account_id + FROM + aws_efs_file_system; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.4.1 - cis_level: - - '1' - cis_section_id: - - '2.4' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/EFS + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.4.1 + cis_level: + - "1" + cis_section_id: + - "2.4" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/EFS diff --git a/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml b/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml index d2a12e1e4..e6edb9798 100644 --- a/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml 
+++ b/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml 
@@ -1,51 +1,52 @@ id: aws_efs_file_system_encrypted_with_cmk title: EFS file systems should be encrypted with CMK +type: control description: Ensure AWS Elastic File Systems (AWS EFS) are encrypted using CMK. The rule is non-compliant if the EFS File System is not encrypted using CMK. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH encrypted_fs AS ( - SELECT - fs.arn AS arn, - key_manager - FROM - aws_efs_file_system AS fs - LEFT JOIN aws_kms_key AS k ON fs.kms_key_id = k.arn - WHERE - enabled - ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT encrypted THEN 'alarm' - WHEN encrypted AND e.key_manager = 'CUSTOMER' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT encrypted THEN title || ' not encrypted.' - WHEN encrypted AND e.key_manager = 'CUSTOMER' THEN title || ' encrypted with CMK.' - ELSE title || ' not encrypted with CMK.' - END AS reason, - region, - account_id - FROM - aws_efs_file_system AS f - LEFT JOIN encrypted_fs AS e ON f.arn = e.arn + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH encrypted_fs AS ( + SELECT + fs.arn AS arn, + key_manager + FROM + aws_efs_file_system AS fs + LEFT JOIN aws_kms_key AS k ON fs.kms_key_id = k.arn + WHERE + enabled + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT encrypted THEN 'alarm' + WHEN encrypted AND e.key_manager = 'CUSTOMER' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT encrypted THEN title || ' not encrypted.' + WHEN encrypted AND e.key_manager = 'CUSTOMER' THEN title || ' encrypted with CMK.' + ELSE title || ' not encrypted with CMK.' 
+ END AS reason, + region, + account_id + FROM + aws_efs_file_system AS f + LEFT JOIN encrypted_fs AS e ON f.arn = e.arn severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - other_checks: - - 'true' - plugin: - - aws - service: - - AWS/EFS + category: + - Compliance + cisa_cyber_essentials: + - "true" + other_checks: + - "true" + plugin: + - aws + service: + - AWS/EFS diff --git a/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml b/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml index 63debc716..87ff78c81 100644 --- a/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml +++ b/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml 
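Review bot: The `WHERE enabled` filter in the `encrypted_fs` CTE turns `LEFT JOIN aws_kms_key` into an inner join on enabled keys, so a file system encrypted with a customer-managed key that is disabled (or with a key not visible in `aws_kms_key`, such as one in another account) falls into the ELSE branch and is reported as 'not encrypted with CMK', which is a misleading reason. Either select `k.enabled` in the CTE and give that case its own WHEN branch and reason, or drop the `WHERE enabled` so the status reflects key ownership only, and say which in a comment above the CTE. The final `LEFT JOIN encrypted_fs AS e ON f.arn = e.arn` also lacks the terminating `;` that the sibling controls use.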
@@ -1,46 +1,47 @@ id: aws_efs_file_system_enforces_ssl title: EFS file systems should enforce SSL +type: control description: To help protect data in transit, ensure that your EFS file systems require requests to use Secure Socket Layer (SSL). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_efs_file_system, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:securetransport' - ) AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = false - ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ok.status = 'ok' THEN f.title || ' policy enforces HTTPS.' - ELSE f.title || ' policy does not enforce HTTPS.' 
- END AS reason - FROM - aws_efs_file_system AS f - LEFT JOIN ssl_ok AS ok - ON ok.name = f.name; + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_efs_file_system, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text( + s -> 'Condition' -> 'Bool' -> 'aws:securetransport' + ) AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = false + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ok.status = 'ok' THEN f.title || ' policy enforces HTTPS.' + ELSE f.title || ' policy does not enforce HTTPS.' + END AS reason + FROM + aws_efs_file_system AS f + LEFT JOIN ssl_ok AS ok + ON ok.name = f.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml b/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml index 24892c721..3197ebd7f 100644 --- a/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml 
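Review bot: The outer query joins `ssl_ok` with `ON ok.name = f.name` although the CTE already exposes `arn`; `name` is not a unique key for EFS file systems (as far as I can tell it is derived from the optional Name tag), so a NULL name never matches and is reported as not enforcing HTTPS, while several file systems sharing a name are all marked 'ok' when only one of them has the deny statement. Join on the identifier instead: `ON ok.arn = f.arn`. The `jsonb_array_elements_text(s -> 'Action') AS a` expansion is never referenced and only multiplies rows that DISTINCT then collapses, so it can be dropped; this control also omits `region` and `account_id` from its output, unlike its siblings.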
@@ -1,26 +1,27 @@ id: aws_efs_file_system_in_backup_plan title: EFS file systems should be in a backup plan +type: control description: To help with data back-up processes, ensure your AWS Elastic File System (AWS EFS) file systems are a part of an AWS Backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN automatic_backups = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN automatic_backups = 'enabled' THEN title || ' automatic backups enabled.' - ELSE title || ' automatic backups not enabled.' - END AS reason - FROM - aws_efs_file_system; + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN automatic_backups = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN automatic_backups = 'enabled' THEN title || ' automatic backups enabled.' + ELSE title || ' automatic backups not enabled.' + END AS reason + FROM + aws_efs_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml index 6107312a9..4a44d4933 100644 --- a/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml 
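Review bot: The title and description promise membership in an AWS Backup plan, but the query only tests `automatic_backups = 'enabled'`, which appears to be the EFS automatic-backups flag rather than backup-plan coverage; a file system protected by a custom AWS Backup plan with automatic backups turned off would be reported as 'automatic backups not enabled'. The sibling control `aws_efs_file_system_protected_by_backup_plan` already checks `aws_backup_protected_resource`, so either this control should reuse that CTE or its title and description should be narrowed to automatic backups. A NULL `automatic_backups` lands in the ELSE branch, which is the conservative outcome and fine.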
@@ -1,69 +1,70 @@ id: aws_efs_file_system_protected_by_backup_plan title: EFS file systems should be protected by backup plan +type: control description: Ensure that AWS Elastic File System (AWS EFS) File Systems are protected by a backup plan. The rule is non-compliant if the EFS File System is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH backup_protected_file_system AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'EFS' - ) - - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN f.title || ' is protected by backup plan.' - ELSE f.title || ' is not protected by backup plan.' - END AS reason, - f.region, - f.account_id - FROM - aws_efs_file_system AS f - LEFT JOIN - backup_protected_file_system AS b - ON - f.arn = b.arn; + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH backup_protected_file_system AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'EFS' + ) + + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN f.title || ' is protected by backup plan.' + ELSE f.title || ' is not protected by backup plan.' 
+ END AS reason, + f.region, + f.account_id + FROM + aws_efs_file_system AS f + LEFT JOIN + backup_protected_file_system AS b + ON + f.arn = b.arn; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EFS - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EFS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml b/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml index 40160be86..9262b75c1 100644 --- a/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml 
@@ -1,44 +1,45 @@ id: aws_efs_file_system_restrict_public_access title: EFS file systems should restrict public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS EFS file systems cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH wildcard_action_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_efs_file_system, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - arn + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH wildcard_action_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_efs_file_system, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || - ' statements that allow public access.' - END AS reason - FROM - aws_efs_file_system AS f - LEFT JOIN wildcard_action_policies AS p ON p.arn = f.arn; + GROUP BY + arn + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' does not allow public access.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || + ' statements that allow public access.' 
+ END AS reason + FROM + aws_efs_file_system AS f + LEFT JOIN wildcard_action_policies AS p ON p.arn = f.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml b/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml index 480b146e4..e2fa1b346 100644 --- a/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml 
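Review bot: `wildcard_action_policies` counts every Allow statement with a `*` principal without looking at `s -> 'Condition'`, so a wildcard principal that is narrowed by a condition (for example on `elasticfilesystem:AccessedViaMountTarget` or a source VPC) is reported as allowing public access. If that strictness is intentional, the reason text should say so; otherwise document the decision in a comment above the CTE and consider excluding or separately reporting statements where `s -> 'Condition' IS NOT NULL`, keeping in mind that a weak condition still leaves the policy effectively public. The `COALESCE(p.statements_num, 0)` in the ELSE branch can never see a NULL, because that branch only runs when `p.arn IS NOT NULL`.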
@@ -1,43 +1,44 @@ id: aws_eks_cluster_control_plane_audit_logging_enabled title: EKS clusters should have control plane audit logging enabled +type: control description: AWS EKS clusters should have control plane audit logging enabled. These logs make it easy to secure and run clusters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH control_panel_audit_logging AS ( - SELECT - DISTINCT arn, - log -> 'Types' AS log_type - FROM - aws_eks_cluster, - jsonb_array_elements(logging -> 'ClusterLogging') AS log - WHERE - log ->> 'Enabled' = 'true' - AND (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]' - ) - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH control_panel_audit_logging AS ( + SELECT + DISTINCT arn, + log -> 'Types' AS log_type + FROM + aws_eks_cluster, + jsonb_array_elements(logging -> 'ClusterLogging') AS log + WHERE + log ->> 'Enabled' = 'true' + AND (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]' + ) + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN c.title || ' control plane audit logging enabled for all log types.' + ELSE CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN c.title || ' control plane audit logging enabled for all log types.' - ELSE - CASE - WHEN logging -> 'ClusterLogging' @> '[{"Enabled": true}]' THEN c.title || ' control plane audit logging not enabled for all log types.' - ELSE c.title || ' control plane audit logging not enabled.' 
- END - END AS reason - FROM - aws_eks_cluster AS c - LEFT JOIN control_panel_audit_logging AS l - ON l.arn = c.arn; + WHEN logging -> 'ClusterLogging' @> '[{"Enabled": true}]' THEN c.title || ' control plane audit logging not enabled for all log types.' + ELSE c.title || ' control plane audit logging not enabled.' + END + END AS reason + FROM + aws_eks_cluster AS c + LEFT JOIN control_panel_audit_logging AS l + ON l.arn = c.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml b/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml index 0e592ef42..1506390be 100644 --- a/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml +++ b/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml 
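Review bot: The CTE name `control_panel_audit_logging` is a typo for "control plane", and its `log -> 'Types' AS log_type` column is never read by the outer query; because DISTINCT applies to the pair `(arn, log_type)`, two enabled logging entries on one cluster would yield two CTE rows and a duplicated result row after the LEFT JOIN. Rename the CTE to `control_plane_audit_logging` and reduce it to `SELECT DISTINCT arn` so the join key is unique by construction. The check requires all five log types to be enabled, which is stricter than the title "audit logging enabled" suggests; a one-line comment above the CTE stating that intent would help the next reader.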
@@ -1,36 +1,37 @@ id: aws_eks_cluster_endpoint_public_access_restricted title: EKS clusters endpoint public access should be restricted +type: control description: EKS clusters endpoint with private access allows communication between your nodes and the API server stays within. This control is non-compliant if clusters endpoint public access is enabled as cluster API server is accessible from the internet. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' - AND resources_vpc_config ->> 'EndpointPublicAccess' = 'false' - THEN 'ok' - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' - AND resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' - AND resources_vpc_config ->> 'EndpointPublicAccess' = 'false' - THEN title || ' endpoint access is private.' - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' - AND resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' - THEN title || ' endpoint access is public.' - ELSE title || ' endpoint public access is restricted.' 
- END AS reason - FROM - aws_eks_cluster; + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' + AND resources_vpc_config ->> 'EndpointPublicAccess' = 'false' + THEN 'ok' + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' + AND resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' + AND resources_vpc_config ->> 'EndpointPublicAccess' = 'false' + THEN title || ' endpoint access is private.' + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' + AND resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' + THEN title || ' endpoint access is public.' + ELSE title || ' endpoint public access is restricted.' + END AS reason + FROM + aws_eks_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml index 833e8371a..6e74072ee 100644 --- a/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml 
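Review bot: The 'alarm' branch fires only when `PublicAccessCidrs` contains exactly `0.0.0.0/0`, so a cluster with public access enabled and a very broad allow-list, or an IPv6 `::/0` entry if the collector returns one, falls through to ELSE and is reported as 'endpoint public access is restricted'. The same ELSE branch also absorbs a NULL `resources_vpc_config`, which makes the control fail open on missing data. Consider extending the second WHEN with `OR resources_vpc_config -> 'PublicAccessCidrs' @> '["::/0"]'` and adding an explicit `WHEN resources_vpc_config IS NULL` branch with its own status and reason.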
@@ -1,42 +1,43 @@ id: aws_eks_cluster_endpoint_restrict_public_access title: EKS clusters endpoint should restrict public access +type: control description: Ensure whether AWS Elastic Kubernetes Service (AWS EKS) endpoint is not publicly accessible. The rule is compliant if the endpoint is publicly accessible. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN title || ' endpoint publicly accessible.' - ELSE title || ' endpoint not publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_eks_cluster; + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN title || ' endpoint publicly accessible.' + ELSE title || ' endpoint not publicly accessible.' + END AS reason, + region, + account_id + FROM + aws_eks_cluster; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EKS + category: + - Compliance + cis_controls_v8_ig1: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EKS 
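Review bot: The description ends with "The rule is compliant if the endpoint is publicly accessible", which contradicts both the title and the SQL, where `EndpointPublicAccess = 'true'` yields 'alarm'; it should read `The rule is non-compliant if the endpoint is publicly accessible.` A missing or NULL `EndpointPublicAccess` value lands in the ELSE branch as 'ok', so it is worth confirming the collector always populates that key or adding an explicit NULL branch.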
diff --git a/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml b/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml index 1599a6bc2..77fd47874 100644 --- a/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml +++ b/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml 
@@ -1,38 +1,39 @@ id: aws_eks_cluster_no_default_vpc title: EKS clusters should not be configured within a default VPC +type: control description: Ensure to configure a new VPC for your EKS cluster as default VPC comes with a default configuration that lacks the proper security controls. Your network should be well configured and should follow the least privilege principle, meaning only the necessary privileges are granted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH default_vpc_cluster AS ( - SELECT - DISTINCT c.arn - FROM - aws_eks_cluster AS c - LEFT JOIN - aws_vpc AS v ON v.vpc_id = c.resources_vpc_config ->> 'VpcId' - WHERE - v.is_default - ) - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN v.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.arn IS NOT NULL THEN title || ' uses default VPC.' - ELSE title || ' does not use default VPC.' - END AS reason - FROM - aws_eks_cluster AS c - LEFT JOIN - default_vpc_cluster AS v ON v.arn = c.arn; + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH default_vpc_cluster AS ( + SELECT + DISTINCT c.arn + FROM + aws_eks_cluster AS c + LEFT JOIN + aws_vpc AS v ON v.vpc_id = c.resources_vpc_config ->> 'VpcId' + WHERE + v.is_default + ) + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN v.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.arn IS NOT NULL THEN title || ' uses default VPC.' + ELSE title || ' does not use default VPC.' + END AS reason + FROM + aws_eks_cluster AS c + LEFT JOIN + default_vpc_cluster AS v ON v.arn = c.arn; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml b/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml index a9e08243c..e019ed29b 100644 --- a/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml +++ b/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml @@ -1,23 +1,24 @@ id: aws_eks_cluster_no_multiple_security_groups title: EKS clusters should not use multiple security groups +type: control description: This controls ensures that EKS clusters is not using multiple security groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') || ' security group(s).' AS reason - FROM - aws_eks_cluster; + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') || ' security group(s).' AS reason + FROM + aws_eks_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml b/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml index 4eb149633..4bc54883a 100644 --- a/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml +++ b/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml 
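Review bot: In the `aws_eks_cluster_no_multiple_security_groups` hunk, `jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds')` returns NULL when the key is absent, which makes the status 'ok' and, because `||` propagates NULL, turns the entire `reason` column NULL. Wrap it as `COALESCE(jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds'), 0)` in both places, or compute the count once in a CTE and reference it twice. The description also has a grammar slip; suggested wording: `This control ensures that EKS clusters are not using multiple security groups.`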
@@ -1,56 +1,57 @@ id: aws_eks_cluster_secrets_encrypted title: EKS clusters should be configured to have kubernetes secrets encrypted using KMS +type: control description: Ensure that AWS Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH eks_secrets_encrypted AS ( - SELECT - DISTINCT arn AS arn - FROM - aws_eks_cluster, - jsonb_array_elements(encryption_config) AS e - WHERE - e -> 'Resources' @> '["secrets"]' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_config IS NULL THEN 'alarm' - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_config IS NULL THEN a.title || ' encryption not enabled.' - WHEN b.arn IS NOT NULL THEN a.title || ' encrypted with EKS secrets.' - ELSE a.title || ' not encrypted with EKS secrets.' - END AS reason, - region, - account_id - FROM - aws_eks_cluster AS a - LEFT JOIN eks_secrets_encrypted AS b ON a.arn = b.arn; + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH eks_secrets_encrypted AS ( + SELECT + DISTINCT arn AS arn + FROM + aws_eks_cluster, + jsonb_array_elements(encryption_config) AS e + WHERE + e -> 'Resources' @> '["secrets"]' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_config IS NULL THEN 'alarm' + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_config IS NULL THEN a.title || ' encryption not enabled.' + WHEN b.arn IS NOT NULL THEN a.title || ' encrypted with EKS secrets.' + ELSE a.title || ' not encrypted with EKS secrets.' 
+ END AS reason, + region, + account_id + FROM + aws_eks_cluster AS a + LEFT JOIN eks_secrets_encrypted AS b ON a.arn = b.arn; severity: high tags: - category: - - Compliance - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/EKS + category: + - Compliance + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/EKS diff --git a/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml b/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml index 3fc98d5f2..1aeb7e7b9 100644 --- a/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml +++ b/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml 
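Review bot: The `eks_secrets_encrypted` CTE only checks that `'secrets'` appears in `e -> 'Resources'`; the title and description promise encryption with a KMS key, but nothing in the predicate requires a key ARN on the provider block, so an encryption entry that lists secrets without a usable key still passes. If the provider key is collected under the same capitalised naming as `Resources` (presumably `e -> 'Provider' ->> 'KeyArn'`; confirm against the stored JSON), add `AND e -> 'Provider' ->> 'KeyArn' IS NOT NULL` to that WHERE clause. Separately, `encryption_config`, `region` and `account_id` in the outer SELECT are unqualified while the neighbouring columns use `a.`; writing `a.encryption_config`, `a.region`, `a.account_id` keeps the query uniform.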
@@ -1,40 +1,41 @@ id: aws_eks_cluster_with_latest_kubernetes_version title: EKS clusters should run on a supported Kubernetes version +type: control description: This control checks whether an AWS EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (version)::decimal >= 1.19 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (version)::decimal >= 1.19 THEN title || ' runs on a supported kubernetes version.' - ELSE title || ' does not run on a supported kubernetes version.' - END AS reason, - region, - account_id - FROM - aws_eks_cluster; + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (version)::decimal >= 1.19 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (version)::decimal >= 1.19 THEN title || ' runs on a supported kubernetes version.' + ELSE title || ' does not run on a supported kubernetes version.' 
+ END AS reason, + region, + account_id + FROM + aws_eks_cluster; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_patch_and_version_management - foundational_security_item_id: - - eks_2 - plugin: - - aws - service: - - AWS/EKS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_patch_and_version_management + foundational_security_item_id: + - eks_2 + plugin: + - aws + service: + - AWS/EKS diff --git a/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml b/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml index 076a02f28..6c7ad26c3 100644 --- a/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml 
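Review bot: `(version)::decimal >= 1.19` compares the Kubernetes version as a number, so a `'1.9'` version casts to 1.9 and passes the 1.19 floor while a future `'1.100'` would cast to 1.1 and fail; decimal ordering is not version ordering. Compare the dotted components as an integer array instead, `WHEN string_to_array(version, '.')::int[] >= ARRAY[1, 19] THEN 'ok'`, in both CASE expressions. The `1.19` floor is also a hard-coded constant in a file that declares `parameters: []`; exposing it as a control parameter would let the threshold follow the EKS support calendar without editing the SQL.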
@@ -1,44 +1,45 @@ id: aws_elastic_beanstalk_enhanced_health_reporting_enabled title: Elastic Beanstalk enhanced health reporting should be enabled +type: control description: AWS Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application. Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - SELECT - application_name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN health_status IS NOT NULL AND health IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN health_status IS NOT NULL AND health IS NOT NULL THEN application_name || ' enhanced health check enabled.' - ELSE application_name || ' enhanced health check disabled.' - END AS reason, - region, - account_id - FROM - aws_elastic_beanstalk_environment; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + SELECT + application_name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN health_status IS NOT NULL AND health IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN health_status IS NOT NULL AND health IS NOT NULL THEN application_name || ' enhanced health check enabled.' + ELSE application_name || ' enhanced health check disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elastic_beanstalk_environment; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/ElasticBeanstalk + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/ElasticBeanstalk diff --git a/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml index b87201e4b..149993e74 100644 --- a/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml 
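Review bot: `application_name AS resource` keys the finding on the application rather than the environment, so several environments of one application produce findings that share a `resource` value; the other Beanstalk controls in this series key on the environment's `arn`. Change the first projected column to `arn AS resource` and keep `application_name` in the human-readable reason text. The `health_status IS NOT NULL AND health IS NOT NULL` test is a proxy for enhanced health reporting; a one-line comment above the CASE recording why those two columns being non-NULL is taken as evidence of enhanced health would document that assumption.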
@@ -1,40 +1,41 @@ id: aws_elastic_beanstalk_environment_logs_to_cloudwatch title: Elastic Beanstalk should stream logs to CloudWatch +type: control description: This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - WITH beanstalk_environment_logs_enabled AS ( - SELECT - DISTINCT e.arn - FROM - aws_elastic_beanstalk_environment AS e, - jsonb_array_elements(e.configuration_settings) AS c, - jsonb_array_elements(c -> 'OptionSettings') AS s - WHERE - s ->> 'OptionName' = 'StreamLogs' - AND s ->> 'Value' = 'true' - GROUP BY - arn - ) - SELECT - e.arn AS resource, - e.platform_integration_id AS platform_integration_id, - e.platform_resource_id AS platform_resource_id, - CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' - ELSE title || ' does not send logs to AWS CloudWatch.' 
- END AS reason - FROM - aws_elastic_beanstalk_environment AS e - LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + WITH beanstalk_environment_logs_enabled AS ( + SELECT + DISTINCT e.arn + FROM + aws_elastic_beanstalk_environment AS e, + jsonb_array_elements(e.configuration_settings) AS c, + jsonb_array_elements(c -> 'OptionSettings') AS s + WHERE + s ->> 'OptionName' = 'StreamLogs' + AND s ->> 'Value' = 'true' + GROUP BY + arn + ) + SELECT + e.arn AS resource, + e.platform_integration_id AS platform_integration_id, + e.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' + ELSE title || ' does not send logs to AWS CloudWatch.' + END AS reason + FROM + aws_elastic_beanstalk_environment AS e + LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml b/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml index 5026f7999..4dec83510 100644 --- a/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml 
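Review bot: The description promises an optional `RetentionInDays` parameter, but the file declares `parameters: []` and the query only matches `OptionName = 'StreamLogs'`, so that clause can never be honoured; either drop the sentence from the description or add the parameter and a matching predicate in the CTE. In the CTE, `GROUP BY arn` is redundant with `SELECT DISTINCT e.arn` and uses the unqualified name while the select list uses `e.arn`; dropping the GROUP BY, or qualifying it as `e.arn` as the managed-updates control in the next file does, keeps the two sibling CTEs consistent. The reason text ` send logs to AWS CloudWatch.` also reads as a slip; ` sends logs to AWS CloudWatch.` matches the negative branch.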
@@ -1,41 +1,42 @@ id: aws_elastic_beanstalk_environment_managed_updates_enabled title: Elastic Beanstalk environment should have managed updates enabled +type: control description: This control checks whether managed platform updates in an AWS Elastic Beanstalk environment is enabled. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - WITH beanstalk_environment_logs_enabled AS ( - SELECT - DISTINCT e.arn - FROM - aws_elastic_beanstalk_environment AS e, - jsonb_array_elements(e.configuration_settings) AS c, - jsonb_array_elements(c -> 'OptionSettings') AS s - WHERE - s ->> 'OptionName' = 'ManagedActionsEnabled' - AND s ->> 'Value' = 'true' - GROUP BY - e.arn - ) - SELECT - e.arn AS resource, - e.platform_integration_id AS platform_integration_id, - e.platform_resource_id AS platform_resource_id, - CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN title || ' managed actions Enabled.' - ELSE title || ' managed actions disabled.' 
- END AS reason - FROM - aws_elastic_beanstalk_environment AS e - LEFT JOIN beanstalk_environment_logs_enabled AS l - ON e.arn = l.arn; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + WITH beanstalk_environment_logs_enabled AS ( + SELECT + DISTINCT e.arn + FROM + aws_elastic_beanstalk_environment AS e, + jsonb_array_elements(e.configuration_settings) AS c, + jsonb_array_elements(c -> 'OptionSettings') AS s + WHERE + s ->> 'OptionName' = 'ManagedActionsEnabled' + AND s ->> 'Value' = 'true' + GROUP BY + e.arn + ) + SELECT + e.arn AS resource, + e.platform_integration_id AS platform_integration_id, + e.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN title || ' managed actions Enabled.' + ELSE title || ' managed actions disabled.' + END AS reason + FROM + aws_elastic_beanstalk_environment AS e + LEFT JOIN beanstalk_environment_logs_enabled AS l + ON e.arn = l.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml index 1cac18684..5ab18e69f 100644 --- a/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml 
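Review bot: The CTE is still named `beanstalk_environment_logs_enabled` although its predicate matches `OptionName = 'ManagedActionsEnabled'`; the name looks copied from the CloudWatch-logs control and misdescribes what the set contains. Rename it in both places, `WITH beanstalk_environment_managed_updates_enabled AS (` and `LEFT JOIN beanstalk_environment_managed_updates_enabled AS l`. The reason strings ` managed actions Enabled.` and ` managed actions disabled.` also differ in capitalisation; lower-case `enabled` matches the rest of the series.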
@@ -1,40 +1,41 @@ id: aws_elasticache_cluster_auto_minor_version_upgrade_enabled title: Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters +type: control description: This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticache_cluster; + language: sql + primary_resource: aws_elasticache_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticache_cluster; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_patch_and_version_management - foundational_security_item_id: - - elasticache_2 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_patch_and_version_management + foundational_security_item_id: + - elasticache_2 + plugin: + - aws + service: + - AWS/ElastiCache diff --git a/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml b/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml index 44c7ce9cc..13b55e191 100644 --- a/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml 
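Review bot: The title scopes this control to ElastiCache for Redis, but the query reads every row of `aws_elasticache_cluster` with no engine filter, so Memcached clusters are scored by the same rule and raise alarms the control text does not claim to cover. If the table exposes the engine name (Steampipe's table has an `engine` column; confirm in this schema), either add `WHERE engine = 'redis'` or widen the title and description to all ElastiCache clusters. A NULL `auto_minor_version_upgrade` currently falls through to 'alarm', which is the conservative choice; a one-line comment above the CASE saying so would make it deliberate.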
@@ -1,40 +1,41 @@ id: aws_elasticache_cluster_no_default_subnet_group title: ElastiCache clusters should not use the default subnet group +type: control description: This control checks if ElastiCache clusters are configured with a custom subnet group. The control fails for an ElastiCache cluster if CacheSubnetGroupName has the value default. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cache_subnet_group_name = 'default' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN cache_subnet_group_name = 'default' THEN title || ' not configured with a custom subnet group.' - ELSE title || ' configured with a custom subnet group.' - END AS reason, - region, - account_id - FROM - aws_elasticache_cluster; + language: sql + primary_resource: aws_elasticache_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cache_subnet_group_name = 'default' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN cache_subnet_group_name = 'default' THEN title || ' not configured with a custom subnet group.' + ELSE title || ' configured with a custom subnet group.' + END AS reason, + region, + account_id + FROM + aws_elasticache_cluster; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - elasticache_7 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - elasticache_7 + plugin: + - aws + service: + - AWS/ElastiCache 
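Review bot: `cache_subnet_group_name = 'default'` is the only test, so a NULL subnet group name evaluates to UNKNOWN, falls through to 'ok' and is reported as ' configured with a custom subnet group.' although no custom group is known for that row. Adding a leading branch, `WHEN cache_subnet_group_name IS NULL THEN 'alarm'` (or 'info' if a NULL reflects a collection gap rather than a configuration), with a matching reason such as ' has no subnet group recorded.', keeps status and reason honest. The `'default'` literal is the one value this control keys on; a comment above the CASE noting that it is the name of the auto-created subnet group the description refers to would document it.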
diff --git a/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml b/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml index 1fc75f7af..daa0935fc 100644 --- a/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml 
@@ -1,88 +1,89 @@ id: aws_elasticache_cluster_no_public_subnet title: ElastiCache clusters should not use public_subnet +type: control description: This control checks if ElastiCache clusters are configured with public subnet as there is a risk of exposing sensitive data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - WITH subnets_with_explicit_route AS ( - SELECT DISTINCT (a ->> 'SubnetId') AS all_sub - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a - WHERE a ->> 'SubnetId' IS NOT NULL - ), - public_subnets_with_explicit_route AS ( - SELECT DISTINCT a ->> 'SubnetId' AS SubnetId - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND ( - r ->> 'GatewayId' LIKE 'igw-%' - OR r ->> 'NatGatewayId' LIKE 'nat-%' - ) - AND a ->> 'SubnetId' IS NOT NULL - ), - public_subnets_with_implicit_route AS ( - SELECT DISTINCT route_table_id, - vpc_id, - region - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE a ->> 'Main' = 'true' - AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND ( - r ->> 'GatewayId' LIKE 'igw-%' - OR r ->> 'NatGatewayId' LIKE 'nat-%' - ) - ), - subnet_accessibility AS ( - SELECT subnet_id, - vpc_id, - CASE - WHEN s.subnet_id IN (SELECT all_sub - FROM subnets_with_explicit_route - WHERE all_sub NOT IN (SELECT SubnetId - FROM public_subnets_with_explicit_route)) - THEN 'private' - WHEN p.SubnetId IS NOT NULL - OR s.vpc_id IN (SELECT vpc_id - FROM public_subnets_with_implicit_route) - THEN 'public' - ELSE 'private' - END AS access - FROM aws_vpc_subnet AS s - LEFT JOIN public_subnets_with_explicit_route AS p - ON p.SubnetId = s.subnet_id - ), - cluster_public_subnet AS ( - SELECT DISTINCT arn, - cache_subnet_group_name - FROM 
aws_elasticache_subnet_group, - jsonb_array_elements(subnets) AS s - LEFT JOIN subnet_accessibility AS a - ON a.subnet_id = s ->> 'SubnetIdentifier' - WHERE a.access = 'public' + language: sql + primary_resource: aws_elasticache_cluster + definition: | + WITH subnets_with_explicit_route AS ( + SELECT DISTINCT (a ->> 'SubnetId') AS all_sub + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a + WHERE a ->> 'SubnetId' IS NOT NULL + ), + public_subnets_with_explicit_route AS ( + SELECT DISTINCT a ->> 'SubnetId' AS SubnetId + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND ( + r ->> 'GatewayId' LIKE 'igw-%' + OR r ->> 'NatGatewayId' LIKE 'nat-%' ) - SELECT c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN s.cache_subnet_group_name IS NOT NULL - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.cache_subnet_group_name IS NOT NULL - THEN c.title || ' has public subnet.' - ELSE c.title || ' has private subnet.' 
- END AS reason - FROM aws_elasticache_cluster AS c - LEFT JOIN cluster_public_subnet AS s - ON s.cache_subnet_group_name = c.cache_subnet_group_name; + AND a ->> 'SubnetId' IS NOT NULL + ), + public_subnets_with_implicit_route AS ( + SELECT DISTINCT route_table_id, + vpc_id, + region + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE a ->> 'Main' = 'true' + AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND ( + r ->> 'GatewayId' LIKE 'igw-%' + OR r ->> 'NatGatewayId' LIKE 'nat-%' + ) + ), + subnet_accessibility AS ( + SELECT subnet_id, + vpc_id, + CASE + WHEN s.subnet_id IN (SELECT all_sub + FROM subnets_with_explicit_route + WHERE all_sub NOT IN (SELECT SubnetId + FROM public_subnets_with_explicit_route)) + THEN 'private' + WHEN p.SubnetId IS NOT NULL + OR s.vpc_id IN (SELECT vpc_id + FROM public_subnets_with_implicit_route) + THEN 'public' + ELSE 'private' + END AS access + FROM aws_vpc_subnet AS s + LEFT JOIN public_subnets_with_explicit_route AS p + ON p.SubnetId = s.subnet_id + ), + cluster_public_subnet AS ( + SELECT DISTINCT arn, + cache_subnet_group_name + FROM aws_elasticache_subnet_group, + jsonb_array_elements(subnets) AS s + LEFT JOIN subnet_accessibility AS a + ON a.subnet_id = s ->> 'SubnetIdentifier' + WHERE a.access = 'public' + ) + SELECT c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN s.cache_subnet_group_name IS NOT NULL + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.cache_subnet_group_name IS NOT NULL + THEN c.title || ' has public subnet.' + ELSE c.title || ' has private subnet.' + END AS reason + FROM aws_elasticache_cluster AS c + LEFT JOIN cluster_public_subnet AS s + ON s.cache_subnet_group_name = c.cache_subnet_group_name; severity: low tags: {} 
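Review bot: Both `public_subnets_with_explicit_route` and `public_subnets_with_implicit_route` treat a `0.0.0.0/0` route to a NAT gateway (`r ->> 'NatGatewayId' LIKE 'nat-%'`) the same as a route to an internet gateway, but a NAT gateway only gives a subnet outbound reachability; the subnet stays unreachable from the internet, so every private subnet with NAT egress is classified 'public' here and its ElastiCache clusters raise false alarms. Dropping the `OR r ->> 'NatGatewayId' LIKE 'nat-%'` arm from both CTEs, leaving `r ->> 'GatewayId' LIKE 'igw-%'`, restricts the check to subnets with an actual internet-gateway default route. In `cluster_public_subnet`, the `LEFT JOIN subnet_accessibility` followed by `WHERE a.access = 'public'` is an inner join in effect and mixes a comma join with an ANSI join; an explicit `INNER JOIN` reads as intended. A comment above the first CTE describing the classification order (an explicit route-table association wins over the VPC main table) would help the next reader through the five CTEs.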
diff --git a/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml b/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml index 0482c7440..f46378333 100644 --- a/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml +++ b/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml 
@@ -1,67 +1,68 @@ id: aws_elasticache_redis_cluster_automatic_backup_retention_15_days title: ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater +type: control description: When automatic backups are enabled, AWS ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN snapshot_retention_limit < 15 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN snapshot_retention_limit = 0 THEN title || ' automatic backups not enabled.' - WHEN snapshot_retention_limit < 15 THEN title || ' automatic backup retention period is less than 15 days.' - ELSE title || ' automatic backup retention period is more than 15 days.' - END AS reason, - region, - account_id - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN snapshot_retention_limit < 15 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN snapshot_retention_limit = 0 THEN title || ' automatic backups not enabled.' + WHEN snapshot_retention_limit < 15 THEN title || ' automatic backup retention period is less than 15 days.' + ELSE title || ' automatic backup retention period is more than 15 days.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticache_replication_group; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ElastiCache - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ElastiCache + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml index 21570fabd..b1595a334 100644 --- a/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml 
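Review bot: `snapshot_retention_limit < 15` leaves a NULL retention limit as UNKNOWN, so such a replication group is scored 'ok' and described as ' automatic backup retention period is more than 15 days.' with nothing to support it. Use `WHEN COALESCE(snapshot_retention_limit, 0) < 15 THEN 'alarm'` and the same COALESCE in the reason CASE so a NULL is treated like backups not enabled, and reword the final branch to ' automatic backup retention period is 15 days or more.' since exactly 15 satisfies the control but is currently described as more than 15. The 15-day floor is also a hard-coded constant in a file declaring `parameters: []`, as with the version floor in the EKS control above; exposing it as a parameter would let the retention policy be tuned without editing the SQL.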
@@ -1,40 +1,41 @@ id: aws_elasticache_replication_group_auto_failover_enabled title: ElastiCache for Redis replication groups should have automatic failover enabled +type: control description: This control checks if ElastiCache for Redis replication groups have automatic failover enabled. This control fails if automatic failover isn't enabled for a Redis replication group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN automatic_failover = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN automatic_failover = 'enabled' THEN title || ' automatic failover enabled.' - ELSE title || ' automatic failover disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN automatic_failover = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN automatic_failover = 'enabled' THEN title || ' automatic failover enabled.' + ELSE title || ' automatic failover disabled.' + END AS reason, + region, + account_id + FROM + aws_elasticache_replication_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - elasticache_3 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - elasticache_3 + plugin: + - aws + service: + - AWS/ElastiCache 
diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml index 23f3f2e37..df9602e12 100644 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_elasticache_replication_group_encryption_at_rest_enabled title: ElastiCache for Redis replication groups should be encrypted at rest +type: control description: This control checks if ElastiCache for Redis replication groups are encrypted at rest. This control fails if an ElastiCache for Redis replication group isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN at_rest_encryption_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN at_rest_encryption_enabled THEN title || ' encryption at rest enabled.' - ELSE title || ' encryption at rest disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN at_rest_encryption_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN at_rest_encryption_enabled THEN title || ' encryption at rest enabled.' + ELSE title || ' encryption at rest disabled.' + END AS reason, + region, + account_id + FROM + aws_elasticache_replication_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_at_rest - foundational_security_item_id: - - elasticache_4 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_at_rest + foundational_security_item_id: + - elasticache_4 + plugin: + - aws + service: + - AWS/ElastiCache 
diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml index 642d7c566..4edf822d7 100644 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml 
@@ -1,56 +1,57 @@ id: aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk title: ElastiCache for Redis replication groups should be encrypted with CMK +type: control description: Ensure ElastiCache for Redis replication group are encrypted using CMK. The rule is non-compliant if the ElastiCache for Redis replication group is not encrypted using CMK. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - WITH aws_elasticache_replication_groups AS ( - SELECT - arn, - at_rest_encryption_enabled, - title, - kms_key_id, - region, - account_id, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_elasticache_replication_group - ORDER BY - arn - ), - kms_keys AS ( - SELECT - k.arn, - k.region, - k.account_id, - k.enabled - FROM - aws_kms_key AS k - ) - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT at_rest_encryption_enabled THEN 'alarm' - WHEN at_rest_encryption_enabled AND kms_key_id IS NULL THEN 'alarm' - WHEN at_rest_encryption_enabled AND kms_key_id IS NOT NULL AND k.enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT at_rest_encryption_enabled THEN r.title || ' encryption at rest disabled.' - WHEN at_rest_encryption_enabled AND kms_key_id IS NULL THEN r.title || ' encryption at rest not enabled with CMK.' - WHEN at_rest_encryption_enabled AND kms_key_id IS NOT NULL AND k.enabled THEN r.title || ' encryption at rest enabled with CMK.' - ELSE r.title || ' encryption at rest enabled with disabled CMK.' 
- END AS reason - FROM - aws_elasticache_replication_groups AS r - LEFT JOIN kms_keys AS k ON k.arn = r.kms_key_id; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + WITH aws_elasticache_replication_groups AS ( + SELECT + arn, + at_rest_encryption_enabled, + title, + kms_key_id, + region, + account_id, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_elasticache_replication_group + ORDER BY + arn + ), + kms_keys AS ( + SELECT + k.arn, + k.region, + k.account_id, + k.enabled + FROM + aws_kms_key AS k + ) + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT at_rest_encryption_enabled THEN 'alarm' + WHEN at_rest_encryption_enabled AND kms_key_id IS NULL THEN 'alarm' + WHEN at_rest_encryption_enabled AND kms_key_id IS NOT NULL AND k.enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT at_rest_encryption_enabled THEN r.title || ' encryption at rest disabled.' + WHEN at_rest_encryption_enabled AND kms_key_id IS NULL THEN r.title || ' encryption at rest not enabled with CMK.' + WHEN at_rest_encryption_enabled AND kms_key_id IS NOT NULL AND k.enabled THEN r.title || ' encryption at rest enabled with CMK.' + ELSE r.title || ' encryption at rest enabled with disabled CMK.' + END AS reason + FROM + aws_elasticache_replication_groups AS r + LEFT JOIN kms_keys AS k ON k.arn = r.kms_key_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml index 2aad07367..b33db0504 100644 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml 
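Review bot: The final ELSE branch of the reason CASE reports ' encryption at rest enabled with disabled CMK.' for every row that is not 'ok', but it is also reached when the LEFT JOIN on kms_keys finds no row (k.enabled IS NULL) — a key that was not collected, belongs to another account, or has since been deleted — which is a different finding from a key that is present and disabled. Add a branch before the ELSE such as `WHEN at_rest_encryption_enabled AND kms_key_id IS NOT NULL AND k.arn IS NULL THEN r.title || ' encryption at rest enabled with a CMK that could not be resolved.'` and mirror it in the status CASE so that case stays 'alarm' deliberately rather than by fall-through. The `ORDER BY arn` inside the aws_elasticache_replication_groups CTE has no effect on the result and can be dropped, as can the unused `_ctx`, `region` and `account_id` projections in the two CTEs. Unlike the sibling ElastiCache controls the outer SELECT does not project `r.region` and `r.account_id`; if the platform expects those columns this control is inconsistent with the others.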
@@ -1,40 +1,41 @@ id: aws_elasticache_replication_group_encryption_in_transit_enabled title: ElastiCache for Redis replication groups should be encrypted in transit +type: control description: This control checks if ElastiCache for Redis replication groups are encrypted in transit. This control fails if an ElastiCache for Redis replication group isn't encrypted in transit. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN transit_encryption_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transit_encryption_enabled THEN title || ' encryption in transit enabled.' - ELSE title || ' encryption in transit disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN transit_encryption_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transit_encryption_enabled THEN title || ' encryption in transit enabled.' + ELSE title || ' encryption in transit disabled.' + END AS reason, + region, + account_id + FROM + aws_elasticache_replication_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - elasticache_5 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - elasticache_5 + plugin: + - aws + service: + - AWS/ElastiCache 
diff --git a/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml index 0f73e22a6..cfbf96523 100644 --- a/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml 
@@ -1,51 +1,52 @@ id: aws_elasticache_replication_group_redis_auth_enabled title: ElastiCache for Redis replication groups before version 6.0 should use Redis Auth +type: control description: This control checks if ElastiCache for Redis replication groups has Redis Auth enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - WITH elasticache_cluster_node_version AS ( - SELECT - DISTINCT replication_group_id, - engine_version - FROM - aws_elasticache_cluster - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN regexp_split_to_array(v.engine_version, '.')::int[] >= regexp_split_to_array('6.0', '.')::int[] THEN 'skip' - WHEN regexp_split_to_array(v.engine_version, '.')::int[] < regexp_split_to_array('6.0', '.')::int[] AND eg.auth_token_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN regexp_split_to_array(v.engine_version, '.')::int[] >= regexp_split_to_array('6.0', '.')::int[] THEN eg.title || ' node version is ' || engine_version || '.' - WHEN regexp_split_to_array(v.engine_version, '.')::int[] < regexp_split_to_array('6.0', '.')::int[] AND eg.auth_token_enabled THEN eg.title || ' has Redis AUTH enabled.' - ELSE eg.title || ' has Redis AUTH disabled.' 
- END AS reason, - eg.region, - eg.account_id - FROM - aws_elasticache_replication_group AS eg - LEFT JOIN elasticache_cluster_node_version AS v - ON eg.replication_group_id = v.replication_group_id; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + WITH elasticache_cluster_node_version AS ( + SELECT + DISTINCT replication_group_id, + engine_version + FROM + aws_elasticache_cluster + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN regexp_split_to_array(v.engine_version, '.')::int[] >= regexp_split_to_array('6.0', '.')::int[] THEN 'skip' + WHEN regexp_split_to_array(v.engine_version, '.')::int[] < regexp_split_to_array('6.0', '.')::int[] AND eg.auth_token_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN regexp_split_to_array(v.engine_version, '.')::int[] >= regexp_split_to_array('6.0', '.')::int[] THEN eg.title || ' node version is ' || engine_version || '.' + WHEN regexp_split_to_array(v.engine_version, '.')::int[] < regexp_split_to_array('6.0', '.')::int[] AND eg.auth_token_enabled THEN eg.title || ' has Redis AUTH enabled.' + ELSE eg.title || ' has Redis AUTH disabled.' + END AS reason, + eg.region, + eg.account_id + FROM + aws_elasticache_replication_group AS eg + LEFT JOIN elasticache_cluster_node_version AS v + ON eg.replication_group_id = v.replication_group_id; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - elasticache_6 - plugin: - - aws - service: - - AWS/ElastiCache + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - elasticache_6 + plugin: + - aws + service: + - AWS/ElastiCache 
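Review bot: `regexp_split_to_array(v.engine_version, '.')` takes a POSIX regex, and an unescaped `.` matches every character, so the constant side `regexp_split_to_array('6.0', '.')::int[]` becomes an array of empty strings whose cast to int[] fails in PostgreSQL with "invalid input syntax for type integer" — as written the control cannot return rows. Split on a literal dot in all four WHEN clauses instead, e.g. `string_to_array(v.engine_version, '.')::int[]` compared against `ARRAY[6, 0]`. Separately, a replication group with no matching aws_elasticache_cluster row yields NULL for both comparisons and falls through to 'alarm' with reason ' has Redis AUTH disabled.' even when eg.auth_token_enabled is true; a leading `WHEN v.engine_version IS NULL THEN 'info'` branch with a matching reason would report that case as unknown rather than as a failure. The DISTINCT on (replication_group_id, engine_version) can also emit one row per distinct node version during an upgrade, duplicating the group in the result.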
diff --git a/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml b/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml index e1dd82080..00d6f745f 100644 --- a/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml 
@@ -1,87 +1,88 @@ id: aws_elb_application_classic_lb_logging_enabled title: ELB application and classic load balancer logging should be enabled +type: control description: Elastic Load Balancing activity is a central point of communication within an environment. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_application_load_balancer' AS platform_table_name, - CASE - WHEN load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason, - region, - account_id - FROM aws_ec2_application_load_balancer - ) - UNION - ( - SELECT - 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_classic_load_balancer' AS platform_table_name, - CASE - WHEN access_log_enabled = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN access_log_enabled = 'true' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' 
- END AS reason, - region, - account_id - FROM aws_ec2_classic_load_balancer - ); + language: sql + primary_resource: "" + definition: | + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_application_load_balancer' AS platform_table_name, + CASE + WHEN load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason, + region, + account_id + FROM aws_ec2_application_load_balancer + ) + UNION + ( + SELECT + 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_classic_load_balancer' AS platform_table_name, + CASE + WHEN access_log_enabled = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN access_log_enabled = 'true' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' 
+ END AS reason, + region, + account_id + FROM aws_ec2_classic_load_balancer + ); severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml b/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml index acccba7a7..93d6b9f09 100644 --- a/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml 
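Review bot: `UNION` between the application and classic branches forces a sort-and-deduplicate over every projected column, yet the two branches can never produce identical rows because platform_table_name differs, so `UNION ALL` is the correct operator here; the same applies to the UNIONs in aws_elb_application_classic_network_lb_prohibit_public_access and aws_elb_application_gateway_network_lb_multiple_az_configured. The classic branch compares `access_log_enabled = 'true'`; if that column is boolean this relies on implicit coercion and `WHEN access_log_enabled THEN 'ok'` would be explicit, and if it is text a short comment saying so would stop the next reader from "fixing" it. The classic ARN is assembled by hand from partition, region, account_id and title; a comment noting why the table does not provide an arn column would help, since a title containing a '/' would produce an ARN that does not match the real resource.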
@@ -1,66 +1,67 @@ id: aws_elb_application_classic_network_lb_prohibit_public_access title: ELB load balancers should prohibit public access +type: control description: An internet facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH all_lb_details AS ( - SELECT - arn, - scheme, - title, - region, - account_id, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_ec2_application_load_balancer - UNION - SELECT - arn, - scheme, - title, - region, - account_id, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_ec2_network_load_balancer - UNION - SELECT - arn, - scheme, - title, - region, - account_id, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_ec2_classic_load_balancer - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN scheme = 'internet-facing' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN scheme = 'internet-facing' THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' 
- END AS reason - FROM - all_lb_details; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH all_lb_details AS ( + SELECT + arn, + scheme, + title, + region, + account_id, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_ec2_application_load_balancer + UNION + SELECT + arn, + scheme, + title, + region, + account_id, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_ec2_network_load_balancer + UNION + SELECT + arn, + scheme, + title, + region, + account_id, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_ec2_classic_load_balancer + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN scheme = 'internet-facing' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN scheme = 'internet-facing' THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + all_lb_details; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml b/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml index 7376e791a..fc3c03658 100644 --- a/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml 
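Review bot: The status CASE treats any scheme other than 'internet-facing' as 'ok', so a row whose scheme is NULL (not populated by the collector) is reported as not publicly accessible — a fail-open default for a control whose purpose is to detect exposure. Make the unknown case explicit, e.g. `WHEN scheme = 'internet-facing' THEN 'alarm'`, `WHEN scheme = 'internal' THEN 'ok'`, `ELSE 'alarm'` with a reason such as `title || ' scheme unknown.'` for the fall-through. The control sets primary_resource to aws_ec2_application_load_balancer but emits rows from the network and classic tables as well; if the platform uses that field to resolve findings to resources, those rows may be mis-attributed, and the logging control in this same commit handles the multi-table case by projecting a `platform_table_name` column per branch.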
@@ -1,68 +1,69 @@ id: aws_elb_application_gateway_network_lb_multiple_az_configured title: ELB application, network, and gateway load balancers should span multiple availability zones +type: control description: This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The control fails if an Elastic Load Balancer V2 has instances registered in fewer than two Availability Zones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_application_load_balancer' AS platform_table_name, - CASE - WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer - UNION - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_network_load_balancer' AS platform_table_name, - CASE - WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, - region, - account_id - FROM - aws_ec2_network_load_balancer - UNION - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_gateway_load_balancer' AS platform_table_name, - CASE - WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' 
AS reason, - region, - account_id - FROM - aws_ec2_gateway_load_balancer; + language: sql + primary_resource: "" + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_application_load_balancer' AS platform_table_name, + CASE + WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer + UNION + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_network_load_balancer' AS platform_table_name, + CASE + WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, + region, + account_id + FROM + aws_ec2_network_load_balancer + UNION + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_gateway_load_balancer' AS platform_table_name, + CASE + WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, + region, + account_id + FROM + aws_ec2_gateway_load_balancer; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - elb_13 - plugin: - - aws - service: - - AWS/ELB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - elb_13 + plugin: + - aws + service: + - AWS/ELB 
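Review bot: When availability_zones is NULL, `jsonb_array_length(availability_zones) < 2` evaluates to NULL, the CASE falls to 'ok', and the `||` chain in the reason column yields NULL, so an unpopulated row passes the control silently with an empty explanation; this is repeated in all three branches. Guard it in each branch with `WHEN availability_zones IS NULL OR jsonb_array_length(availability_zones) < 2 THEN 'alarm'` and build the reason with `COALESCE(jsonb_array_length(availability_zones), 0)` so the count is always rendered. `jsonb_array_length` also raises if the value is a JSON object rather than an array, which is worth a one-line comment if the collector guarantees an array.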
diff --git a/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml index 59f5e646b..a86977eae 100644 --- a/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml 
@@ -1,56 +1,57 @@ id: aws_elb_application_lb_deletion_protection_enabled title: ELB application load balancer deletion protection should be enabled +type: control description: This rule ensures that Elastic Load Balancing has deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/ELB + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml b/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml index 37fd6c415..90d2aaabe 100644 --- a/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml 
@@ -1,49 +1,50 @@ id: aws_elb_application_lb_desync_mitigation_mode title: ELB application load balancers should be configured with defensive or strictest desync mitigation mode +type: control description: This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH app_lb_desync_mitigation_mode AS ( - SELECT - arn, - l ->> 'Key', - l ->> 'Value' AS v - FROM - aws_ec2_application_load_balancer, - jsonb_array_elements(load_balancer_attributes) AS l - WHERE - l ->> 'Key' = 'routing.http.desync_mitigation_mode' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || m.v || ' desync mitigation mode.' AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer AS a - LEFT JOIN app_lb_desync_mitigation_mode AS m ON a.arn = m.arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH app_lb_desync_mitigation_mode AS ( + SELECT + arn, + l ->> 'Key', + l ->> 'Value' AS v + FROM + aws_ec2_application_load_balancer, + jsonb_array_elements(load_balancer_attributes) AS l + WHERE + l ->> 'Key' = 'routing.http.desync_mitigation_mode' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || m.v || ' desync mitigation mode.' 
AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer AS a + LEFT JOIN app_lb_desync_mitigation_mode AS m ON a.arn = m.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - data_integrity - foundational_security_item_id: - - elb_12 - plugin: - - aws - service: - - AWS/ELB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - data_integrity + foundational_security_item_id: + - elb_12 + plugin: + - aws + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml b/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml index 8e62ece34..faf1b7edd 100644 --- a/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml 
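Review bot: When the routing.http.desync_mitigation_mode attribute is absent the LEFT JOIN yields m.v = NULL, which correctly lands on 'alarm' but also makes the reason `title || ' has ' || m.v || ' desync mitigation mode.'` NULL, so the finding carries no explanation; use `COALESCE(m.v, 'no')` in that expression. The CTE also projects `l ->> 'Key'` without an alias and never uses it — drop it, or name it if it is meant to be read downstream. A comment stating that 'monitor' is the only other documented mode and is deliberately treated as non-compliant would make the ANY(ARRAY[...]) list self-explanatory.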
@@ -1,54 +1,55 @@ id: aws_elb_application_lb_drop_http_headers title: ELB application load balancers should drop HTTP headers +type: control description: Ensure that your Elastic Load Balancers (ELB) are configured to drop http headers. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN title || ' configured to drop http headers.' - ELSE title || ' not configured to drop http headers.' - END AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN title || ' configured to drop http headers.' + ELSE title || ' not configured to drop http headers.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - gdpr: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + gdpr: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml b/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml index ef21eb4f6..13fd6f7b2 100644 --- a/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml 
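Review bot: The reason strings ' configured to drop http headers.' and ' not configured to drop http headers.' under-describe what the checked attribute `routing.http.drop_invalid_header_fields.enabled` does — it drops only header fields that fail validation, not HTTP headers in general — and a reader of the finding could conclude the load balancer strips all headers. Suggest `THEN title || ' configured to drop invalid HTTP header fields.'` and `ELSE title || ' not configured to drop invalid HTTP header fields.'`, and the same wording in the control title and description.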
@@ -1,80 +1,81 @@ id: aws_elb_application_lb_redirect_http_request_to_https title: ELB application load balancers should redirect HTTP requests to HTTPS +type: control description: To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH detailed_listeners AS ( - SELECT - arn, - load_balancer_arn, - protocol - FROM - aws_ec2_load_balancer_listener, - jsonb_array_elements(default_actions) AS ac - WHERE - split_part(arn, '/', 2) = 'app' - AND protocol = 'HTTP' - AND ac ->> 'Type' = 'redirect' - AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.load_balancer_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' - ELSE a.title || ' not associated with HTTP redirection.' 
- END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN detailed_listeners b - ON a.arn = b.load_balancer_arn + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH detailed_listeners AS ( + SELECT + arn, + load_balancer_arn, + protocol + FROM + aws_ec2_load_balancer_listener, + jsonb_array_elements(default_actions) AS ac + WHERE + split_part(arn, '/', 2) = 'app' + AND protocol = 'HTTP' + AND ac ->> 'Type' = 'redirect' + AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.load_balancer_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' + ELSE a.title || ' not associated with HTTP redirection.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN detailed_listeners b + ON a.arn = b.load_balancer_arn severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + 
nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml b/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml index 49dcef050..39b7ff1c9 100644 --- a/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml 
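Review bot: The status CASE in the new `definition` marks an ALB 'ok' as soon as one HTTP listener redirects to HTTPS and 'alarm' when the ALB has no HTTP listener at all, which is the opposite of what the description asks for and, if this is meant to track Security Hub ELB.1, of that control's semantics (fail if any HTTP listener lacks the redirect; pass when there is nothing to redirect). An HTTPS-only ALB is therefore reported as failing, while an ALB with one redirecting and one plain HTTP listener passes. The `LEFT JOIN detailed_listeners` also yields one row per redirecting listener, so an ALB with several HTTP listeners appears more than once in the result. Collecting HTTP listeners that lack an HTTPS redirect instead, as sketched below, fixes all three; the reason strings are kept as they are.
```sql
WITH http_listeners_without_redirect AS (
    -- HTTP listeners of ALBs whose default actions contain no redirect to HTTPS
    SELECT DISTINCT l.load_balancer_arn
    FROM aws_ec2_load_balancer_listener AS l
    WHERE split_part(l.arn, '/', 2) = 'app'
      AND l.protocol = 'HTTP'
      AND NOT EXISTS (
          SELECT 1
          FROM jsonb_array_elements(l.default_actions) AS ac
          WHERE ac ->> 'Type' = 'redirect'
            AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS'
      )
)
SELECT
    -- … unchanged: resource, platform_integration_id, platform_resource_id …
    CASE
        WHEN b.load_balancer_arn IS NOT NULL THEN 'alarm'
        ELSE 'ok'
    END AS status,
    CASE
        WHEN b.load_balancer_arn IS NULL THEN a.title || ' associated with HTTP redirection.'
        ELSE a.title || ' not associated with HTTP redirection.'
    END AS reason,
    -- … unchanged: a.region, a.account_id …
FROM aws_ec2_application_load_balancer AS a
LEFT JOIN http_listeners_without_redirect AS b ON a.arn = b.load_balancer_arn
```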
@@ -1,56 +1,57 @@ id: aws_elb_application_lb_waf_enabled title: ELB application load balancers should have Web Application Firewall (WAF) enabled +type: control description: Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN title || ' WAF enabled.' - ELSE title || ' WAF disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' THEN title || ' WAF enabled.' + ELSE title || ' WAF disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml b/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml index 1cf7541fb..42725306c 100644 --- a/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml 
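Review bot: The predicate in both CASE expressions tests `waf.fail_open.enabled`, which is the ALB attribute that lets requests through to targets when the WAF cannot be reached; it says nothing about whether a web ACL is associated with the load balancer, so a WAF-protected ALB with fail-open left at its default is reported `' WAF disabled.'` and an unprotected ALB that happens to set the attribute is reported `' WAF enabled.'`. From a defensive standpoint the setting the control rewards is the more permissive one. If the intent is "a web ACL is attached", the status should be derived from the web ACL association data the plugin exposes (a join from the ALB ARN to the web ACL's associated-resource list; verify the exact table and column in the plugin schema), and the fail-open attribute, if it is to be checked at all, belongs in a separate control with its own description.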
@@ -1,51 +1,52 @@ id: aws_elb_application_lb_with_outbound_rule title: ELB application load balancers should have at least one outbound rule +type: control description: Ensure application load balancers have at least one outbound rule in all the attached security groups. A security group without any outbound rule rejects all outgoing traffic. This means that all outgoing traffic originating from your cloud assets (instances, containers, etc.) will be dropped when it reaches the ELB layer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH sg_with_outbound AS ( - SELECT - arn, - sg - FROM - aws_ec2_application_load_balancer, - jsonb_array_elements_text(security_groups) AS sg - LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id - WHERE - sgr.type = 'egress' - GROUP BY - sg, arn - ), - application_lb_without_outbound AS ( - SELECT - DISTINCT arn - FROM - aws_ec2_application_load_balancer, - jsonb_array_elements_text(security_groups) AS s - WHERE - s NOT IN (SELECT sg FROM sg_with_outbound) - ) - SELECT - DISTINCT a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.security_groups IS NULL THEN 'alarm' - WHEN o.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.security_groups IS NULL THEN a.title || ' does not have security group attached.' - WHEN o.arn IS NOT NULL THEN a.title || ' all attached security groups do not have outbound rule(s).' - ELSE a.title || ' all attached security groups have outbound rule(s).' 
- END AS reason - FROM - aws_ec2_application_load_balancer AS a - LEFT JOIN application_lb_without_outbound AS o ON a.arn = o.arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH sg_with_outbound AS ( + SELECT + arn, + sg + FROM + aws_ec2_application_load_balancer, + jsonb_array_elements_text(security_groups) AS sg + LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id + WHERE + sgr.type = 'egress' + GROUP BY + sg, arn + ), + application_lb_without_outbound AS ( + SELECT + DISTINCT arn + FROM + aws_ec2_application_load_balancer, + jsonb_array_elements_text(security_groups) AS s + WHERE + s NOT IN (SELECT sg FROM sg_with_outbound) + ) + SELECT + DISTINCT a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.security_groups IS NULL THEN 'alarm' + WHEN o.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.security_groups IS NULL THEN a.title || ' does not have security group attached.' + WHEN o.arn IS NOT NULL THEN a.title || ' all attached security groups do not have outbound rule(s).' + ELSE a.title || ' all attached security groups have outbound rule(s).' + END AS reason + FROM + aws_ec2_application_load_balancer AS a + LEFT JOIN application_lb_without_outbound AS o ON a.arn = o.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml b/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml index fa644e456..02d301de5 100644 --- a/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml +++ b/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml 
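Review bot: The `sg_with_outbound` CTE writes `LEFT JOIN aws_vpc_security_group_rule AS sgr` but then filters `WHERE sgr.type = 'egress'`, which turns it into an inner join; write `INNER JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id` so the intent is visible. The alarm reason `' all attached security groups do not have outbound rule(s).'` overstates the finding, because `application_lb_without_outbound` matches as soon as one attached group has no egress rule; `' has attached security group(s) without outbound rule(s).'` describes what was actually detected. `s NOT IN (SELECT sg FROM sg_with_outbound)` is only safe because `sg` comes from `jsonb_array_elements_text` and is not NULL here; `NOT EXISTS` would make that independent of the data. This control also omits `region` and `account_id` from its result, unlike the sibling ALB controls in this diff.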
@@ -1,53 +1,54 @@ id: aws_elb_application_network_lb_use_listeners title: ELB application and network load balancers should use listeners +type: control description: Ensure that application and network load balancer must have one or more listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to its registered targets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_network_load_balancer - definition: | - WITH load_balancers AS ( - SELECT - n.arn, - n.title, - n.region, - n.account_id, - n.platform_integration_id, - n.platform_resource_id, - tags, - _ctx - FROM - aws_ec2_network_load_balancer AS n - UNION - SELECT - a.arn, - a.title, - a.region, - a.account_id, - a.platform_integration_id, - a.platform_resource_id, - tags, - _ctx - FROM - aws_ec2_application_load_balancer AS a - ) - SELECT - DISTINCT lb.arn AS resource, - lb.platform_integration_id AS platform_integration_id, - lb.platform_resource_id AS platform_resource_id, - CASE - WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' uses listener.' - ELSE lb.title || ' does not use listener.' 
- END AS reason - FROM - load_balancers AS lb - LEFT JOIN aws_ec2_load_balancer_listener AS l - ON lb.arn = l.load_balancer_arn; + language: sql + primary_resource: aws_ec2_network_load_balancer + definition: | + WITH load_balancers AS ( + SELECT + n.arn, + n.title, + n.region, + n.account_id, + n.platform_integration_id, + n.platform_resource_id, + tags, + _ctx + FROM + aws_ec2_network_load_balancer AS n + UNION + SELECT + a.arn, + a.title, + a.region, + a.account_id, + a.platform_integration_id, + a.platform_resource_id, + tags, + _ctx + FROM + aws_ec2_application_load_balancer AS a + ) + SELECT + DISTINCT lb.arn AS resource, + lb.platform_integration_id AS platform_integration_id, + lb.platform_resource_id AS platform_resource_id, + CASE + WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' uses listener.' + ELSE lb.title || ' does not use listener.' + END AS reason + FROM + load_balancers AS lb + LEFT JOIN aws_ec2_load_balancer_listener AS l + ON lb.arn = l.load_balancer_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml b/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml index d64d0aa1a..fffbc1c43 100644 --- a/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml 
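Review bot: The outer `DISTINCT` in the new `definition` exists only to hide the fan-out of `LEFT JOIN aws_ec2_load_balancer_listener`, which returns one row per listener; since the join is used purely as an existence test, `CASE WHEN EXISTS (SELECT 1 FROM aws_ec2_load_balancer_listener AS l WHERE l.load_balancer_arn = lb.arn) THEN 'ok' ELSE 'alarm' END AS status` (with the same predicate in the reason) removes both the join and the DISTINCT. The `load_balancers` CTE uses `UNION`, which sorts and de-duplicates two sets that cannot overlap (ALB and NLB ARNs differ in their resource path); `UNION ALL` states that and avoids the extra work. `tags` and `_ctx` are selected without a table qualifier while every other column is prefixed, and `primary_resource` names only the network load balancer although the control covers both types — presumably a platform constraint, but worth a one-line comment.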
@@ -1,99 +1,100 @@ id: aws_elb_application_network_lb_use_ssl_certificate title: ELB application and network load balancers should only use SSL or HTTPS listeners +type: control description: Ensure that Application Load Balancers and Network Load Balancers are configured to use certificates from AWS Certificate Manager (ACM). This rule is compliant if at least 1 load balancer is configured without a certificate from ACM. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - WITH listeners_without_certificate AS ( - SELECT - load_balancer_arn, - COUNT(*) AS count - FROM - aws_ec2_load_balancer_listener - WHERE arn NOT IN ( - SELECT - arn - FROM - aws_ec2_load_balancer_listener, - jsonb_array_elements(certificates) AS c - WHERE - c ->> 'CertificateArn' LIKE 'arn:aws:acm%' - ) - GROUP BY - load_balancer_arn - ), - all_application_network_load_balancer AS ( - SELECT - arn, - account_id, - region, - title, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_application_load_balancer' AS platform_table_name, - _ctx - FROM - aws_ec2_application_load_balancer - UNION - SELECT - arn, - account_id, - region, - title, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_ec2_network_load_balancer' AS platform_table_name, - _ctx - FROM - aws_ec2_network_load_balancer - ) + language: sql + primary_resource: "" + definition: | + WITH listeners_without_certificate AS ( + SELECT + load_balancer_arn, + COUNT(*) AS count + FROM + aws_ec2_load_balancer_listener + WHERE arn NOT IN ( SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - a.platform_table_name AS platform_table_name, - CASE - WHEN b.load_balancer_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.load_balancer_arn IS NULL 
THEN a.title || ' uses certificates provided by ACM.' - ELSE a.title || ' has ' || b.count || ' listeners which do not use certificates provided by ACM.' - END AS reason, - a.region, - a.account_id + arn FROM - all_application_network_load_balancer AS a - LEFT JOIN listeners_without_certificate AS b ON a.arn = b.load_balancer_arn; + aws_ec2_load_balancer_listener, + jsonb_array_elements(certificates) AS c + WHERE + c ->> 'CertificateArn' LIKE 'arn:aws:acm%' + ) + GROUP BY + load_balancer_arn + ), + all_application_network_load_balancer AS ( + SELECT + arn, + account_id, + region, + title, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_application_load_balancer' AS platform_table_name, + _ctx + FROM + aws_ec2_application_load_balancer + UNION + SELECT + arn, + account_id, + region, + title, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_ec2_network_load_balancer' AS platform_table_name, + _ctx + FROM + aws_ec2_network_load_balancer + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + a.platform_table_name AS platform_table_name, + CASE + WHEN b.load_balancer_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.load_balancer_arn IS NULL THEN a.title || ' uses certificates provided by ACM.' + ELSE a.title || ' has ' || b.count || ' listeners which do not use certificates provided by ACM.' 
+ END AS reason, + a.region, + a.account_id + FROM + all_application_network_load_balancer AS a + LEFT JOIN listeners_without_certificate AS b ON a.arn = b.load_balancer_arn; severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml b/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml index cde3439fe..30a113d38 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml 
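Review bot: `listeners_without_certificate` counts every listener whose `certificates` array has no ACM ARN, including HTTP and TCP listeners that carry no certificate by design, so an ALB with an HTTP listener that only redirects to HTTPS (exactly what aws_elb_application_lb_redirect_http_request_to_https in this same diff asks for) is reported as having listeners that "do not use certificates provided by ACM"; restrict the outer query to listeners that terminate TLS, e.g. `WHERE protocol IN ('HTTPS', 'TLS') AND arn NOT IN (`. The pattern `LIKE 'arn:aws:acm%'` also matches only the commercial partition: certificates in aws-us-gov or aws-cn have `arn:aws-us-gov:acm:…` / `arn:aws-cn:acm:…` ARNs and would be flagged, so `LIKE 'arn:%:acm:%'` is the partition-neutral form (the same pattern recurs in aws_elb_classic_lb_use_ssl_certificate below). The description's sentence "This rule is compliant if at least 1 load balancer is configured without a certificate from ACM" states the opposite of what the query does and should read "non-compliant".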
@@ -1,56 +1,57 @@ id: aws_elb_classic_lb_cross_zone_load_balancing_enabled title: ELB classic load balancers should have cross-zone load balancing enabled +type: control description: Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cross_zone_load_balancing_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cross_zone_load_balancing_enabled THEN title || ' cross-zone load balancing enabled.' - ELSE title || ' cross-zone load balancing disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cross_zone_load_balancing_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cross_zone_load_balancing_enabled THEN title || ' cross-zone load balancing enabled.' + ELSE title || ' cross-zone load balancing disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer; severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/ELB + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml b/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml index 6065e5453..8e8854d6c 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml 
@@ -1,50 +1,51 @@ id: aws_elb_classic_lb_desync_mitigation_mode title: ELB classic load balancers should be configured with defensive or strictest desync mitigation mode +type: control description: This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH app_lb_desync_mitigation_mode AS ( - SELECT - arn, - a ->> 'Key', - a ->> 'Value' AS v - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(additional_attributes) AS a - WHERE - a ->> 'Key' = 'elb.http.desyncmitigationmode' - ) - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || m.v || ' desync mitigation mode.' AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer AS c - LEFT JOIN app_lb_desync_mitigation_mode AS m - ON c.arn = m.arn; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH app_lb_desync_mitigation_mode AS ( + SELECT + arn, + a ->> 'Key', + a ->> 'Value' AS v + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(additional_attributes) AS a + WHERE + a ->> 'Key' = 'elb.http.desyncmitigationmode' + ) + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || m.v || ' desync mitigation mode.' 
AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer AS c + LEFT JOIN app_lb_desync_mitigation_mode AS m + ON c.arn = m.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - data_integrity - foundational_security_item_id: - - elb_14 - plugin: - - aws - service: - - AWS/ELB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - data_integrity + foundational_security_item_id: + - elb_14 + plugin: + - aws + service: + - AWS/ELB diff --git a/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml b/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml index 9d56da884..22a3964ea 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml 
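Review bot: The reason expression `title || ' has ' || m.v || ' desync mitigation mode.'` becomes NULL whenever the LEFT JOIN finds no `elb.http.desyncmitigationmode` attribute, so precisely the rows that land in 'alarm' for a missing attribute are reported with an empty reason; `COALESCE(m.v, 'no')` in that expression keeps the text readable, and it is worth confirming whether an absent attribute should be treated as the service default rather than as an alarm. The CTE also selects `a ->> 'Key'` without an alias, producing an unnamed and unused column, and is named `app_lb_desync_mitigation_mode` although it reads `aws_ec2_classic_load_balancer`; `classic_lb_desync_mitigation_mode` with the unused column dropped would be clearer.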
@@ -1,37 +1,38 @@ id: aws_elb_classic_lb_multiple_az_configured title: ELB classic load balancers should span multiple availability zones +type: control description: This control checks whether a Classic Load Balancer has been configured to span multiple Availability Zones. The control fails if the Classic Load Balancer does not span multiple Availability Zones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - elb_10 - plugin: - - aws - service: - - AWS/ELB + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - elb_10 + plugin: + - aws + service: + - AWS/ELB 
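Review bot: `jsonb_array_length(availability_zones) < 2` evaluates to NULL when the column is NULL, so the CASE falls through to 'ok' and the reason concatenation becomes NULL; if the column can be NULL, `COALESCE(jsonb_array_length(availability_zones), 0) < 2` reports such a load balancer as the alarm it is. The same shape appears in aws_elb_classic_lb_no_registered_instance below (`jsonb_array_length(instances) = 0`), where a NULL `instances` column is likewise reported 'ok'. That control also drops `region` and `account_id` from the result set that every other classic-LB control in this diff returns.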
diff --git a/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml b/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml index 9aa972fe8..989926a19 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml @@ -1,23 +1,24 @@ id: aws_elb_classic_lb_no_registered_instance title: ELB classic load balancers should have at least one registered instance +type: control description: This control checks whether an ELB classic load balancer has registered instances. The control fails if an ELB classic load balancer has zero instances registered. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(instances) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(instances) || ' instance(s) registered.' AS reason - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(instances) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(instances) || ' instance(s) registered.' AS reason + FROM + aws_ec2_classic_load_balancer; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml b/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml index f1cb3e41e..9d0d59c4f 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml 
@@ -1,78 +1,79 @@ id: aws_elb_classic_lb_use_ssl_certificate title: ELB classic load balancers should use SSL certificates +type: control description: Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH detailed_classic_listeners AS ( - SELECT - name, - platform_resource_id - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(listener_descriptions) AS listener_description - WHERE - listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') - AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' - ) - SELECT - 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.listener_descriptions IS NULL THEN 'skip' - WHEN b.name IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' - WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' - ELSE a.title || ' uses certificates provided by ACM.' 
- END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer AS a - LEFT JOIN detailed_classic_listeners AS b ON a.platform_resource_id = b.platform_resource_id + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH detailed_classic_listeners AS ( + SELECT + name, + platform_resource_id + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(listener_descriptions) AS listener_description + WHERE + listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') + AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' + ) + SELECT + 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.listener_descriptions IS NULL THEN 'skip' + WHEN b.name IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' + WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' + ELSE a.title || ' uses certificates provided by ACM.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer AS a + LEFT JOIN detailed_classic_listeners AS b ON a.platform_resource_id = b.platform_resource_id severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml b/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml index bd7dca8a2..8388a0d77 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml 
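Review bot: The status logic in the new `definition` appears inverted: `detailed_classic_listeners` selects load balancers whose TLS listeners do use an ACM certificate (`SSLCertificateId LIKE 'arn:aws:acm%'`), yet a match yields 'alarm' with the reason `' does not use certificates provided by ACM.'`, while a load balancer with an IAM-uploaded certificate, or with no TLS listener at all, is reported 'ok'. If the reason strings carry the intent, the CTE filter should be `AND COALESCE(listener_description -> 'Listener' ->> 'SSLCertificateId', '') NOT LIKE 'arn:%:acm:%'`, which also stops rejecting ACM certificates from the aws-us-gov and aws-cn partitions (the resource ARN a few lines below is already built from `a.partition`). The CTE returns one row per matching listener, so the LEFT JOIN duplicates the load-balancer row when several listeners match; `SELECT DISTINCT name, platform_resource_id` in the CTE avoids that.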
@@ -1,66 +1,67 @@ id: aws_elb_classic_lb_use_tls_https_listeners title: ELB classic load balancers should only use SSL or HTTPS listeners +type: control description: Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' THEN title || ' configured with HTTPS protocol.' - WHEN listener_description -> 'Listener' ->> 'Protocol' = 'SSL' THEN title || ' configured with TLS protocol.' - ELSE title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.' - END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(listener_descriptions) AS listener_description; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' THEN title || ' configured with HTTPS protocol.' 
+ WHEN listener_description -> 'Listener' ->> 'Protocol' = 'SSL' THEN title || ' configured with TLS protocol.' + ELSE title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.' + END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(listener_descriptions) AS listener_description; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ELB - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ELB + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml b/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml index 5501a9aec..0b94f73da 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml 
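Review bot: A classic load balancer with no listeners silently drops out of the results, because `jsonb_array_elements(listener_descriptions)` in the FROM clause yields no row when the column is NULL; the ACM-certificate control in this same change handles that case with `WHEN a.listener_descriptions IS NULL THEN 'skip'` and this one should be consistent. Each listener also produces its own row keyed to the same load balancer ARN, so a balancer with one HTTP and one HTTPS listener reports both 'ok' and 'alarm' for a single resource, which does not match the title's "only use" wording; grouping by balancer with `bool_and(listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS'))` would give one verdict per resource. Minor: the SSL branch's reason says `' configured with TLS protocol.'` while the literal matched is `'SSL'`, so one of the two should change.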
@@ -1,50 +1,51 @@ id: aws_elb_classic_lb_with_inbound_rule title: ELB classic load balancers should have at least one inbound rule +type: control description: Ensure classic load balancer have at least one inbound rule in all the attached security groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH sg_with_inbound AS ( - SELECT - arn, - sg - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements_text(security_groups) AS sg - LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id - WHERE - sgr.type = 'ingress' - GROUP BY - sg, arn - ), classic_lb_without_inbound AS ( - SELECT - DISTINCT arn - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements_text(security_groups) AS s - WHERE - s NOT IN (SELECT sg FROM sg_with_inbound) - ) - SELECT - DISTINCT c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.security_groups IS NULL THEN 'alarm' - WHEN i.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.security_groups IS NULL THEN c.title || ' does not have security group attached.' - WHEN i.arn IS NOT NULL THEN c.title || ' all attached security groups do not have inbound rule(s).' - ELSE c.title || ' all attached security groups have inbound rule(s).' 
- END AS reason - FROM - aws_ec2_classic_load_balancer AS c - LEFT JOIN classic_lb_without_inbound AS i ON c.arn = i.arn; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH sg_with_inbound AS ( + SELECT + arn, + sg + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements_text(security_groups) AS sg + LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id + WHERE + sgr.type = 'ingress' + GROUP BY + sg, arn + ), classic_lb_without_inbound AS ( + SELECT + DISTINCT arn + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements_text(security_groups) AS s + WHERE + s NOT IN (SELECT sg FROM sg_with_inbound) + ) + SELECT + DISTINCT c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.security_groups IS NULL THEN 'alarm' + WHEN i.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.security_groups IS NULL THEN c.title || ' does not have security group attached.' + WHEN i.arn IS NOT NULL THEN c.title || ' all attached security groups do not have inbound rule(s).' + ELSE c.title || ' all attached security groups have inbound rule(s).' + END AS reason + FROM + aws_ec2_classic_load_balancer AS c + LEFT JOIN classic_lb_without_inbound AS i ON c.arn = i.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml b/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml index 9d8ae9008..d980d9d35 100644 --- a/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml 
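Review bot: An empty `security_groups` array passes as 'ok': the first WHEN only tests `c.security_groups IS NULL`, and `jsonb_array_elements_text('[]')` yields no rows, so `classic_lb_without_inbound` never sees the balancer. Extend the guard in both CASE expressions to `WHEN c.security_groups IS NULL OR jsonb_array_length(c.security_groups) = 0 THEN 'alarm'`; the existing reason text "does not have security group attached" already fits. The join `ON sg = sgr.group_id` is not scoped by account or region, so in a multi-account rule table a group ID belonging to another account would satisfy the check — presumably IDs do not collide in practice, but adding the account/region equality costs nothing. The `GROUP BY sg, arn` in `sg_with_inbound` only deduplicates; `SELECT DISTINCT` or an `EXISTS` subquery states that intent more plainly.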
@@ -1,51 +1,52 @@ id: aws_elb_classic_lb_with_outbound_rule title: ELB classic load balancers should have at least one outbound rule +type: control description: Ensure classic load balancers have at least one outbound rule in all the attached security groups. A security group without any outbound rule rejects all outgoing traffic. This means that all outgoing traffic originating from your cloud assets (instances, containers, etc.) will be dropped when it reaches the ELB layer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH sg_with_outbound AS ( - SELECT - arn, - sg - FROM - aws_ec2_classic_load_balancer, - JSONB_ARRAY_ELEMENTS_TEXT(security_groups) AS sg - LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id - WHERE - sgr.type = 'egress' - GROUP BY - sg, - arn - ), classic_lb_without_outbound AS ( - SELECT - DISTINCT arn - FROM - aws_ec2_classic_load_balancer, - JSONB_ARRAY_ELEMENTS_TEXT(security_groups) AS s - WHERE - s NOT IN (SELECT sg FROM sg_with_outbound) - ) - SELECT - DISTINCT c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.security_groups IS NULL THEN 'alarm' - WHEN o.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.security_groups IS NULL THEN c.title || ' does not have security group attached.' - WHEN o.arn IS NOT NULL THEN c.title || ' all attached security groups do not have outbound rule(s).' - ELSE c.title || ' all attached security groups have outbound rule(s).' 
- END AS reason - FROM - aws_ec2_classic_load_balancer AS c - LEFT JOIN classic_lb_without_outbound AS o ON c.arn = o.arn; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH sg_with_outbound AS ( + SELECT + arn, + sg + FROM + aws_ec2_classic_load_balancer, + JSONB_ARRAY_ELEMENTS_TEXT(security_groups) AS sg + LEFT JOIN aws_vpc_security_group_rule AS sgr ON sg = sgr.group_id + WHERE + sgr.type = 'egress' + GROUP BY + sg, + arn + ), classic_lb_without_outbound AS ( + SELECT + DISTINCT arn + FROM + aws_ec2_classic_load_balancer, + JSONB_ARRAY_ELEMENTS_TEXT(security_groups) AS s + WHERE + s NOT IN (SELECT sg FROM sg_with_outbound) + ) + SELECT + DISTINCT c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.security_groups IS NULL THEN 'alarm' + WHEN o.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.security_groups IS NULL THEN c.title || ' does not have security group attached.' + WHEN o.arn IS NOT NULL THEN c.title || ' all attached security groups do not have outbound rule(s).' + ELSE c.title || ' all attached security groups have outbound rule(s).' + END AS reason + FROM + aws_ec2_classic_load_balancer AS c + LEFT JOIN classic_lb_without_outbound AS o ON c.arn = o.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml b/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml index 1f6c8802f..052f6d71b 100644 --- a/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml +++ b/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml 
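Review bot: Same gap as the inbound control: a balancer whose `security_groups` is `[]` is reported 'ok', because only NULL is checked and `JSONB_ARRAY_ELEMENTS_TEXT` of an empty array produces no row for `classic_lb_without_outbound` to flag. Add `OR jsonb_array_length(c.security_groups) = 0` to the first WHEN of both CASE expressions. The `ON sg = sgr.group_id` join is likewise unscoped by account and region; constraining it to the balancer's `account_id` and `region` keeps a multi-account rule table from cross-matching. The function is spelled `JSONB_ARRAY_ELEMENTS_TEXT` here and `jsonb_array_elements_text` in the inbound control; pick one casing for the pair.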
@@ -1,26 +1,27 @@ id: aws_elb_listener_use_secure_ssl_cipher title: ELB listeners should use secure SSL cipher +type: control description: Ensure that ELB listeners do not have any insecure SSL ciphers. Using insecure and deprecated ciphers for your ELB Predefined Security Policy or Custom Security Policy could make the SSL connection between the client and the load balancer vulnerable to exploits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_load_balancer_listener - definition: | - SELECT - load_balancer_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_policy LIKE ANY(ARRAY['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ssl_policy LIKE ANY(ARRAY['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']) THEN title || ' uses secure SSL cipher.' - ELSE title || ' uses insecure SSL cipher.' - END AS reason - FROM - aws_ec2_load_balancer_listener; + language: sql + primary_resource: aws_ec2_load_balancer_listener + definition: | + SELECT + load_balancer_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_policy LIKE ANY(ARRAY['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ssl_policy LIKE ANY(ARRAY['ELBSecurityPolicy-TLS-1-2-2017-01', 'ELBSecurityPolicy-TLS-1-1-2017-01']) THEN title || ' uses secure SSL cipher.' + ELSE title || ' uses insecure SSL cipher.' + END AS reason + FROM + aws_ec2_load_balancer_listener; severity: low tags: {} 
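Review bot: The allow-list accepts exactly `ELBSecurityPolicy-TLS-1-2-2017-01` and `ELBSecurityPolicy-TLS-1-1-2017-01`, so a TLS 1.1 policy is rated 'secure' while the newer TLS 1.2/1.3 policies (for example `ELBSecurityPolicy-TLS13-1-2-2021-06`, which the NLB control in this same change treats as acceptable) are alarmed. A plain HTTP or TCP listener has no `ssl_policy`, and `NULL LIKE ANY(...)` is NULL, so it falls to ELSE and is reported as "uses insecure SSL cipher"; the protocol-version control uses `WHEN protocol <> 'HTTPS' THEN 'skip'` and this one should skip non-TLS listeners the same way. `LIKE ANY` with no wildcards is just equality, so `ssl_policy IN (...)` reads as intended, and the accepted-policy list is a natural candidate for the currently empty `parameters` so it can be updated without editing SQL.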
diff --git a/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml b/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml index 32e5e14d9..428aa99b8 100644 --- a/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml +++ b/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml 
@@ -1,57 +1,58 @@ id: aws_elb_network_lb_tls_listener_security_policy_configured title: ELB network load balancers should have TLS listener security policy configured +type: control description: Ensure that your Network Load Balancers (NLBs) are configured with a TLS listener security policy. Using insecure ciphers for your NLB Predefined or Custom Security Policy could make the TLS connection between the client and the load balancer vulnerable to exploits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_network_load_balancer - definition: | - WITH tls_listeners AS ( - SELECT - DISTINCT load_balancer_arn - FROM - aws_ec2_load_balancer_listener - WHERE - protocol = 'TLS' - AND ssl_policy NOT IN ( - 'ELBSecurityPolicy-2016-08', - 'ELBSecurityPolicy-FS-2018-0', - 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', - 'ELBSecurityPolicy-TLS13-1-2-2021-06' - ) - GROUP BY - load_balancer_arn - ), nwl_without_tls_listener AS ( - SELECT - load_balancer_arn, - COUNT(*) - FROM - aws_ec2_load_balancer_listener - WHERE - protocol = 'TLS' - GROUP BY - load_balancer_arn + language: sql + primary_resource: aws_ec2_network_load_balancer + definition: | + WITH tls_listeners AS ( + SELECT + DISTINCT load_balancer_arn + FROM + aws_ec2_load_balancer_listener + WHERE + protocol = 'TLS' + AND ssl_policy NOT IN ( + 'ELBSecurityPolicy-2016-08', + 'ELBSecurityPolicy-FS-2018-0', + 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', + 'ELBSecurityPolicy-TLS13-1-2-2021-06' ) - SELECT - lb.arn AS resource, - lb.platform_integration_id AS platform_integration_id, - lb.platform_resource_id AS platform_resource_id, - CASE - WHEN l.load_balancer_arn IS NOT NULL - AND lb.arn IN (SELECT load_balancer_arn FROM tls_listeners) THEN 'alarm' - WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' - ELSE 'info' - END AS status, - CASE - WHEN l.load_balancer_arn IS NOT NULL - AND lb.arn IN (SELECT load_balancer_arn FROM tls_listeners) THEN lb.title || 
' TLS listener security policy not updated.' - WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' TLS listener security policy updated.' - ELSE lb.title || ' does not use TLS listener.' - END AS reason - FROM - aws_ec2_network_load_balancer AS lb - LEFT JOIN nwl_without_tls_listener AS l ON l.load_balancer_arn = lb.arn; + GROUP BY + load_balancer_arn + ), nwl_without_tls_listener AS ( + SELECT + load_balancer_arn, + COUNT(*) + FROM + aws_ec2_load_balancer_listener + WHERE + protocol = 'TLS' + GROUP BY + load_balancer_arn + ) + SELECT + lb.arn AS resource, + lb.platform_integration_id AS platform_integration_id, + lb.platform_resource_id AS platform_resource_id, + CASE + WHEN l.load_balancer_arn IS NOT NULL + AND lb.arn IN (SELECT load_balancer_arn FROM tls_listeners) THEN 'alarm' + WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' + ELSE 'info' + END AS status, + CASE + WHEN l.load_balancer_arn IS NOT NULL + AND lb.arn IN (SELECT load_balancer_arn FROM tls_listeners) THEN lb.title || ' TLS listener security policy not updated.' + WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' TLS listener security policy updated.' + ELSE lb.title || ' does not use TLS listener.' + END AS reason + FROM + aws_ec2_network_load_balancer AS lb + LEFT JOIN nwl_without_tls_listener AS l ON l.load_balancer_arn = lb.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml b/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml index a202f64ae..ae8411065 100644 --- a/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml +++ b/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml 
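Review bot: `ELBSecurityPolicy-2016-08` is in the accepted list, yet it is the default policy that still negotiates TLS 1.0 and 1.1, so an NLB left on the default passes a control whose description is about avoiding insecure ciphers; it should be dropped, or the list moved into `parameters`. `'ELBSecurityPolicy-FS-2018-0'` does not look like a complete policy name (the forward-secrecy policies I am aware of end in `-06`), so presumably nothing ever matches it — worth verifying. The CTE `nwl_without_tls_listener` actually selects balancers that HAVE a TLS listener and `tls_listeners` holds the ones with a rejected policy; `nlb_with_tls_listener` / `nlb_with_weak_policy` would describe them correctly. `ssl_policy NOT IN (...)` drops a TLS listener whose `ssl_policy` is NULL (three-valued logic) and that balancer then reports 'ok'; `COALESCE(ssl_policy, '') NOT IN (...)` keeps it visible.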
@@ -1,28 +1,29 @@ id: aws_elb_tls_listener_protocol_version title: ELB listeners SSL/TLS protocol version should be checked +type: control description: Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_load_balancer_listener - definition: | - SELECT - load_balancer_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN protocol <> 'HTTPS' THEN 'skip' - WHEN protocol = 'HTTPS' AND ssl_policy LIKE ANY (ARRAY['Protocol-SSLv3', 'Protocol-TLSv1']) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN protocol <> 'HTTPS' THEN title || ' uses protocol ' || protocol || '.' - WHEN ssl_policy LIKE ANY (ARRAY['Protocol-SSLv3', 'Protocol-TLSv1']) THEN title || ' uses insecure SSL or TLS cipher.' - ELSE title || ' uses secure SSL or TLS cipher.' - END AS reason - FROM - aws_ec2_load_balancer_listener; + language: sql + primary_resource: aws_ec2_load_balancer_listener + definition: | + SELECT + load_balancer_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN protocol <> 'HTTPS' THEN 'skip' + WHEN protocol = 'HTTPS' AND ssl_policy LIKE ANY (ARRAY['Protocol-SSLv3', 'Protocol-TLSv1']) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN protocol <> 'HTTPS' THEN title || ' uses protocol ' || protocol || '.' + WHEN ssl_policy LIKE ANY (ARRAY['Protocol-SSLv3', 'Protocol-TLSv1']) THEN title || ' uses insecure SSL or TLS cipher.' + ELSE title || ' uses secure SSL or TLS cipher.' + END AS reason + FROM + aws_ec2_load_balancer_listener; severity: low tags: {} 
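Review bot: The alarm branch looks unreachable: `ssl_policy LIKE ANY (ARRAY['Protocol-SSLv3', 'Protocol-TLSv1'])` has no wildcards, so it is an equality test, but the sibling controls in this change compare the same `ssl_policy` column with AWS policy names such as `ELBSecurityPolicy-TLS-1-2-2017-01`, which suggests the column never holds `Protocol-TLSv1` and every HTTPS listener reports "uses secure SSL or TLS cipher". If the intent is to catch policies that enable SSLv3/TLS 1.0, match the policy names that do (e.g. `ssl_policy IN ('ELBSecurityPolicy-2016-08', 'ELBSecurityPolicy-TLS-1-0-2015-04')`, ideally parameterised), or join whatever table exposes a policy's protocol list if the collector has one. Network-load-balancer listeners use protocol `TLS`, not `HTTPS`, so `WHEN protocol <> 'HTTPS' THEN 'skip'` excludes them entirely; `WHEN protocol NOT IN ('HTTPS', 'TLS') THEN 'skip'` would cover both.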
diff --git a/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml b/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml index dd1335692..723eeb2b3 100644 --- a/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml +++ b/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml 
@@ -1,42 +1,43 @@ id: aws_emr_account_public_access_blocked title: EMR public access should be blocked at account level +type: control description: The block public access feature prevents a cluster in a public subnet from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception - port 22 is an exception by default. This feature is enabled by default for each AWS Region in your AWS account and is not recommended to be turned off. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_block_public_access_configuration - definition: | - WITH emr_port_configuration AS ( - SELECT - region, - account_id - FROM - aws_emr_block_public_access_configuration, - jsonb_array_elements(permitted_public_security_group_rule_ranges) AS r - WHERE - (r -> 'MaxRange')::int = 22 - AND (r -> 'MinRange')::int = 22 - AND block_public_security_group_rules - ) - SELECT - 'arn:' || c.partition || '::' || c.region || ':' || c.account_id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT block_public_security_group_rules THEN 'alarm' - WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT block_public_security_group_rules THEN c.region || ' EMR block public access disabled.' - WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN c.region || ' EMR block public access enabled.' - ELSE c.region || ' EMR block public access enabled for ports other than 22.' 
- END AS reason - FROM - aws_emr_block_public_access_configuration AS c - LEFT JOIN emr_port_configuration AS p - ON p.region = c.region AND p.account_id = c.account_id + language: sql + primary_resource: aws_emr_block_public_access_configuration + definition: | + WITH emr_port_configuration AS ( + SELECT + region, + account_id + FROM + aws_emr_block_public_access_configuration, + jsonb_array_elements(permitted_public_security_group_rule_ranges) AS r + WHERE + (r -> 'MaxRange')::int = 22 + AND (r -> 'MinRange')::int = 22 + AND block_public_security_group_rules + ) + SELECT + 'arn:' || c.partition || '::' || c.region || ':' || c.account_id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT block_public_security_group_rules THEN 'alarm' + WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT block_public_security_group_rules THEN c.region || ' EMR block public access disabled.' + WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN c.region || ' EMR block public access enabled.' + ELSE c.region || ' EMR block public access enabled for ports other than 22.' + END AS reason + FROM + aws_emr_block_public_access_configuration AS c + LEFT JOIN emr_port_configuration AS p + ON p.region = c.region AND p.account_id = c.account_id severity: low tags: {} diff --git a/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml b/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml index a3b83faa0..3109b625e 100644 --- a/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml +++ b/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml 
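Review bot: The port-22 exception is checked in the wrong direction: `emr_port_configuration` only asks whether some permitted range is exactly 22–22, so a region that exempts 22 and also 80–8080 is reported 'ok', while a region stricter than the default (blocking enabled, no exceptions at all) is alarmed as "enabled for ports other than 22". Invert the CTE to collect ranges that are not 22–22, `WHERE NOT ((r ->> 'MinRange')::int = 22 AND (r ->> 'MaxRange')::int = 22)`, and flip the CASE to `WHEN p.region IS NOT NULL THEN 'alarm' ELSE 'ok'` with the two reasons swapped accordingly. The resource string `'arn:' || c.partition || '::' || c.region || ':' || c.account_id` is not a well-formed ARN (empty service segment, no resource part); it is still unique per region and account, but `'arn:' || c.partition || ':elasticmapreduce:' || c.region || ':' || c.account_id || ':block-public-access'` would read as one.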
@@ -1,36 +1,37 @@ id: aws_emr_cluster_encryption_at_rest_with_sse_kms title: EMR clusters server side encryption (SSE KMS) enabled with KMS +type: control description: This control checks whether EMR clusters server side encryption (SSE KMS) is enabled with KMS. The check fails if encryption at rest is not enabled with SSE-KMS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN s.name IS NULL THEN 'alarm' - WHEN NOT (encryption_configuration -> 'EnableAtRestEncryption')::bool THEN 'alarm' - WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.name IS NULL THEN c.title || ' security configuration disabled.' - WHEN NOT (encryption_configuration -> 'EnableAtRestEncryption')::bool THEN c.title || ' encryption at rest disabled.' - WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' THEN c.title || ' encryption at rest enabled with SSE KMS.' - ELSE c.title || ' encryption at rest not enabled with SSE KMS.' 
- END AS reason - FROM - aws_emr_cluster AS c - LEFT JOIN - aws_emr_security_configuration AS s - ON - c.security_configuration = s.name - AND s.region = s.region - AND s.account_id = c.account_id; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN s.name IS NULL THEN 'alarm' + WHEN NOT (encryption_configuration -> 'EnableAtRestEncryption')::bool THEN 'alarm' + WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.name IS NULL THEN c.title || ' security configuration disabled.' + WHEN NOT (encryption_configuration -> 'EnableAtRestEncryption')::bool THEN c.title || ' encryption at rest disabled.' + WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' THEN c.title || ' encryption at rest enabled with SSE KMS.' + ELSE c.title || ' encryption at rest not enabled with SSE KMS.' + END AS reason + FROM + aws_emr_cluster AS c + LEFT JOIN + aws_emr_security_configuration AS s + ON + c.security_configuration = s.name + AND s.region = s.region + AND s.account_id = c.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml b/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml index 9c8091346..e1fc43ab4 100644 --- a/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml +++ b/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml 
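Review bot: The join predicate `AND s.region = s.region` compares the security-configuration row with itself and is always true for a non-NULL region, so the intended regional scoping is missing: a security configuration with the same name in another region of the same account joins to this cluster and its `encryption_configuration` is evaluated instead, giving a false 'ok' or a duplicated row. Change it to `AND s.region = c.region`; the local-disk CMK control in this same change has the identical typo. Minor: `encryption_configuration` is referenced unqualified; writing `s.encryption_configuration` makes it clear which side of the join the setting comes from.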
@@ -1,52 +1,53 @@ id: aws_emr_cluster_kerberos_enabled title: EMR cluster Kerberos should be enabled +type: control description: The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for AWS EMR clusters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kerberos_attributes IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kerberos_attributes IS NULL THEN title || ' Kerberos not enabled.' - ELSE title || ' Kerberos enabled.' - END AS reason, - region, - account_id - FROM - aws_emr_cluster; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kerberos_attributes IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kerberos_attributes IS NULL THEN title || ' Kerberos not enabled.' + ELSE title || ' Kerberos enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_emr_cluster; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/EMR - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EMR + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml b/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml index 86448744c..a173aeea5 100644 --- a/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml +++ b/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml 
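Review bot: "Enabled" is inferred from `kerberos_attributes IS NULL` alone, so any non-NULL value passes — including an empty object, if the collector ever stores `{}` for clusters without Kerberos, which cannot be confirmed from here. A defensive form is `WHEN kerberos_attributes IS NULL OR kerberos_attributes = '{}'::jsonb THEN 'alarm'`, with the same guard in the reason branch. The control also evaluates every cluster regardless of state, whereas the master-node control in this change skips states other than RUNNING/WAITING; aligning the two would avoid alarming on clusters that have already terminated.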
@@ -1,38 +1,39 @@ id: aws_emr_cluster_local_disk_encrypted_with_cmk title: EMR cluster local disks should be encrypted with CMK +type: control description: Ensure EMR cluster local disk are encrypted using CMK. This control fails if an EMR cluster local disk isn't encrypted with CMK. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN s.name IS NULL THEN 'alarm' - WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NULL THEN 'alarm' - WHEN s.name IS NOT NULL - AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NOT NULL - AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.name IS NULL THEN c.title || ' security configuration disabled.' - WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NULL THEN c.title || ' local disk not encrypted.' - WHEN s.name IS NOT NULL - AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NOT NULL - AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' THEN c.title || ' local disk encrypted with CMK.' - ELSE c.title || ' local disk not encrypted with CMK.' 
- END AS reason - FROM - aws_emr_cluster AS c - LEFT JOIN aws_emr_security_configuration AS s - ON c.security_configuration = s.name - AND s.region = s.region - AND s.account_id = c.account_id; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN s.name IS NULL THEN 'alarm' + WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NULL THEN 'alarm' + WHEN s.name IS NOT NULL + AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NOT NULL + AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.name IS NULL THEN c.title || ' security configuration disabled.' + WHEN (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NULL THEN c.title || ' local disk not encrypted.' + WHEN s.name IS NOT NULL + AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') IS NOT NULL + AND (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EncryptionKeyProviderType') = 'Custom' THEN c.title || ' local disk encrypted with CMK.' + ELSE c.title || ' local disk not encrypted with CMK.' + END AS reason + FROM + aws_emr_cluster AS c + LEFT JOIN aws_emr_security_configuration AS s + ON c.security_configuration = s.name + AND s.region = s.region + AND s.account_id = c.account_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml b/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml index 3df8cd0ef..afbdb2fa6 100644 
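Review bot: Same join defect as the SSE-KMS control: `AND s.region = s.region` is a tautology, so the security configuration is matched on name and account only and a same-named configuration from a different region can be evaluated for this cluster; it should read `AND s.region = c.region`. The third WHEN's `s.name IS NOT NULL AND (...'LocalDiskEncryptionConfiguration') IS NOT NULL AND` is redundant, since both conditions are already excluded by the preceding branches, so the branch can be reduced to the `EncryptionKeyProviderType = 'Custom'` test in both CASE expressions. Note that `'Custom'` denotes a custom key-provider class rather than a KMS customer-managed key; if "CMK" here is meant in the KMS sense, the KMS-backed provider type (I believe `AwsKms`, to be confirmed) with a key ARN should also be accepted, and the description should say which is intended.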
--- a/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml +++ b/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml 
@@ -1,70 +1,71 @@ id: aws_emr_cluster_master_nodes_no_public_ip title: EMR cluster master nodes should not have public IP addresses +type: control description: Manage access to the AWS Cloud by ensuring AWS EMR cluster master nodes cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - c.cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN 'skip' - WHEN s.map_public_ip_on_launch THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN c.title || ' is in ' || (c.status ->> 'State') || ' state.' - WHEN s.map_public_ip_on_launch THEN c.title || ' master nodes assigned with public IP.' - ELSE c.title || ' master nodes not assigned with public IP.' - END AS reason, - c.region, - c.account_id - FROM - aws_emr_cluster AS c - LEFT JOIN - aws_vpc_subnet AS s - ON - c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + c.cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN 'skip' + WHEN s.map_public_ip_on_launch THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN c.title || ' is in ' || (c.status ->> 'State') || ' state.' + WHEN s.map_public_ip_on_launch THEN c.title || ' master nodes assigned with public IP.' + ELSE c.title || ' master nodes not assigned with public IP.' 
+ END AS reason, + c.region, + c.account_id + FROM + aws_emr_cluster AS c + LEFT JOIN + aws_vpc_subnet AS s + ON + c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/EMR - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/EMR + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml b/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml index 43ddf51cc..66fd51d08 100644 --- a/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml +++ b/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml 
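Review bot: The LEFT JOIN to aws_vpc_subnet matches on `Ec2SubnetId` alone, so a cluster whose subnet row was not collected (or whose id collides with a subnet in another account or region) gets a NULL `s.map_public_ip_on_launch` and falls through to 'ok' with the reason 'master nodes not assigned with public IP' — a silent pass on exactly the condition this control exists to catch. Constrain the join with `AND s.account_id = c.account_id AND s.region = c.region`, as the EMR local-disk control earlier in this diff does for its security-configuration join, and make the unmatched case explicit with a `WHEN s.subnet_id IS NULL THEN 'skip'` branch (reason `c.title || ' subnet not found.'`) placed before the public-IP branch in both CASE expressions. Note also that only the subnet's auto-assign setting is inspected; whether that reflects the master node's actual address is not visible from this hunk.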
@@ -1,26 +1,27 @@ id: aws_emr_cluster_security_configuration_enabled title: EMR clusters should have security configuration enabled +type: control description: Ensure EMR cluster have security configuration enabled. This control fails if security configuration is not enabled for EMR cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN security_configuration IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN security_configuration IS NOT NULL THEN title || ' security configuration enabled.' - ELSE title || ' security configuration disabled.' - END AS reason - FROM - aws_emr_cluster; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN security_configuration IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN security_configuration IS NOT NULL THEN title || ' security configuration enabled.' + ELSE title || ' security configuration disabled.' + END AS reason + FROM + aws_emr_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml b/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml index 632f14703..229de85f1 100644 --- a/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml 
@@ -1,46 +1,47 @@ id: aws_es_domain_audit_logging_enabled title: Elasticsearch domains should have audit logging enabled +type: control description: This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - es_5 - plugin: - - aws - service: - - AWS/ES + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - es_5 + plugin: + - aws + service: + - AWS/ES diff --git a/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml b/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml index 43e135e6f..5a4edce24 100644 --- a/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_es_domain_cognito_authentication_enabled title: Elasticsearch domains should have cognito authentication enabled +type: control description: AWS Elasticsearch service uses AWS Cognito to offer user name and password protection for Kibana. This control is non-compliant if AWS Cognito authentication is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cognito_options ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cognito_options ->> 'Enabled' = 'true' THEN title || ' AWS Cognito authentication for Kibana enabled.' - ELSE title || ' AWS Cognito authentication for Kibana disabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cognito_options ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cognito_options ->> 'Enabled' = 'true' THEN title || ' AWS Cognito authentication for Kibana enabled.' + ELSE title || ' AWS Cognito authentication for Kibana disabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml b/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml index 703aafa0d..333fc9ab4 100644 --- a/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml +++ b/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml 
@@ -1,42 +1,43 @@ id: aws_es_domain_data_nodes_min_3 title: Elasticsearch domains should have at least three data nodes +type: control description: This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN 'alarm' - WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - AND (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN title || ' zone awareness disabled.' - ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN 'alarm' + WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true' + AND (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN title || ' zone awareness disabled.' + ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - es_6 - plugin: - - aws - service: - - AWS/ES + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - es_6 + plugin: + - aws + service: + - AWS/ES diff --git a/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml b/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml index 137e4801c..db8fe0a93 100644 --- a/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml +++ b/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml 
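Review bot: In the reason CASE the ELSE branch concatenates `(elasticsearch_cluster_config ->> 'InstanceCount')` directly, so a domain whose config lacks that key gets a NULL reason while its status is 'alarm' (the `::integer` comparison is NULL and falls to ELSE), which leaves an alarm with no explanation to triage. Wrap it as `COALESCE(elasticsearch_cluster_config ->> 'InstanceCount', 'unknown')` or add a dedicated `WHEN elasticsearch_cluster_config ->> 'InstanceCount' IS NULL THEN title || ' data node count unknown.'` branch. The dedicated-master hunk that follows has the same gap with `DedicatedMasterCount` and should get the same treatment.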
@@ -1,43 +1,44 @@ id: aws_es_domain_dedicated_master_nodes_min_3 title: Elasticsearch domains should be configured with at least three dedicated master nodes +type: control description: This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN 'alarm' - WHEN - elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true' - AND (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN title || ' dedicated master nodes disabled.' - ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).' 
- END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN 'alarm' + WHEN + elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true' + AND (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN title || ' dedicated master nodes disabled.' + ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).' + END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - es_7 - plugin: - - aws - service: - - AWS/ES + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - es_7 + plugin: + - aws + service: + - AWS/ES diff --git a/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml b/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml index a0f645fbc..7c8b728d2 100644 --- a/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml +++ b/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml 
@@ -1,40 +1,41 @@ id: aws_es_domain_encrypted_using_tls_1_2 title: Connections to Elasticsearch domains should be encrypted using TLS 1.2 +type: control description: This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN title || ' encrypted using TLS 1.2.' - ELSE title || ' not encrypted using TLS 1.2.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN title || ' encrypted using TLS 1.2.' + ELSE title || ' not encrypted using TLS 1.2.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - es_8 - plugin: - - aws - service: - - AWS/ES + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - es_8 + plugin: + - aws + service: + - AWS/ES diff --git a/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml index 12a267647..c6d05a84d 100644 --- a/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml 
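Review bot: The status check requires `TLSSecurityPolicy` to equal exactly 'Policy-Min-TLS-1-2-2019-07', so a domain on a newer policy that is at least as strict (for example the PFS variant `Policy-Min-TLS-1-2-PFS-2023-10`, where it is in use) is reported as 'alarm' with the reason 'not encrypted using TLS 1.2', a false positive that teaches operators to ignore the control. Consider accepting every TLS 1.2-minimum policy, e.g. `WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' IN ('Policy-Min-TLS-1-2-2019-07', 'Policy-Min-TLS-1-2-PFS-2023-10') THEN 'ok'`, applied to both the status and reason CASE, and keep the description's policy list in sync. A NULL or absent policy still falls through to 'alarm', which is the right default here.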
@@ -1,64 +1,65 @@ id: aws_es_domain_encryption_at_rest_enabled title: ES domain encryption at rest should be enabled +type: control description: Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elasticsearch Service (AWS ES) domains. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest not enabled.' - ELSE title || ' encryption at rest enabled.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest not enabled.' + ELSE title || ' encryption at rest enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ES - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ES + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml b/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml index 85af91c7b..ed6cfa043 100644 --- a/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml 
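Review bot: Status alarms only when `encryption_at_rest_options ->> 'Enabled' = 'false'`, so a domain whose options are absent or hold no Enabled key evaluates to NULL and lands in ELSE as 'ok' with the reason 'encryption at rest enabled' — a fail-open default for an encryption control. Invert it to the positive form the Cognito and internal-user-database controls in this diff already use: `WHEN encryption_at_rest_options ->> 'Enabled' = 'true' THEN 'ok' ELSE 'alarm'`, with the two reason branches swapped to match. The node-to-node encryption hunk later in this diff has the same shape (`WHEN NOT enabled THEN 'alarm' ELSE 'ok'` treats a NULL `enabled` as ok) and should be inverted the same way.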
@@ -1,46 +1,47 @@ id: aws_es_domain_error_logging_enabled title: Elasticsearch domain error logging to CloudWatch Logs should be enabled +type: control description: This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' - ELSE - 'alarm' - END AS status, - CASE - WHEN - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' error logging enabled.' - ELSE - title || ' error logging disabled.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' + ELSE + 'alarm' + END AS status, + CASE + WHEN + log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' error logging enabled.' + ELSE + title || ' error logging disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - es_4 - plugin: - - aws - service: - - AWS/ES + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - es_4 + plugin: + - aws + service: + - AWS/ES diff --git a/compliance/controls/aws/aws_es_domain_in_vpc.yaml b/compliance/controls/aws/aws_es_domain_in_vpc.yaml index a27071304..ed07551c8 100644 --- a/compliance/controls/aws/aws_es_domain_in_vpc.yaml +++ b/compliance/controls/aws/aws_es_domain_in_vpc.yaml 
@@ -1,64 +1,65 @@ id: aws_es_domain_in_vpc title: ES domains should be in a VPC +type: control description: Manage access to the AWS Cloud by ensuring AWS Elasticsearch Service (AWS ES) Domains are within an AWS Virtual Private Cloud (AWS VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' - ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' + ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ES - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ES + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml b/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml index 2b23672ed..0af3a9e70 100644 --- a/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_es_domain_internal_user_database_enabled title: Elasticsearch domains should have internal user database enabled +type: control description: Ensure Elasticsearch domains have internal user database enabled. This control is non-compliant if a domain's internal user database is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN title || ' internal user database enabled.' - ELSE title || ' internal user database disabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN title || ' internal user database enabled.' + ELSE title || ' internal user database disabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml index cd7dd5012..6a3cf9c24 100644 --- a/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml 
@@ -1,84 +1,85 @@ id: aws_es_domain_logs_to_cloudwatch title: Elasticsearch domain should send logs to CloudWatch +type: control description: Ensure that AWS OpenSearch Service (OpenSearch Service) domains are configured to send logs to AWS CloudWatch Logs. The rule is compliant if a log is enabled for an OpenSearch Service domain. This rule is non-compliant if logging is not configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - AND - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - AND - ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - AND - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - AND - ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL - ) - THEN title || ' logging enabled for search, index, and error.' - ELSE title || ' logging not enabled for all search, index, and error.' 
- END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + AND + ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + AND + ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + AND + ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + AND + ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL + ) + THEN title || ' logging enabled for search, index, and error.' + ELSE title || ' logging not enabled for all search, index, and error.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ES - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ES + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml b/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml index 49e7449e3..539435e45 100644 --- a/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml 
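Review bot: The description says the rule is compliant "if a log is enabled", but the query only returns 'ok' when ES_APPLICATION_LOGS, SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS are all enabled with a CloudWatchLogsLogGroupArn, so the text understates what operators must configure, and AUDIT_LOGS (checked by a separate control in this diff) is not part of it. Either reword the description to "compliant only if application, search-slow and index-slow logs are all delivered to CloudWatch Logs" or relax the predicate to match the stated intent. The three enabled/ARN pairs are also duplicated verbatim between the status and reason CASE expressions; evaluating them once in a CTE would keep the two from drifting apart on the next edit.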
@@ -1,66 +1,67 @@ id: aws_es_domain_node_to_node_encryption_enabled title: Elasticsearch domain node-to-node encryption should be enabled +type: control description: Ensure node-to-node encryption for AWS Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the AWS Virtual Private Cloud (AWS VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' - WHEN NOT enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN title || ' node-to-node encryption not supported in ' || region || '.' - WHEN NOT enabled THEN title || ' node-to-node encryption disabled.' - ELSE title || ' node-to-node encryption enabled.' - END AS reason, - region, - account_id - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' + WHEN NOT enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN title || ' node-to-node encryption not supported in ' || region || '.' + WHEN NOT enabled THEN title || ' node-to-node encryption disabled.' + ELSE title || ' node-to-node encryption enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_elasticsearch_domain; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/ES - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/ES + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml b/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml index c6405fb7d..832eb4b22 100644 --- a/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml +++ b/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml 
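Review bot: In the status CASE, `WHEN NOT enabled THEN 'alarm'` does not fire when `enabled` is NULL, because `NOT NULL` is NULL and the row falls through to `ELSE 'ok'`; a domain with no node-to-node encryption setting recorded would then be reported as encrypted. If the column is nullable, `WHEN enabled IS NOT TRUE THEN 'alarm'` (and `WHEN enabled IS NOT TRUE THEN title || ' node-to-node encryption disabled.'` in the reason CASE) treats the absent setting as disabled, which is the safer default for an encryption control. The region skip list is repeated verbatim in both CASE expressions; keeping it in one place would make the two branches easier to keep in sync.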
@@ -1,28 +1,29 @@ id: aws_eventbridge_custom_bus_resource_based_policy_attached title: EventBridge custom event buses should have a resource-based policy attached +type: control description: This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eventbridge_bus - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN name = 'default' THEN 'skip' - WHEN policy_std IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN name = 'default' THEN title || ' is default event bus.' - WHEN policy_std IS NOT NULL THEN title || ' has resource based policy attached.' - ELSE title || ' does not have resource based policy attached.' - END AS reason - FROM - aws_eventbridge_bus; + language: sql + primary_resource: aws_eventbridge_bus + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN name = 'default' THEN 'skip' + WHEN policy_std IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN name = 'default' THEN title || ' is default event bus.' + WHEN policy_std IS NOT NULL THEN title || ' has resource based policy attached.' + ELSE title || ' does not have resource based policy attached.' + END AS reason + FROM + aws_eventbridge_bus; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_account_1.yaml b/compliance/controls/aws/aws_foundational_security_account_1.yaml index 4935b7062..81feb7b07 100644 --- a/compliance/controls/aws/aws_foundational_security_account_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_account_1.yaml 
@@ -1,50 +1,51 @@ id: aws_foundational_security_account_1 title: 1 Security contact information should be provided for an AWS account +type: control description: This control checks if an Amazon Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH alternate_security_contact AS ( - SELECT - name, - account_id - FROM - aws_account_alternate_contact - WHERE - contact_type = 'SECURITY' - ), - account AS ( - SELECT - arn, - partition, - title, - account_id, - _ctx - FROM - aws_account - ) - SELECT - arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.partition = 'aws-us-gov' THEN 'info' - WHEN c.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' - WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' - ELSE a.title || ' security contact not registered.' 
- END AS reason - FROM - account AS a, - alternate_security_contact AS c - WHERE - c.account_id = a.account_id + language: sql + primary_resource: aws_account + definition: | + WITH alternate_security_contact AS ( + SELECT + name, + account_id + FROM + aws_account_alternate_contact + WHERE + contact_type = 'SECURITY' + ), + account AS ( + SELECT + arn, + partition, + title, + account_id, + _ctx + FROM + aws_account + ) + SELECT + arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.partition = 'aws-us-gov' THEN 'info' + WHEN c.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.' + WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.' + ELSE a.title || ' security contact not registered.' + END AS reason + FROM + account AS a, + alternate_security_contact AS c + WHERE + c.account_id = a.account_id severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_acm_1.yaml b/compliance/controls/aws/aws_foundational_security_acm_1.yaml index 2177421cb..0901faeda 100644 --- a/compliance/controls/aws/aws_foundational_security_acm_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_acm_1.yaml 
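Review bot: The `account` CTE exposes only `arn, partition, title, account_id, _ctx`, yet the outer query selects `a.platform_integration_id` and `a.platform_resource_id`, so the query should fail with an unknown-column error; add `platform_integration_id,` and `platform_resource_id,` to the CTE's column list. Independently, the comma join `FROM account AS a, alternate_security_contact AS c WHERE c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact produces no row at all and the `ELSE 'alarm'` branch can never be reached — the failure case this control exists to report. The sibling control for the same check uses `LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id`, which should be used here too. The `_ctx` column is projected by the CTE but never read.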
@@ -1,27 +1,28 @@ id: aws_foundational_security_acm_1 title: 1 Imported ACM certificates should be renewed after a specified time period +type: control description: This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' - WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' - ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM not_after - current_date) || ' days).' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip' + WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.' + ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM not_after - current_date) || ' days).' + END AS reason + FROM + aws_acm_certificate; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_acm_2.yaml b/compliance/controls/aws/aws_foundational_security_acm_2.yaml index ff4aff719..a62db5758 100644 --- a/compliance/controls/aws/aws_foundational_security_acm_2.yaml 
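Review bot: The reason CASE concatenates `not_after` into the text via `TO_CHAR(not_after, ...)` and `EXTRACT(day FROM not_after - current_date)`; if `not_after` can be NULL (for example a certificate that has not been issued yet), `||` propagates the NULL and the row gets status `'alarm'` with a NULL reason. Guarding with `WHEN not_after IS NULL THEN title || ' has no expiry date.'` ahead of the ELSE keeps the reason populated, and `DATE(current_date)` in the status branch is redundant since `current_date` is already a date. Whether the column is nullable is not visible in this hunk.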
+++ b/compliance/controls/aws/aws_foundational_security_acm_2.yaml @@ -1,28 +1,29 @@ id: aws_foundational_security_acm_2 title: RSA certificates managed by ACM should use a key length of at least 2,048 bits +type: control description: This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT key_algorithm LIKE 'RSA-%' THEN 'skip' - WHEN key_algorithm = 'RSA_1024' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT key_algorithm LIKE 'RSA-%' THEN title || ' is not a RSA certificate.' - WHEN key_algorithm = 'RSA_1024' THEN title || ' is using 1024 bits key length.' - ELSE title || ' is using ' || SPLIT_PART(key_algorithm, '-', 2) || ' bits key length.' - END AS reason - FROM - aws_acm_certificate; + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT key_algorithm LIKE 'RSA-%' THEN 'skip' + WHEN key_algorithm = 'RSA_1024' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT key_algorithm LIKE 'RSA-%' THEN title || ' is not a RSA certificate.' + WHEN key_algorithm = 'RSA_1024' THEN title || ' is using 1024 bits key length.' + ELSE title || ' is using ' || SPLIT_PART(key_algorithm, '-', 2) || ' bits key length.' + END AS reason + FROM + aws_acm_certificate; severity: high tags: {} 
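Review bot: The skip branch tests `key_algorithm LIKE 'RSA-%'` (hyphen) while the alarm branch tests `key_algorithm = 'RSA_1024'` (underscore); since the alarm branch is only reached for values matching the hyphen pattern, one of the two spellings is wrong, and either every RSA certificate is skipped or a 1024-bit certificate is reported `'ok'` with reason `is using 1024 bits key length`. The two branches, and the `SPLIT_PART(key_algorithm, '-', 2)` in the reason, must agree on the separator the `key_algorithm` column actually uses. Once they do, comparing the extracted length numerically, e.g. `WHEN CAST(SPLIT_PART(key_algorithm, '-', 2) AS integer) < 2048 THEN 'alarm'`, would also cover any other sub-2048 value rather than only the literal 1024.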
diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml index 6646d6e1f..9cf1fbd6a 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml 
@@ -1,51 +1,52 @@ id: aws_foundational_security_apigateway_1 title: 1 API Gateway REST and WebSocket API logging should be enabled +type: control description: This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - WITH all_stages AS ( - SELECT - name AS stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS arn, - method_settings -> '*/*' ->> 'LoggingLevel' AS log_level, - title, - region, - account_id, - tags, - _ctx - FROM - aws_api_gateway_stage - UNION - SELECT - stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS arn, - default_route_logging_level AS log_level, - title, - region, - account_id, - tags, - _ctx - FROM - aws_api_gatewayv2_stage - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN title || ' logging not enabled.' - ELSE title || ' logging enabled.' 
- END AS reason - FROM - all_stages; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + WITH all_stages AS ( + SELECT + name AS stage_name, + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS arn, + method_settings -> '*/*' ->> 'LoggingLevel' AS log_level, + title, + region, + account_id, + tags, + _ctx + FROM + aws_api_gateway_stage + UNION + SELECT + stage_name, + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS arn, + default_route_logging_level AS log_level, + title, + region, + account_id, + tags, + _ctx + FROM + aws_api_gatewayv2_stage + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN log_level IS NULL OR log_level = '' OR log_level = 'OFF' THEN title || ' logging not enabled.' + ELSE title || ' logging enabled.' + END AS reason + FROM + all_stages; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml index 712658a6c..366f5629e 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml 
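Review bot: `all_stages` does not project `platform_integration_id` or `platform_resource_id`, but the outer SELECT reads both, so the query should fail with an unknown-column error; add `platform_integration_id,` and `platform_resource_id,` to the column list of both SELECTs in the CTE. The two branches are combined with `UNION`, which sorts and de-duplicates; the constructed ARNs differ between REST and v2 stages by construction, so `UNION ALL` gives the same rows without the extra work. Note also that only the `*/*` entry of `method_settings` is inspected, whereas the description promises a failure when logging is off for any method of a stage — per-method overrides in `method_settings` would not be seen.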
@@ -1,26 +1,27 @@ id: aws_foundational_security_apigateway_2 title: 2 API Gateway REST API stages should be configured to use SSL certificates for backend authentication +type: control description: This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN client_certificate_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN client_certificate_id IS NULL THEN title || ' does not use SSL certificate.' - ELSE title || ' uses SSL certificate.' - END AS reason - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN client_certificate_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN client_certificate_id IS NULL THEN title || ' does not use SSL certificate.' + ELSE title || ' uses SSL certificate.' + END AS reason + FROM + aws_api_gateway_stage; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml index d93527c57..188bcc346 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_apigateway_3 title: 3 API Gateway REST API stages should have AWS X-Ray tracing enabled +type: control description: This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN tracing_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN tracing_enabled THEN title || ' X-Ray tracing enabled.' - ELSE title || ' X-Ray tracing disabled.' - END AS reason - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN tracing_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN tracing_enabled THEN title || ' X-Ray tracing enabled.' + ELSE title || ' X-Ray tracing disabled.' + END AS reason + FROM + aws_api_gateway_stage; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml index 4a6274950..1bf602f9a 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_apigateway_4 title: 4 API Gateway should be associated with an AWS WAF web ACL +type: control description: This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN web_acl_arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN web_acl_arn IS NOT NULL THEN title || ' associated with WAF web ACL.' - ELSE title || ' not associated with WAF web ACL.' - END AS reason - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN web_acl_arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN web_acl_arn IS NOT NULL THEN title || ' associated with WAF web ACL.' + ELSE title || ' not associated with WAF web ACL.' + END AS reason + FROM + aws_api_gateway_stage; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml index 4e9488b0d..bae44035b 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml 
@@ -1,29 +1,30 @@ id: aws_foundational_security_apigateway_5 title: 5 API Gateway REST API cache data should be encrypted at rest +type: control description: This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' - THEN title || ' API cache and encryption enabled.' - ELSE title || ' API cache and encryption not enabled.' - END AS reason - FROM - aws_api_gateway_stage; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' + AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN method_settings -> '*/*' ->> 'CachingEnabled' = 'true' + AND method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' + THEN title || ' API cache and encryption enabled.' + ELSE title || ' API cache and encryption not enabled.' 
+ END AS reason + FROM + aws_api_gateway_stage; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml index c08a7dc4a..83fa3a0e6 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml 
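Review bot: The status CASE returns `'alarm'` for every stage where `CachingEnabled` is not `'true'`, but the description says the control fails only when a method has caching enabled and the cache is unencrypted; a stage with caching off is therefore reported as a failure with the misleading reason `API cache and encryption not enabled`. Adding a first branch `WHEN COALESCE(method_settings -> '*/*' ->> 'CachingEnabled', 'false') <> 'true' THEN 'skip'` (with a matching `title || ' API cache not enabled.'` in the reason CASE) leaves the alarm for the actual unencrypted-cache case. As in the sibling API Gateway controls, only the `*/*` key is examined, so per-method cache settings are not covered.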
@@ -1,26 +1,27 @@ id: aws_foundational_security_apigateway_8 title: 8 API Gateway routes should specify an authorization type +type: control description: This control checks if Amazon API Gateway routes have an authorization type. The control fails if the API Gateway route does not specify an authorization type. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gatewayv2_route - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN authorization_type IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN authorization_type IS NULL THEN route_id || ' authorization type not configured.' - ELSE route_id || ' authorization type ' || authorization_type || ' configured.' - END AS reason - FROM - aws_api_gatewayv2_route; + language: sql + primary_resource: aws_api_gatewayv2_route + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN authorization_type IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN authorization_type IS NULL THEN route_id || ' authorization type not configured.' + ELSE route_id || ' authorization type ' || authorization_type || ' configured.' + END AS reason + FROM + aws_api_gatewayv2_route; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml index 1979059eb..d67f20b2c 100644 --- a/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml 
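Review bot: `WHEN authorization_type IS NULL THEN 'alarm'` treats the value `NONE` as a configured authorization type, so a route that explicitly has no authorizer is reported `'ok'` with reason `authorization type NONE configured` — the case an authorization control should flag. Both CASE expressions should use `WHEN authorization_type IS NULL OR authorization_type = 'NONE' THEN 'alarm'`. The `resource` value is a hand-built ARN; if the table exposes an ARN column, using it avoids the string assembly, but that is not visible here.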
@@ -1,26 +1,27 @@ id: aws_foundational_security_apigateway_9 title: 9 Access logging should be configured for API Gateway V2 Stages +type: control description: This control checks if Amazon API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_api_gatewayv2_stage - definition: | - SELECT - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN access_log_settings IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN access_log_settings IS NULL THEN title || ' access logging disabled.' - ELSE title || ' access logging enabled.' - END AS reason - FROM - aws_api_gatewayv2_stage; + language: sql + primary_resource: aws_api_gatewayv2_stage + definition: | + SELECT + 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN access_log_settings IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN access_log_settings IS NULL THEN title || ' access logging disabled.' + ELSE title || ' access logging enabled.' + END AS reason + FROM + aws_api_gatewayv2_stage; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_appsync_2.yaml b/compliance/controls/aws/aws_foundational_security_appsync_2.yaml index d006df4b0..5e7476a6b 100644 --- a/compliance/controls/aws/aws_foundational_security_appsync_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_appsync_2.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_appsync_2 title: 2 AWS AppSync should have field-level logging enabled +type: control description: This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_appsync_graphql_api - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN title || ' field level logging enabled.' - ELSE name || ' field level logging disabled.' - END AS reason - FROM - aws_appsync_graphql_api; + language: sql + primary_resource: aws_appsync_graphql_api + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_config ->> 'FieldLogLevel' IN ('ERROR', 'ALL') THEN title || ' field level logging enabled.' + ELSE name || ' field level logging disabled.' + END AS reason + FROM + aws_appsync_graphql_api; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_athena_1.yaml b/compliance/controls/aws/aws_foundational_security_athena_1.yaml index 4f651b0f1..2510aab7a 100644 --- a/compliance/controls/aws/aws_foundational_security_athena_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_athena_1.yaml 
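Review bot: The two reason branches name the resource inconsistently — the ok branch uses `title || ' field level logging enabled.'` while the alarm branch uses `name || ' field level logging disabled.'`; pick one, e.g. `ELSE title || ' field level logging disabled.'`, so the messages line up. `resource` is `name` rather than an ARN as in the neighbouring controls; if the table exposes an ARN column, using it would make the resource identifier unambiguous across accounts and regions. `log_config ->> 'FieldLogLevel'` being NULL correctly falls to `'alarm'`.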
@@ -1,26 +1,27 @@ id: aws_foundational_security_athena_1 title: 1 Athena workgroups should be encrypted at rest +type: control description: This control checks if an Athena workgroup is encrypted at rest. The control fails if an Athena workgroup isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_athena_workgroup - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_option IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_option IS NOT NULL THEN name || ' encryption at rest enabled.' - ELSE name || ' encryption at rest disabled.' - END AS reason - FROM - aws_athena_workgroup; + language: sql + primary_resource: aws_athena_workgroup + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_option IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_option IS NOT NULL THEN name || ' encryption at rest enabled.' + ELSE name || ' encryption at rest disabled.' + END AS reason + FROM + aws_athena_workgroup; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml index 0d46c07cd..bd279ed90 100644 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_autoscaling_1 title: 1 Auto Scaling groups associated with a load balancer should use load balancer health checks +type: control description: This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN 'alarm' - WHEN health_check_type != 'ELB' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN title || ' not associated with a load balancer.' - WHEN health_check_type != 'ELB' THEN title || ' does not use ELB health check.' - ELSE title || ' uses ELB health check.' - END AS reason - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN 'alarm' + WHEN health_check_type != 'ELB' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN load_balancer_names IS NULL AND target_group_arns IS NULL THEN title || ' not associated with a load balancer.' + WHEN health_check_type != 'ELB' THEN title || ' does not use ELB health check.' + ELSE title || ' uses ELB health check.' 
+ END AS reason + FROM + aws_ec2_autoscaling_group; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml index 334cbdedf..90b833ee3 100644 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml @@ -1,23 +1,24 @@ id: aws_foundational_security_autoscaling_2 title: 2 Amazon EC2 Auto Scaling group should cover multiple Availability Zones +type: control description: This control checks whether an Auto Scaling group spans multiple Availability Zones. The control fails if an Auto Scaling group does not span multiple availability zones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(availability_zones) > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(availability_zones) > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason + FROM + aws_ec2_autoscaling_group; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml index b7b4cb095..48530b71c 100644 
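Review bot: Groups with neither `load_balancer_names` nor `target_group_arns` are reported as 'alarm' with the reason "not associated with a load balancer.", yet the title and description scope this control to groups that are associated with a load balancer, so unattached groups become findings that cannot be remediated by enabling ELB health checks; consider giving that first WHEN branch a status other than 'alarm' that marks the group as out of scope. If those two columns are JSON arrays, a group whose balancers were detached may hold an empty array rather than NULL and would bypass the first branch — worth confirming against the column types. A NULL `health_check_type` also makes `health_check_type != 'ELB'` UNKNOWN and falls through to 'ok'; `health_check_type IS DISTINCT FROM 'ELB'` would treat it as a failure. This hunk begins on the previous line.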
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_autoscaling_3 title: 3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) +type: control description: This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options_http_tokens = 'required' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN metadata_options_http_tokens = 'required' THEN title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options_http_tokens = 'required' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN metadata_options_http_tokens = 'required' THEN title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + END AS reason + FROM + aws_ec2_launch_configuration; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml index fc6aca7ed..0e91ac570 100644 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml 
@@ -1,27 +1,28 @@ id: aws_foundational_security_autoscaling_4 title: 4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1 +type: control description: This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options_put_response_hop_limit IS NULL THEN 'ok' - WHEN metadata_options_put_response_hop_limit > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options_put_response_hop_limit IS NULL THEN title || ' metadata response hop limit set to default.' - ELSE title || ' has a metadata response hop limit of ' || metadata_options_put_response_hop_limit || '.' - END AS reason - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options_put_response_hop_limit IS NULL THEN 'ok' + WHEN metadata_options_put_response_hop_limit > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options_put_response_hop_limit IS NULL THEN title || ' metadata response hop limit set to default.' + ELSE title || ' has a metadata response hop limit of ' || metadata_options_put_response_hop_limit || '.' + END AS reason + FROM + aws_ec2_launch_configuration; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml index 630358a7e..7a74c14a8 100644 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_autoscaling_5 title: 5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses +type: control description: This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group's instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_launch_configuration - definition: | - SELECT - launch_configuration_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN associate_public_ip_address THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN associate_public_ip_address THEN title || ' public IP enabled.' - ELSE title || ' public IP disabled.' - END AS reason - FROM - aws_ec2_launch_configuration; + language: sql + primary_resource: aws_ec2_launch_configuration + definition: | + SELECT + launch_configuration_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN associate_public_ip_address THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN associate_public_ip_address THEN title || ' public IP enabled.' + ELSE title || ' public IP disabled.' + END AS reason + FROM + aws_ec2_launch_configuration; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml index 7deac2dab..18b998511 100644 
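Review bot: A NULL `associate_public_ip_address` falls into the ELSE branch and passes with the reason "public IP disabled.", but when a launch configuration leaves this unset the effective behaviour is inherited from the subnet's auto-assign setting, so instances may still receive public addresses; consider reporting the unset case with a status other than 'ok', e.g. `WHEN associate_public_ip_address IS NULL THEN ...` ahead of the existing branches in both CASE expressions. Whether the table stores an explicit false for unset configurations is not visible here and should be confirmed before changing the verdict.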
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml 
@@ -1,51 +1,52 @@ id: aws_foundational_security_autoscaling_6 title: 6 Auto Scaling groups should use multiple instance types in multiple Availability Zones +type: control description: This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - WITH autoscaling_groups AS ( - SELECT - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides, - region, - tags, - _ctx, - account_id - FROM - aws_ec2_autoscaling_group - ), - distinct_instance_types_count AS ( - SELECT - autoscaling_group_arn, - COUNT(DISTINCT(e -> 'InstanceType')) AS distinct_instance_types - FROM - autoscaling_groups, - jsonb_array_elements(mixed_instances_policy_launch_template_overrides) AS e - GROUP BY - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides - ) - SELECT - a.autoscaling_group_arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.distinct_instance_types > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.distinct_instance_types > 1 THEN title || ' uses ' || b.distinct_instance_types || ' instance types.' - ELSE title || ' does not use multiple instance types.' 
- END AS reason - FROM - autoscaling_groups AS a - LEFT JOIN distinct_instance_types_count AS b ON a.autoscaling_group_arn = b.autoscaling_group_arn; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + WITH autoscaling_groups AS ( + SELECT + autoscaling_group_arn, + title, + mixed_instances_policy_launch_template_overrides, + region, + tags, + _ctx, + account_id + FROM + aws_ec2_autoscaling_group + ), + distinct_instance_types_count AS ( + SELECT + autoscaling_group_arn, + COUNT(DISTINCT(e -> 'InstanceType')) AS distinct_instance_types + FROM + autoscaling_groups, + jsonb_array_elements(mixed_instances_policy_launch_template_overrides) AS e + GROUP BY + autoscaling_group_arn, + title, + mixed_instances_policy_launch_template_overrides + ) + SELECT + a.autoscaling_group_arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.distinct_instance_types > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.distinct_instance_types > 1 THEN title || ' uses ' || b.distinct_instance_types || ' instance types.' + ELSE title || ' does not use multiple instance types.' + END AS reason + FROM + autoscaling_groups AS a + LEFT JOIN distinct_instance_types_count AS b ON a.autoscaling_group_arn = b.autoscaling_group_arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml index 965411175..d11ca26c3 100644 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml 
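Review bot: The final SELECT reads `a.platform_integration_id` and `a.platform_resource_id`, but the `autoscaling_groups` CTE that `a` refers to does not project those columns, so the query should fail with an unknown-column error as soon as it runs; add `platform_integration_id,` and `platform_resource_id,` to the CTE's column list. The `GROUP BY` in `distinct_instance_types_count` also lists `title` and `mixed_instances_policy_launch_template_overrides` although only `autoscaling_group_arn` is selected; grouping on the ARN alone is sufficient and avoids grouping on a jsonb value. This hunk begins on the previous line.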
@@ -1,26 +1,27 @@ id: aws_foundational_security_autoscaling_9 title: 9 EC2 Auto Scaling groups should use EC2 launch templates +type: control description: This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_autoscaling_group - definition: | - SELECT - autoscaling_group_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN launch_template_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN launch_template_id IS NOT NULL THEN title || ' using an EC2 launch template.' - ELSE title || ' not using an EC2 launch template.' - END AS reason - FROM - aws_ec2_autoscaling_group; + language: sql + primary_resource: aws_ec2_autoscaling_group + definition: | + SELECT + autoscaling_group_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN launch_template_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN launch_template_id IS NOT NULL THEN title || ' using an EC2 launch template.' + ELSE title || ' not using an EC2 launch template.' + END AS reason + FROM + aws_ec2_autoscaling_group; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_backup_1.yaml b/compliance/controls/aws/aws_foundational_security_backup_1.yaml index bdf2e3a80..a6de2adab 100644 --- a/compliance/controls/aws/aws_foundational_security_backup_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_backup_1.yaml 
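Review bot: The check passes only when `launch_template_id` is populated, but the description says a launch template specified in a mixed instances policy also satisfies the control; if the table fills `launch_template_id` only from the group's direct launch template setting, groups that reference their template through a mixed instances policy will be reported as 'alarm'. Confirm how that column is derived, and if needed extend both WHEN conditions with the column that carries the mixed-instances-policy template.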
@@ -1,26 +1,27 @@ id: aws_foundational_security_backup_1 title: 1 AWS Backup recovery points should be encrypted at rest +type: control description: This control checks if an AWS Backup recovery point is encrypted at rest. The control fails if the recovery point isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_recovery_point - definition: | - SELECT - recovery_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN is_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN is_encrypted THEN recovery_point_arn || ' encryption enabled.' - ELSE recovery_point_arn || ' encryption disabled.' - END AS reason - FROM - aws_backup_recovery_point; + language: sql + primary_resource: aws_backup_recovery_point + definition: | + SELECT + recovery_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN is_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN is_encrypted THEN recovery_point_arn || ' encryption enabled.' + ELSE recovery_point_arn || ' encryption disabled.' + END AS reason + FROM + aws_backup_recovery_point; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml index ccd6aa454..4e5eb8fc5 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_cloudformation_1 title: 1 CloudFormation stacks should be integrated with Simple Notification Service (SNS) +type: control description: This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudformation_stack - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(notification_arns) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(notification_arns) > 0 THEN title || ' notifications enabled.' - ELSE title || ' notifications disabled.' - END AS reason - FROM - aws_cloudformation_stack; + language: sql + primary_resource: aws_cloudformation_stack + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(notification_arns) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(notification_arns) > 0 THEN title || ' notifications enabled.' + ELSE title || ' notifications disabled.' + END AS reason + FROM + aws_cloudformation_stack; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml index c3edc6191..8c63a300b 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_cloudfront_1 title: 1 CloudFront distributions should have a default root object configured +type: control description: This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN default_root_object = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN default_root_object = '' THEN title || ' default root object not configured.' - ELSE title || ' default root object configured.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN default_root_object = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN default_root_object = '' THEN title || ' default root object not configured.' + ELSE title || ' default root object configured.' + END AS reason + FROM + aws_cloudfront_distribution; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml index bc59c3a9b..c7b9d520a 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml 
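Review bot: The alarm condition `default_root_object = ''` only catches an empty string; a NULL `default_root_object` makes the comparison UNKNOWN and the distribution falls through to 'ok' with the reason "default root object configured.". If the column can be NULL, use `WHEN COALESCE(default_root_object, '') = '' THEN 'alarm'` in both CASE expressions so an absent root object also fails.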
@@ -1,37 +1,38 @@ id: aws_foundational_security_cloudfront_10 title: 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins +type: control description: This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH origin_ssl_protocols AS ( - SELECT - DISTINCT arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy - FROM - aws_cloudfront_distribution, - jsonb_array_elements(origins) AS o - WHERE - o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN o.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN o.arn IS NULL THEN title || ' does not have deprecated SSL protocols.' - ELSE title || ' has deprecated SSL protocols.' 
- END AS reason - FROM - aws_cloudfront_distribution AS b - LEFT JOIN origin_ssl_protocols AS o ON b.arn = o.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH origin_ssl_protocols AS ( + SELECT + DISTINCT arn, + o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' AS origin_protocol_policy + FROM + aws_cloudfront_distribution, + jsonb_array_elements(origins) AS o + WHERE + o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN o.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN o.arn IS NULL THEN title || ' does not have deprecated SSL protocols.' + ELSE title || ' has deprecated SSL protocols.' + END AS reason + FROM + aws_cloudfront_distribution AS b + LEFT JOIN origin_ssl_protocols AS o ON b.arn = o.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml index 02454b89f..995bc0a8d 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml 
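Review bot: The `origin_ssl_protocols` CTE selects `DISTINCT arn, origin_protocol_policy`, so a distribution with several SSLv3-enabled origins that differ in OriginProtocolPolicy yields more than one CTE row and the LEFT JOIN duplicates that distribution in the result; `origin_protocol_policy` is never read afterwards, so select `DISTINCT arn` only. The `@> '["SSLv3"]'` test matches the SSLv3-only scope stated in the description. This hunk begins on the previous line.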
@@ -1,49 +1,50 @@ id: aws_foundational_security_cloudfront_12 title: 12 CloudFront distributions should not point to non-existent S3 origins +type: control description: This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH distribution_with_non_existent_bucket AS ( - SELECT - DISTINCT d.arn AS arn, - TO_JSONB(STRING_TO_ARRAY((STRING_AGG(SPLIT_PART(o ->> 'Id', '.s3', 1), ',')), ',')) AS bucket_name_list - FROM - aws_cloudfront_distribution AS d, - JSONB_ARRAY_ELEMENTS(d.origins) AS o - LEFT JOIN aws_s3_bucket AS b ON b.name = SPLIT_PART(o ->> 'Id', '.s3', 1) - WHERE - b.name IS NULL - AND o ->> 'DomainName' LIKE '%.s3.%' - GROUP BY - d.arn - ) - SELECT - DISTINCT b.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN title || ' does not point to any non-existent S3 origins.' - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 0 - THEN title || - CASE - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 2 - THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (JSONB_ARRAY_LENGTH(b.bucket_name_list) - 2)::TEXT || ' more.' 
) - WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) = 2 - THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.') - ELSE CONCAT(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') - END - END AS reason - FROM - aws_cloudfront_distribution AS d - LEFT JOIN distribution_with_non_existent_bucket AS b ON b.arn = d.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH distribution_with_non_existent_bucket AS ( + SELECT + DISTINCT d.arn AS arn, + TO_JSONB(STRING_TO_ARRAY((STRING_AGG(SPLIT_PART(o ->> 'Id', '.s3', 1), ',')), ',')) AS bucket_name_list + FROM + aws_cloudfront_distribution AS d, + JSONB_ARRAY_ELEMENTS(d.origins) AS o + LEFT JOIN aws_s3_bucket AS b ON b.name = SPLIT_PART(o ->> 'Id', '.s3', 1) + WHERE + b.name IS NULL + AND o ->> 'DomainName' LIKE '%.s3.%' + GROUP BY + d.arn + ) + SELECT + DISTINCT b.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN title || ' does not point to any non-existent S3 origins.' + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 0 + THEN title || + CASE + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) > 2 + THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (JSONB_ARRAY_LENGTH(b.bucket_name_list) - 2)::TEXT || ' more.' ) + WHEN JSONB_ARRAY_LENGTH(b.bucket_name_list) = 2 + THEN CONCAT(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.') + ELSE CONCAT(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') + END + END AS reason + FROM + aws_cloudfront_distribution AS d + LEFT JOIN distribution_with_non_existent_bucket AS b ON b.arn = d.arn; severity: high tags: {} 
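Review bot: The resource column is `DISTINCT b.arn`, taken from the CTE side of the LEFT JOIN, so every distribution that passes (the `b.arn IS NULL` branch) is emitted with a NULL resource; it should be `d.arn AS resource`, taken from the driving table, and the DISTINCT then becomes unnecessary because the CTE already groups by `d.arn`. Separately, the bucket name is derived from the origin's `Id` via `SPLIT_PART(o ->> 'Id', '.s3', 1)` while the filter inspects `DomainName`; origin IDs are free-form, so deriving the name from `DomainName` would make the lookup against `aws_s3_bucket` more reliable — worth confirming against real origin records. This hunk begins on the previous line.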
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml index 05d15fd57..98238e029 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml 
@@ -1,41 +1,42 @@ id: aws_foundational_security_cloudfront_3 title: 3 CloudFront distributions should require encryption in transit +type: control description: This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH data AS ( - SELECT - DISTINCT arn - FROM - aws_cloudfront_distribution, - jsonb_array_elements( - CASE jsonb_typeof(cache_behaviors -> 'Items') - WHEN 'array' THEN (cache_behaviors -> 'Items') - ELSE NULL - END - ) AS cb - WHERE - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN d.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN d.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') THEN title || ' data not encrypted in transit.' - ELSE title || ' data encrypted in transit.' 
- END AS reason - FROM - aws_cloudfront_distribution AS b - LEFT JOIN data AS d ON b.arn = d.arn; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH data AS ( + SELECT + DISTINCT arn + FROM + aws_cloudfront_distribution, + jsonb_array_elements( + CASE jsonb_typeof(cache_behaviors -> 'Items') + WHEN 'array' THEN (cache_behaviors -> 'Items') + ELSE NULL + END + ) AS cb + WHERE + cb ->> 'ViewerProtocolPolicy' = 'allow-all' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN d.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN d.arn IS NOT NULL OR (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') THEN title || ' data not encrypted in transit.' + ELSE title || ' data encrypted in transit.' + END AS reason + FROM + aws_cloudfront_distribution AS b + LEFT JOIN data AS d ON b.arn = d.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml index 0e957def9..4cf08d072 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml 
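Review bot: The CTE is named `data` and the aliases are swapped relative to what they hold — `b` is the distribution table and `d` is the CTE — which makes the final CASE harder to read than it needs to be; a name such as `allow_all_cache_behaviors`, with `d` for the distribution and a distinct alias for the CTE, would read naturally. The `jsonb_typeof` guard around `cache_behaviors -> 'Items'` is a sound defensive choice and deserves a one-line `--` comment stating that it tolerates distributions whose `Items` is absent or not an array. This hunk begins on the previous line.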
@@ -1,26 +1,27 @@ id: aws_foundational_security_cloudfront_4 title: 4 CloudFront distributions should have origin failover configured +type: control description: This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin_groups ->> 'Items' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN origin_groups ->> 'Items' IS NOT NULL THEN title || ' origin group is configured.' - ELSE title || ' origin group not configured.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin_groups ->> 'Items' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN origin_groups ->> 'Items' IS NOT NULL THEN title || ' origin group is configured.' + ELSE title || ' origin group not configured.' + END AS reason + FROM + aws_cloudfront_distribution; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml index 831fd8dc4..1f7287031 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml 
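Review bot: `origin_groups ->> 'Items' IS NOT NULL` proves only that an Items key is present, not that it holds an origin group with two or more origins as the description requires; an empty Items list would still pass. If `Items` is a JSON array, test its length, e.g. `WHEN jsonb_array_length(origin_groups -> 'Items') > 0 THEN 'ok'`, and consider also checking each group's member count. Whether the API returns an empty list or omits the key when no group is configured should be confirmed.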
@@ -1,26 +1,27 @@ id: aws_foundational_security_cloudfront_5 title: 5 CloudFront distributions should have logging enabled +type: control description: This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN logging ->> 'Enabled' = 'true' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason - FROM - aws_cloudfront_distribution; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN logging ->> 'Enabled' = 'true' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason + FROM + aws_cloudfront_distribution; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml index 6a9c037bc..07401f0dd 100644 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml 
@@ -1,26 +1,27 @@
 id: aws_foundational_security_cloudfront_6
 title: 6 CloudFront distributions should have AWS WAF enabled
+type: control
 description: This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudfront_distribution
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN web_acl_id <> '' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN web_acl_id <> '' THEN title || ' associated with WAF.'
- ELSE title || ' not associated with WAF.'
- END AS reason
- FROM
- aws_cloudfront_distribution;
+ language: sql
+ primary_resource: aws_cloudfront_distribution
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN web_acl_id <> '' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN web_acl_id <> '' THEN title || ' associated with WAF.'
+ ELSE title || ' not associated with WAF.'
+ END AS reason
+ FROM
+ aws_cloudfront_distribution;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
index cb19f4d03..2f1f7230b 100644
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_cloudfront_7
 title: 7 CloudFront distributions should use custom SSL/TLS certificates
+type: control
 description: This control checks whether CloudFront distributions are using the default SSL/TLS certificate CloudFront provides. This control passes if the CloudFront distribution uses a custom SSL/TLS certificate. This control fails if the CloudFront distribution uses the default SSL/TLS certificate.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudfront_distribution
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL
- AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL
- AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN title || ' uses custom SSL certificate.'
- ELSE title || ' does not use custom SSL certificate.'
- END AS reason
- FROM
- aws_cloudfront_distribution;
+ language: sql
+ primary_resource: aws_cloudfront_distribution
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL
+ AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL
+ AND viewer_certificate ->> 'Certificate' IS NOT NULL THEN title || ' uses custom SSL certificate.'
+ ELSE title || ' does not use custom SSL certificate.'
+ END AS reason
+ FROM
+ aws_cloudfront_distribution;
 severity: medium
 tags: {}
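Review bot: The new status CASE recognises only `ACMCertificateArn` as a custom certificate, so a distribution that uses an IAM-uploaded certificate (the API's `IAMCertificateId` field) is reported as `alarm` although it does not use the CloudFront default certificate, which is the condition the description says should fail. `WHEN viewer_certificate ->> 'ACMCertificateArn' IS NOT NULL OR viewer_certificate ->> 'IAMCertificateId' IS NOT NULL THEN 'ok'` covers both sources, and the second `AND viewer_certificate ->> 'Certificate' IS NOT NULL` term becomes redundant. The reason CASE repeats the same predicate and needs the same edit.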
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
index 07ca06b78..e70ff2216 100644
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_cloudfront_8
 title: 8 CloudFront distributions should use SNI to serve HTTPS requests
+type: control
 description: This control checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudfront_distribution
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN title || ' SNI enabled.'
- ELSE title || ' SNI disabled.'
- END AS reason
- FROM
- aws_cloudfront_distribution;
+ language: sql
+ primary_resource: aws_cloudfront_distribution
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' THEN title || ' SNI enabled.'
+ ELSE title || ' SNI disabled.'
+ END AS reason
+ FROM
+ aws_cloudfront_distribution;
 severity: low
 tags: {}
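Review bot: `viewer_certificate ->> 'SSLSupportMethod' = 'sni-only'` alarms every distribution that still uses the CloudFront default certificate, where that key is normally absent, but the description says the control fails only when a custom certificate is paired with a dedicated IP. A leading `WHEN viewer_certificate ->> 'CloudFrontDefaultCertificate' = 'true' THEN 'skip'` (the `skip` status is already used by codebuild_1 in this diff) keeps those distributions out of the alarm bucket; cloudfront_7 already reports the default certificate itself. The reason CASE needs a matching branch.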
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
index f3f54664f..4911194b3 100644
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
@@ -1,56 +1,57 @@
 id: aws_foundational_security_cloudtrail_1
 title: 1 CloudTrail should be enabled and configured with at least one multi-Region trail
+type: control
 description: This control checks that there is at least one multi-Region CloudTrail trail.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- WITH multi_region_trails AS (
- SELECT
- account_id,
- COUNT(account_id) AS num_multregion_trails
- FROM
- aws_cloudtrail_trail
- WHERE
- is_multi_region_trail
- AND region = home_region
- AND is_logging
- GROUP BY
- account_id,
- is_multi_region_trail
- ), organization_trails AS (
- SELECT
- is_organization_trail,
- is_logging,
- is_multi_region_trail,
- account_id
- FROM
- aws_cloudtrail_trail
- WHERE
- is_organization_trail
- )
- SELECT
- DISTINCT a.arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN 'ok'
- WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN 'ok'
- WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN 'info'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN a.title || ' has ' || COALESCE(num_multregion_trails, 0) || ' multi-region trail(s).'
- WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN a.title || ' has multi-region trail(s).'
- WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN a.title || ' has organization trail, check organization account for cloudtrail logging status.'
- ELSE a.title || ' does not have multi-region trail(s).'
- END AS reason
- FROM
- aws_account AS a
- LEFT JOIN multi_region_trails AS b ON a.account_id = b.account_id
- LEFT JOIN organization_trails AS o ON a.account_id = o.account_id
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ WITH multi_region_trails AS (
+ SELECT
+ account_id,
+ COUNT(account_id) AS num_multregion_trails
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ is_multi_region_trail
+ AND region = home_region
+ AND is_logging
+ GROUP BY
+ account_id,
+ is_multi_region_trail
+ ), organization_trails AS (
+ SELECT
+ is_organization_trail,
+ is_logging,
+ is_multi_region_trail,
+ account_id
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ is_organization_trail
+ )
+ SELECT
+ DISTINCT a.arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN 'ok'
+ WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN 'ok'
+ WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN 'info'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN COALESCE(num_multregion_trails, 0) >= 1 THEN a.title || ' has ' || COALESCE(num_multregion_trails, 0) || ' multi-region trail(s).'
+ WHEN o.is_organization_trail AND o.is_logging AND o.is_multi_region_trail THEN a.title || ' has multi-region trail(s).'
+ WHEN o.is_organization_trail AND o.is_multi_region_trail AND o.is_logging IS NULL THEN a.title || ' has organization trail, check organization account for cloudtrail logging status.'
+ ELSE a.title || ' does not have multi-region trail(s).'
+ END AS reason
+ FROM
+ aws_account AS a
+ LEFT JOIN multi_region_trails AS b ON a.account_id = b.account_id
+ LEFT JOIN organization_trails AS o ON a.account_id = o.account_id
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
index 0afbbc14d..d0ada6159 100644
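Review bot: The `organization_trails` CTE in the new definition selects from `aws_cloudtrail_trail` without the `region = home_region` filter that `multi_region_trails` applies, so if the table lists a multi-region organization trail once per region, the LEFT JOIN on `account_id` yields one row per region and `DISTINCT` only collapses them when every column agrees. Adding `AND region = home_region` to that CTE's WHERE clause keeps one row per account. The `GROUP BY account_id, is_multi_region_trail` in the first CTE is harmless, but the second column is already fixed to true by its WHERE clause and can be dropped.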
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_cloudtrail_2
 title: 2 CloudTrail should have encryption at rest enabled
+type: control
 description: This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the KmsKeyId is defined.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
- ELSE title || ' logs are encrypted at rest.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_key_id IS NULL THEN title || ' logs are not encrypted at rest.'
+ ELSE title || ' logs are encrypted at rest.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
index 429bf3e6a..d32e2fb75 100644
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_cloudtrail_4
 title: 4 Ensure CloudTrail log file validation is enabled
+type: control
 description: This control checks whether log file integrity validation is enabled on a CloudTrail trail. CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN log_file_validation_enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN log_file_validation_enabled THEN title || ' log file validation enabled.'
- ELSE title || ' log file validation disabled.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN log_file_validation_enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN log_file_validation_enabled THEN title || ' log file validation enabled.'
+ ELSE title || ' log file validation disabled.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
index 2b244f4e3..b76589311 100644
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_cloudtrail_5
 title: 5 Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
+type: control
 description: This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of the trail is empty.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_cloudtrail_trail
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.'
- ELSE title || ' not integrated with CloudWatch logs.'
- END AS reason
- FROM
- aws_cloudtrail_trail
- WHERE
- region = home_region;
+ language: sql
+ primary_resource: aws_cloudtrail_trail
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN log_group_arn != 'null' AND (latest_delivery_time > current_date - 1) THEN title || ' integrated with CloudWatch logs.'
+ ELSE title || ' not integrated with CloudWatch logs.'
+ END AS reason
+ FROM
+ aws_cloudtrail_trail
+ WHERE
+ region = home_region;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml
index 1b4fac5fd..2a927a0bb 100644
--- a/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml
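Review bot: `log_group_arn != 'null'` in both CASE expressions compares the column with the four-character string `'null'`, not with SQL NULL; a trail whose column is genuinely NULL lands in `alarm` only because the comparison yields UNKNOWN, and an empty string passes this half of the predicate. Unless the collector really stores that literal text, `log_group_arn IS NOT NULL AND log_group_arn <> ''` states the intent. The `latest_delivery_time > current_date - 1` half also means a trail that is wired to CloudWatch Logs but has not delivered in the last day is reported as "not integrated"; the reason text could say that a recent delivery is required.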
@@ -1,30 +1,31 @@
 id: aws_foundational_security_codebuild_1
 title: 1 CodeBuild Bitbucket source repository URLs should not contain sensitive credentials
+type: control
 description: Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN 'skip'
- WHEN c.auth_type = 'OAUTH' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN p.source ->> 'Type' = 'NO_SOURCE' THEN p.title || ' doesn''t have input source code.'
- WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN p.title || ' source code isn''t in GitHub/Bitbucket repository.'
- WHEN c.auth_type = 'OAUTH' THEN p.title || ' using OAuth to connect source repository.'
- ELSE p.title || ' not using OAuth to connect source repository.'
- END AS reason
- FROM
- aws_codebuild_project AS p
- LEFT JOIN aws_codebuild_source_credential AS c ON (p.region = c.region AND p.source ->> 'Type' = c.server_type);
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN 'skip'
+ WHEN c.auth_type = 'OAUTH' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN p.source ->> 'Type' = 'NO_SOURCE' THEN p.title || ' doesn''t have input source code.'
+ WHEN p.source ->> 'Type' NOT IN ('GITHUB', 'BITBUCKET') THEN p.title || ' source code isn''t in GitHub/Bitbucket repository.'
+ WHEN c.auth_type = 'OAUTH' THEN p.title || ' using OAuth to connect source repository.'
+ ELSE p.title || ' not using OAuth to connect source repository.'
+ END AS reason
+ FROM
+ aws_codebuild_project AS p
+ LEFT JOIN aws_codebuild_source_credential AS c ON (p.region = c.region AND p.source ->> 'Type' = c.server_type);
 severity: critical
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml
index 4781f6a57..8f4972d5f 100644
--- a/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml
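Review bot: The LEFT JOIN in the new definition matches `aws_codebuild_source_credential` on region and server type only, so in a dataset that holds several accounts a credential imported in one account marks the projects of every other account in that region as `ok`, and a project can be returned once per matching account. Add `p.account_id = c.account_id` to the ON clause. Separately, a project whose `source ->> 'Type'` is NULL falls through `NOT IN (...)` to `alarm` rather than `skip`; `COALESCE(p.source ->> 'Type', '') NOT IN ('GITHUB', 'BITBUCKET')` makes the outcome explicit if `skip` is what is intended.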
@@ -1,38 +1,39 @@
 id: aws_foundational_security_codebuild_2
 title: 2 CodeBuild project environment variables should not contain clear text credentials
+type: control
 description: This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- WITH invalid_key_name AS (
- SELECT
- DISTINCT arn,
- name
- FROM
- aws_codebuild_project,
- jsonb_array_elements(environment -> 'EnvironmentVariables') AS env
- WHERE
- env ->> 'Name' ILIKE ANY(ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])
- AND env ->> 'Type' = 'PLAINTEXT'
- )
- SELECT
- a.arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.arn IS NULL THEN a.title || ' has no plaintext environment variables with sensitive AWS values.'
- ELSE a.title || ' has plaintext environment variables with sensitive AWS values.'
- END AS reason
- FROM
- aws_codebuild_project AS a
- LEFT JOIN invalid_key_name b ON a.arn = b.arn;
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ WITH invalid_key_name AS (
+ SELECT
+ DISTINCT arn,
+ name
+ FROM
+ aws_codebuild_project,
+ jsonb_array_elements(environment -> 'EnvironmentVariables') AS env
+ WHERE
+ env ->> 'Name' ILIKE ANY(ARRAY['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])
+ AND env ->> 'Type' = 'PLAINTEXT'
+ )
+ SELECT
+ a.arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.arn IS NULL THEN a.title || ' has no plaintext environment variables with sensitive AWS values.'
+ ELSE a.title || ' has plaintext environment variables with sensitive AWS values.'
+ END AS reason
+ FROM
+ aws_codebuild_project AS a
+ LEFT JOIN invalid_key_name b ON a.arn = b.arn;
 severity: critical
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml
index e3ac04e1a..9544d0e85 100644
--- a/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml
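Review bot: The `ILIKE ANY(ARRAY[...])` list in the new `invalid_key_name` CTE covers the access key pair and `PASSWORD` but not `AWS_SESSION_TOKEN`, so a plaintext session token in a project environment is reported as `ok`; adding `'%AWS_SESSION_TOKEN%'` to the array closes that gap, and broader patterns such as `'%SECRET%'` or `'%TOKEN%'` would catch more at the cost of flagging legitimate names like a secret ARN reference. The `_` in each pattern is a single-character wildcard, which only widens the match and is harmless here. The `name` column selected in the CTE is never used by the outer query and can be dropped.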
@@ -1,26 +1,27 @@
 id: aws_foundational_security_codebuild_3
 title: 3 CodeBuild S3 logs should be encrypted
+type: control
 description: This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN title || ' S3Logs encryption enabled.'
- ELSE title || ' S3Logs encryption disabled.'
- END AS reason
- FROM
- aws_codebuild_project;
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool THEN title || ' S3Logs encryption enabled.'
+ ELSE title || ' S3Logs encryption disabled.'
+ END AS reason
+ FROM
+ aws_codebuild_project;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml
index 3d62724ce..1dc3ac165 100644
--- a/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml
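Review bot: `NOT (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool` evaluates to NULL when a project has no S3 log configuration (the `->>` yields NULL and the cast and NOT keep it NULL), so the CASE falls through to `alarm` for projects that never write S3 logs, which the description does not call a failure. A leading `WHEN COALESCE(logs_config -> 'S3Logs' ->> 'Status', 'DISABLED') <> 'ENABLED' THEN 'skip'` (the `Status` key is what codebuild_4 in this diff reads) keeps the alarm for projects with S3 logging enabled and encryption turned off. The reason CASE needs the matching branch.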
@@ -1,26 +1,27 @@
 id: aws_foundational_security_codebuild_4
 title: 4 CodeBuild project environments should have a logging configuration
+type: control
 description: This control checks whether a CodeBuild project environment has at least one log option, either to S3 or CloudWatch logs enabled. This control fails if a CodeBuild project environment does not have at least one log option enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN title || ' logging enabled.'
- ELSE title || ' logging disabled.'
- END AS reason
- FROM
- aws_codebuild_project;
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' OR logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' THEN title || ' logging enabled.'
+ ELSE title || ' logging disabled.'
+ END AS reason
+ FROM
+ aws_codebuild_project;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml
index dcdf50ae6..722bbe7f0 100644
--- a/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_codebuild_5
 title: 5 CodeBuild project environments should not have privileged mode enabled
+type: control
 description: This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_codebuild_project
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN environment ->> 'PrivilegedMode' = 'true' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN environment ->> 'PrivilegedMode' = 'true' THEN title || ' environment privileged mode enabled.'
- ELSE title || ' environment privileged mode disabled.'
- END AS reason
- FROM
- aws_codebuild_project;
+ language: sql
+ primary_resource: aws_codebuild_project
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN environment ->> 'PrivilegedMode' = 'true' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN environment ->> 'PrivilegedMode' = 'true' THEN title || ' environment privileged mode enabled.'
+ ELSE title || ' environment privileged mode disabled.'
+ END AS reason
+ FROM
+ aws_codebuild_project;
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_config_1.yaml b/compliance/controls/aws/aws_foundational_security_config_1.yaml
index eff15863c..df6d68420 100644
--- a/compliance/controls/aws/aws_foundational_security_config_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_config_1.yaml
@@ -1,67 +1,68 @@
 id: aws_foundational_security_config_1
 title: 1 AWS Config should be enabled
+type: control
 description: This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_config_configuration_recorder
- definition: |
- WITH global_recorders AS (
- SELECT
- COUNT(*) AS global_config_recorders
- FROM
- aws_config_configuration_recorder
- WHERE
- recording_group -> 'IncludeGlobalResourceTypes' = 'true'
- AND recording_group -> 'AllSupported' = 'true'
- AND status ->> 'Recording' = 'true'
- AND status ->> 'LastStatus' = 'SUCCESS'
- )
- SELECT
- 'arn:aws::' || a.region || ':' || a.account_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
+ language: sql
+ primary_resource: aws_config_configuration_recorder
+ definition: |
+ WITH global_recorders AS (
+ SELECT
+ COUNT(*) AS global_config_recorders
+ FROM
+ aws_config_configuration_recorder
+ WHERE
+ recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ AND recording_group -> 'AllSupported' = 'true'
+ AND status ->> 'Recording' = 'true'
+ AND status ->> 'LastStatus' = 'SUCCESS'
+ )
+ SELECT
+ 'arn:aws::' || a.region || ':' || a.account_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN g.global_config_recorders >= 1
+ AND status ->> 'Recording' = 'true'
+ AND status ->> 'LastStatus' = 'SUCCESS'
+ THEN 'ok'
+ WHEN a.opt_in_status = 'not-opted-in'
+ THEN 'skip'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.opt_in_status = 'not-opted-in'
+ THEN a.region || ' region is disabled.'
+ ELSE
 CASE
- WHEN g.global_config_recorders >= 1
- AND status ->> 'Recording' = 'true'
- AND status ->> 'LastStatus' = 'SUCCESS'
- THEN 'ok'
- WHEN a.opt_in_status = 'not-opted-in'
- THEN 'skip'
- ELSE 'alarm'
- END AS status,
+ WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+ THEN a.region || ' IncludeGlobalResourceTypes enabled,'
+ ELSE a.region || ' IncludeGlobalResourceTypes disabled,'
+ END ||
 CASE
- WHEN a.opt_in_status = 'not-opted-in'
- THEN a.region || ' region is disabled.'
- ELSE
- CASE
- WHEN recording_group -> 'IncludeGlobalResourceTypes' = 'true'
- THEN a.region || ' IncludeGlobalResourceTypes enabled,'
- ELSE a.region || ' IncludeGlobalResourceTypes disabled,'
- END ||
- CASE
- WHEN recording_group -> 'AllSupported' = 'true'
- THEN ' AllSupported enabled,'
- ELSE ' AllSupported disabled,'
- END ||
- CASE
- WHEN status ->> 'Recording' = 'true'
- THEN ' Recording enabled'
- ELSE ' Recording disabled'
- END ||
- CASE
- WHEN status ->> 'LastStatus' = 'SUCCESS'
- THEN ' and LastStatus is SUCCESS.'
- ELSE ' and LastStatus is not SUCCESS.'
- END
- END AS reason
- FROM
- global_recorders AS g,
- aws_region AS a
- LEFT JOIN aws_config_configuration_recorder AS r
- ON r.account_id = a.account_id
- AND r.region = a.name
+ WHEN recording_group -> 'AllSupported' = 'true'
+ THEN ' AllSupported enabled,'
+ ELSE ' AllSupported disabled,'
+ END ||
+ CASE
+ WHEN status ->> 'Recording' = 'true'
+ THEN ' Recording enabled'
+ ELSE ' Recording disabled'
+ END ||
+ CASE
+ WHEN status ->> 'LastStatus' = 'SUCCESS'
+ THEN ' and LastStatus is SUCCESS.'
+ ELSE ' and LastStatus is not SUCCESS.'
+ END
+ END AS reason
+ FROM
+ global_recorders AS g,
+ aws_region AS a
+ LEFT JOIN aws_config_configuration_recorder AS r
+ ON r.account_id = a.account_id
+ AND r.region = a.name
 severity: medium
 tags: {}
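Review bot: `global_recorders` counts qualifying recorders across the whole table with no `account_id`, and the outer query cross-joins that single row to every region, so in a dataset holding several accounts one account's global recorder satisfies `g.global_config_recorders >= 1` for all of them. Group the CTE by account (`SELECT account_id, COUNT(*) AS global_config_recorders … GROUP BY account_id`) and replace the comma join with `LEFT JOIN global_recorders AS g ON g.account_id = a.account_id`; a region with no qualifying recorder then gets NULL and still falls through to `alarm`. The unqualified `status` and `recording_group` references in the SELECT list appear to come from `r`; writing them as `r.status` / `r.recording_group` makes that explicit and avoids an ambiguity error if `aws_region` ever gains a column of the same name.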
diff --git a/compliance/controls/aws/aws_foundational_security_dms_1.yaml b/compliance/controls/aws/aws_foundational_security_dms_1.yaml
index 0c9128b07..51d7df870 100644
--- a/compliance/controls/aws/aws_foundational_security_dms_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_dms_1.yaml
@@ -1,26 +1,27 @@ id: aws_foundational_security_dms_1 title: 1 AWS Database Migration Service replication instances should not be public +type: control description: This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_replication_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_dms_replication_instance; + language: sql + primary_resource: aws_dms_replication_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_dms_replication_instance; severity: critical tags: {} 
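Review bot: A NULL `publicly_accessible` falls through to the `ELSE 'ok'` branch of the new-side status CASE, so a replication instance whose flag was not collected is reported as compliant; for a control that classifies network exposure the unknown case should fail closed, e.g. `WHEN publicly_accessible IS FALSE THEN 'ok' ELSE 'alarm'`, with the reason CASE inverted the same way. The same fail-open shape appears in the dms_9 hunk (`ssl_mode = 'none'`, NULL → ok), the dynamodb_2 hunk (`LOWER(... ->> 'PointInTimeRecoveryStatus') = 'disabled'`, missing description → ok) and the ec2_1 hunk (NULL `create_volume_permissions` → ok). Whether these columns can actually be NULL depends on the collector and is not visible here, so it may be worth a one-line comment in each definition stating the intended NULL outcome.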
diff --git a/compliance/controls/aws/aws_foundational_security_dms_6.yaml b/compliance/controls/aws/aws_foundational_security_dms_6.yaml index 8501be8f6..2308854da 100644 --- a/compliance/controls/aws/aws_foundational_security_dms_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_6.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_dms_6 title: 6 DMS replication instances should have automatic minor version upgrade enabled +type: control description: This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_replication_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrade enabled.' - ELSE title || ' automatic minor version upgrade disabled.' - END AS reason - FROM - aws_dms_replication_instance; + language: sql + primary_resource: aws_dms_replication_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrade enabled.' + ELSE title || ' automatic minor version upgrade disabled.' + END AS reason + FROM + aws_dms_replication_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_dms_8.yaml b/compliance/controls/aws/aws_foundational_security_dms_8.yaml index 39110ee24..05f107a43 100644 
--- a/compliance/controls/aws/aws_foundational_security_dms_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_8.yaml 
@@ -1,43 +1,44 @@ id: aws_foundational_security_dms_8 title: 8 DMS replication tasks for the source database should have logging enabled +type: control description: This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_replication_task - definition: | - WITH replication_task_logging AS ( - SELECT - arn, - BOOL_OR(o ->> 'Id' = 'SOURCE_CAPTURE' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS capture_logging_enabled, - BOOL_OR(o ->> 'Id' = 'SOURCE_UNLOAD' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS unload_logging_enabled - FROM - aws_dms_replication_task, - JSONB_ARRAY_ELEMENTS(replication_task_settings -> 'Logging' -> 'LogComponents') AS o - GROUP BY - arn - ) - SELECT - t.arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AS logging_enabled, - CASE - WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL - AND l.capture_logging_enabled - AND l.unload_logging_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL - AND l.capture_logging_enabled - AND l.unload_logging_enabled THEN title || ' source database logging enabled.' - ELSE title || ' source database logging disabled.' 
- END AS reason - FROM - aws_dms_replication_task AS t - LEFT JOIN replication_task_logging AS l ON l.arn = t.arn; + language: sql + primary_resource: aws_dms_replication_task + definition: | + WITH replication_task_logging AS ( + SELECT + arn, + BOOL_OR(o ->> 'Id' = 'SOURCE_CAPTURE' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS capture_logging_enabled, + BOOL_OR(o ->> 'Id' = 'SOURCE_UNLOAD' AND o ->> 'Severity' IN ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')) AS unload_logging_enabled + FROM + aws_dms_replication_task, + JSONB_ARRAY_ELEMENTS(replication_task_settings -> 'Logging' -> 'LogComponents') AS o + GROUP BY + arn + ) + SELECT + t.arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL AS logging_enabled, + CASE + WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL + AND l.capture_logging_enabled + AND l.unload_logging_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (replication_task_settings -> 'Logging' ->> 'EnableLogging')::BOOL + AND l.capture_logging_enabled + AND l.unload_logging_enabled THEN title || ' source database logging enabled.' + ELSE title || ' source database logging disabled.' + END AS reason + FROM + aws_dms_replication_task AS t + LEFT JOIN replication_task_logging AS l ON l.arn = t.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_dms_9.yaml b/compliance/controls/aws/aws_foundational_security_dms_9.yaml index 371ee0a83..40e2a0739 100644 --- a/compliance/controls/aws/aws_foundational_security_dms_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_9.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_dms_9 title: 9 DMS endpoints should use SSL +type: control description: This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dms_endpoint - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_mode = 'none' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_mode = 'none' THEN title || ' SSL not configured.' - ELSE title || ' SSL configured.' - END AS reason - FROM - aws_dms_endpoint; + language: sql + primary_resource: aws_dms_endpoint + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_mode = 'none' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_mode = 'none' THEN title || ' SSL not configured.' + ELSE title || ' SSL configured.' + END AS reason + FROM + aws_dms_endpoint; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_docdb_1.yaml b/compliance/controls/aws/aws_foundational_security_docdb_1.yaml index 6ee336ebc..88220669d 100644 --- a/compliance/controls/aws/aws_foundational_security_docdb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_docdb_1 title: 1 Amazon DocumentDB clusters should be encrypted at rest +type: control description: This control checks whether an Amazon DocumentDB cluster is encrypted at rest. The control fails if an Amazon DocumentDB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_docdb_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_docdb_2.yaml b/compliance/controls/aws/aws_foundational_security_docdb_2.yaml index 2f55bc11b..8e1aaa27a 100644 --- a/compliance/controls/aws/aws_foundational_security_docdb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_2.yaml 
@@ -1,23 +1,24 @@ id: aws_foundational_security_docdb_2 title: 2 Amazon DocumentDB clusters should have an adequate backup retention period +type: control description: This control checks whether an Amazon DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' backup retention period is ' || backup_retention_period || ' day(s).' AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' backup retention period is ' || backup_retention_period || ' day(s).' AS reason + FROM + aws_docdb_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_docdb_4.yaml b/compliance/controls/aws/aws_foundational_security_docdb_4.yaml index 08625d688..d0de34544 100644 --- a/compliance/controls/aws/aws_foundational_security_docdb_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_4.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_docdb_4 title: 4 Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs +type: control description: This control checks whether an Amazon DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if the cluster doesn't publish audit logs to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster_instance - definition: | - SELECT - db_instance_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - engine, - CASE - WHEN engine LIKE 'docdb' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'slowquery'] THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine LIKE 'docdb' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'slowquery'] - THEN title || ' ' || engine || ' logging enabled.' - ELSE title || ' logging not enabled.' - END AS reason - FROM - aws_docdb_cluster_instance; + language: sql + primary_resource: aws_docdb_cluster_instance + definition: | + SELECT + db_instance_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + engine, + CASE + WHEN engine LIKE 'docdb' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'slowquery'] THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine LIKE 'docdb' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'slowquery'] + THEN title || ' ' || engine || ' logging enabled.' + ELSE title || ' logging not enabled.' + END AS reason + FROM + aws_docdb_cluster_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_docdb_5.yaml b/compliance/controls/aws/aws_foundational_security_docdb_5.yaml index 7fc39909c..a42f87f40 100644 --- a/compliance/controls/aws/aws_foundational_security_docdb_5.yaml 
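Review bot: The log-type test `enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'slowquery']` does not match what the title and description say the control checks, namely audit logs; `error` and `slowquery` are RDS export types, while DocumentDB's exportable types are `audit` and `profiler`, so if the collector stores the API values verbatim every instance would evaluate to `alarm`. Suggest `enabled_cloudwatch_logs_exports ? 'audit'` in both CASE expressions, which also keeps the check aligned with the control's stated purpose. `engine LIKE 'docdb'` carries no wildcard and reads more clearly as `engine = 'docdb'`.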
+++ b/compliance/controls/aws/aws_foundational_security_docdb_5.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_docdb_5 title: 5 Amazon DocumentDB clusters should have deletion protection enabled +type: control description: This control checks whether an Amazon DocumentDB cluster has deletion protection enabled. The control fails if the cluster doesn't have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_docdb_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_docdb_cluster; + language: sql + primary_resource: aws_docdb_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_docdb_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml index 8b70de7ef..19a0785c4 100644 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml 
@@ -1,44 +1,45 @@ id: aws_foundational_security_dynamodb_1 title: 1 DynamoDB tables should automatically scale capacity with demand +type: control description: This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH table_with_autocaling AS ( - SELECT - t.resource_id AS resource_id, - COUNT(t.resource_id) AS count - FROM - aws_appautoscaling_target AS t - WHERE - service_namespace = 'dynamodb' - GROUP BY - t.resource_id - ) - SELECT - d.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN 'ok' - WHEN t.resource_id IS NULL THEN 'alarm' - WHEN t.count < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN d.title || ' on-demand mode enabled.' - WHEN t.resource_id IS NULL THEN d.title || ' autoscaling not enabled.' - WHEN t.count < 2 THEN d.title || ' auto scaling not enabled for both read and write capacity.' - ELSE d.title || ' autoscaling enabled for both read and write capacity.' 
- END AS reason - FROM - aws_dynamodb_table AS d - LEFT JOIN - table_with_autocaling AS t - ON CONCAT('table/', d.name) = t.resource_id; + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH table_with_autocaling AS ( + SELECT + t.resource_id AS resource_id, + COUNT(t.resource_id) AS count + FROM + aws_appautoscaling_target AS t + WHERE + service_namespace = 'dynamodb' + GROUP BY + t.resource_id + ) + SELECT + d.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN 'ok' + WHEN t.resource_id IS NULL THEN 'alarm' + WHEN t.count < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN d.billing_mode = 'PAY_PER_REQUEST' THEN d.title || ' on-demand mode enabled.' + WHEN t.resource_id IS NULL THEN d.title || ' autoscaling not enabled.' + WHEN t.count < 2 THEN d.title || ' auto scaling not enabled for both read and write capacity.' + ELSE d.title || ' autoscaling enabled for both read and write capacity.' + END AS reason + FROM + aws_dynamodb_table AS d + LEFT JOIN + table_with_autocaling AS t + ON CONCAT('table/', d.name) = t.resource_id; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml index 435ffe1e6..68e5b3bbf 100644 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml 
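Review bot: The join `ON CONCAT('table/', d.name) = t.resource_id` is keyed on the table name alone, so scaling targets from another account or region that happen to use the same table name are matched and counted; a table with no autoscaling can then reach `t.count >= 2` from a namesake elsewhere and be reported as `ok`. Scoping the CTE and the join on account and region closes this, assuming `aws_appautoscaling_target` exposes `account_id`/`region` like the other tables used in these controls. The CTE name `table_with_autocaling` is also misspelled; `table_with_autoscaling` in both places would help grep-ability.

```sql
WITH table_with_autocaling AS (
    SELECT
        t.resource_id AS resource_id,
        t.account_id,
        t.region,
        COUNT(t.resource_id) AS count
    FROM
        aws_appautoscaling_target AS t
    WHERE
        service_namespace = 'dynamodb'
    GROUP BY
        t.resource_id,
        t.account_id,
        t.region
)
-- … unchanged: SELECT list with status and reason CASEs …
FROM
    aws_dynamodb_table AS d
LEFT JOIN
    table_with_autocaling AS t
    ON CONCAT('table/', d.name) = t.resource_id
    AND t.account_id = d.account_id
    AND t.region = d.region;
```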
@@ -1,26 +1,27 @@ id: aws_foundational_security_dynamodb_2 title: 2 DynamoDB tables should have point-in-time recovery enabled +type: control description: This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN title || ' point-in-time recovery not enabled.' - ELSE title || ' point-in-time recovery enabled.' - END AS reason - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus') = 'disabled' THEN title || ' point-in-time recovery not enabled.' + ELSE title || ' point-in-time recovery enabled.' + END AS reason + FROM + aws_dynamodb_table; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml index cd435ad1d..60a2e6f9b 100644 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_dynamodb_3 title: 3 DynamoDB Accelerator (DAX) clusters should be encrypted at rest +type: control description: This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dax_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN sse_description ->> 'Status' = 'ENABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sse_description ->> 'Status' = 'ENABLED' THEN title || ' encryption at rest enabled.' - ELSE title || ' encryption at rest not enabled.' - END AS reason - FROM - aws_dax_cluster; + language: sql + primary_resource: aws_dax_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN sse_description ->> 'Status' = 'ENABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sse_description ->> 'Status' = 'ENABLED' THEN title || ' encryption at rest enabled.' + ELSE title || ' encryption at rest not enabled.' + END AS reason + FROM + aws_dax_cluster; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml index 9ded11125..527c2fa32 100644 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_dynamodb_6 title: 6 DynamoDB tables should have deletion protection enabled +type: control description: This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection_enabled THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_dynamodb_table; + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection_enabled THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_dynamodb_table; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_1.yaml b/compliance/controls/aws/aws_foundational_security_ec2_1.yaml index 0a09713b6..c5d60971c 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_1 title: 1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone +type: control description: Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' - ELSE title || ' is not publicly restorable.' - END AS reason - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' 
+ ELSE title || ' is not publicly restorable.' + END AS reason + FROM + aws_ebs_snapshot; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_15.yaml b/compliance/controls/aws/aws_foundational_security_ec2_15.yaml index be3c9ab47..94478384e 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_15.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_15.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_15 title: 15 EC2 subnets should not automatically assign public IP addresses +type: control description: This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_subnet - definition: | - SELECT - subnet_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN map_public_ip_on_launch = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN map_public_ip_on_launch = 'false' THEN title || ' auto assign public IP disabled.' - ELSE title || ' auto assign public IP enabled.' - END AS reason - FROM - aws_vpc_subnet; + language: sql + primary_resource: aws_vpc_subnet + definition: | + SELECT + subnet_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN map_public_ip_on_launch = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN map_public_ip_on_launch = 'false' THEN title || ' auto assign public IP disabled.' + ELSE title || ' auto assign public IP enabled.' + END AS reason + FROM + aws_vpc_subnet; severity: medium tags: {} 
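Review bot: The public-snapshot test `create_volume_permissions @> '[{"Group": "all", "UserId": null}]'` only matches permission entries that carry an explicit `"UserId": null`; jsonb containment requires every key of the pattern to be present in the contained element, so an entry stored as `{"Group": "all"}` does not match and a publicly restorable snapshot is reported as `ok`. Unless the collector is known to always emit the `UserId` key, `create_volume_permissions @> '[{"Group": "all"}]'` in both CASE expressions is the safer predicate, since it matches either shape. Given this control is rated critical, a short comment above the CASE stating the expected element shape would let the next maintainer verify it against the collector.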
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_16.yaml b/compliance/controls/aws/aws_foundational_security_ec2_16.yaml index be110274d..b11557fb1 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_16.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_16.yaml @@ -1,28 +1,29 @@ id: aws_foundational_security_ec2_16 title: 16 Unused network access control lists should be removed +type: control description: This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - SELECT - network_acl_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(associations) >= 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(associations) >= 1 THEN - title || ' associated with subnet.' - ELSE - title || ' not associated with subnet.' - END AS reason - FROM - aws_vpc_network_acl; + language: sql + primary_resource: aws_vpc_network_acl + definition: | + SELECT + network_acl_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(associations) >= 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(associations) >= 1 THEN + title || ' associated with subnet.' + ELSE + title || ' not associated with subnet.' + END AS reason + FROM + aws_vpc_network_acl; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_17.yaml b/compliance/controls/aws/aws_foundational_security_ec2_17.yaml index 1d5244f05..d32594204 100644 
--- a/compliance/controls/aws/aws_foundational_security_ec2_17.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_17.yaml @@ -1,23 +1,24 @@ id: aws_foundational_security_ec2_17 title: 17 EC2 instances should not use multiple ENIs +type: control description: This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(network_interfaces) = 1 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.' AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(network_interfaces) = 1 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.' AS reason + FROM + aws_ec2_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_18.yaml b/compliance/controls/aws/aws_foundational_security_ec2_18.yaml index 03f4c77da..4b5052794 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_18.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_18.yaml 
@@ -1,40 +1,41 @@ id: aws_foundational_security_ec2_18 title: 18 Security groups should only allow unrestricted incoming traffic for authorized ports +type: control description: This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_unauthorized_ports AS ( - SELECT - group_id, - COUNT(*) - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND (from_port IS NULL OR from_port NOT IN (80, 443)) - GROUP BY - group_id - ) - SELECT - sg.arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_unauthorized_ports.count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ingress_unauthorized_ports.count > 0 THEN sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 ' - ELSE sg.title || ' allows unrestricted incoming traffic for authorized default ports (80, 443).' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_unauthorized_ports ON ingress_unauthorized_ports.group_id = sg.group_id; + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_unauthorized_ports AS ( + SELECT + group_id, + COUNT(*) + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND (from_port IS NULL OR from_port NOT IN (80, 443)) + GROUP BY + group_id + ) + SELECT + sg.arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_unauthorized_ports.count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ingress_unauthorized_ports.count > 0 THEN sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 ' + ELSE sg.title || ' allows unrestricted incoming traffic for authorized default ports (80, 443).' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_unauthorized_ports ON ingress_unauthorized_ports.group_id = sg.group_id; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_19.yaml b/compliance/controls/aws/aws_foundational_security_ec2_19.yaml index dbc0a39ea..78f24d1f7 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_19.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_19.yaml 
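Review bot: The authorized-port test in the `ingress_unauthorized_ports` CTE looks only at `from_port`, so a rule opening 80–8080 or 443–65535 from 0.0.0.0/0 is treated as authorized because its lower bound happens to be 80 or 443. A rule should count as authorized only when it covers exactly one of the two ports: `AND (from_port IS NULL OR from_port <> to_port OR from_port NOT IN (80, 443))`. Only `cidr_ipv4` is examined, so an equivalent IPv6 any-source rule is not counted; if the rule table exposes an IPv6 CIDR column, the filter should cover it too. As a point of style, `COUNT(*)` in the CTE is unnamed and the outer query relies on the engine-assigned column name `count`; `COUNT(*) AS unauthorized_rule_count` would make `ingress_unauthorized_ports.count > 0` self-describing — the same applies to `COUNT(t ->> 'Status')` and `b.count` in the ec2_20 hunk.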
@@ -1,61 +1,62 @@ id: aws_foundational_security_ec2_19 title: 19 Security groups should not allow unrestricted access to ports with high risk +type: control description: This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - OR (from_port >= 3389 AND to_port <= 3389) - OR (from_port >= 21 AND to_port <= 21) - OR (from_port >= 20 AND to_port <= 20) - OR (from_port >= 3306 AND to_port <= 3306) - OR (from_port >= 4333 AND to_port <= 4333) - OR (from_port >= 23 AND to_port <= 23) - OR (from_port >= 25 AND to_port <= 25) - OR (from_port >= 445 AND to_port <= 445) - OR (from_port >= 110 AND to_port <= 110) - OR (from_port >= 135 AND to_port <= 135) - OR (from_port >= 143 AND to_port <= 143) - OR (from_port >= 1433 AND to_port <= 3389) - OR (from_port >= 3389 AND to_port <= 1434) - OR (from_port >= 5432 AND to_port <= 5432) - OR (from_port >= 5500 AND to_port <= 5500) - OR (from_port >= 5601 AND to_port <= 5601) - OR (from_port >= 9200 AND to_port <= 9300) - OR (from_port >= 8080 AND to_port <= 8080) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 22 AND 
to_port <= 22) + OR (from_port >= 3389 AND to_port <= 3389) + OR (from_port >= 21 AND to_port <= 21) + OR (from_port >= 20 AND to_port <= 20) + OR (from_port >= 3306 AND to_port <= 3306) + OR (from_port >= 4333 AND to_port <= 4333) + OR (from_port >= 23 AND to_port <= 23) + OR (from_port >= 25 AND to_port <= 25) + OR (from_port >= 445 AND to_port <= 445) + OR (from_port >= 110 AND to_port <= 110) + OR (from_port >= 135 AND to_port <= 135) + OR (from_port >= 143 AND to_port <= 143) + OR (from_port >= 1433 AND to_port <= 3389) + OR (from_port >= 3389 AND to_port <= 1434) + OR (from_port >= 5432 AND to_port <= 5432) + OR (from_port >= 5500 AND to_port <= 5500) + OR (from_port >= 5601 AND to_port <= 5601) + OR (from_port >= 9200 AND to_port <= 9300) + OR (from_port >= 8080 AND to_port <= 8080) ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' - END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' 
+ END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_2.yaml b/compliance/controls/aws/aws_foundational_security_ec2_2.yaml index 93f64e31c..d57bce51c 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_2.yaml 
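Review bot: Every per-port predicate in `ingress_ssh_rules` is written as `from_port >= X AND to_port <= X`, which is true only for a rule whose range is exactly X–X, so a rule opening 0–65535 or 20–25 from 0.0.0.0/0 is never counted even though it exposes the listed ports; the test for "range covers port" is `from_port <= X AND to_port >= X`. Two entries are also mistyped: `(from_port >= 1433 AND to_port <= 3389)` flags any range lying between 1433 and 3389, and `(from_port >= 3389 AND to_port <= 1434)` can never be true, so 1434 is effectively unchecked — both presumably meant 1433 and 1434 on their own. The rewrite below replaces the OR chain with one overlap test over a port list; it keeps 9200 and 9300 as individual ports, so if the whole 9200–9300 range was intended that entry should instead read `from_port <= 9300 AND to_port >= 9200`. Like the ec2_18 hunk, only `cidr_ipv4` is examined, so an IPv6 any-source rule is not counted.
```sql
WHERE
  type = 'ingress'
  AND cidr_ipv4 = '0.0.0.0/0'
  AND (
    (ip_protocol = '-1' AND from_port IS NULL)
    -- a rule is flagged when its port range covers a listed port, not only when it equals it
    OR EXISTS (
      SELECT 1
      FROM unnest(ARRAY[20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434,
                        3306, 3389, 4333, 5432, 5500, 5601, 8080, 9200, 9300]) AS p(port)
      WHERE from_port <= p.port AND to_port >= p.port
    )
  )
-- … unchanged: GROUP BY group_id and the outer SELECT …
```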
@@ -1,33 +1,34 @@ id: aws_foundational_security_ec2_2 title: 2 VPC default security groups should not allow inbound or outbound traffic +type: control description: This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) > 0 - THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' - WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) = 0 - THEN 'Default security group ' || group_id || ' has inbound rules.' - WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) > 0 - THEN 'Default security group ' || group_id || ' has outbound rules.' - ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- END AS reason - FROM - aws_vpc_security_group - WHERE - group_name = 'default'; + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) > 0 + THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' + WHEN jsonb_array_length(ip_permissions) > 0 AND jsonb_array_length(ip_permissions_egress) = 0 + THEN 'Default security group ' || group_id || ' has inbound rules.' + WHEN jsonb_array_length(ip_permissions) = 0 AND jsonb_array_length(ip_permissions_egress) > 0 + THEN 'Default security group ' || group_id || ' has outbound rules.' + ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' + END AS reason + FROM + aws_vpc_security_group + WHERE + group_name = 'default'; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_20.yaml b/compliance/controls/aws/aws_foundational_security_ec2_20.yaml index dee0c3a1b..69c5ebcc8 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_20.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_20.yaml 
@@ -1,43 +1,44 @@ id: aws_foundational_security_ec2_20 title: 20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up +type: control description: This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The control fails if one or both tunnels are in DOWN status. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_vpn_connection - definition: | - WITH filter_data AS ( - SELECT - arn, - COUNT(t ->> 'Status') - FROM - aws_vpc_vpn_connection, - jsonb_array_elements(vgw_telemetry) AS t - WHERE - t ->> 'Status' = 'UP' - GROUP BY - arn - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.count IS NULL OR b.count < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.count IS NULL THEN a.title || ' has both tunnels offline.' - WHEN b.count = 1 THEN a.title || ' has one tunnel offline.' - ELSE a.title || ' has both tunnels online.' - END AS reason - FROM - aws_vpc_vpn_connection AS a - LEFT JOIN - filter_data AS b - ON - a.arn = b.arn; + language: sql + primary_resource: aws_vpc_vpn_connection + definition: | + WITH filter_data AS ( + SELECT + arn, + COUNT(t ->> 'Status') + FROM + aws_vpc_vpn_connection, + jsonb_array_elements(vgw_telemetry) AS t + WHERE + t ->> 'Status' = 'UP' + GROUP BY + arn + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.count IS NULL OR b.count < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.count IS NULL THEN a.title || ' has both tunnels offline.' + WHEN b.count = 1 THEN a.title || ' has one tunnel offline.' + ELSE a.title || ' has both tunnels online.' + END AS reason + FROM + aws_vpc_vpn_connection AS a + LEFT JOIN + filter_data AS b + ON + a.arn = b.arn; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_23.yaml b/compliance/controls/aws/aws_foundational_security_ec2_23.yaml index 739909fe4..842032271 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_23.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_23.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_23 title: 23 EC2 Transit Gateways should not automatically accept VPC attachment requests +type: control description: This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_transit_gateway - definition: | - SELECT - transit_gateway_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_accept_shared_attachments = 'enable' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN auto_accept_shared_attachments = 'enable' THEN title || ' automatic shared account attachment enabled.' - ELSE title || ' automatic shared account attachment disabled.' - END AS reason - FROM - aws_ec2_transit_gateway; + language: sql + primary_resource: aws_ec2_transit_gateway + definition: | + SELECT + transit_gateway_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_accept_shared_attachments = 'enable' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN auto_accept_shared_attachments = 'enable' THEN title || ' automatic shared account attachment enabled.' + ELSE title || ' automatic shared account attachment disabled.' + END AS reason + FROM + aws_ec2_transit_gateway; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_24.yaml b/compliance/controls/aws/aws_foundational_security_ec2_24.yaml index 53d03b8b0..f03bc81bb 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_24.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_24.yaml @@ -1,23 +1,24 @@ id: aws_foundational_security_ec2_24 title: 24 Paravirtual EC2 instance types should not be used +type: control description: This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN virtualization_type = 'paravirtual' THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' virtualization type is ' || virtualization_type || '.' AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN virtualization_type = 'paravirtual' THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' virtualization type is ' || virtualization_type || '.' AS reason + FROM + aws_ec2_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_3.yaml b/compliance/controls/aws/aws_foundational_security_ec2_3.yaml index 8fc5633c0..abeb6ea3b 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_3.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_ec2_3 title: 3 Attached EBS volumes should be encrypted at rest +type: control description: This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state != 'in-use' THEN 'skip' - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state != 'in-use' THEN volume_id || ' not attached.' - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state != 'in-use' THEN 'skip' + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state != 'in-use' THEN volume_id || ' not attached.' + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason + FROM + aws_ebs_volume; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ec2_4.yaml b/compliance/controls/aws/aws_foundational_security_ec2_4.yaml index a3f25a6cc..9c54ce131 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_4.yaml 
@@ -1,27 +1,28 @@ id: aws_foundational_security_ec2_4 title: 4 Stopped EC2 instances should be removed after a specified time period +type: control description: This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' - WHEN state_transition_time <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' - ELSE title || ' stopped since ' || TO_CHAR(state_transition_time , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - state_transition_time) || ' days).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN 'skip' + WHEN state_transition_time <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN instance_state NOT IN ('stopped', 'stopping') THEN title || ' is in ' || instance_state || ' state.' + ELSE title || ' stopped since ' || TO_CHAR(state_transition_time , 'DD-Mon-YYYY') || ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - state_transition_time) || ' days).' + END AS reason + FROM + aws_ec2_instance; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_51.yaml b/compliance/controls/aws/aws_foundational_security_ec2_51.yaml index 548a2816e..cf2fd6f6e 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_51.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_51.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_51 title: 51 EC2 Client VPN endpoints should have client connection logging enabled +type: control description: This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_client_vpn_endpoint - definition: | - SELECT - client_vpn_endpoint_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (connection_log_options ->> 'Enabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (connection_log_options ->> 'Enabled')::bool THEN title || ' client connection logging enabled.' - ELSE title || ' client connection logging disabled.' - END AS reason - FROM - aws_ec2_client_vpn_endpoint; + language: sql + primary_resource: aws_ec2_client_vpn_endpoint + definition: | + SELECT + client_vpn_endpoint_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (connection_log_options ->> 'Enabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (connection_log_options ->> 'Enabled')::bool THEN title || ' client connection logging enabled.' + ELSE title || ' client connection logging disabled.' + END AS reason + FROM + aws_ec2_client_vpn_endpoint; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_7.yaml b/compliance/controls/aws/aws_foundational_security_ec2_7.yaml index 7036a3503..e62479f28 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_7.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_7 title: 7 EBS default encryption should be enabled +type: control description: This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store (Amazon EBS). The control fails if the account level encryption is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_regional_settings - definition: | - SELECT - 'arn:' || partition || '::' || region || ':' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT default_ebs_encryption_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT default_ebs_encryption_enabled THEN region || ' default EBS encryption disabled.' - ELSE region || ' default EBS encryption enabled.' - END AS reason - FROM - aws_ec2_regional_settings; + language: sql + primary_resource: aws_ec2_regional_settings + definition: | + SELECT + 'arn:' || partition || '::' || region || ':' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT default_ebs_encryption_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT default_ebs_encryption_enabled THEN region || ' default EBS encryption disabled.' + ELSE region || ' default EBS encryption enabled.' + END AS reason + FROM + aws_ec2_regional_settings; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_8.yaml b/compliance/controls/aws/aws_foundational_security_ec2_8.yaml index 62bad28af..a793c4455 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_8.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_8 title: 8 EC2 instances should use IMDSv2 +type: control description: This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' + ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' + END AS reason + FROM + aws_ec2_instance; severity: high tags: {} 
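Review bot: The status CASE alarms only on the literal value `'optional'` and treats every other outcome as `'ok'`, so an instance whose `metadata_options` is NULL or lacks the `HttpTokens` key is reported as IMDSv2-compliant without evidence. The check should be positive: `WHEN metadata_options ->> 'HttpTokens' = 'required' THEN 'ok' ELSE 'alarm'`, with the reason CASE updated to match. If the column also carries the `HttpEndpoint` key, an instance with the endpoint disabled could be given an explicit `'ok'` branch first so it is not flagged for a token mode that cannot be reached.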
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_9.yaml b/compliance/controls/aws/aws_foundational_security_ec2_9.yaml index 3e3b4203c..17b7d32c2 100644 --- a/compliance/controls/aws/aws_foundational_security_ec2_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_9.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_ec2_9 title: 9 EC2 instances should not have a public IP address +type: control description: This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN public_ip_address IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' - ELSE instance_id || ' publicly accessible.' - END AS reason - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN public_ip_address IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' + ELSE instance_id || ' publicly accessible.' + END AS reason + FROM + aws_ec2_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ecr_1.yaml b/compliance/controls/aws/aws_foundational_security_ecr_1.yaml index 23ccf8686..3b12410e7 100644 --- a/compliance/controls/aws/aws_foundational_security_ecr_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_ecr_1.yaml 
@@ -1,40 +1,41 @@ id: aws_foundational_security_ecr_1 title: 1 ECR private repositories should have image scanning configured +type: control description: This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - WITH check_enhanced_scanning AS ( - SELECT - registry_id, - region - FROM - aws_ecr_registry_scanning_configuration, - jsonb_array_elements(scanning_configuration -> 'Rules') AS r - WHERE - r ->> 'ScanFrequency' = 'CONTINUOUS_SCAN' - OR r ->> 'ScanFrequency' = 'SCAN_ON_PUSH' - ) - SELECT - arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' OR s.registry_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' OR s.registry_id IS NOT NULL THEN title || ' scan on push enabled.' - ELSE title || ' scan on push disabled.' 
- END AS reason - FROM - aws_ecr_repository AS r - LEFT JOIN check_enhanced_scanning AS s - ON s.registry_id = r.account_id - AND s.region = r.region; + language: sql + primary_resource: aws_ecr_repository + definition: | + WITH check_enhanced_scanning AS ( + SELECT + registry_id, + region + FROM + aws_ecr_registry_scanning_configuration, + jsonb_array_elements(scanning_configuration -> 'Rules') AS r + WHERE + r ->> 'ScanFrequency' = 'CONTINUOUS_SCAN' + OR r ->> 'ScanFrequency' = 'SCAN_ON_PUSH' + ) + SELECT + arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' OR s.registry_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' OR s.registry_id IS NOT NULL THEN title || ' scan on push enabled.' + ELSE title || ' scan on push disabled.' + END AS reason + FROM + aws_ecr_repository AS r + LEFT JOIN check_enhanced_scanning AS s + ON s.registry_id = r.account_id + AND s.region = r.region; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ecr_2.yaml b/compliance/controls/aws/aws_foundational_security_ecr_2.yaml index 4f731b21d..8dd614b51 100644 --- a/compliance/controls/aws/aws_foundational_security_ecr_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_ecr_2.yaml 
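Review bot: `check_enhanced_scanning` returns one row per matching rule, not one per registry/region, so a registry scanning configuration with more than one CONTINUOUS_SCAN or SCAN_ON_PUSH rule produces duplicate result rows for every repository through the LEFT JOIN; `SELECT DISTINCT registry_id, region` in the CTE removes the multiplication. The CTE also treats any such rule as covering every repository in the registry, which is only accurate if the rule carries no repository filters — worth confirming against the `Rules` payload. As a point of style, the inner alias `r` for the unnested rule shadows the outer `r` for `aws_ecr_repository`; `jsonb_array_elements(scanning_configuration -> 'Rules') AS scan_rule` avoids the double meaning.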
@@ -1,26 +1,27 @@ id: aws_foundational_security_ecr_2 title: 2 ECR private repositories should have tag immutability configured +type: control description: This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN image_tag_mutability = 'IMMUTABLE' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN image_tag_mutability = 'IMMUTABLE' THEN title || ' tag immutability enabled.' - ELSE title || ' tag immutability disabled.' - END AS reason - FROM - aws_ecr_repository; + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN image_tag_mutability = 'IMMUTABLE' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN image_tag_mutability = 'IMMUTABLE' THEN title || ' tag immutability enabled.' + ELSE title || ' tag immutability disabled.' + END AS reason + FROM + aws_ecr_repository; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ecr_3.yaml b/compliance/controls/aws/aws_foundational_security_ecr_3.yaml index 6862fb91b..03be82887 100644 --- a/compliance/controls/aws/aws_foundational_security_ecr_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_ecr_3.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_ecr_3 title: 3 ECR repositories should have at least one lifecycle policy configured +type: control description: This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN title || ' lifecycle policy configured.' - ELSE title || ' lifecycle policy not configured.' - END AS reason - FROM - aws_ecr_repository; + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN lifecycle_policy -> 'rules' IS NOT NULL THEN title || ' lifecycle policy configured.' + ELSE title || ' lifecycle policy not configured.' + END AS reason + FROM + aws_ecr_repository; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_ecs_1.yaml b/compliance/controls/aws/aws_foundational_security_ecs_1.yaml index b09aee644..b5ebfc0e9 100644 --- a/compliance/controls/aws/aws_foundational_security_ecs_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_ecs_1.yaml 
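Review bot: `lifecycle_policy -> 'rules' IS NOT NULL` passes a repository whose policy contains an empty `rules` array, which configures no lifecycle behavior at all. Testing the array length instead, `WHEN jsonb_array_length(lifecycle_policy -> 'rules') > 0 THEN 'ok'`, closes that gap and still alarms when the key is absent, since the length of NULL is NULL. `jsonb_array_length` raises on a non-array value, so if `rules` can ever be something other than an array the test needs a `jsonb_typeof(lifecycle_policy -> 'rules') = 'array'` guard first.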
@@ -1,46 +1,47 @@
id: aws_foundational_security_ecs_1
title: 1 Amazon ECS task definitions should have secure networking modes and user definitions
+type: control
description: This control checks whether an Amazon ECS task definition that has host networking mode also has 'privileged' or 'user' container definitions. The control fails for task definitions that have host network mode and container definitions where privileged
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- WITH host_network_task_definition AS (
- SELECT
- DISTINCT task_definition_arn AS arn
- FROM
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) AS c
- WHERE
- network_mode = 'host'
- AND (
- c ->> 'Privileged' IS NOT NULL
- AND c ->> 'Privileged' <> 'false'
- )
- AND (
- c ->> 'User' IS NOT NULL
- AND c ->> 'User' <> 'root'
- )
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ WITH host_network_task_definition AS (
+ SELECT
+ DISTINCT task_definition_arn AS arn
+ FROM
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) AS c
+ WHERE
+ network_mode = 'host'
+ AND (
+ c ->> 'Privileged' IS NOT NULL
+ AND c ->> 'Privileged' <> 'false'
 )
- SELECT
- a.task_definition_arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN 'skip'
- WHEN b.arn IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN a.title || ' not host network mode.'
- WHEN b.arn IS NOT NULL THEN a.title || ' have secure host network mode.'
- ELSE a.title || ' not have secure host network mode.'
- END AS reason
- FROM
- aws_ecs_task_definition AS a
- LEFT JOIN host_network_task_definition AS b ON a.task_definition_arn = b.arn;
+ AND (
+ c ->> 'User' IS NOT NULL
+ AND c ->> 'User' <> 'root'
+ )
+ )
+ SELECT
+ a.task_definition_arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN 'skip'
+ WHEN b.arn IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN a.title || ' not host network mode.'
+ WHEN b.arn IS NOT NULL THEN a.title || ' have secure host network mode.'
+ ELSE a.title || ' not have secure host network mode.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition AS a
+ LEFT JOIN host_network_task_definition AS b ON a.task_definition_arn = b.arn;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_10.yaml b/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
index 8b87b6e0f..c715390e9 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
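Review bot: The CTE on the new side marks a task definition 'ok' as soon as any single container satisfies the privileged/non-root condition, so a host-network task definition with one compliant container and one root, unprivileged container still passes; the same any-container pattern is in ecs_5 (`ReadonlyRootFilesystem`) and ecs_9 (`LogConfiguration`). Selecting the violating containers instead and alarming on a match makes the control fail-closed, the way ecs_4 and ecs_8 in this same diff already work. The `DISTINCT`/LEFT JOIN shape can stay; only the CTE predicate and the two `b.arn` tests change. Whether "privileged AND non-root" is the intended pass condition (the description speaks of 'privileged' or 'user') is not decidable from the diff, so the rewrite keeps the existing predicate and negates it.
```sql
WITH insecure_host_network_task_definition AS (
  SELECT DISTINCT task_definition_arn AS arn
  FROM aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) AS c
  WHERE network_mode = 'host'
    -- any container failing the existing pass condition taints the whole task definition
    AND NOT (
      c ->> 'Privileged' IS NOT NULL AND c ->> 'Privileged' <> 'false'
      AND c ->> 'User' IS NOT NULL AND c ->> 'User' <> 'root'
    )
)
-- … unchanged: SELECT list up to the status CASE …
    WHEN a.network_mode IS NULL OR a.network_mode <> 'host' THEN 'skip'
    WHEN b.arn IS NULL THEN 'ok'
    ELSE 'alarm'
-- … unchanged: reason CASE, with the same b.arn IS NULL test in its second branch …
  LEFT JOIN insecure_host_network_task_definition AS b ON a.task_definition_arn = b.arn;
```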
@@ -1,28 +1,29 @@
id: aws_foundational_security_ecs_10
title: 10 Fargate services should run on the latest Fargate platform version
+type: control
description: This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_service
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN launch_type <> 'FARGATE' THEN 'skip'
- WHEN platform_version = 'LATEST' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN launch_type <> 'FARGATE' THEN title || ' is ' || launch_type || ' service.'
- WHEN platform_version = 'LATEST' THEN title || ' running on the latest fargate platform version.'
- ELSE title || ' not running on the latest fargate platform version.'
- END AS reason
- FROM
- aws_ecs_service;
+ language: sql
+ primary_resource: aws_ecs_service
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN launch_type <> 'FARGATE' THEN 'skip'
+ WHEN platform_version = 'LATEST' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN launch_type <> 'FARGATE' THEN title || ' is ' || launch_type || ' service.'
+ WHEN platform_version = 'LATEST' THEN title || ' running on the latest fargate platform version.'
+ ELSE title || ' not running on the latest fargate platform version.'
+ END AS reason
+ FROM
+ aws_ecs_service;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_12.yaml b/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
index e4d757e0a..40732222b 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
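Review bot: `launch_type <> 'FARGATE'` does not skip a service whose launch_type is NULL, which is what ECS reports for services placed through a capacity provider strategy rather than a launch type; such a service falls through to the `platform_version = 'LATEST'` test and, on an EC2 capacity provider, is reported 'alarm' with a Fargate-specific reason. The NULL guard already used in ecs_1 fits here, `WHEN launch_type IS NULL OR launch_type <> 'FARGATE' THEN 'skip'` in both CASE expressions, at the cost of also skipping Fargate capacity-provider services; if those must be checked, the capacity provider name is the signal, and this query does not read it. Whether the collector actually leaves the column NULL in that case is not visible from the diff.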
@@ -1,27 +1,28 @@
id: aws_foundational_security_ecs_12
title: 12 ECS clusters should have Container Insights enabled
+type: control
description: This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_cluster
- definition: |
- SELECT
- cluster_arn AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN title || ' Container Insights enabled.'
- ELSE title || ' Container Insights disabled.'
- END AS reason
- FROM
- aws_ecs_cluster AS c,
- jsonb_array_elements(settings) AS s;
+ language: sql
+ primary_resource: aws_ecs_cluster
+ definition: |
+ SELECT
+ cluster_arn AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' THEN title || ' Container Insights enabled.'
+ ELSE title || ' Container Insights disabled.'
+ END AS reason
+ FROM
+ aws_ecs_cluster AS c,
+ jsonb_array_elements(settings) AS s;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_2.yaml b/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
index 931f28c77..4b30da0f9 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
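Review bot: Unnesting `settings` with a cross join yields one result row per setting entry, so a cluster with any setting other than `containerInsights` emits an extra 'alarm' row even when Container Insights is enabled, and a cluster whose `settings` array is empty produces no row at all and silently drops out of the control. A containment test on the jsonb column gives exactly one row per cluster: `WHEN settings @> '[{"Name": "containerInsights", "Value": "enabled"}]' THEN 'ok'` in both CASE expressions, with `FROM aws_ecs_cluster AS c;` and the `jsonb_array_elements(settings) AS s` source removed. The `@>` operator is already used this way in the eks_8 definition in this diff.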
@@ -1,41 +1,42 @@
id: aws_foundational_security_ecs_2
title: 2 Amazon ECS services should not have public IP addresses assigned to them automatically
+type: control
description: This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is ENABLED. This control passes if AssignPublicIP is DISABLED.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_service
- definition: |
- WITH service_awsvpc_mode_task_definition AS (
- SELECT
- a.service_name AS service_name,
- b.task_definition_arn AS task_definition
- FROM
- aws_ecs_service AS a
- LEFT JOIN aws_ecs_task_definition AS b
- ON a.task_definition = b.task_definition_arn
- WHERE
- b.network_mode = 'awsvpc'
- )
- SELECT
- a.arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.service_name IS NULL THEN 'skip'
- WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.service_name IS NULL THEN a.title || ' task definition not host network mode.'
- WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN a.title || ' not publicly accessible.'
- ELSE a.title || ' publicly accessible.'
- END AS reason
- FROM
- aws_ecs_service AS a
- LEFT JOIN service_awsvpc_mode_task_definition AS b
- ON a.service_name = b.service_name;
+ language: sql
+ primary_resource: aws_ecs_service
+ definition: |
+ WITH service_awsvpc_mode_task_definition AS (
+ SELECT
+ a.service_name AS service_name,
+ b.task_definition_arn AS task_definition
+ FROM
+ aws_ecs_service AS a
+ LEFT JOIN aws_ecs_task_definition AS b
+ ON a.task_definition = b.task_definition_arn
+ WHERE
+ b.network_mode = 'awsvpc'
+ )
+ SELECT
+ a.arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.service_name IS NULL THEN 'skip'
+ WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.service_name IS NULL THEN a.title || ' task definition not host network mode.'
+ WHEN network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' THEN a.title || ' not publicly accessible.'
+ ELSE a.title || ' publicly accessible.'
+ END AS reason
+ FROM
+ aws_ecs_service AS a
+ LEFT JOIN service_awsvpc_mode_task_definition AS b
+ ON a.service_name = b.service_name;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_3.yaml b/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
index a1a21e980..284bbe9a7 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
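Review bot: The outer LEFT JOIN matches on `a.service_name = b.service_name` alone, but ECS service names are unique only within a cluster and this table spans integrations, so two services with the same name in different clusters or accounts take each other's awsvpc determination and can be skipped or alarmed on the wrong task definition; joining on the service ARN (`a.arn AS service_arn` in the CTE, `ON a.arn = b.service_arn`) keys on the identifier the query already emits as `resource`. The skip reason `' task definition not host network mode.'` also names the wrong mode: the CTE filters on `network_mode = 'awsvpc'`, so `' task definition not awsvpc network mode.'` is what that branch means. The CTE's `WHERE b.network_mode = 'awsvpc'` turns its LEFT JOIN into an inner join, which matches the intent but reads more honestly as `INNER JOIN`.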
@@ -1,26 +1,27 @@
id: aws_foundational_security_ecs_3
title: 3 ECS task definitions should not share the host's process namespace
+type: control
description: This control checks if Amazon ECS task definitions are configured to share a host’s process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- SELECT
- task_definition_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN pid_mode = 'host' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN pid_mode = 'host' THEN title || ' shares the host process namespace.'
- ELSE title || ' does not share the host process namespace.'
- END AS reason
- FROM
- aws_ecs_task_definition;
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ SELECT
+ task_definition_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pid_mode = 'host' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN pid_mode = 'host' THEN title || ' shares the host process namespace.'
+ ELSE title || ' does not share the host process namespace.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_4.yaml b/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
index 7015e0ac4..bd064effc 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
@@ -1,37 +1,38 @@
id: aws_foundational_security_ecs_4
title: 4 ECS containers should run as non-privileged
+type: control
description: This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- WITH privileged_container_definition AS (
- SELECT
- DISTINCT task_definition_arn AS arn
- FROM
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) AS c
- WHERE
- c ->> 'Privileged' = 'true'
- )
- SELECT
- d.task_definition_arn AS resource,
- d.platform_integration_id AS platform_integration_id,
- d.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN c.arn IS NULL THEN d.title || ' does not have elevated privileges.'
- ELSE d.title || ' has elevated privileges.'
- END AS reason
- FROM
- aws_ecs_task_definition AS d
- LEFT JOIN privileged_container_definition AS c
- ON d.task_definition_arn = c.arn;
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ WITH privileged_container_definition AS (
+ SELECT
+ DISTINCT task_definition_arn AS arn
+ FROM
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) AS c
+ WHERE
+ c ->> 'Privileged' = 'true'
+ )
+ SELECT
+ d.task_definition_arn AS resource,
+ d.platform_integration_id AS platform_integration_id,
+ d.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN c.arn IS NULL THEN d.title || ' does not have elevated privileges.'
+ ELSE d.title || ' has elevated privileges.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition AS d
+ LEFT JOIN privileged_container_definition AS c
+ ON d.task_definition_arn = c.arn;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_5.yaml b/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
index 21f0360dc..3e62ea081 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
@@ -1,37 +1,38 @@
id: aws_foundational_security_ecs_5
title: 5 ECS containers should be limited to read-only access to root filesystems
+type: control
description: This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- WITH privileged_container_definition AS (
- SELECT
- DISTINCT task_definition_arn AS arn
- FROM
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) AS c
- WHERE
- c ->> 'ReadonlyRootFilesystem' = 'true'
- )
- SELECT
- d.task_definition_arn AS resource,
- d.platform_integration_id AS platform_integration_id,
- d.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.arn IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN c.arn IS NOT NULL THEN d.title || ' containers limited to read-only access to root filesystems.'
- ELSE d.title || ' containers not limited to read-only access to root filesystems.'
- END AS reason
- FROM
- aws_ecs_task_definition AS d
- LEFT JOIN privileged_container_definition AS c
- ON d.task_definition_arn = c.arn;
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ WITH privileged_container_definition AS (
+ SELECT
+ DISTINCT task_definition_arn AS arn
+ FROM
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) AS c
+ WHERE
+ c ->> 'ReadonlyRootFilesystem' = 'true'
+ )
+ SELECT
+ d.task_definition_arn AS resource,
+ d.platform_integration_id AS platform_integration_id,
+ d.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.arn IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN c.arn IS NOT NULL THEN d.title || ' containers limited to read-only access to root filesystems.'
+ ELSE d.title || ' containers not limited to read-only access to root filesystems.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition AS d
+ LEFT JOIN privileged_container_definition AS c
+ ON d.task_definition_arn = c.arn;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_8.yaml b/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
index 714a2982a..5db800d46 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
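Review bot: The CTE is still named `privileged_container_definition` although its predicate is `c ->> 'ReadonlyRootFilesystem' = 'true'`, a leftover from the ecs_4 definition it was copied from that now mislabels what alias `c` holds in the outer query; `WITH readonly_root_filesystem_container_definition AS (` together with `LEFT JOIN readonly_root_filesystem_container_definition AS c` names the set for what it is. The per-container pass semantics of this CTE (one read-only container makes the whole task definition 'ok') are raised in the ecs_1 note in this diff.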
@@ -1,44 +1,45 @@
id: aws_foundational_security_ecs_8
title: 8 Secrets should not be passed as container environment variables
+type: control
description: This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- WITH definitions_with_secret_environment_variable AS (
- SELECT
- DISTINCT task_definition_arn AS arn
- FROM
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) AS c,
- jsonb_array_elements(c -> 'Environment') AS e,
- jsonb_array_elements(
- CASE jsonb_typeof(c -> 'Secrets')
- WHEN 'array' THEN (c -> 'Secrets')
- ELSE NULL
- END
- ) AS s
- WHERE
- e ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA'])
- OR s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA'])
- )
- SELECT
- d.task_definition_arn AS resource,
- d.platform_integration_id AS platform_integration_id,
- d.platform_resource_id AS platform_resource_id,
- CASE
- WHEN e.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN e.arn IS NULL THEN d.title || ' container environment variables does not have secrets.'
- ELSE d.title || ' container environment variables have secrets.'
- END AS reason
- FROM
- aws_ecs_task_definition AS d
- LEFT JOIN definitions_with_secret_environment_variable AS e ON d.task_definition_arn = e.arn;
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ WITH definitions_with_secret_environment_variable AS (
+ SELECT
+ DISTINCT task_definition_arn AS arn
+ FROM
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) AS c,
+ jsonb_array_elements(c -> 'Environment') AS e,
+ jsonb_array_elements(
+ CASE jsonb_typeof(c -> 'Secrets')
+ WHEN 'array' THEN (c -> 'Secrets')
+ ELSE NULL
+ END
+ ) AS s
+ WHERE
+ e ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA'])
+ OR s ->> 'Name' LIKE ANY (ARRAY ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA'])
+ )
+ SELECT
+ d.task_definition_arn AS resource,
+ d.platform_integration_id AS platform_integration_id,
+ d.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN e.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN e.arn IS NULL THEN d.title || ' container environment variables does not have secrets.'
+ ELSE d.title || ' container environment variables have secrets.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition AS d
+ LEFT JOIN definitions_with_secret_environment_variable AS e ON d.task_definition_arn = e.arn;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_9.yaml b/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
index 95a43777c..f2a215ca8 100644
--- a/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
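Review bot: The CTE cross-joins `jsonb_array_elements(c -> 'Environment')` with the unnested `Secrets` array, so a container that has environment variables but no `Secrets` array (or the reverse) contributes zero rows to the join and its variables are never examined; a task definition that passes `AWS_SECRET_ACCESS_KEY` only through `Environment`, the exact case the description is about, is therefore reported 'ok'. Scanning the two arrays independently and taking the union of offending ARNs checks every container regardless of which arrays it carries, and guarding `Environment` with the same `jsonb_typeof` test already applied to `Secrets` keeps a non-array value from aborting the whole control. `LIKE ANY (ARRAY [...])` with no wildcards is an equality test and reads more plainly as `IN (...)`. The outer SELECT and the LEFT JOIN on `e.arn` are unchanged.
```sql
WITH definitions_with_secret_environment_variable AS (
  SELECT DISTINCT task_definition_arn AS arn
  FROM aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) AS c,
    jsonb_array_elements(
      CASE jsonb_typeof(c -> 'Environment') WHEN 'array' THEN (c -> 'Environment') ELSE NULL END
    ) AS e
  WHERE e ->> 'Name' IN ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA')
  UNION
  SELECT DISTINCT task_definition_arn AS arn
  FROM aws_ecs_task_definition,
    jsonb_array_elements(container_definitions) AS c,
    jsonb_array_elements(
      CASE jsonb_typeof(c -> 'Secrets') WHEN 'array' THEN (c -> 'Secrets') ELSE NULL END
    ) AS s
  WHERE s ->> 'Name' IN ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA')
)
-- … unchanged: outer SELECT, status/reason CASEs, LEFT JOIN on e.arn …
```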
@@ -1,37 +1,38 @@
id: aws_foundational_security_ecs_9
title: 9 ECS task definitions should have a logging configuration
+type: control
description: This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition doesn't have the logConfiguration property defined or if the value for logDriver is null in at least one container definition.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_ecs_task_definition
- definition: |
- WITH task_definitions_logging_enabled AS (
- SELECT
- DISTINCT task_definition_arn AS arn
- FROM
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) AS c
- WHERE
- c ->> 'LogConfiguration' IS NOT NULL
- )
- SELECT
- a.task_definition_arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.arn IS NOT NULL THEN 'OK'
- ELSE 'ALARM'
- END AS status,
- CASE
- WHEN b.arn IS NOT NULL THEN a.title || ' logging enabled.'
- ELSE a.title || ' logging disabled.'
- END AS reason
- FROM
- aws_ecs_task_definition AS a
- LEFT JOIN task_definitions_logging_enabled AS b
- ON a.task_definition_arn = b.arn;
+ language: sql
+ primary_resource: aws_ecs_task_definition
+ definition: |
+ WITH task_definitions_logging_enabled AS (
+ SELECT
+ DISTINCT task_definition_arn AS arn
+ FROM
+ aws_ecs_task_definition,
+ jsonb_array_elements(container_definitions) AS c
+ WHERE
+ c ->> 'LogConfiguration' IS NOT NULL
+ )
+ SELECT
+ a.task_definition_arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.arn IS NOT NULL THEN 'OK'
+ ELSE 'ALARM'
+ END AS status,
+ CASE
+ WHEN b.arn IS NOT NULL THEN a.title || ' logging enabled.'
+ ELSE a.title || ' logging disabled.'
+ END AS reason
+ FROM
+ aws_ecs_task_definition AS a
+ LEFT JOIN task_definitions_logging_enabled AS b
+ ON a.task_definition_arn = b.arn;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_efs_1.yaml b/compliance/controls/aws/aws_foundational_security_efs_1.yaml
index 524588b94..5c79544be 100644
--- a/compliance/controls/aws/aws_foundational_security_efs_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_efs_1.yaml
@@ -1,26 +1,27 @@
id: aws_foundational_security_efs_1
title: 1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS
+type: control
description: This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_efs_file_system
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN encrypted THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN encrypted THEN title || ' encrypted at rest.'
- ELSE title || ' not encrypted at rest.'
- END AS reason
- FROM
- aws_efs_file_system;
+ language: sql
+ primary_resource: aws_efs_file_system
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN encrypted THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN encrypted THEN title || ' encrypted at rest.'
+ ELSE title || ' not encrypted at rest.'
+ END AS reason
+ FROM
+ aws_efs_file_system;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_efs_2.yaml b/compliance/controls/aws/aws_foundational_security_efs_2.yaml
index c71c3b96e..5c317f3c6 100644
--- a/compliance/controls/aws/aws_foundational_security_efs_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_efs_2.yaml
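Review bot: This definition emits `'OK'` and `'ALARM'` where every other definition in this diff emits lowercase `'ok'` and `'alarm'`; if the engine compares status values literally, these rows count as neither passes nor failures, and the mismatch is easy to miss in a pure re-indentation commit. `WHEN b.arn IS NOT NULL THEN 'ok'` and `ELSE 'alarm'` bring it in line. Separately, the description says the control fails when logDriver is null, but the predicate `c ->> 'LogConfiguration' IS NOT NULL` accepts a LogConfiguration object with no driver; `c -> 'LogConfiguration' ->> 'LogDriver' IS NOT NULL` would match the description, assuming the key follows the PascalCase used for the other container-definition keys in this diff.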
@@ -1,26 +1,27 @@
id: aws_foundational_security_efs_2
title: 2 Amazon EFS volumes should be in backup plans
+type: control
description: This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_efs_file_system
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN automatic_backups = 'enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN automatic_backups = 'enabled' THEN title || ' automatic backups enabled.'
- ELSE title || ' automatic backups not enabled.'
- END AS reason
- FROM
- aws_efs_file_system;
+ language: sql
+ primary_resource: aws_efs_file_system
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN automatic_backups = 'enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN automatic_backups = 'enabled' THEN title || ' automatic backups enabled.'
+ ELSE title || ' automatic backups not enabled.'
+ END AS reason
+ FROM
+ aws_efs_file_system;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_efs_3.yaml b/compliance/controls/aws/aws_foundational_security_efs_3.yaml
index f982d07a6..312131255 100644
--- a/compliance/controls/aws/aws_foundational_security_efs_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_efs_3.yaml
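Review bot: The title and description say a file system should be in an AWS Backup plan, but the predicate `automatic_backups = 'enabled'` tests the EFS automatic-backup setting, so a file system protected by a custom backup plan with automatic backups off is reported 'alarm', and the reason strings talk about "automatic backups" rather than plan membership. Either the text should be narrowed to what is measured, or the check needs backup-plan resource data, which no table on this page provides. A comment on the definition, `-- proxy: EFS automatic backups, not AWS Backup plan membership`, would at least make the gap visible to whoever reads the result.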
@@ -1,26 +1,27 @@
id: aws_foundational_security_efs_3
title: 3 EFS access points should enforce a root directory
+type: control
description: This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system).
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_efs_access_point
- definition: |
- SELECT
- access_point_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN root_directory ->> 'Path' = '/' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN root_directory ->> 'Path' = '/' THEN title || ' not configured to enforce a root directory.'
- ELSE title || ' configured to enforce a root directory.'
- END AS reason
- FROM
- aws_efs_access_point;
+ language: sql
+ primary_resource: aws_efs_access_point
+ definition: |
+ SELECT
+ access_point_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN root_directory ->> 'Path' = '/' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN root_directory ->> 'Path' = '/' THEN title || ' not configured to enforce a root directory.'
+ ELSE title || ' configured to enforce a root directory.'
+ END AS reason
+ FROM
+ aws_efs_access_point;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_efs_4.yaml b/compliance/controls/aws/aws_foundational_security_efs_4.yaml
index 5eb442d67..0b8351b1b 100644
--- a/compliance/controls/aws/aws_foundational_security_efs_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_efs_4.yaml
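Review bot: `WHEN root_directory ->> 'Path' = '/' THEN 'alarm' ELSE 'ok'` reports 'ok' when Path is absent or NULL, yet the description itself calls `/` the default root directory, so a missing value means the default applies, not that a directory is enforced; `WHEN COALESCE(root_directory ->> 'Path', '/') = '/' THEN 'alarm'` in both CASE expressions closes that fail-open gap. Whether the collector ever omits Path is not visible from this diff.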
@@ -1,26 +1,27 @@
id: aws_foundational_security_efs_4
title: 4 EFS access points should enforce a user identity
+type: control
description: This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_efs_access_point
- definition: |
- SELECT
- access_point_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN posix_user IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN posix_user IS NULL THEN title || ' does not enforce a user identity.'
- ELSE title || ' enforces a user identity.'
- END AS reason
- FROM
- aws_efs_access_point;
+ language: sql
+ primary_resource: aws_efs_access_point
+ definition: |
+ SELECT
+ access_point_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN posix_user IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN posix_user IS NULL THEN title || ' does not enforce a user identity.'
+ ELSE title || ' enforces a user identity.'
+ END AS reason
+ FROM
+ aws_efs_access_point;
severity: medium
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_eks_1.yaml b/compliance/controls/aws/aws_foundational_security_eks_1.yaml
index bf3d04ddd..cd0f78045 100644
--- a/compliance/controls/aws/aws_foundational_security_eks_1.yaml
+++ b/compliance/controls/aws/aws_fo undational_security_eks_1.yaml
@@ -1,26 +1,27 @@
id: aws_foundational_security_eks_1
title: 1 EKS cluster endpoints should not be publicly accessible
+type: control
description: This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_eks_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN title || ' endpoint publicly accessible.'
- ELSE title || ' endpoint not publicly accessible.'
- END AS reason
- FROM
- aws_eks_cluster;
+ language: sql
+ primary_resource: aws_eks_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' THEN title || ' endpoint publicly accessible.'
+ ELSE title || ' endpoint not publicly accessible.'
+ END AS reason
+ FROM
+ aws_eks_cluster;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_eks_2.yaml b/compliance/controls/aws/aws_foundational_security_eks_2.yaml
index 0f3581c03..c0923225f 100644
--- a/compliance/controls/aws/aws_foundational_security_eks_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_eks_2.yaml
@@ -1,26 +1,27 @@
id: aws_foundational_security_eks_2
title: 2 EKS clusters should run on a supported Kubernetes version
+type: control
description: This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_eks_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN (version)::decimal >= 1.19 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (version)::decimal >= 1.19 THEN title || ' runs on a supported kubernetes version.'
- ELSE title || ' does not run on a supported kubernetes version.'
- END AS reason
- FROM
- aws_eks_cluster;
+ language: sql
+ primary_resource: aws_eks_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN (version)::decimal >= 1.19 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (version)::decimal >= 1.19 THEN title || ' runs on a supported kubernetes version.'
+ ELSE title || ' does not run on a supported kubernetes version.'
+ END AS reason
+ FROM
+ aws_eks_cluster;
severity: high
tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_eks_8.yaml b/compliance/controls/aws/aws_foundational_security_eks_8.yaml
index d649234b6..3046b63c0 100644
--- a/compliance/controls/aws/aws_foundational_security_eks_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_eks_8.yaml
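Review bot: The supported-version floor is the literal `1.19` repeated in both CASE expressions with nothing marking it as a date-sensitive threshold; EKS retires minor versions on a schedule, so the constant goes stale silently and the control keeps passing clusters that are no longer supported. The file carries an empty `parameters: []` block: if the framework lets a definition read a parameter, the floor belongs there, otherwise a line such as `-- minimum supported Kubernetes minor; review against the EKS version lifecycle` above the first CASE gives the next maintainer a reason to revisit it. Note also that `(version)::decimal` orders `1.9` above `1.19`, so the numeric comparison is only sound while every minor version in the fleet has two digits.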
@@ -1,42 +1,43 @@ id: aws_foundational_security_eks_8 title: 8 EKS clusters should have audit logging enabled +type: control description: This control checks whether an Amazon EKS cluster has audit logging enabled. The control fails if audit logging isn't enabled for the cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH control_panel_audit_logging AS ( - SELECT - DISTINCT arn, - log -> 'Types' AS log_type - FROM - aws_eks_cluster, - jsonb_array_elements(logging -> 'ClusterLogging') AS log - WHERE - log ->> 'Enabled' = 'true' - AND (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]' - ) - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN c.title || ' control plane audit logging enabled for all log types.' - ELSE - CASE - WHEN logging -> 'ClusterLogging' @> '[{"Enabled": true}]' THEN c.title || ' control plane audit logging not enabled for all log types.' - ELSE c.title || ' control plane audit logging not enabled.' 
- END - END AS reason - FROM - aws_eks_cluster AS c - LEFT JOIN control_panel_audit_logging AS l ON l.arn = c.arn; + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH control_panel_audit_logging AS ( + SELECT + DISTINCT arn, + log -> 'Types' AS log_type + FROM + aws_eks_cluster, + jsonb_array_elements(logging -> 'ClusterLogging') AS log + WHERE + log ->> 'Enabled' = 'true' + AND (log -> 'Types') @> '["api", "audit", "authenticator", "controllerManager", "scheduler"]' + ) + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN c.title || ' control plane audit logging enabled for all log types.' + ELSE + CASE + WHEN logging -> 'ClusterLogging' @> '[{"Enabled": true}]' THEN c.title || ' control plane audit logging not enabled for all log types.' + ELSE c.title || ' control plane audit logging not enabled.' + END + END AS reason + FROM + aws_eks_cluster AS c + LEFT JOIN control_panel_audit_logging AS l ON l.arn = c.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml index 0fabfa693..ea5bba6ca 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml 
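Review bot: The title and description say the control checks audit logging, but the CTE only accepts a cluster whose enabled log types contain all five of `api`, `audit`, `authenticator`, `controllerManager` and `scheduler`, so a cluster with only `audit` enabled alarms. Either narrow the containment check to `AND (log -> 'Types') @> '["audit"]'` to match the stated control, or reword the description to say every control-plane log type is required (the reason text already says "for all log types"). `DISTINCT arn, log -> 'Types'` can still yield two rows for one cluster when two `ClusterLogging` entries both pass the filter, which duplicates that cluster in the outer join; `SELECT DISTINCT arn` alone avoids it. In the reason expression `logging` is unqualified and should be written `c.logging` for clarity.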
@@ -1,27 +1,28 @@ id: aws_foundational_security_elasticache_1 title: 1 ElastiCache for Redis clusters should have automatic backups scheduled +type: control description: This control evaluates if Amazon ElastiCache for Redis clusters have automatic backup scheduled. The control fails if the SnapshotRetentionLimit for the Redis cluster is less than 1. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN snapshot_retention_limit < 15 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN snapshot_retention_limit = 0 THEN title || ' automatic backups not enabled.' - WHEN snapshot_retention_limit < 15 THEN title || ' automatic backup retention period is less than 15 days.' - ELSE title || ' automatic backup retention period is more than 15 days.' - END AS reason - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN snapshot_retention_limit < 15 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN snapshot_retention_limit = 0 THEN title || ' automatic backups not enabled.' + WHEN snapshot_retention_limit < 15 THEN title || ' automatic backup retention period is less than 15 days.' + ELSE title || ' automatic backup retention period is more than 15 days.' + END AS reason + FROM + aws_elasticache_replication_group; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml index 91423e19b..0636f2c60 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml 
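Review bot: The status predicate `snapshot_retention_limit < 15` contradicts the description, which says the control fails when SnapshotRetentionLimit is less than 1; as written any replication group retaining backups for 1–14 days alarms, and a NULL limit silently passes because `NULL < 15` is not true. Either align the description with the 15-day threshold or change the predicate to `snapshot_retention_limit < 1`, and consider exposing the minimum through the empty `parameters` list rather than embedding it in both CASE expressions. The final reason `' automatic backup retention period is more than 15 days.'` is also inaccurate for exactly 15; "at least 15 days" matches the comparison.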
+++ b/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_elasticache_2 title: 2 Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters +type: control description: This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades disabled.' - END AS reason - FROM - aws_elasticache_cluster; + language: sql + primary_resource: aws_elasticache_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades disabled.' + END AS reason + FROM + aws_elasticache_cluster; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml index 6c47b5fc9..c0c8bcd16 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elasticache_3 title: 3 ElastiCache for Redis replication groups should have automatic failover enabled +type: control description: This control checks if ElastiCache for Redis replication groups have automatic failover enabled. This control fails if automatic failover isn't enabled for a Redis replication group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN automatic_failover = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN automatic_failover = 'enabled' THEN title || ' automatic failover enabled.' - ELSE title || ' automatic failover disabled.' - END AS reason - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN automatic_failover = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN automatic_failover = 'enabled' THEN title || ' automatic failover enabled.' + ELSE title || ' automatic failover disabled.' + END AS reason + FROM + aws_elasticache_replication_group; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml index 3da3429cb..4d3d738e0 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elasticache_4 title: 4 ElastiCache for Redis replication groups should be encrypted at rest +type: control description: This control checks if ElastiCache for Redis replication groups are encrypted at rest. This control fails if an ElastiCache for Redis replication group isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN at_rest_encryption_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN at_rest_encryption_enabled THEN title || ' encryption at rest enabled.' - ELSE title || ' encryption at rest disabled.' - END AS reason - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN at_rest_encryption_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN at_rest_encryption_enabled THEN title || ' encryption at rest enabled.' + ELSE title || ' encryption at rest disabled.' + END AS reason + FROM + aws_elasticache_replication_group; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml index 3c8c9eb86..a2c83f2c3 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elasticache_5 title: 5 ElastiCache for Redis replication groups should be encrypted in transit +type: control description: This control checks if ElastiCache for Redis replication groups are encrypted in transit. This control fails if an ElastiCache for Redis replication group isn't encrypted in transit. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN transit_encryption_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transit_encryption_enabled THEN title || ' encryption in transit enabled.' - ELSE title || ' encryption in transit disabled.' - END AS reason - FROM - aws_elasticache_replication_group; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN transit_encryption_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transit_encryption_enabled THEN title || ' encryption in transit enabled.' + ELSE title || ' encryption in transit disabled.' + END AS reason + FROM + aws_elasticache_replication_group; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml index a6731551e..072ab5edc 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml 
@@ -1,36 +1,37 @@ id: aws_foundational_security_elasticache_6 title: 6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH +type: control description: This control checks if ElastiCache for Redis replication groups have Redis AUTH enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_replication_group - definition: | - WITH elasticache_cluster_node_version AS ( - SELECT - DISTINCT replication_group_id, - engine_version - FROM - aws_elasticache_cluster - ) - SELECT - arn AS resource, - eg.platform_integration_id AS platform_integration_id, - eg.platform_resource_id AS platform_resource_id, - CASE - WHEN regexp_split_to_array(v.engine_version, '.')::INT[] >= regexp_split_to_array('6.0', '.')::INT[] THEN 'skip' - WHEN regexp_split_to_array(v.engine_version, '.')::INT[] < regexp_split_to_array('6.0', '.')::INT[] AND eg.auth_token_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN regexp_split_to_array(v.engine_version, '.')::INT[] >= regexp_split_to_array('6.0', '.')::INT[] THEN eg.title || ' node version is ' || engine_version || '.' - WHEN regexp_split_to_array(v.engine_version, '.')::INT[] < regexp_split_to_array('6.0', '.')::INT[] AND eg.auth_token_enabled THEN eg.title || ' has Redis AUTH enabled.' - ELSE eg.title || ' has Redis AUTH disabled.' 
- END AS reason - FROM - aws_elasticache_replication_group AS eg - LEFT JOIN elasticache_cluster_node_version AS v ON eg.replication_group_id = v.replication_group_id; + language: sql + primary_resource: aws_elasticache_replication_group + definition: | + WITH elasticache_cluster_node_version AS ( + SELECT + DISTINCT replication_group_id, + engine_version + FROM + aws_elasticache_cluster + ) + SELECT + arn AS resource, + eg.platform_integration_id AS platform_integration_id, + eg.platform_resource_id AS platform_resource_id, + CASE + WHEN regexp_split_to_array(v.engine_version, '.')::INT[] >= regexp_split_to_array('6.0', '.')::INT[] THEN 'skip' + WHEN regexp_split_to_array(v.engine_version, '.')::INT[] < regexp_split_to_array('6.0', '.')::INT[] AND eg.auth_token_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN regexp_split_to_array(v.engine_version, '.')::INT[] >= regexp_split_to_array('6.0', '.')::INT[] THEN eg.title || ' node version is ' || engine_version || '.' + WHEN regexp_split_to_array(v.engine_version, '.')::INT[] < regexp_split_to_array('6.0', '.')::INT[] AND eg.auth_token_enabled THEN eg.title || ' has Redis AUTH enabled.' + ELSE eg.title || ' has Redis AUTH disabled.' + END AS reason + FROM + aws_elasticache_replication_group AS eg + LEFT JOIN elasticache_cluster_node_version AS v ON eg.replication_group_id = v.replication_group_id; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml index 73393469c..357625f48 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml 
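Review bot: `regexp_split_to_array(v.engine_version, '.')` passes `.` as a regular expression, which matches every character, so the split yields only empty strings and the `::INT[]` cast fails on an empty integer literal instead of comparing version components. Use the literal separator on all four occurrences in the status and reason CASEs: `string_to_array(v.engine_version, '.')::INT[] >= string_to_array('6.0', '.')::INT[]`. Separately, a replication group with no matching row in `aws_elasticache_cluster` leaves `v.engine_version` NULL, so both WHEN branches are unknown and the group is reported as "has Redis AUTH disabled" regardless of `eg.auth_token_enabled`; a leading `WHEN v.engine_version IS NULL THEN 'skip'` branch (with a matching reason) would keep that case distinct from a real AUTH finding.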
@@ -1,26 +1,27 @@ id: aws_foundational_security_elasticache_7 title: 7 ElastiCache clusters should not use the default subnet group +type: control description: This control checks if ElastiCache clusters are configured with a custom subnet group. The control fails for an ElastiCache cluster if CacheSubnetGroupName has the value default. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cache_subnet_group_name = 'default' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN cache_subnet_group_name = 'default' THEN title || ' not configured with a custom subnet group.' - ELSE title || ' configured with a custom subnet group.' - END AS reason - FROM - aws_elasticache_cluster; + language: sql + primary_resource: aws_elasticache_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cache_subnet_group_name = 'default' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN cache_subnet_group_name = 'default' THEN title || ' not configured with a custom subnet group.' + ELSE title || ' configured with a custom subnet group.' + END AS reason + FROM + aws_elasticache_cluster; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml index 972fa7fa9..917cc90fe 100644 --- a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elasticbeanstalk_1 title: 1 Elastic Beanstalk environments should have enhanced health reporting enabled +type: control description: This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments. Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - SELECT - application_name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN health_status IS NOT NULL AND health IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN health_status IS NOT NULL AND health IS NOT NULL THEN application_name || ' enhanced health check enabled.' - ELSE application_name || ' enhanced health check disabled.' - END AS reason - FROM - aws_elastic_beanstalk_environment; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + SELECT + application_name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN health_status IS NOT NULL AND health IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN health_status IS NOT NULL AND health IS NOT NULL THEN application_name || ' enhanced health check enabled.' + ELSE application_name || ' enhanced health check disabled.' + END AS reason + FROM + aws_elastic_beanstalk_environment; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml index e232b8d97..29027f70a 100644 
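Review bot: `application_name AS resource` is not unique — several environments of one application collapse onto the same resource key, so their findings overwrite each other; the sibling elasticbeanstalk_3 control in this same change keys `aws_elastic_beanstalk_environment` rows on `e.arn`, and this query should use `arn AS resource` as well. The enhanced-health test `health_status IS NOT NULL AND health IS NOT NULL` deserves a comment: presumably `health` is populated under basic reporting too and only `health_status` distinguishes enhanced mode, in which case the second conjunct is redundant — confirm against the table definition before simplifying.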
--- a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml 
@@ -1,40 +1,41 @@ id: aws_foundational_security_elasticbeanstalk_3 title: 3 Elastic Beanstalk should stream logs to CloudWatch +type: control description: This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - WITH beanstalk_environment_logs_enabled AS ( - SELECT - DISTINCT e.arn - FROM - aws_elastic_beanstalk_environment AS e, - jsonb_array_elements(e.configuration_settings) AS c, - jsonb_array_elements(c -> 'OptionSettings') AS s - WHERE - s ->> 'OptionName' = 'StreamLogs' - AND s ->> 'Value' = 'true' - GROUP BY - arn - ) - SELECT - e.arn AS resource, - e.platform_integration_id AS platform_integration_id, - e.platform_resource_id AS platform_resource_id, - CASE - WHEN l.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' - ELSE title || ' does not send logs to AWS CloudWatch.' 
- END AS reason - FROM - aws_elastic_beanstalk_environment AS e - LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + WITH beanstalk_environment_logs_enabled AS ( + SELECT + DISTINCT e.arn + FROM + aws_elastic_beanstalk_environment AS e, + jsonb_array_elements(e.configuration_settings) AS c, + jsonb_array_elements(c -> 'OptionSettings') AS s + WHERE + s ->> 'OptionName' = 'StreamLogs' + AND s ->> 'Value' = 'true' + GROUP BY + arn + ) + SELECT + e.arn AS resource, + e.platform_integration_id AS platform_integration_id, + e.platform_resource_id AS platform_resource_id, + CASE + WHEN l.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN l.arn IS NOT NULL THEN title || ' send logs to AWS CloudWatch.' + ELSE title || ' does not send logs to AWS CloudWatch.' + END AS reason + FROM + aws_elastic_beanstalk_environment AS e + LEFT JOIN beanstalk_environment_logs_enabled AS l ON e.arn = l.arn; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_1.yaml b/compliance/controls/aws/aws_foundational_security_elb_1.yaml index 72c0c5515..59d21fc7c 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_1.yaml 
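Review bot: The description promises an optional RetentionInDays parameter, but `parameters` is empty and the query only tests `OptionName = 'StreamLogs'` with `Value = 'true'`, so the retention half of the control is not implemented; either drop that sentence or add the parameter together with a matching `RetentionInDays` option check. In the CTE, `DISTINCT e.arn` and `GROUP BY arn` do the same job; keep one. `title` in the reason expression is unqualified — it resolves to `e.title` today only because the CTE exposes nothing but `arn`, so writing `e.title` keeps the query robust if the CTE grows.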
@@ -1,41 +1,42 @@ id: aws_foundational_security_elb_1 title: 1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS +type: control description: This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH detailed_listeners AS ( - SELECT - arn, - load_balancer_arn, - protocol - FROM - aws_ec2_load_balancer_listener, - jsonb_array_elements(default_actions) AS ac - WHERE - split_part(arn,'/',2) = 'app' - AND protocol = 'HTTP' - AND ac ->> 'Type' = 'redirect' - AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.load_balancer_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' - ELSE a.title || ' not associated with HTTP redirection.' 
- END AS reason - FROM - aws_ec2_application_load_balancer a - LEFT JOIN detailed_listeners b ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH detailed_listeners AS ( + SELECT + arn, + load_balancer_arn, + protocol + FROM + aws_ec2_load_balancer_listener, + jsonb_array_elements(default_actions) AS ac + WHERE + split_part(arn,'/',2) = 'app' + AND protocol = 'HTTP' + AND ac ->> 'Type' = 'redirect' + AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.load_balancer_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' + ELSE a.title || ' not associated with HTTP redirection.' + END AS reason + FROM + aws_ec2_application_load_balancer a + LEFT JOIN detailed_listeners b ON a.arn = b.load_balancer_arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_10.yaml b/compliance/controls/aws/aws_foundational_security_elb_10.yaml index 8086e3b24..1d13ce18c 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_10.yaml 
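Review bot: An Application Load Balancer with no HTTP listener at all (HTTPS-only) never appears in `detailed_listeners`, so it alarms with "not associated with HTTP redirection" although there is nothing to redirect, and a balancer with several HTTP listeners passes as soon as one of them redirects, whereas the title requires all of them. Counting HTTP listeners against redirecting ones per balancer fixes both: no HTTP listener → skip, all redirect → ok, otherwise alarm. It also removes the duplicate rows that `jsonb_array_elements(default_actions)` can emit per listener into the outer join. The rewritten CTE, status and reason are below; the resource and platform columns are unchanged.
```sql
WITH http_listeners AS (
    -- one row per ALB that has at least one HTTP listener
    SELECT
        load_balancer_arn,
        COUNT(*) AS http_listener_count,
        COUNT(*) FILTER (
            WHERE default_actions @> '[{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS"}}]'
        ) AS redirecting_count
    FROM
        aws_ec2_load_balancer_listener
    WHERE
        split_part(arn, '/', 2) = 'app'
        AND protocol = 'HTTP'
    GROUP BY
        load_balancer_arn
)
SELECT
    -- … unchanged: resource / platform_integration_id / platform_resource_id …
    CASE
        WHEN b.load_balancer_arn IS NULL THEN 'skip'
        WHEN b.http_listener_count = b.redirecting_count THEN 'ok'
        ELSE 'alarm'
    END AS status,
    CASE
        WHEN b.load_balancer_arn IS NULL THEN a.title || ' has no HTTP listener.'
        WHEN b.http_listener_count = b.redirecting_count THEN a.title || ' redirects all HTTP listeners to HTTPS.'
        ELSE a.title || ' has HTTP listener(s) without HTTPS redirection.'
    END AS reason
FROM
    aws_ec2_application_load_balancer a
    LEFT JOIN http_listeners b ON a.arn = b.load_balancer_arn;
```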
@@ -1,23 +1,24 @@ id: aws_foundational_security_elb_10 title: 10 Classic Load Balancers should span multiple Availability Zones +type: control description: This control checks whether a Classic Load Balancer has been configured to span multiple Availability Zones. The control fails if the Classic Load Balancer does not span multiple Availability Zones. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason + FROM + aws_ec2_classic_load_balancer; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_12.yaml b/compliance/controls/aws/aws_foundational_security_elb_12.yaml index 216c9df52..beac9550d 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_12.yaml 
@@ -1,35 +1,36 @@ id: aws_foundational_security_elb_12 title: 12 Application Load Balancers should be configured with defensive or strictest desync mitigation mode +type: control description: This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH app_lb_desync_mitigation_mode AS ( - SELECT - arn, - l ->> 'Key' AS key, - l ->> 'Value' AS v - FROM - aws_ec2_application_load_balancer, - jsonb_array_elements(load_balancer_attributes) AS l - WHERE - l ->> 'Key' = 'routing.http.desync_mitigation_mode' - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || m.v || ' desync mitigation mode.' AS reason - FROM - aws_ec2_application_load_balancer AS a - LEFT JOIN app_lb_desync_mitigation_mode AS m ON a.arn = m.arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH app_lb_desync_mitigation_mode AS ( + SELECT + arn, + l ->> 'Key' AS key, + l ->> 'Value' AS v + FROM + aws_ec2_application_load_balancer, + jsonb_array_elements(load_balancer_attributes) AS l + WHERE + l ->> 'Key' = 'routing.http.desync_mitigation_mode' + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || m.v || ' desync mitigation mode.' 
AS reason + FROM + aws_ec2_application_load_balancer AS a + LEFT JOIN app_lb_desync_mitigation_mode AS m ON a.arn = m.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_14.yaml b/compliance/controls/aws/aws_foundational_security_elb_14.yaml index 01cc7115d..d27b22f36 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_14.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_14.yaml 
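Review bot: When no `routing.http.desync_mitigation_mode` attribute row matches, `m.v` is NULL and `title || ' has ' || m.v || ' desync mitigation mode.'` evaluates to NULL, so the balancer alarms with an empty reason; guard it, e.g. `title || ' has ' || COALESCE(m.v, 'no') || ' desync mitigation mode.'`, or add an explicit `WHEN m.v IS NULL` branch. The same expression appears in elb_14 and needs the same fix. The `key` alias in the CTE is never read and can be dropped.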
@@ -1,37 +1,38 @@ id: aws_foundational_security_elb_14 title: 14 Classic Load Balancers should be configured with defensive or strictest desync mitigation mode +type: control description: This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH app_lb_desync_mitigation_mode AS ( - SELECT - arn, - a ->> 'Key', - a ->> 'Value' AS v - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(additional_attributes) AS a - WHERE - a ->> 'Key' = 'elb.http.desyncmitigationmode' - ) - - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' has ' || m.v || ' desync mitigation mode.' AS reason - FROM - aws_ec2_classic_load_balancer AS c - LEFT JOIN app_lb_desync_mitigation_mode AS m - ON c.arn = m.arn; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH app_lb_desync_mitigation_mode AS ( + SELECT + arn, + a ->> 'Key', + a ->> 'Value' AS v + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(additional_attributes) AS a + WHERE + a ->> 'Key' = 'elb.http.desyncmitigationmode' + ) + + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN m.v = ANY(ARRAY['defensive', 'strictest']) THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' has ' || m.v || ' desync mitigation mode.' 
AS reason + FROM + aws_ec2_classic_load_balancer AS c + LEFT JOIN app_lb_desync_mitigation_mode AS m + ON c.arn = m.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_2.yaml b/compliance/controls/aws/aws_foundational_security_elb_2.yaml index 5658a2ec3..0f1b8e966 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_2.yaml 
@@ -1,39 +1,40 @@ id: aws_foundational_security_elb_2 title: 2 Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager +type: control description: This control checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH detailed_classic_listeners AS ( - SELECT - name - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(listener_descriptions) AS listener_description - WHERE - listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') - AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' - ) - SELECT - 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.listener_descriptions IS NULL THEN 'skip' - WHEN b.name IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' - WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' - ELSE a.title || ' uses certificates provided by ACM.' 
- END AS reason - FROM - aws_ec2_classic_load_balancer AS a - LEFT JOIN detailed_classic_listeners AS b ON a.name = b.name; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH detailed_classic_listeners AS ( + SELECT + name + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(listener_descriptions) AS listener_description + WHERE + listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') + AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' + ) + SELECT + 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.listener_descriptions IS NULL THEN 'skip' + WHEN b.name IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' + WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' + ELSE a.title || ' uses certificates provided by ACM.' + END AS reason + FROM + aws_ec2_classic_load_balancer AS a + LEFT JOIN detailed_classic_listeners AS b ON a.name = b.name; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_4.yaml b/compliance/controls/aws/aws_foundational_security_elb_4.yaml index 9ee2ca425..dcd728539 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_4.yaml 
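Review bot: The status logic on the new side appears inverted: `detailed_classic_listeners` keeps listeners whose `SSLCertificateId` matches `LIKE 'arn:aws:acm%'`, i.e. the ones that do use an ACM certificate, yet a load balancer that appears there is marked `'alarm'` with the reason `' does not use certificates provided by ACM.'`, while one whose HTTPS/SSL listener carries a non-ACM certificate falls through to `'ok'`. Changing the CTE filter to `AND listener_description -> 'Listener' ->> 'SSLCertificateId' NOT LIKE 'arn:aws:acm%'` makes the CTE select the non-compliant listeners that the outer CASE assumes. Separately, the literal `arn:aws:acm` hard-codes the commercial partition, so ACM certificates in `aws-us-gov` or `aws-cn` would be treated as non-ACM; `NOT LIKE 'arn:' || partition || ':acm%'` follows the `a.partition` usage already in the resource column. A classic load balancer with only HTTP listeners also reports `'ok'` here rather than `'skip'`, which may be intended but is worth stating in the description.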
@@ -1,26 +1,27 @@ id: aws_foundational_security_elb_4 title: 4 Application load balancers should be configured to drop HTTP headers +type: control description: This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false. By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN title || ' configured to drop http headers.' - ELSE title || ' not configured to drop http headers.' - END AS reason - FROM - aws_ec2_application_load_balancer; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' THEN title || ' configured to drop http headers.' + ELSE title || ' not configured to drop http headers.' + END AS reason + FROM + aws_ec2_application_load_balancer; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_elb_6.yaml b/compliance/controls/aws/aws_foundational_security_elb_6.yaml index f29a9cfa9..b3dc97505 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_6.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elb_6 title: 6 Application Load Balancer deletion protection should be enabled +type: control description: This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. Enable deletion protection to protect your Application Load Balancer from deletion. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_ec2_application_load_balancer; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_ec2_application_load_balancer; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_7.yaml b/compliance/controls/aws/aws_foundational_security_elb_7.yaml index e4a319a1b..b9bdd943f 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_7.yaml 
+++ b/compliance/controls/aws/aws_foundational_security_elb_7.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_elb_7 title: 7 Classic Load Balancers should have connection draining enabled +type: control description: This control checks whether Classic Load Balancers have connection draining enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN connection_draining_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN connection_draining_enabled THEN title || ' connection draining enabled.' - ELSE title || ' connection draining disabled.' - END AS reason - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN connection_draining_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN connection_draining_enabled THEN title || ' connection draining enabled.' + ELSE title || ' connection draining disabled.' + END AS reason + FROM + aws_ec2_classic_load_balancer; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_elb_9.yaml b/compliance/controls/aws/aws_foundational_security_elb_9.yaml index b0754e474..72353ed32 100644 --- a/compliance/controls/aws/aws_foundational_security_elb_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_9.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_elb_9 title: 9 Classic Load Balancers should have cross-zone load balancing enabled +type: control description: This control checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This control fails if cross-zone load balancing is not enabled for a CLB. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cross_zone_load_balancing_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cross_zone_load_balancing_enabled THEN title || ' cross-zone load balancing enabled.' - ELSE title || ' cross-zone load balancing disabled.' - END AS reason - FROM - aws_ec2_classic_load_balancer; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cross_zone_load_balancing_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cross_zone_load_balancing_enabled THEN title || ' cross-zone load balancing enabled.' + ELSE title || ' cross-zone load balancing disabled.' + END AS reason + FROM + aws_ec2_classic_load_balancer; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_emr_1.yaml b/compliance/controls/aws/aws_foundational_security_emr_1.yaml index acc75c3b8..00e3ba867 100644 --- a/compliance/controls/aws/aws_foundational_security_emr_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_emr_1.yaml 
@@ -1,32 +1,33 @@ id: aws_foundational_security_emr_1 title: 1 Amazon EMR cluster primary nodes should not have public IP addresses +type: control description: This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance. This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_cluster - definition: | - SELECT - c.cluster_arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN 'skip' - WHEN s.map_public_ip_on_launch THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN c.title || ' is in ' || (c.status ->> 'State') || ' state.' - WHEN s.map_public_ip_on_launch THEN c.title || ' master nodes assigned with public IP.' - ELSE c.title || ' master nodes not assigned with public IP.' - END AS reason - FROM - aws_emr_cluster AS c - LEFT JOIN - aws_vpc_subnet AS s - ON - c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id; + language: sql + primary_resource: aws_emr_cluster + definition: | + SELECT + c.cluster_arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN 'skip' + WHEN s.map_public_ip_on_launch THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.status ->> 'State' NOT IN ('RUNNING', 'WAITING') THEN c.title || ' is in ' || (c.status ->> 'State') || ' state.' 
+ WHEN s.map_public_ip_on_launch THEN c.title || ' master nodes assigned with public IP.' + ELSE c.title || ' master nodes not assigned with public IP.' + END AS reason + FROM + aws_emr_cluster AS c + LEFT JOIN + aws_vpc_subnet AS s + ON + c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_emr_2.yaml b/compliance/controls/aws/aws_foundational_security_emr_2.yaml index b02a2a1bd..6e82bce0f 100644 --- a/compliance/controls/aws/aws_foundational_security_emr_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_emr_2.yaml 
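Review bot: The new side fails open when the subnet lookup finds nothing: with `LEFT JOIN aws_vpc_subnet AS s` and no matching `subnet_id`, `s.map_public_ip_on_launch` is NULL, the `WHEN s.map_public_ip_on_launch` branch is skipped, and the cluster is reported `'ok'` with `' master nodes not assigned with public IP.'`. A guard such as `WHEN s.subnet_id IS NULL THEN 'info'` placed before the alarm branch, with a matching reason like `c.title || ' subnet not found, manual verification required.'`, would surface that case instead of passing it. Also note that the query uses the subnet's auto-assign flag as a proxy, whereas the description speaks of the `PublicIp` field of the instance network interfaces; an instance that received a public address by another route would presumably not be detected, and the description or a comment in the definition should say so.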
@@ -1,42 +1,43 @@ id: aws_foundational_security_emr_2 title: 2 Amazon EMR block public access setting should be enabled +type: control description: This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't enabled or if any port other than port 22 is allowed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_emr_block_public_access_configuration - definition: | - WITH emr_port_configuration AS ( - SELECT - region, - account_id - FROM - aws_emr_block_public_access_configuration, - jsonb_array_elements(permitted_public_security_group_rule_ranges) AS r - WHERE - (r -> 'MaxRange')::int = 22 - AND (r -> 'MinRange')::int = 22 - AND block_public_security_group_rules - ) - SELECT - 'arn:' || c.partition || '::' || c.region || ':' || c.account_id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT block_public_security_group_rules THEN 'alarm' - WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT block_public_security_group_rules THEN c.region || ' EMR block public access disabled.' - WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN c.region || ' EMR block public access enabled.' - ELSE c.region || ' EMR block public access enabled for ports other than 22.' 
- END AS reason - FROM - aws_emr_block_public_access_configuration AS c - LEFT JOIN emr_port_configuration AS p - ON p.region = c.region AND p.account_id = c.account_id + language: sql + primary_resource: aws_emr_block_public_access_configuration + definition: | + WITH emr_port_configuration AS ( + SELECT + region, + account_id + FROM + aws_emr_block_public_access_configuration, + jsonb_array_elements(permitted_public_security_group_rule_ranges) AS r + WHERE + (r -> 'MaxRange')::int = 22 + AND (r -> 'MinRange')::int = 22 + AND block_public_security_group_rules + ) + SELECT + 'arn:' || c.partition || '::' || c.region || ':' || c.account_id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT block_public_security_group_rules THEN 'alarm' + WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT block_public_security_group_rules THEN c.region || ' EMR block public access disabled.' + WHEN block_public_security_group_rules AND p.region IS NOT NULL THEN c.region || ' EMR block public access enabled.' + ELSE c.region || ' EMR block public access enabled for ports other than 22.' + END AS reason + FROM + aws_emr_block_public_access_configuration AS c + LEFT JOIN emr_port_configuration AS p + ON p.region = c.region AND p.account_id = c.account_id severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_es_1.yaml b/compliance/controls/aws/aws_foundational_security_es_1.yaml index b0fbc9403..8ce499cdc 100644 --- a/compliance/controls/aws/aws_foundational_security_es_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_1.yaml 
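Review bot: `emr_port_configuration` on the new side does not implement the description's rule that any port other than 22 fails the control: it only asks whether some permitted range is exactly 22–22, so a configuration that permits both 22 and another port still joins and is reported `'ok'`, while a configuration with block public access enabled and no permitted ranges at all reports `'alarm'` with `' EMR block public access enabled for ports other than 22.'`. Inverting the CTE to collect configurations that permit at least one range outside 22, and passing when no such row joins, fixes both cases; `DISTINCT` keeps the LEFT JOIN from multiplying rows when several ranges match. The statement is also the only one in these hunks without a terminating semicolon. The rewritten CTE and both CASE columns follow; the FROM and LEFT JOIN are unchanged.
```sql
WITH emr_port_configuration AS (
  -- configurations that permit at least one public range other than 22/22
  SELECT DISTINCT
    region,
    account_id
  FROM
    aws_emr_block_public_access_configuration,
    jsonb_array_elements(permitted_public_security_group_rule_ranges) AS r
  WHERE
    (r -> 'MinRange')::int <> 22
    OR (r -> 'MaxRange')::int <> 22
)
SELECT
  -- … unchanged: resource and platform id columns …
  CASE
    WHEN NOT block_public_security_group_rules THEN 'alarm'
    WHEN p.region IS NULL THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN NOT block_public_security_group_rules THEN c.region || ' EMR block public access disabled.'
    WHEN p.region IS NULL THEN c.region || ' EMR block public access enabled.'
    ELSE c.region || ' EMR block public access enabled for ports other than 22.'
  END AS reason
-- … unchanged: FROM aws_emr_block_public_access_configuration AS c LEFT JOIN emr_port_configuration AS p ON … ;
```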
@@ -1,26 +1,27 @@ id: aws_foundational_security_es_1 title: 1 Elasticsearch domains should have encryption at-rest enabled +type: control description: This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest not enabled.' - ELSE title || ' encryption at rest enabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest not enabled.' + ELSE title || ' encryption at rest enabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_es_2.yaml b/compliance/controls/aws/aws_foundational_security_es_2.yaml index 0d9c9aff7..59c39139d 100644 --- a/compliance/controls/aws/aws_foundational_security_es_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_2.yaml 
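Review bot: The status CASE on the new side is fail-open: it alarms only when `encryption_at_rest_options ->> 'Enabled' = 'false'`, so a domain whose `encryption_at_rest_options` is NULL or lacks the `Enabled` key falls to `ELSE 'ok'` and is reported as `' encryption at rest enabled.'`. Testing for the compliant value instead, `WHEN encryption_at_rest_options ->> 'Enabled' = 'true' THEN 'ok'` / `ELSE 'alarm'` with the reason branches swapped to match, reports an unknown state as non-compliant, which is how es_2 below already behaves for a missing `VPCId`. The same pattern appears in aws_foundational_security_es_3, where `WHEN NOT enabled THEN 'alarm' ELSE 'ok'` passes a NULL `enabled`.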
@@ -1,26 +1,27 @@ id: aws_foundational_security_es_2 title: 2 Elasticsearch domains should not be publicly accessible +type: control description: This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' - ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' + ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' + END AS reason + FROM + aws_elasticsearch_domain; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_es_3.yaml b/compliance/controls/aws/aws_foundational_security_es_3.yaml index 0c57e5206..a36abd2d0 100644 --- a/compliance/controls/aws/aws_foundational_security_es_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_3.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_es_3 title: 3 Amazon Elasticsearch Service domains should encrypt data sent between nodes +type: control description: This control checks whether Amazon ES domains have node-to-node encryption enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' - WHEN NOT enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN title || ' node-to-node encryption not supported in ' || region || '.' - WHEN NOT enabled THEN title || ' node-to-node encryption disabled.' - ELSE title || ' node-to-node encryption enabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' + WHEN NOT enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN title || ' node-to-node encryption not supported in ' || region || '.' + WHEN NOT enabled THEN title || ' node-to-node encryption disabled.' + ELSE title || ' node-to-node encryption enabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_es_4.yaml b/compliance/controls/aws/aws_foundational_security_es_4.yaml index 0d31b2f5a..5d87ecaa7 100644 
--- a/compliance/controls/aws/aws_foundational_security_es_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_4.yaml 
@@ -1,30 +1,31 @@ id: aws_foundational_security_es_4 title: 4 Elasticsearch domain error logging to CloudWatch Logs should be enabled +type: control description: This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' error logging enabled.' - ELSE title || ' error logging disabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' error logging enabled.' + ELSE title || ' error logging disabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_es_5.yaml b/compliance/controls/aws/aws_foundational_security_es_5.yaml index 0647882a6..abcf7adc3 100644 --- a/compliance/controls/aws/aws_foundational_security_es_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_5.yaml 
@@ -1,30 +1,31 @@ id: aws_foundational_security_es_5 title: 5 Elasticsearch domains should have audit logging enabled +type: control description: This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_es_6.yaml b/compliance/controls/aws/aws_foundational_security_es_6.yaml index b5a4ba5e8..0db90fa29 100644 --- a/compliance/controls/aws/aws_foundational_security_es_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_6.yaml 
@@ -1,29 +1,30 @@ id: aws_foundational_security_es_6 title: 6 Elasticsearch domains should have at least three data nodes +type: control description: This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN 'alarm' - WHEN - elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - AND (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN title || ' zone awareness disabled.' - ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN 'alarm' + WHEN + elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true' + AND (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' THEN title || ' zone awareness disabled.' + ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} 
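Review bot: The status column on the new side is written `END status` while every other projected column in this definition, including the neighbouring `END AS reason`, uses an explicit alias keyword; `END AS status` keeps the definitions uniform with the other controls in these hunks. The same implicit alias appears in aws_foundational_security_es_8. Separately, the reason for a zone-aware domain with fewer than three nodes, `' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).'`, reads the same whether the status is ok or alarm; appending the threshold, e.g. `' data node(s), at least 3 required.'`, would make the alarm self-explanatory.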
diff --git a/compliance/controls/aws/aws_foundational_security_es_7.yaml b/compliance/controls/aws/aws_foundational_security_es_7.yaml index 24421df9c..6900329d3 100644 --- a/compliance/controls/aws/aws_foundational_security_es_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_7.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_es_7 title: 7 Elasticsearch domains should be configured with at least three dedicated master nodes +type: control description: This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN 'alarm' - WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true' - AND (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN title || ' dedicated master nodes disabled.' - ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).' 
- END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN 'alarm' + WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true' + AND (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' THEN title || ' dedicated master nodes disabled.' + ELSE title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_es_8.yaml b/compliance/controls/aws/aws_foundational_security_es_8.yaml index 53c519f0f..e69d94071 100644 --- a/compliance/controls/aws/aws_foundational_security_es_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_es_8.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_es_8 title: 8 Connections to Elasticsearch domains should be encrypted using TLS 1.2 +type: control description: This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN title || ' encrypted using TLS 1.2.' - ELSE title || ' not encrypted using TLS 1.2.' - END AS reason - FROM - aws_elasticsearch_domain; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' THEN title || ' encrypted using TLS 1.2.' + ELSE title || ' not encrypted using TLS 1.2.' + END AS reason + FROM + aws_elasticsearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml b/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml index 0a0078c8d..c43b2ab35 100644 --- a/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml 
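Review bot: The status check on the new side requires `TLSSecurityPolicy` to equal exactly `'Policy-Min-TLS-1-2-2019-07'`, which matches the description but not the title: AWS has since introduced the stricter `Policy-Min-TLS-1-2-PFS-2023-10` policy, which also enforces a TLS 1.2 minimum, and a domain using it would be reported `' not encrypted using TLS 1.2.'`. If the intent is "TLS 1.2 or stronger", `WHEN domain_endpoint_options ->> 'TLSSecurityPolicy' IN ('Policy-Min-TLS-1-2-2019-07', 'Policy-Min-TLS-1-2-PFS-2023-10') THEN 'ok'` covers both; otherwise the title should state that the exact policy is required. A NULL `TLSSecurityPolicy` falls to `'alarm'` here, which is the safe default.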
@@ -1,28 +1,29 @@
 id: aws_foundational_security_eventbridge_3
 title: 3 EventBridge custom event buses should have a resource-based policy attached
+type: control
 description: This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eventbridge_bus
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN name = 'default' THEN 'skip'
- WHEN policy_std IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN name = 'default' THEN title || ' is default event bus.'
- WHEN policy_std IS NOT NULL THEN title || ' has resource based policy attached.'
- ELSE title || ' does not have resource based policy attached.'
- END AS reason
- FROM
- aws_eventbridge_bus;
+ language: sql
+ primary_resource: aws_eventbridge_bus
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN name = 'default' THEN 'skip'
+ WHEN policy_std IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN name = 'default' THEN title || ' is default event bus.'
+ WHEN policy_std IS NOT NULL THEN title || ' has resource based policy attached.'
+ ELSE title || ' does not have resource based policy attached.'
+ END AS reason
+ FROM
+ aws_eventbridge_bus;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_fsx_1.yaml b/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
index 48d5836bb..94bf34bf8 100644
--- a/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
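Review bot: The pass condition `WHEN policy_std IS NOT NULL THEN 'ok'` is a presence test only, so a custom bus whose attached policy is itself the problem (an Allow for `Principal: "*"` with no condition) passes with 'has resource based policy attached', which reads like an endorsement of the policy's content. That matches the description's 'has a resource-based policy attached' scope, but the reason text and the SQL should say so to stop the finding being read as an access-control check; a `--` line above the CASE such as `-- presence check only: the policy's principals and conditions are not evaluated here` would do. If an access-scope check is wanted, it belongs in a separate control that inspects `policy_std -> 'Statement'` rather than in this one.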
@@ -1,32 +1,33 @@ id: aws_foundational_security_fsx_1 title: 1 FSx for OpenZFS file systems should be configured to copy tags to backups and volumes +type: control description: This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_fsx_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN file_system_type <> 'OPENZFS' THEN 'skip' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool - AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN file_system_type <> 'OPENZFS' THEN title || ' is of ' || file_system_type || ' type file system.' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool - AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN title || ' copy tags to backup and volume enabled.' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool THEN title || ' copy tags to backup enabled but disabled for volume.' - WHEN (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN title || ' copy tags to volume enabled but disabled for backup.' - ELSE title || ' copy tags to backup and volume disabled.' 
- END AS reason - FROM - aws_fsx_file_system; + language: sql + primary_resource: aws_fsx_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN file_system_type <> 'OPENZFS' THEN 'skip' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool + AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN file_system_type <> 'OPENZFS' THEN title || ' is of ' || file_system_type || ' type file system.' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool + AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN title || ' copy tags to backup and volume enabled.' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool THEN title || ' copy tags to backup enabled but disabled for volume.' + WHEN (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool THEN title || ' copy tags to volume enabled but disabled for backup.' + ELSE title || ' copy tags to backup and volume disabled.' + END AS reason + FROM + aws_fsx_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_iam_1.yaml b/compliance/controls/aws/aws_foundational_security_iam_1.yaml index d2cfa03c1..35cec7ab8 100644 --- a/compliance/controls/aws/aws_foundational_security_iam_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_iam_1.yaml 
@@ -1,46 +1,47 @@ id: aws_foundational_security_iam_1 title: 1 IAM policies should not allow full '*' administrative privileges +type: control description: "This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access that includes a statement with 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH star_access_policies AS ( - SELECT - arn, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - NOT is_aws_managed - AND s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - (action = '*' - OR action = '*:*') - ) - AND is_attached - GROUP BY arn + language: sql + primary_resource: aws_iam_policy + definition: | + WITH star_access_policies AS ( + SELECT + arn, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + NOT is_aws_managed + AND s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + (action = '*' + OR action = '*:*') ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN s.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - p.name || ' contains ' || COALESCE(s.num_bad_statements,0) || ' statements that allow action "*" on resource "*".' 
AS reason - FROM - aws_iam_policy AS p - LEFT JOIN star_access_policies AS s ON p.arn = s.arn - WHERE - NOT p.is_aws_managed; + AND is_attached + GROUP BY arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN s.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + p.name || ' contains ' || COALESCE(s.num_bad_statements,0) || ' statements that allow action "*" on resource "*".' AS reason + FROM + aws_iam_policy AS p + LEFT JOIN star_access_policies AS s ON p.arn = s.arn + WHERE + NOT p.is_aws_managed; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_iam_2.yaml b/compliance/controls/aws/aws_foundational_security_iam_2.yaml index 527aded16..0c1a89daa 100644 --- a/compliance/controls/aws/aws_foundational_security_iam_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_iam_2.yaml 
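Review bot: The CTE filters with `AND is_attached`, so an unattached customer managed policy that allows `*` on `*` is reported as 'ok' with the reason 'contains 0 statements that allow action "*" on resource "*"', which is false — the policy does contain such a statement, it just is not attached — and the description ('checks whether the default version of IAM policies ... has administrator access') says nothing about attachment. Either drop `AND is_attached` so admin policies are flagged before someone attaches them, or keep it and make the reason honest with a leading branch such as `WHEN NOT p.is_attached THEN p.name || ' is not attached; star-on-star statements not evaluated.'` under a 'skip' status. Whichever is chosen, a `--` comment on the `is_attached` line stating the intent would keep the next edit from silently flipping it.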
@@ -1,24 +1,25 @@
 id: aws_foundational_security_iam_2
 title: 2 IAM users should not have IAM policies attached
+type: control
 description: This control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- name || ' has ' || COALESCE(JSONB_ARRAY_LENGTH(inline_policies), 0) || ' inline and ' ||
- COALESCE(JSONB_ARRAY_LENGTH(attached_policy_arns), 0) || ' directly attached policies.' AS reason
- FROM
- aws_iam_user;
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ name || ' has ' || COALESCE(JSONB_ARRAY_LENGTH(inline_policies), 0) || ' inline and ' ||
+ COALESCE(JSONB_ARRAY_LENGTH(attached_policy_arns), 0) || ' directly attached policies.' AS reason
+ FROM
+ aws_iam_user;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_iam_21.yaml b/compliance/controls/aws/aws_foundational_security_iam_21.yaml
index 3b5ccb0f9..48b465dc7 100644
--- a/compliance/controls/aws/aws_foundational_security_iam_21.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_21.yaml
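Review bot: The status test `inline_policies IS NULL AND attached_policy_arns IS NULL` only passes when both columns are SQL NULL; if either is ever stored as an empty JSON array `[]` for a user with nothing attached, that user alarms while the reason reports '0 inline and 0 directly attached policies', so status and reason contradict each other. The reason already guards with `COALESCE(JSONB_ARRAY_LENGTH(...), 0)`, so the columns are known to be nullable JSON arrays — whether they can also be empty is not visible here, but testing the same counts in the status keeps the two consistent either way: `WHEN COALESCE(JSONB_ARRAY_LENGTH(inline_policies), 0) = 0 AND COALESCE(JSONB_ARRAY_LENGTH(attached_policy_arns), 0) = 0 THEN 'ok'`.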
@@ -1,48 +1,49 @@ id: aws_foundational_security_iam_21 title: 21 IAM customer managed policies that you create should not allow wildcard actions for services +type: control description: "This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH wildcard_action_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - NOT is_aws_managed - AND s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action LIKE '%:*' - OR action = '*' - ) - GROUP BY - arn + language: sql + primary_resource: aws_iam_policy + definition: | + WITH wildcard_action_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + NOT is_aws_managed + AND s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action LIKE '%:*' + OR action = '*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN w.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - p.name || ' contains ' || COALESCE(w.statements_num, 0) || - ' statements that allow action "*" on at least 1 AWS service on resource "*".' 
AS reason - FROM - aws_iam_policy AS p - LEFT JOIN wildcard_action_policies AS w - ON p.arn = w.arn - WHERE - NOT p.is_aws_managed; + GROUP BY + arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN w.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + p.name || ' contains ' || COALESCE(w.statements_num, 0) || + ' statements that allow action "*" on at least 1 AWS service on resource "*".' AS reason + FROM + aws_iam_policy AS p + LEFT JOIN wildcard_action_policies AS w + ON p.arn = w.arn + WHERE + NOT p.is_aws_managed; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_iam_3.yaml b/compliance/controls/aws/aws_foundational_security_iam_3.yaml index b35c7e4b4..92de08f96 100644 --- a/compliance/controls/aws/aws_foundational_security_iam_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_iam_3.yaml 
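Review bot: The description says the control fails on any Allow statement with `Action: Service:*`, but the CTE additionally requires `resource = '*'`, so a statement such as `s3:*` scoped to a single bucket ARN reports 'ok' with 'contains 0 statements that allow action "*" on at least 1 AWS service on resource "*"'; the query is narrower than the description. Either drop `AND resource = '*'` (and the 'on resource "*"' tail of the reason) to match the stated scope, or amend the description to say the statement must also cover all resources. The `action LIKE '%:*'` test also ignores `NotAction` statements, which is consistent with iam_1 but is worth a `--` comment so readers know it is a known gap rather than an oversight.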
@@ -1,24 +1,25 @@ id: aws_foundational_security_iam_3 title: 3 IAM users' access keys should be rotated every 90 days or less +type: control description: This control checks whether the active access keys are rotated within 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date , 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason + FROM + aws_iam_access_key; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_iam_4.yaml b/compliance/controls/aws/aws_foundational_security_iam_4.yaml index 9b9a58a5e..84822db82 100644 --- a/compliance/controls/aws/aws_foundational_security_iam_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_iam_4.yaml 
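Review bot: The description limits the check to active keys, but the query has no filter on key status, so an inactive key older than 90 days alarms and the reason ('... created DD-Mon-YYYY (N days).') gives no hint that it is inactive. Either restrict with a WHERE on the table's key-status column (`status` in the upstream plugin schema, if this table keeps that name) or, better for visibility, add a leading `WHEN status <> 'Active' THEN 'skip'` branch with a reason such as `user_name || ' ' || access_key_id || ' is inactive.'` so inactive keys still appear but do not fail. If the column is not available in this schema, the description should stop saying 'active'.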
@@ -1,26 +1,27 @@
 id: aws_foundational_security_iam_4
 title: 4 IAM root user access key should not exist
+type: control
 description: This control checks whether the root user access key is present. The root account is the most privileged user in an AWS account. AWS access keys provide programmatic access to a given account.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_account_summary
- definition: |
- SELECT
- 'arn:' || partition || ':::' || account_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_access_keys_present > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
- ELSE 'No root user access keys exist.'
- END AS reason
- FROM
- aws_iam_account_summary;
+ language: sql
+ primary_resource: aws_iam_account_summary
+ definition: |
+ SELECT
+ 'arn:' || partition || ':::' || account_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.'
+ ELSE 'No root user access keys exist.'
+ END AS reason
+ FROM
+ aws_iam_account_summary;
 severity: critical
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_iam_5.yaml b/compliance/controls/aws/aws_foundational_security_iam_5.yaml
index 97fd815fc..dc3a745ed 100644
--- a/compliance/controls/aws/aws_foundational_security_iam_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_5.yaml
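Review bot: The resource key `'arn:' || partition || ':::' || account_id` produces a string with no service segment (`arn:<partition>:::<account>`), which is not the shape iam_3 in this same change builds (`'arn:' || partition || ':iam::' || account_id || ...`), so findings for the root identity will not line up with other per-account findings keyed on a real ARN. The conventional identifier for the root user is `'arn:' || partition || ':iam::' || account_id || ':root'`; if the current string is being kept on purpose for continuity of existing findings, a `--` comment saying so would stop the next reader from 'fixing' it.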
@@ -1,27 +1,28 @@
 id: aws_foundational_security_iam_5
 title: 5 MFA should be enabled for all IAM users that have a console password
+type: control
 description: This control checks whether AWS multi-factor authentication (MFA) is enabled for all IAM users that use a console password.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_iam_credential_report
- definition: |
- SELECT
- user_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN password_enabled AND NOT mfa_active THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT password_enabled THEN user_name || ' password login disabled.'
- WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
- ELSE user_name || ' password login enabled and MFA device configured.'
- END AS reason
- FROM
- aws_iam_credential_report;
+ language: sql
+ primary_resource: aws_iam_credential_report
+ definition: |
+ SELECT
+ user_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN password_enabled AND NOT mfa_active THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT password_enabled THEN user_name || ' password login disabled.'
+ WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.'
+ ELSE user_name || ' password login enabled and MFA device configured.'
+ END AS reason
+ FROM
+ aws_iam_credential_report;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_iam_8.yaml b/compliance/controls/aws/aws_foundational_security_iam_8.yaml
index ec34a54e6..784359d48 100644
--- a/compliance/controls/aws/aws_foundational_security_iam_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_8.yaml
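Review bot: The status CASE alarms only on `password_enabled AND NOT mfa_active`, so if `mfa_active` is NULL for a console user the predicate is NULL, the row falls to `ELSE 'ok'`, and the reason reads 'password login enabled and MFA device configured' — a missing value is reported as a configured MFA device. `WHEN password_enabled AND NOT COALESCE(mfa_active, false) THEN 'alarm'` (and the same in the reason CASE) keeps an unknown flag on the failing side. The credential report also includes the root account row, and nothing here excludes it, so whether root is meant to be scored by this control as an ordinary user should be stated in a `--` comment.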
@@ -1,60 +1,61 @@ id: aws_foundational_security_iam_8 title: 8 Unused IAM user credentials should be removed +type: control description: This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) - THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 
'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END - AS reason - FROM aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '90' DAY) + THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' 
key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END + AS reason + FROM aws_iam_credential_report; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml b/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml index 4219ad08d..d6a3845e2 100644 --- a/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml 
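Review bot: Every alarm branch compares a timestamp with `< (CURRENT_DATE - INTERVAL '90' DAY)`, so a row whose `password_last_changed` or `access_key_N_last_rotated` is NULL while the credential is enabled and never used evaluates to NULL in that branch and drops through to the final `ELSE 'ok'`, silently passing exactly the stale credential the control exists to flag; wrapping the date as `COALESCE(password_last_changed, '1970-01-01')` in each of those three branches (or adding explicit `IS NULL` alarm branches) closes the gap. The `WHEN user_name = '' THEN 'info'` sentinel only fires if the root account's report row is stored with an empty name — if it carries its literal report name instead, root is scored like any other user — so the intended row deserves a `--` comment. The reason text prints 'key 1 used <date>' even when that date is the reason for the alarm; 'last used' would read less like a pass.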
@@ -1,26 +1,27 @@
 id: aws_foundational_security_kinesis_1
 title: 1 Kinesis Data Streams should be encrypted at rest
+type: control
 description: This control checks if Kinesis Data Streams are encrypted at rest with server-side encryption. This control fails if a Kinesis stream is not encrypted at rest with server-side encryption.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_kinesis_stream
- definition: |
- SELECT
- stream_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN encryption_type = 'KMS' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN encryption_type = 'KMS' THEN title || ' server side encryption enabled.'
- ELSE title || ' server side encryption disabled.'
- END AS reason
- FROM
- aws_kinesis_stream;
+ language: sql
+ primary_resource: aws_kinesis_stream
+ definition: |
+ SELECT
+ stream_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN encryption_type = 'KMS' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN encryption_type = 'KMS' THEN title || ' server side encryption enabled.'
+ ELSE title || ' server side encryption disabled.'
+ END AS reason
+ FROM
+ aws_kinesis_stream;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_kms_1.yaml b/compliance/controls/aws/aws_foundational_security_kms_1.yaml
index 382538a6e..40a6d1951 100644
--- a/compliance/controls/aws/aws_foundational_security_kms_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_kms_1.yaml
@@ -1,41 +1,42 @@ id: aws_foundational_security_kms_1 title: 1 IAM customer managed policies should not allow decryption actions on all KMS keys +type: control description: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH policy_with_decrypt_grant AS ( - SELECT - DISTINCT arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS statement - WHERE - NOT is_aws_managed - AND statement ->> 'Effect' = 'Allow' - AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] - AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:DECRYPT', 'kms:REENCRYPTFROM', 'kms:REENCRYPT*'] - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN d.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NULL THEN i.title || ' doesn''t allow decryption actions on all keys.' - ELSE i.title || ' allows decryption actions on all keys.' 
- END AS reason - FROM - aws_iam_policy i - LEFT JOIN policy_with_decrypt_grant d ON i.arn = d.arn - WHERE - NOT is_aws_managed; + language: sql + primary_resource: aws_iam_policy + definition: | + WITH policy_with_decrypt_grant AS ( + SELECT + DISTINCT arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS statement + WHERE + NOT is_aws_managed + AND statement ->> 'Effect' = 'Allow' + AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] + AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:DECRYPT', 'kms:REENCRYPTFROM', 'kms:REENCRYPT*'] + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN d.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NULL THEN i.title || ' doesn''t allow decryption actions on all keys.' + ELSE i.title || ' allows decryption actions on all keys.' + END AS reason + FROM + aws_iam_policy i + LEFT JOIN policy_with_decrypt_grant d ON i.arn = d.arn + WHERE + NOT is_aws_managed; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_kms_3.yaml b/compliance/controls/aws/aws_foundational_security_kms_3.yaml index 71f8f1d88..49cdb44f3 100644 --- a/compliance/controls/aws/aws_foundational_security_kms_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_kms_3.yaml 
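Review bot: The Resource patterns hard-code the partition (`'arn:aws:kms:*:' || account_id || ':key/*'`), so a policy in a GovCloud or China account that scopes to `arn:aws-us-gov:kms:...` is never matched and reports "doesn't allow decryption actions on all keys"; the sibling controls in this change derive ARNs from the `partition` column and this one should too: `'arn:' || partition || ':kms:*:' || account_id || ':key/*'`. The `?|` operator is an exact, case-sensitive element match, so `'kms:DECRYPT'` and `'kms:REENCRYPTFROM'` only hit if `policy_std` preserves that exact casing — if it normalizes actions to lowercase, as its name suggests, those two entries never match — and `'kms:REENCRYPT*'` matches only that literal string, not other wildcard spellings of the same action. Expanding the statement with `jsonb_array_elements_text(statement -> 'Action')` and testing with `ILIKE`, the way iam_21 does with `LIKE`, covers both casing and wildcard forms. A `--` comment should also note that `NotResource`/`NotAction` statements are not evaluated here.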
@@ -1,28 +1,29 @@ id: aws_foundational_security_kms_3 title: 3 AWS KMS keys should not be unintentionally deleted +type: control description: This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion, consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN key_state = 'PendingDeletion' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN key_state = 'PendingDeletion' THEN title || ' scheduled for deletion and will be deleted in ' || EXTRACT(DAY FROM deletion_date - CURRENT_TIMESTAMP) || ' day(s).' - ELSE title || ' not scheduled for deletion.' - END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN key_state = 'PendingDeletion' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN key_state = 'PendingDeletion' THEN title || ' scheduled for deletion and will be deleted in ' || EXTRACT(DAY FROM deletion_date - CURRENT_TIMESTAMP) || ' day(s).' + ELSE title || ' not scheduled for deletion.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: critical tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_lambda_1.yaml b/compliance/controls/aws/aws_foundational_security_lambda_1.yaml index cc4ef28e8..791475660 100644 --- a/compliance/controls/aws/aws_foundational_security_lambda_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_lambda_1.yaml 
@@ -1,44 +1,45 @@ id: aws_foundational_security_lambda_1 title: 1 Lambda function policies should prohibit public access +type: control description: This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH wildcard_action_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_lambda_function, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '[\"*\"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - arn + language: sql + primary_resource: aws_lambda_function + definition: | + WITH wildcard_action_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_lambda_function, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '[\"*\"]' + OR s ->> 'Principal' = '*' ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows public access.' 
- END AS reason - FROM - aws_lambda_function AS f - LEFT JOIN wildcard_action_policies AS p - ON p.arn = f.arn + GROUP BY + arn + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' does not allow public access.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows public access.' + END AS reason + FROM + aws_lambda_function AS f + LEFT JOIN wildcard_action_policies AS p + ON p.arn = f.arn severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_lambda_2.yaml b/compliance/controls/aws/aws_foundational_security_lambda_2.yaml index 36109c643..7535e62f1 100644 --- a/compliance/controls/aws/aws_foundational_security_lambda_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_lambda_2.yaml 
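Review bot: The principal test `(s -> 'Principal' -> 'AWS') = '[\"*\"]'` lives inside a YAML literal block scalar (`definition: |`), where backslashes are not escape characters, so unless the loader unescapes the text the SQL literal reaches Postgres as `[\"*\"]`, which is not valid JSON for the jsonb comparison; `'["*"]'` with no backslashes is what the check means. The statement is also judged on the principal alone — an Allow for `Principal: *` that is narrowed by a Condition (a source-account or source-ARN constraint, for instance) still counts as public — which is worth stating in the description or a `--` comment so findings are triaged with that in mind. Minor: the closing `ON p.arn = f.arn` lacks the terminating semicolon the sibling controls use, and the CTE name `wildcard_action_policies` describes principals here, not actions.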
@@ -1,30 +1,31 @@ id: aws_foundational_security_lambda_2 title: 2 Lambda functions should use supported runtimes -description: 'This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6' +type: control +description: "This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6" integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN package_type <> 'Zip' THEN 'skip' - WHEN runtime LIKE ANY ($1) THEN 'ok' - WHEN runtime LIKE ANY ($2) THEN 'alarm' - ELSE 'info' - END AS status, - CASE - WHEN package_type <> 'Zip' THEN title || ' package type is ' || package_type || '.' - WHEN runtime LIKE ANY ($1) THEN title || ' uses latest runtime - ' || runtime || '.' - WHEN runtime LIKE ANY ($2) THEN title || ' uses ' || runtime || ' which is not the latest version.' - ELSE title || ' uses runtime ' || runtime || ' which is yet to be released.' 
- END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN package_type <> 'Zip' THEN 'skip' + WHEN runtime LIKE ANY ($1) THEN 'ok' + WHEN runtime LIKE ANY ($2) THEN 'alarm' + ELSE 'info' + END AS status, + CASE + WHEN package_type <> 'Zip' THEN title || ' package type is ' || package_type || '.' + WHEN runtime LIKE ANY ($1) THEN title || ' uses latest runtime - ' || runtime || '.' + WHEN runtime LIKE ANY ($2) THEN title || ' uses ' || runtime || ' which is not the latest version.' + ELSE title || ' uses runtime ' || runtime || ' which is yet to be released.' + END AS reason + FROM + aws_lambda_function; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_msk_1.yaml b/compliance/controls/aws/aws_foundational_security_msk_1.yaml index 1f26558bc..e07b22f41 100644 --- a/compliance/controls/aws/aws_foundational_security_msk_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_msk_1.yaml 
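Review bot: The query references `$1` and `$2` in `runtime LIKE ANY ($1)` and `runtime LIKE ANY ($2)`, but the file declares `parameters: []`, so nothing binds those placeholders and the control cannot execute as written. The two runtime lists the description enumerates (latest and outdated) should be declared in that `parameters` block, or inlined as array literals in the SQL. Because the `$1` branch is tested first, any pattern present in both lists is classified as latest, so keep the lists disjoint.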
@@ -1,26 +1,27 @@ id: aws_foundational_security_msk_1 title: 1 MSK clusters should be encrypted in transit among broker nodes +type: control description: This controls checks if an Amazon MSK cluster is encrypted in transit with HTTPS (TLS) among the broker nodes of the cluster. The control fails if plain text communication is enabled for a cluster broker node connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_msk_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN title || ' encryption in transit enabled with TLS.' - ELSE title || ' encryption in transit enabled with plaintext.' - END AS reason - FROM - aws_msk_cluster; + language: sql + primary_resource: aws_msk_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN title || ' encryption in transit enabled with TLS.' + ELSE title || ' encryption in transit enabled with plaintext.' + END AS reason + FROM + aws_msk_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_1.yaml b/compliance/controls/aws/aws_foundational_security_neptune_1.yaml index a9415b059..e9ee9efbd 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_1.yaml 
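Review bot: The predicate reads `provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker'`, which is the client-to-broker setting, while the title and description describe encryption among broker nodes; the MSK API exposes that as the `InCluster` boolean under `EncryptionInTransit`, so the check should be `... ->> 'InCluster' = 'true'` (or test both) if the control is meant to match its description. Because the ELSE branch catches every other value, a cluster whose `provisioned` is NULL is reported as 'alarm' with the reason "encryption in transit enabled with plaintext", which is not what was observed; add a `WHEN provisioned IS NULL THEN 'skip'` branch to both CASE expressions so the reason only claims plaintext when the field says so.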
+++ b/compliance/controls/aws/aws_foundational_security_neptune_1.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_1 title: 1 Neptune DB clusters should be encrypted at rest +type: control description: This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_neptune_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_2.yaml b/compliance/controls/aws/aws_foundational_security_neptune_2.yaml index c979fd0a2..8454561dc 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_2.yaml 
@@ -1,27 +1,28 @@ id: aws_foundational_security_neptune_2 title: 2 Neptune DB clusters should publish audit logs to CloudWatch Logs +type: control description: This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - engine, - CASE - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + engine, + CASE + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_3.yaml b/compliance/controls/aws/aws_foundational_security_neptune_3.yaml index c1f06e1c4..1b636e2a8 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_3.yaml 
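Review bot: The select list projects a bare `engine` column that no sibling control in this commit emits and that neither CASE expression uses; drop it, or alias it if a consumer expects the extra column, so the result shape stays uniform across controls. The containment test `enabled_cloudwatch_logs_exports @> '["audit"]'` yields NULL when the column is NULL and falls through to 'alarm', which is the safe direction.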
@@ -1,27 +1,28 @@ id: aws_foundational_security_neptune_3 title: 3 Neptune DB cluster snapshots should not be public +type: control description: This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster_snapshot - definition: | - SELECT - db_cluster_snapshot_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_neptune_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot; + language: sql + primary_resource: aws_neptune_db_cluster_snapshot + definition: | + SELECT + db_cluster_snapshot_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_neptune_db_cluster_snapshot, + jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_4.yaml b/compliance/controls/aws/aws_foundational_security_neptune_4.yaml index 02579acd3..20ced911b 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_4.yaml 
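Review bot: The cross join with `jsonb_array_elements(db_cluster_snapshot_attributes)` emits one result row per attribute entry, so a snapshot can appear several times with conflicting statuses, and a snapshot whose attribute array is empty or NULL produces no row at all and silently drops out of the control. Evaluate per snapshot instead, e.g. `WHEN EXISTS (SELECT 1 FROM jsonb_array_elements(db_cluster_snapshot_attributes) AS a WHERE a -> 'AttributeValues' ? 'all') THEN 'alarm'`, which also fixes a second gap: `-> 'AttributeValues' = '["all"]'` is whole-array equality and misses an AttributeValues list containing 'all' alongside specific account ids. The same EXISTS predicate replaces the duplicate in the reason CASE, and the FROM clause then lists only `aws_neptune_db_cluster_snapshot`.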
@@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_4 title: 4 Neptune DB clusters should have deletion protection enabled +type: control description: This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_5.yaml b/compliance/controls/aws/aws_foundational_security_neptune_5.yaml index 4a4519fb6..eb1de2c94 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_5.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_5 title: 5 Neptune DB clusters should have automated backups enabled +type: control description: This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to 7 days. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN backup_retention_period >= 7 THEN title || ' automated backups enabled.' - ELSE title || ' automated backups disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN backup_retention_period >= 7 THEN title || ' automated backups enabled.' + ELSE title || ' automated backups disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_6.yaml b/compliance/controls/aws/aws_foundational_security_neptune_6.yaml index b8c753b44..8fcf32b2f 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_6.yaml 
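Review bot: The ELSE reason `title || ' automated backups disabled.'` is emitted for any cluster whose `backup_retention_period` is below 7, including clusters that do have backups enabled with a 1–6 day retention, so the message misstates what was found. Report the observed value instead, e.g. `ELSE title || ' backup retention period is ' || COALESCE(backup_retention_period::text, 'not set') || ' day(s), less than the required 7.'`; the COALESCE also keeps the reason non-NULL when the column is NULL, which the status CASE already routes to 'alarm'.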
@@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_6 title: 6 Neptune DB cluster snapshots should be encrypted at rest +type: control description: This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster_snapshot - definition: | - SELECT - db_cluster_snapshot_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_neptune_db_cluster_snapshot; + language: sql + primary_resource: aws_neptune_db_cluster_snapshot + definition: | + SELECT + db_cluster_snapshot_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_neptune_db_cluster_snapshot; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_7.yaml b/compliance/controls/aws/aws_foundational_security_neptune_7.yaml index 05575878c..e55e8fd5d 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_7.yaml 
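Review bot: The description's second sentence says the control fails "if a Neptune DB cluster isn't encrypted at rest", but the query evaluates `aws_neptune_db_cluster_snapshot` rows, so it should read "if a Neptune DB cluster snapshot isn't encrypted at rest" to match the title and the resource actually checked. That line is unchanged by this commit, but the file is being rewritten anyway.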
@@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_7 title: 7 Neptune DB clusters should have IAM database authentication enabled +type: control description: This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_database_authentication_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' - ELSE title || ' IAM authentication disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_database_authentication_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' + ELSE title || ' IAM authentication disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_neptune_8.yaml b/compliance/controls/aws/aws_foundational_security_neptune_8.yaml index c1830d485..f85250808 100644 --- a/compliance/controls/aws/aws_foundational_security_neptune_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_8.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_neptune_8 title: 8 Neptune DB clusters should be configured to copy tags to snapshots +type: control description: This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune DB cluster isn't configured to copy tags to snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN copy_tags_to_snapshot THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' - ELSE title || ' copy tags to snapshot disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN copy_tags_to_snapshot THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' + ELSE title || ' copy tags to snapshot disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml index 8caf1e02c..1b19e1a00 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_networkfirewall_2 title: 2 Network Firewall logging should be enabled +type: control description: This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(logging_configuration) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(logging_configuration) > 0 THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason - FROM - aws_networkfirewall_firewall; + language: sql + primary_resource: aws_networkfirewall_firewall + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(logging_configuration) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(logging_configuration) > 0 THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason + FROM + aws_networkfirewall_firewall; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml index 8d136a457..5cfa19453 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml 
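Review bot: The description promises a failure when "the logging destination doesn't exist", but the predicate `jsonb_array_length(logging_configuration) > 0` only checks that at least one logging entry is present and never verifies a destination; either narrow the description to what is evaluated or add that check. `jsonb_array_length` raises an error rather than returning NULL if the column ever holds a JSON object instead of an array, so if that shape is not guaranteed (I cannot tell from this file) guard it with `jsonb_typeof(logging_configuration) = 'array' AND ...`.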
@@ -1,34 +1,35 @@ id: aws_foundational_security_networkfirewall_3 title: 3 Network Firewall policies should have at least one rule group associated +type: control description: This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL - OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL - OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL - OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL - OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) - THEN title || ' has no associated rule groups.' - ELSE title || ' has associated rule groups.' 
- END AS reason - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL + OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) + AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL + OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL + OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) + AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL + OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) + THEN title || ' has no associated rule groups.' + ELSE title || ' has associated rule groups.' + END AS reason + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml index daa3ec050..8a39d5e5b 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml 
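Review bot: The four-line rule-group predicate is written out twice, once in the status CASE and once in the reason CASE, so a later edit to one copy (say, treating an empty array differently) can silently diverge from the other. Compute it once as a boolean in a CTE and reference that column from both CASE expressions; the rewrite below keeps the same output columns and the same 'alarm'/'ok' mapping.
```yaml
  definition: |
    WITH policy_rule_groups AS (
      SELECT
        arn,
        platform_integration_id,
        platform_resource_id,
        title,
        (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL
          OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0)
        AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL
          OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) AS has_no_rule_groups
      FROM
        aws_networkfirewall_firewall_policy
    )
    SELECT
      arn AS resource,
      platform_integration_id AS platform_integration_id,
      platform_resource_id AS platform_resource_id,
      CASE WHEN has_no_rule_groups THEN 'alarm' ELSE 'ok' END AS status,
      CASE
        WHEN has_no_rule_groups THEN title || ' has no associated rule groups.'
        ELSE title || ' has associated rule groups.'
      END AS reason
    FROM
      policy_rule_groups;
# … unchanged: severity, tags …
```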
@@ -1,28 +1,29 @@ id: aws_foundational_security_networkfirewall_4 title: 4 The default stateless action for Network Firewall policies should be drop or forward for full packets +type: control description: A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for full packets.' - ELSE title || ' stateless action is either drop or forward for full packets.' - END AS reason - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for full packets.' 
+ ELSE title || ' stateless action is either drop or forward for full packets.' + END AS reason + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml index d9dcd339f..3f4459c9b 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml 
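Review bot: The status predicate `NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' AND NOT (...) ? 'aws:forward_to_sfe'` evaluates to NULL when `StatelessDefaultActions` is absent or NULL, and a NULL WHEN condition falls through to ELSE 'ok', so a policy with no default action recorded passes the control; the networkfirewall_5 hunk below has the same fail-open shape for `StatelessFragmentDefaultActions`. Guard the missing-key case explicitly, e.g. add `WHEN firewall_policy -> 'StatelessDefaultActions' IS NULL THEN 'alarm'` as the first branch of both CASE expressions with a matching reason such as `' has no stateless default action configured.'`, or wrap each `?` test in `COALESCE(..., false)`. The predicate is also duplicated verbatim between status and reason; a CTE computing the boolean once would keep the two in step.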
@@ -1,28 +1,29 @@ id: aws_foundational_security_networkfirewall_5 title: 5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets +type: control description: This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for fragmented packets.' - ELSE title || ' stateless action is either drop or forward for fragmented packets.' - END AS reason - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 
'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for fragmented packets.' + ELSE title || ' stateless action is either drop or forward for fragmented packets.' + END AS reason + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml index 10f59f03c..fd0ee6cc4 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml 
@@ -1,27 +1,28 @@ id: aws_foundational_security_networkfirewall_6 title: 6 Stateless network firewall rule group should not be empty +type: control description: A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_rule_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'STATEFUL' THEN 'skip' - WHEN jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'STATEFUL' THEN title || ' is a stateful rule group.' - ELSE title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' - END AS reason - FROM - aws_networkfirewall_rule_group; + language: sql + primary_resource: aws_networkfirewall_rule_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'STATEFUL' THEN 'skip' + WHEN jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'STATEFUL' THEN title || ' is a stateful rule group.' + ELSE title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' + END AS reason + FROM + aws_networkfirewall_rule_group; severity: medium tags: {} 
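Review bot: In the reason CASE the ELSE branch concatenates `jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules')`, which is NULL when the `StatelessRules` key is missing, so the entire reason becomes NULL for exactly the stateless groups the status CASE marks 'alarm' (NULL > 0 is not true). Wrap the count, e.g. `ELSE title || ' has ' || COALESCE(jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'), 0) || ' rule(s).'`, so an absent list is reported as 0 rule(s) instead of an empty reason. If that key can hold a non-array value (I cannot tell from this file), `jsonb_array_length` raises rather than returning NULL, and a `jsonb_typeof(...) = 'array'` guard would cover it.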
diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml index 62e6ed8e6..3f6c4591d 100644 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_networkfirewall_9 title: 9 Network Firewall firewalls should have deletion protection enabled +type: control description: This control checks whether an AWS Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enabled for a firewall. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN delete_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN delete_protection THEN title || ' delete protection enabled.' - ELSE title || ' delete protection disabled.' - END AS reason - FROM - aws_networkfirewall_firewall; + language: sql + primary_resource: aws_networkfirewall_firewall + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN delete_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN delete_protection THEN title || ' delete protection enabled.' + ELSE title || ' delete protection disabled.' + END AS reason + FROM + aws_networkfirewall_firewall; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml index c009a41a0..8245411c0 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml 
+++ b/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_opensearch_1 title: 1 OpenSearch domains should have encryption at rest enabled +type: control description: This control checks whether OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest disabled.' - ELSE title || ' encryption at rest enabled.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest disabled.' + ELSE title || ' encryption at rest enabled.' + END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml index 966677589..a613965e3 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml 
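Review bot: The status CASE alarms only when `encryption_at_rest_options ->> 'Enabled' = 'false'` and treats everything else as 'ok', so a domain whose `encryption_at_rest_options` is NULL or lacks the `Enabled` key is reported as encrypted at rest; a compliance check should fail closed. Invert the test to `WHEN encryption_at_rest_options ->> 'Enabled' = 'true' THEN 'ok' ELSE 'alarm'` and mirror it in the reason CASE, which matches how the neptune and msk controls in this commit treat an unset flag.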
@@ -1,26 +1,27 @@ id: aws_foundational_security_opensearch_10 title: 10 OpenSearch domains should have the latest software update installed +type: control description: This control checks whether an Amazon OpenSearch Service domain has the latest software update installed. The control fails if a software update is available but not installed for the domain. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN title || ' updated with latest service software version.' - ELSE title || ' not updated with latest service software version.' - END reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN title || ' updated with latest service software version.' + ELSE title || ' not updated with latest service software version.' + END reason + FROM + aws_opensearch_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml index 231559626..08f52767f 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml 
@@ -1,48 +1,49 @@ id: aws_foundational_security_opensearch_2 title: 2 OpenSearch domains should not be publicly accessible +type: control description: This control checks whether OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - WITH public_subnets AS ( - SELECT - DISTINCT a -> 'SubnetId' AS SubnetId - FROM - aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE - r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND r ->> 'GatewayId' LIKE 'igw-%' - ), opensearch_domain_with_public_subnet AS ( - SELECT - arn - FROM - aws_opensearch_domain, - jsonb_array_elements(vpc_options -> 'SubnetIds') AS s - WHERE - s IN (SELECT SubnetId FROM public_subnets) - ) - SELECT - d.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' - ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' 
- END reason - FROM - aws_opensearch_domain AS d - LEFT JOIN opensearch_domain_with_public_subnet AS p ON d.arn = p.arn; + language: sql + primary_resource: aws_opensearch_domain + definition: | + WITH public_subnets AS ( + SELECT + DISTINCT a -> 'SubnetId' AS SubnetId + FROM + aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE + r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND r ->> 'GatewayId' LIKE 'igw-%' + ), opensearch_domain_with_public_subnet AS ( + SELECT + arn + FROM + aws_opensearch_domain, + jsonb_array_elements(vpc_options -> 'SubnetIds') AS s + WHERE + s IN (SELECT SubnetId FROM public_subnets) + ) + SELECT + d.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' + ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' + END reason + FROM + aws_opensearch_domain AS d + LEFT JOIN opensearch_domain_with_public_subnet AS p ON d.arn = p.arn; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml index dfb09eaa3..0d9b95c0f 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml 
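Review bot: The `public_subnets` CTE only collects subnets that have an explicit route-table association (`a -> 'SubnetId'`); a subnet that falls back to the VPC's main route table carries no `SubnetId` in `associations`, so a domain placed in such a subnet is never matched by `opensearch_domain_with_public_subnet` even when the main table has a `0.0.0.0/0` route to an `igw-*`. If the collector's `associations` mirrors the EC2 API shape (inferred, not visible here), the CTE needs a second leg that takes tables with `a ->> 'Main' = 'true'` and treats every subnet in that VPC without an explicit association as routed by them, presumably via a subnet table the collector also exposes. Separately, the `description` says the control "does not evaluate the VPC subnet routing configuration", which contradicts what the query does; one of the two should be corrected so readers know the public-subnet branch is intentional.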
@@ -1,31 +1,32 @@ id: aws_foundational_security_opensearch_3 title: 3 OpenSearch domains should encrypt data sent between nodes +type: control description: This control checks whether OpenSearch domains have node-to-node encryption enabled. This control fails if node-to-node encryption is disabled on the domain. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' - WHEN node_to_node_encryption_options_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN - title || ' node-to-node encryption not supported in ' || region || '.' - WHEN node_to_node_encryption_options_enabled THEN - title || ' node-to-node encryption enabled.' - ELSE - title || ' node-to-node encryption disabled.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' + WHEN node_to_node_encryption_options_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN + title || ' node-to-node encryption not supported in ' || region || '.' + WHEN node_to_node_encryption_options_enabled THEN + title || ' node-to-node encryption enabled.' + ELSE + title || ' node-to-node encryption disabled.' + END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} 
diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml index c357647a3..ba963636c 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml 
@@ -1,74 +1,75 @@ id: aws_foundational_security_opensearch_4 title: 4 OpenSearch domain error logging to CloudWatch Logs should be enabled +type: control description: This control checks whether OpenSearch domains are configured to send error logs to CloudWatch Logs. This control fails if error logging to CloudWatch is not enabled for a domain. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_publishing_options IS NULL THEN 'alarm' - WHEN - (log_publishing_options -> 'AUDIT_LOGS' IS NULL - OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL - OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_publishing_options IS NULL THEN 
title || ' logging not enabled.' - WHEN - (log_publishing_options -> 'AUDIT_LOGS' IS NULL - OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL - OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) THEN title || ' send logs to AWS CloudWatch.' - ELSE title || ' does not send logs to AWS CloudWatch.' 
- END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_publishing_options IS NULL THEN 'alarm' + WHEN + (log_publishing_options -> 'AUDIT_LOGS' IS NULL + OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL + OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_publishing_options IS NULL THEN title || ' logging not enabled.' 
+ WHEN + (log_publishing_options -> 'AUDIT_LOGS' IS NULL + OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL + OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) THEN title || ' send logs to AWS CloudWatch.' + ELSE title || ' does not send logs to AWS CloudWatch.' + END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml index c625876c4..00ddccb0e 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml 
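Review bot: The `ok` branch of the status CASE is satisfied by a domain that publishes no logs at all: each of the four conjuncts accepts `... IS NULL` or `Enabled = 'false'`, so `log_publishing_options = '{}'` (or all four log types disabled) yields `ok` with the reason "send logs to AWS CloudWatch", and only a literal NULL column alarms. The `description` says the control fails when error logging is not delivered to CloudWatch, so the predicate should require `ES_APPLICATION_LOGS` to be enabled with a log-group ARN, with the reason CASE mirroring it; the other three log types are not what this control is about. Sketch below; the re-indent in this hunk is otherwise fine.
```sql
CASE
  WHEN log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'Enabled' = 'true'
    AND log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'CloudWatchLogsLogGroupArn' IS NOT NULL
  THEN 'ok'
  ELSE 'alarm'
END AS status,
CASE
  WHEN log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'Enabled' = 'true'
    AND log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'CloudWatchLogsLogGroupArn' IS NOT NULL
  THEN title || ' error logs sent to AWS CloudWatch.'
  ELSE title || ' error logs not sent to AWS CloudWatch.'
END AS reason
-- … unchanged: resource / platform_* columns and FROM aws_opensearch_domain …
```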
@@ -1,26 +1,27 @@ id: aws_foundational_security_opensearch_5 title: 5 OpenSearch domains should have audit logging enabled +type: control description: This control checks whether OpenSearch domains have audit logging enabled. This control fails if an OpenSearch domain does not have audit logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'ok' - END AS status, - CASE - WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'ok' + END AS status, + CASE + WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml index f5bc6e236..6b94d842d 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml 
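Review bot: Both branches of the status CASE return `'ok'` (`WHEN ... ->> 'Enabled' = 'true' THEN 'ok' ELSE 'ok'`), so this control can never fail, even though its own reason text reports "audit logging disabled" and the `description` says it fails when audit logging is off. Change the fallback to `ELSE 'alarm'`. A fixture with a domain whose `AUDIT_LOGS.Enabled` is false would catch this; the re-indent in this commit was the natural moment to notice it.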
@@ -1,40 +1,41 @@ id: aws_foundational_security_opensearch_6 title: 6 OpenSearch domains should have at least three data nodes +type: control description: This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' + AND cluster_config ->> 'InstanceCount' > '2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' + AND cluster_config ->> 'InstanceCount' > '2' THEN + title || ' zone awareness is ' || + CASE WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - AND cluster_config ->> 'InstanceCount' > '2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE + THEN 'enabled' + ELSE 'disabled' + END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' + ELSE + title || ' zone awareness is ' || + CASE WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - AND cluster_config ->> 'InstanceCount' > '2' THEN - title || ' zone awareness is ' || - CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - THEN 'enabled' - ELSE 'disabled' - END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' 
- ELSE - title || ' zone awareness is ' || - CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' - THEN 'enabled' - ELSE 'disabled' - END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' - END AS reason - FROM - aws_opensearch_domain; + THEN 'enabled' + ELSE 'disabled' + END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' + END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml index 37a7d89e9..165a192d2 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml 
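Review bot: `cluster_config ->> 'InstanceCount' > '2'` is a text comparison, so a domain with 10 to 19 (or 100 to 199) data nodes is reported `alarm` because `'10' > '2'` is false in collation order; cast before comparing, `(cluster_config ->> 'InstanceCount')::int >= 3`, in both the status and reason CASEs. The inner `CASE WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' THEN 'enabled' ELSE 'disabled' END` in the ok branch can only ever yield 'enabled' given the outer condition; harmless but worth collapsing to the literal. The rest of the hunk is a pure re-indent.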
@@ -1,30 +1,31 @@ id: aws_foundational_security_opensearch_7 title: 7 OpenSearch domains should have fine-grained access control enabled +type: control description: This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-options in the OpenSearch parameter update-domain-config to be enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN advanced_security_options IS NULL - OR NOT (advanced_security_options -> 'Enabled')::boolean - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN advanced_security_options IS NULL - OR NOT (advanced_security_options -> 'Enabled')::boolean - THEN title || ' has fine-grained access control disabled.' - ELSE title || ' has fine-grained access control enabled.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN advanced_security_options IS NULL + OR NOT (advanced_security_options -> 'Enabled')::boolean + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN advanced_security_options IS NULL + OR NOT (advanced_security_options -> 'Enabled')::boolean + THEN title || ' has fine-grained access control disabled.' + ELSE title || ' has fine-grained access control enabled.' + END AS reason + FROM + aws_opensearch_domain; severity: high tags: {} 
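Review bot: `NOT (advanced_security_options -> 'Enabled')::boolean` evaluates to NULL when `advanced_security_options` is non-NULL but lacks the `Enabled` key, and `FALSE OR NULL` is not true, so such a domain falls through to `'ok'` and is reported as having fine-grained access control enabled on missing data. Coalesce the extraction so the check fails closed: `WHEN NOT COALESCE((advanced_security_options ->> 'Enabled')::boolean, false) THEN 'alarm'`, which also subsumes the explicit `IS NULL` test, in both the status and reason CASEs. The hunk is otherwise a mechanical re-indent.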
diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml index 36de04873..c3993243a 100644 --- a/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml 
@@ -1,32 +1,33 @@ id: aws_foundational_security_opensearch_8 title: 8 Connections to OpenSearch domains should be encrypted using TLS 1.2 +type: control description: This control checks whether connections to OpenSearch domains are required to use TLS 1.2. The check fails if the OpenSearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') OR - (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' AND - domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') OR - (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' AND - domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) - THEN title || ' does not use HTTPS.' - ELSE title || ' uses HTTPS.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') OR + (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' AND + domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') OR + (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' AND + domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) + THEN title || ' does not use HTTPS.' + ELSE title || ' uses HTTPS.' 
+ END AS reason + FROM + aws_opensearch_domain; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_pca_1.yaml b/compliance/controls/aws/aws_foundational_security_pca_1.yaml index e12964879..dfe2524a5 100644 --- a/compliance/controls/aws/aws_foundational_security_pca_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_pca_1.yaml @@ -1,28 +1,29 @@ id: aws_foundational_security_pca_1 title: 1 AWS Private CA root certificate authority should be disabled +type: control description: This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acmpca_certificate_authority - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type <> 'ROOT' THEN 'skip' - WHEN status = 'DISABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type <> 'ROOT' THEN title || ' is not root CA.' - WHEN status = 'DISABLED' THEN title || ' root CA disabled.' - ELSE title || ' root CA not disabled.' - END AS reason - FROM - aws_acmpca_certificate_authority; + language: sql + primary_resource: aws_acmpca_certificate_authority + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type <> 'ROOT' THEN 'skip' + WHEN status = 'DISABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type <> 'ROOT' THEN title || ' is not root CA.' + WHEN status = 'DISABLED' THEN title || ' root CA disabled.' + ELSE title || ' root CA not disabled.' + END AS reason + FROM + aws_acmpca_certificate_authority; severity: low tags: {} 
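Review bot: `TLSSecurityPolicy NOT IN ('tlsPolicies')` compares against the literal placeholder `'tlsPolicies'`, not a real policy name, so every domain with `EnforceHTTPS = 'true'` alarms with the misleading reason "does not use HTTPS", while a domain whose `domain_endpoint_options` is NULL (neither predicate true) is reported `ok`. The `description` names the expected policy, so make the check positive: `WHEN domain_endpoint_options ->> 'EnforceHTTPS' = 'true' AND domain_endpoint_options ->> 'TLSSecurityPolicy' IN ('Policy-Min-TLS-1-2-2019-07') THEN 'ok' ELSE 'alarm'`, and have the reason distinguish "HTTPS not enforced" from "TLS policy below 1.2". If AWS has added stricter TLS-1.2-or-higher policies since the description was written, they belong in that list rather than being reported as failures.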
diff --git a/compliance/controls/aws/aws_foundational_security_rds_10.yaml b/compliance/controls/aws/aws_foundational_security_rds_10.yaml index cbf0abecc..aeb362864 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_10.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_rds_10 title: 10 IAM authentication should be configured for RDS instances +type: control description: This control checks whether an RDS DB instance has IAM database authentication enabled. IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_database_authentication_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' - ELSE title || ' IAM authentication not enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_database_authentication_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' + ELSE title || ' IAM authentication not enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_11.yaml b/compliance/controls/aws/aws_foundational_security_rds_11.yaml index 8177ae7b6..8137fba24 100644 
--- a/compliance/controls/aws/aws_foundational_security_rds_11.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_11.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_rds_11 title: 11 RDS instances should have automatic backups enabled +type: control description: This control checks whether Amazon Relational Database Service instances have automated backups enabled and the backup retention period is greater than or equal to seven days. The control fails if backups are not enabled, and if the retention period is less than 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period < 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN backup_retention_period < 1 THEN title || ' backups not enabled.' - ELSE title || ' backups enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period < 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN backup_retention_period < 1 THEN title || ' backups not enabled.' + ELSE title || ' backups enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_12.yaml b/compliance/controls/aws/aws_foundational_security_rds_12.yaml index 6594752b4..b210c952c 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_12.yaml 
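Review bot: The `description` states the control fails when the backup retention period is below seven days, but the status CASE only alarms on `backup_retention_period < 1`, so an instance with 1–6 days of retention passes. Align the predicate with the documented threshold, `WHEN backup_retention_period < 7 THEN 'alarm'`, and make the reason say `' backups not enabled or retention below 7 days.'`; the empty `parameters: []` suggests the threshold could be exposed as a parameter rather than hard-coded. Otherwise a pure re-indent.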
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_12 title: 12 IAM authentication should be configured for RDS clusters +type: control description: This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_database_authentication_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' - ELSE title || ' IAM authentication not enabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_database_authentication_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' + ELSE title || ' IAM authentication not enabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_13.yaml b/compliance/controls/aws/aws_foundational_security_rds_13.yaml index e161c6d76..c27674abb 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_13.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_13.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_13 title: 13 RDS automatic minor version upgrades should be enabled +type: control description: This control checks whether automatic minor version upgrades are enabled for the RDS database instance. Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades not enabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades not enabled.' + END AS reason + FROM + aws_rds_db_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_14.yaml b/compliance/controls/aws/aws_foundational_security_rds_14.yaml index 4e1a701f5..edf28dada 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_14.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_14.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_rds_14 title: 14 Amazon Aurora clusters should have backtracking enabled +type: control description: This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' - WHEN backtrack_window IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' not Aurora MySQL-compatible edition.' - WHEN backtrack_window IS NOT NULL THEN title || ' backtracking enabled.' - ELSE title || ' backtracking not enabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' + WHEN backtrack_window IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' not Aurora MySQL-compatible edition.' + WHEN backtrack_window IS NOT NULL THEN title || ' backtracking enabled.' + ELSE title || ' backtracking not enabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_15.yaml b/compliance/controls/aws/aws_foundational_security_rds_15.yaml index 84df56b5c..baeeb3f06 100644 
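Review bot: `WHEN backtrack_window IS NOT NULL THEN 'ok'` passes any cluster whose column is populated, but the RDS API expresses a disabled backtrack as a window of 0 seconds, so a cluster with backtracking switched off still scores 'ok' if that 0 is stored rather than NULL. A fail-closed check is `WHEN COALESCE(backtrack_window, 0) > 0 THEN 'ok'`, applied to both the status and the reason CASE so the two cannot diverge. Whether the collector stores a disabled cluster as NULL or as 0 is not visible here; verify against a cluster with backtracking off before changing it.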
--- a/compliance/controls/aws/aws_foundational_security_rds_15.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_15.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_rds_15 title: 15 RDS DB clusters should be configured for multiple Availability Zones +type: control description: This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN multi_az THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN multi_az THEN title || ' Multi-AZ enabled.' - ELSE title || ' Multi-AZ disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN multi_az THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN multi_az THEN title || ' Multi-AZ enabled.' + ELSE title || ' Multi-AZ disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_16.yaml b/compliance/controls/aws/aws_foundational_security_rds_16.yaml index a04786457..5988b95ad 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_16.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_16.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_16 title: 16 RDS DB clusters should be configured to copy tags to snapshots +type: control description: This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN copy_tags_to_snapshot THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' - ELSE title || ' copy tags to snapshot disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN copy_tags_to_snapshot THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' + ELSE title || ' copy tags to snapshot disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_17.yaml b/compliance/controls/aws/aws_foundational_security_rds_17.yaml index 91b878eb9..8a7fb9558 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_17.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_17.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_17 title: 17 RDS DB instances should be configured to copy tags to snapshots +type: control description: This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN copy_tags_to_snapshot THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' - ELSE title || ' copy tags to snapshot disabled.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN copy_tags_to_snapshot THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' + ELSE title || ' copy tags to snapshot disabled.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_18.yaml b/compliance/controls/aws/aws_foundational_security_rds_18.yaml index f892692bf..fc07bcd0b 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_18.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_18.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_18 title: 18 RDS instances should be deployed in a VPC +type: control description: This control checks whether an RDS instance is deployed in a VPC (EC2-VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id IS NULL THEN title || ' is not in VPC.' - ELSE title || ' is in VPC ' || vpc_id || '.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id IS NULL THEN title || ' is not in VPC.' + ELSE title || ' is in VPC ' || vpc_id || '.' + END AS reason + FROM + aws_rds_db_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_19.yaml b/compliance/controls/aws/aws_foundational_security_rds_19.yaml index c0785a351..cd4ba16c9 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_19.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_19.yaml 
@@ -1,35 +1,36 @@ id: aws_foundational_security_rds_19 title: 19 Existing RDS event notification subscriptions should be configured for critical cluster events. +type: control description: This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-cluster' THEN 'skip' - WHEN source_type = 'db-cluster' - AND enabled - AND event_categories_list @> '["failure", "maintenance"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-cluster' THEN - cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-cluster' - AND enabled - AND event_categories_list @> '["failure", "maintenance"]' THEN - cust_subscription_id || ' event subscription enabled for critical db cluster events.' - ELSE - cust_subscription_id || ' event subscription missing critical db cluster events.' - END AS reason - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-cluster' THEN 'skip' + WHEN source_type = 'db-cluster' + AND enabled + AND event_categories_list @> '["failure", "maintenance"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-cluster' THEN + cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type = 'db-cluster' + AND enabled + AND event_categories_list @> '["failure", "maintenance"]' THEN + cust_subscription_id || ' event subscription enabled for critical db cluster events.' + ELSE + cust_subscription_id || ' event subscription missing critical db cluster events.' + END AS reason + FROM + aws_rds_db_event_subscription; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_2.yaml b/compliance/controls/aws/aws_foundational_security_rds_2.yaml index e0f99a7c3..515aada3e 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_2.yaml 
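Review bot: The `event_categories_list @> '["failure", "maintenance"]'` test in both CASEs treats an empty category list as non-compliant, yet an RDS subscription created without any categories receives events for every category of its source type, so such a subscription is reported as `missing critical db cluster events` although it covers them. If the collector stores that case as an empty JSON array, a guard such as `AND (jsonb_array_length(event_categories_list) = 0 OR event_categories_list @> '["failure", "maintenance"]')` would accept it; confirm the column type and what the collector emits for that case first. The same shape is used for the `db-instance` check in aws_foundational_security_rds_20 and the `db-security-group` check in aws_foundational_security_rds_22. Separately, the query only scores subscriptions that exist, so an account with no subscription at all produces no row and therefore no alarm, which the description's "checks whether a subscription exists" wording does not make clear; a comment on the definition, e.g. `-- one row per subscription; accounts with no subscription produce no finding`, would document that limitation.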
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_2 title: 2 RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration +type: control description: This control checks whether Amazon RDS instances are publicly accessible by evaluating the PubliclyAccessible field in the instance configuration item. Neptune DB instances and Amazon DocumentDB clusters do not have the PubliclyAccessible flag and cannot be evaluated. However, this control can still generate findings for these resources. You can suppress these findings. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_rds_db_instance; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_20.yaml b/compliance/controls/aws/aws_foundational_security_rds_20.yaml index 0c5766092..b0c497ef7 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_20.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_20.yaml 
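Review bot: `WHEN publicly_accessible THEN 'alarm' ELSE 'ok'` scores a NULL flag as compliant, and the description itself says Neptune and DocumentDB resources carry no PubliclyAccessible value, so those rows are reported as `not publicly accessible` rather than as unevaluated. A dedicated branch makes the gap visible instead of silently passing it: `WHEN publicly_accessible IS NULL THEN 'skip'` placed before the existing WHEN in the status CASE, with a matching reason such as `title || ' publicly accessible flag not available.'`. Whether the collector stores those rows as NULL or as false is not visible here; check one such resource before relying on the branch.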
@@ -1,32 +1,33 @@ id: aws_foundational_security_rds_20 title: 20 Existing RDS event notification subscriptions should be configured for critical database instance events +type: control description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-instance' THEN 'skip' - WHEN source_type = 'db-instance' - AND enabled - AND event_categories_list @> '["failure", "maintenance", "configuration change"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-instance' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type LIKE 'db-instance' - AND enabled - AND event_categories_list @> '["failure", "maintenance", "configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical instance events.' - ELSE cust_subscription_id || ' event subscription missing critical instance events.' - END AS reason - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-instance' THEN 'skip' + WHEN source_type = 'db-instance' + AND enabled + AND event_categories_list @> '["failure", "maintenance", "configuration change"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-instance' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type LIKE 'db-instance' + AND enabled + AND event_categories_list @> '["failure", "maintenance", "configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical instance events.' + ELSE cust_subscription_id || ' event subscription missing critical instance events.' + END AS reason + FROM + aws_rds_db_event_subscription; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_21.yaml b/compliance/controls/aws/aws_foundational_security_rds_21.yaml index f559abf0e..83e4883de 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_21.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_21.yaml 
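Review bot: The reason CASE tests `WHEN source_type LIKE 'db-instance'` while the status CASE directly above it uses `WHEN source_type = 'db-instance'`; with no wildcard the two are equivalent today, but `LIKE` against a plain literal reads as if a pattern were intended and lets the branches drift apart on the next edit. Use `WHEN source_type = 'db-instance'` in both so status and reason are computed by identical predicates, as aws_foundational_security_rds_19 and aws_foundational_security_rds_22 already do.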
@@ -1,31 +1,32 @@ id: aws_foundational_security_rds_21 title: 21 An RDS event notifications subscription should be configured for critical database parameter group events +type: control description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-parameter-group' THEN 'skip' - WHEN source_type = 'db-parameter-group' AND enabled AND event_categories_list @> '["maintenance", "failure"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-parameter-group' THEN - cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-parameter-group' AND enabled AND event_categories_list @> '["configuration change"]' THEN - cust_subscription_id || ' event subscription enabled for critical database parameter group events.' - ELSE - cust_subscription_id || ' event subscription missing critical database parameter group events.' - END AS reason - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-parameter-group' THEN 'skip' + WHEN source_type = 'db-parameter-group' AND enabled AND event_categories_list @> '["maintenance", "failure"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-parameter-group' THEN + cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type = 'db-parameter-group' AND enabled AND event_categories_list @> '["configuration change"]' THEN + cust_subscription_id || ' event subscription enabled for critical database parameter group events.' + ELSE + cust_subscription_id || ' event subscription missing critical database parameter group events.' + END AS reason + FROM + aws_rds_db_event_subscription; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_22.yaml b/compliance/controls/aws/aws_foundational_security_rds_22.yaml index 1c604dd2a..3bfe57774 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_22.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_22.yaml 
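Review bot: The status CASE grants 'ok' on `event_categories_list @> '["maintenance", "failure"]'` while the reason CASE for the same subscription tests `event_categories_list @> '["configuration change"]'`, so a row can be scored 'alarm' with the reason `event subscription enabled for critical database parameter group events`, or 'ok' with the `missing` reason. The two predicates must match; the Security Hub control this mirrors pairs `db-parameter-group` with the `configuration change` category, so the status branch looks like the wrong one and should read `WHEN source_type = 'db-parameter-group' AND enabled AND event_categories_list @> '["configuration change"]' THEN 'ok'`. Confirm the intended category set against the upstream control definition before changing it.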
@@ -1,32 +1,33 @@ id: aws_foundational_security_rds_22 title: 22 An RDS event notifications subscription should be configured for critical database security group events +type: control description: This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-security-group' THEN 'skip' - WHEN source_type = 'db-security-group' - AND enabled - AND event_categories_list @> '["failure", "configuration change"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-security-group' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-security-group' - AND enabled - AND event_categories_list @> '["failure", "configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical database security group events.' - ELSE cust_subscription_id || ' event subscription missing critical database security group events.' - END AS reason - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-security-group' THEN 'skip' + WHEN source_type = 'db-security-group' + AND enabled + AND event_categories_list @> '["failure", "configuration change"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-security-group' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type = 'db-security-group' + AND enabled + AND event_categories_list @> '["failure", "configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical database security group events.' + ELSE cust_subscription_id || ' event subscription missing critical database security group events.' + END AS reason + FROM + aws_rds_db_event_subscription; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_24.yaml b/compliance/controls/aws/aws_foundational_security_rds_24.yaml index d8aff204c..81173a2f5 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_24.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_24.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_24 title: 24 RDS database clusters should use a custom administrator username +type: control description: This control checks whether an Amazon RDS database cluster has changed the admin username from its default value. This rule will fail if the admin username is set to the default value. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' - ELSE title || ' not using default master user name.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' + ELSE title || ' not using default master user name.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_25.yaml b/compliance/controls/aws/aws_foundational_security_rds_25.yaml index 29e978ae8..da9720745 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_25.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_25.yaml 
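Review bot: `WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' ELSE 'ok'` evaluates to UNKNOWN when `master_user_name` is NULL, so a cluster whose master username was not collected falls through to `not using default master user name` and is reported compliant. Failing closed with `WHEN master_user_name IS NULL THEN 'alarm'` ahead of the IN test, or a 'skip' branch if an absent username is expected for some engines, keeps an unverified resource from counting as a pass. The same shape is used for DB instances in aws_foundational_security_rds_25 and should be changed together with it.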
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_25 title: 25 RDS database instances should use a custom administrator username +type: control description: This control checks whether you've changed the administrative username for Amazon Relational Database Service (Amazon RDS) database instances from the default value. The control fails if the administrative username is set to the default value. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' - ELSE title || ' not using default master user name.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' + ELSE title || ' not using default master user name.' + END AS reason + FROM + aws_rds_db_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_27.yaml b/compliance/controls/aws/aws_foundational_security_rds_27.yaml index fedbd8cfa..521d2a3ba 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_27.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_27.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_27 title: 27 RDS DB clusters should be encrypted at rest +type: control description: This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_3.yaml b/compliance/controls/aws/aws_foundational_security_rds_3.yaml index 346bb29e9..6fc7d6f39 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_3.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_rds_3 title: 3 RDS DB instances should have encryption at rest enabled +type: control description: This control checks whether storage encryption is enabled for your Amazon RDS DB instances. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_instance; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_34.yaml b/compliance/controls/aws/aws_foundational_security_rds_34.yaml index b8e7a4ce5..e1964276e 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_34.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_34.yaml 
@@ -1,28 +1,29 @@ id: aws_foundational_security_rds_34 title: 34 Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs +type: control description: This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' is not Aurora MySQL-compatible edition.' - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' is not Aurora MySQL-compatible edition.' + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_35.yaml b/compliance/controls/aws/aws_foundational_security_rds_35.yaml index 8dd48bfc3..f100713fe 100644 
--- a/compliance/controls/aws/aws_foundational_security_rds_35.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_35.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_rds_35 title: 35 RDS DB clusters should have automatic minor version upgrade enabled +type: control description: This control checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster. The control fails if automatic minor version upgrade isn't enabled for an RDS cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_rds_5.yaml b/compliance/controls/aws/aws_foundational_security_rds_5.yaml index 2beb6a0a2..4c562267c 100644 --- a/compliance/controls/aws/aws_foundational_security_rds_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_5.yaml 
@@ -1,28 +1,29 @@
 id: aws_foundational_security_rds_5
 title: 5 RDS DB instances should be configured with multiple Availability Zones
+type: control
 description: This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN 'skip'
- WHEN multi_az THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN title || ' cluster instance.'
- WHEN multi_az THEN title || ' Multi-AZ enabled.'
- ELSE title || ' Multi-AZ disabled.'
- END AS reason
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN 'skip'
+ WHEN multi_az THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN title || ' cluster instance.'
+ WHEN multi_az THEN title || ' Multi-AZ enabled.'
+ ELSE title || ' Multi-AZ disabled.'
+ END AS reason
+ FROM
+ aws_rds_db_instance;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_rds_7.yaml b/compliance/controls/aws/aws_foundational_security_rds_7.yaml
index 5452994f6..29c7b72da 100644
--- a/compliance/controls/aws/aws_foundational_security_rds_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_7.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_rds_7
 title: 7 RDS clusters should have deletion protection enabled
+type: control
 description: This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_cluster
- definition: |
- SELECT
- db_cluster_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN deletion_protection THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN deletion_protection THEN title || ' deletion protection enabled.'
- ELSE title || ' deletion protection not enabled.'
- END AS reason
- FROM
- aws_rds_db_cluster;
+ language: sql
+ primary_resource: aws_rds_db_cluster
+ definition: |
+ SELECT
+ db_cluster_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN deletion_protection THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN deletion_protection THEN title || ' deletion protection enabled.'
+ ELSE title || ' deletion protection not enabled.'
+ END AS reason
+ FROM
+ aws_rds_db_cluster;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_rds_8.yaml b/compliance/controls/aws/aws_foundational_security_rds_8.yaml
index c45d5f71e..f5ab17bc7 100644
--- a/compliance/controls/aws/aws_foundational_security_rds_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_8.yaml
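Review bot: `db_cluster_identifier AS resource` in the rds_7 definition keys the finding on the cluster's bare identifier, whereas rds_35 in this same diff, which reads the same `aws_rds_db_cluster` table, and the other rds controls use `arn AS resource`. Cluster identifiers are only unique within one account and region, so findings for same-named clusters in different accounts or regions would share a resource key and could overwrite each other in whatever consumes these rows. Suggest `db_cluster_identifier AS resource,` → `arn AS resource,`; nothing else in the query needs to change.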
@@ -1,28 +1,29 @@
 id: aws_foundational_security_rds_8
 title: 8 RDS DB instances should have deletion protection enabled
-description: 'This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. DatabaseEngines: mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web.'
+type: control
+description: "This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. DatabaseEngines: mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web."
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine LIKE ANY(array['aurora%', 'docdb', 'neptune']) THEN 'skip'
- WHEN deletion_protection THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN engine LIKE ANY(array['aurora%', 'docdb', 'neptune']) THEN title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
- WHEN deletion_protection THEN title || ' deletion protection enabled.'
- ELSE title || ' deletion protection not enabled.'
- END AS reason
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine LIKE ANY(array['aurora%', 'docdb', 'neptune']) THEN 'skip'
+ WHEN deletion_protection THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN engine LIKE ANY(array['aurora%', 'docdb', 'neptune']) THEN title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
+ WHEN deletion_protection THEN title || ' deletion protection enabled.'
+ ELSE title || ' deletion protection not enabled.'
+ END AS reason
+ FROM
+ aws_rds_db_instance;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_rds_9.yaml b/compliance/controls/aws/aws_foundational_security_rds_9.yaml
index 1bba44d87..13e1c0617 100644
--- a/compliance/controls/aws/aws_foundational_security_rds_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_9.yaml
@@ -1,41 +1,42 @@
 id: aws_foundational_security_rds_9
 title: 9 RDS DB instances should publish logs to CloudWatch Logs
+type: control
 description: This control checks whether the logs of Amazon RDS are enabled and sent to CloudWatch Logs. RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine = 'docdb' THEN 'skip'
- WHEN engine LIKE ANY (ARRAY ['mariadb', '%mysql']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['audit','error','general','slowquery'] THEN 'ok'
- WHEN engine LIKE ANY (ARRAY['%postgres%']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['postgresql','upgrade'] THEN 'ok'
- WHEN engine LIKE 'oracle%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['alert', 'audit', 'trace', 'listener'] THEN 'ok'
- WHEN engine = 'sqlserver-ex' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error'] THEN 'ok'
- WHEN engine LIKE 'sqlserver%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'agent'] THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN engine = 'docdb' THEN title || ' is docdb instance.'
- WHEN engine LIKE ANY (ARRAY ['mariadb', '%mysql']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['audit','error','general','slowquery']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE ANY (ARRAY['%postgres%']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['postgresql','upgrade']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE 'oracle%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['alert', 'audit', 'trace', 'listener']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine = 'sqlserver-ex' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE 'sqlserver%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'agent']
- THEN title || ' ' || engine || ' logging enabled.'
- ELSE title || ' logging not enabled.'
- END AS reason
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine = 'docdb' THEN 'skip'
+ WHEN engine LIKE ANY (ARRAY ['mariadb', '%mysql']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['audit','error','general','slowquery'] THEN 'ok'
+ WHEN engine LIKE ANY (ARRAY['%postgres%']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['postgresql','upgrade'] THEN 'ok'
+ WHEN engine LIKE 'oracle%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['alert', 'audit', 'trace', 'listener'] THEN 'ok'
+ WHEN engine = 'sqlserver-ex' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error'] THEN 'ok'
+ WHEN engine LIKE 'sqlserver%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'agent'] THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN engine = 'docdb' THEN title || ' is docdb instance.'
+ WHEN engine LIKE ANY (ARRAY ['mariadb', '%mysql']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['audit','error','general','slowquery']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE ANY (ARRAY['%postgres%']) AND enabled_cloudwatch_logs_exports ?& ARRAY ['postgresql','upgrade']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE 'oracle%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['alert', 'audit', 'trace', 'listener']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine = 'sqlserver-ex' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE 'sqlserver%' AND enabled_cloudwatch_logs_exports ?& ARRAY ['error', 'agent']
+ THEN title || ' ' || engine || ' logging enabled.'
+ ELSE title || ' logging not enabled.'
+ END AS reason
+ FROM
+ aws_rds_db_instance;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_1.yaml b/compliance/controls/aws/aws_foundational_security_redshift_1.yaml
index a7e07b40a..025a3dd9f 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_1.yaml
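Review bot: The `'%mysql'` and `'%postgres%'` patterns in the rds_9 status CASE also match the Aurora engine names (`aurora-mysql`, `aurora-postgresql`), and the postgres branch then requires an `upgrade` export that, as far as I know, is not offered for Aurora PostgreSQL, so those instances would alarm regardless of configuration; please confirm against the engine values the table actually holds. If Aurora is meant to be covered by rds_34 at the cluster level instead, a leading `WHEN engine LIKE 'aurora%' THEN 'skip'` in the status CASE, with a matching reason branch such as `WHEN engine LIKE 'aurora%' THEN title || ' is an Aurora instance; log exports are evaluated at cluster level.'`, keeps the two controls disjoint. A one-line comment above the CASE, `-- ?& requires every listed export to be present; a partial set is an alarm by design`, would also record the intended strictness for the next reader.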
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_1
 title: 1 Amazon Redshift clusters should prohibit public access
+type: control
 description: This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the PubliclyAccessible field in the cluster configuration item. The PubliclyAccessible attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with PubliclyAccessible set to true, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with PubliclyAccessible set to true.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- cluster_namespace_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN publicly_accessible THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN publicly_accessible THEN title || ' publicly accessible.'
- ELSE title || ' not publicly accessible.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ cluster_namespace_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN publicly_accessible THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN publicly_accessible THEN title || ' publicly accessible.'
+ ELSE title || ' not publicly accessible.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: critical
 tags: {}
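Review bot: `cluster_namespace_arn AS resource` in redshift_1 differs from every other redshift control in this diff, all of which read the same `aws_redshift_cluster` table and emit `arn AS resource`; unless the namespace ARN is deliberately chosen, `arn AS resource,` keeps findings keyed consistently across the Redshift family so the same cluster is not reported under two different resource identifiers. If the choice is deliberate, a short comment above the SELECT stating why (e.g. `-- namespace ARN used as the resource key because …`) would stop the next reader from "fixing" it. The `publicly_accessible` test falls through to `'ok'` when the column is NULL; if NULL can occur in this table, an explicit `WHEN publicly_accessible IS NULL THEN 'alarm'` (or a reason that says the attribute is unknown) would be safer for a critical-severity control.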
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_10.yaml b/compliance/controls/aws/aws_foundational_security_redshift_10.yaml
index 89c95292d..87714b424 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_10.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_10
 title: 10 Redshift clusters should be encrypted at rest
+type: control
 description: This control checks if Amazon Redshift clusters are encrypted at rest. The control fails if a Redshift cluster isn't encrypted at rest or if the encryption key is different from the provided key in the rule parameter.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN encrypted AND kms_key_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN encrypted AND kms_key_id IS NOT NULL THEN title || ' encrypted with KMS.'
- ELSE title || ' not encrypted with KMS'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN encrypted AND kms_key_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN encrypted AND kms_key_id IS NOT NULL THEN title || ' encrypted with KMS.'
+ ELSE title || ' not encrypted with KMS'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_2.yaml b/compliance/controls/aws/aws_foundational_security_redshift_2.yaml
index ae283ce7e..625698b08 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_2.yaml
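Review bot: The alarm reason in redshift_10, `' not encrypted with KMS'`, lacks the trailing period every other reason string in these controls carries; change it to `ELSE title || ' not encrypted with KMS.'`. Separately, the description promises a failure when the key differs from "the provided key in the rule parameter", but `parameters: []` and the query only tests `kms_key_id IS NOT NULL`, so either that clause should be dropped from the description or the control should accept a key parameter and compare against it. The `encrypted AND kms_key_id IS NOT NULL` test presumably also reports clusters encrypted with a non-KMS key (no `kms_key_id`) as alarm; if that is intended, a one-line comment above the CASE saying so would make the stricter-than-title behaviour explicit.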
+++ b/compliance/controls/aws/aws_foundational_security_redshift_2.yaml 
@@ -1,39 +1,40 @@
 id: aws_foundational_security_redshift_2
 title: 2 Connections to Amazon Redshift clusters should be encrypted in transit
+type: control
 description: This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- WITH pg_with_ssl AS (
- SELECT
- name AS pg_name,
- p ->> 'ParameterName' AS parameter_name,
- p ->> 'ParameterValue' AS parameter_value
- FROM
- aws_redshift_parameter_group,
- JSONB_ARRAY_ELEMENTS(parameters) AS p
- WHERE
- p ->> 'ParameterName' = 'require_ssl'
- AND p ->> 'ParameterValue' = 'true'
- )
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN title || ' encryption in transit enabled.'
- ELSE title || ' encryption in transit disabled.'
- END AS reason
- FROM
- aws_redshift_cluster,
- JSONB_ARRAY_ELEMENTS(cluster_parameter_groups) AS cpg;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ WITH pg_with_ssl AS (
+ SELECT
+ name AS pg_name,
+ p ->> 'ParameterName' AS parameter_name,
+ p ->> 'ParameterValue' AS parameter_value
+ FROM
+ aws_redshift_parameter_group,
+ JSONB_ARRAY_ELEMENTS(parameters) AS p
+ WHERE
+ p ->> 'ParameterName' = 'require_ssl'
+ AND p ->> 'ParameterValue' = 'true'
+ )
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN title || ' encryption in transit enabled.'
+ ELSE title || ' encryption in transit disabled.'
+ END AS reason
+ FROM
+ aws_redshift_cluster,
+ JSONB_ARRAY_ELEMENTS(cluster_parameter_groups) AS cpg;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_3.yaml b/compliance/controls/aws/aws_foundational_security_redshift_3.yaml
index 63bc59e48..a8cbef51d 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_3.yaml
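Review bot: The redshift_2 description says the check fails when `require_SSL` is not set to 1, but the `pg_with_ssl` CTE matches `p ->> 'ParameterValue' = 'true'`, so one of the two disagrees with what the table actually stores; confirm the stored representation and align the description with it (or match both spellings if the source can emit either). Also, the comma join with `JSONB_ARRAY_ELEMENTS(cluster_parameter_groups)` produces no row at all for a cluster whose `cluster_parameter_groups` is NULL or an empty array, so such a cluster yields no finding rather than an alarm; `LEFT JOIN LATERAL JSONB_ARRAY_ELEMENTS(cluster_parameter_groups) AS cpg ON TRUE` keeps it in the result and lets the existing ELSE branch report it. The `parameter_name` and `parameter_value` columns of the CTE are never read by the outer query and can be dropped; the hunk's first lines are on the previous physical line of this diff.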
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_3
 title: 3 Amazon Redshift clusters should have automatic snapshots enabled
+type: control
 description: This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN automated_snapshot_retention_period >= 7 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than or equals 7 days.'
- ELSE title || ' automatic snapshots enabled with retention period less than 7 days.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN automated_snapshot_retention_period >= 7 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than or equals 7 days.'
+ ELSE title || ' automatic snapshots enabled with retention period less than 7 days.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_4.yaml b/compliance/controls/aws/aws_foundational_security_redshift_4.yaml
index 964768319..17d8f7c6b 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_4.yaml
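Review bot: The alarm reason in redshift_3 reads `' automatic snapshots enabled with retention period less than 7 days.'` even when `automated_snapshot_retention_period` is 0, which in the Redshift API means automated snapshots are disabled, so the message then asserts the opposite of the finding. Add a branch ahead of the ELSE in the reason CASE, `WHEN automated_snapshot_retention_period = 0 THEN title || ' automatic snapshots disabled.'`; the status CASE already yields alarm for that case and needs no change. A NULL retention period falls through to the same ELSE text; if NULL can occur in this table it deserves its own wording as well.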
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_4
 title: 4 Amazon Redshift clusters should have audit logging enabled
+type: control
 description: This control checks whether an Amazon Redshift cluster has audit logging enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN automated_snapshot_retention_period >= 7 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than or equals 7 days.'
- ELSE title || ' automatic snapshots enabled with retention period less than 7 days.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN automated_snapshot_retention_period >= 7 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than or equals 7 days.'
+ ELSE title || ' automatic snapshots enabled with retention period less than 7 days.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_6.yaml b/compliance/controls/aws/aws_foundational_security_redshift_6.yaml
index 1dacecb98..8f124c158 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_6.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_6.yaml
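Review bot: The redshift_4 definition never evaluates audit logging: both its status and reason CASEs test `automated_snapshot_retention_period >= 7`, a verbatim copy of redshift_3, so a cluster with audit logging off but seven-day snapshot retention is reported `ok` and the reason text talks about snapshots. The query needs to read the cluster's logging-status attribute instead; if this table follows the Steampipe-style `aws_redshift_cluster` schema that the other column names suggest, the test would be on a `logging_status` JSON column's `LoggingEnabled` key, but confirm the column name and value type against this project's schema before relying on it. Both CASEs and both reason strings change, so the rewrite is sketched below with the column to be confirmed.
```sql
      -- … unchanged: SELECT arn AS resource, platform_integration_id, platform_resource_id …
      CASE
        -- TODO(review): confirm the logging column name/type against this project's aws_redshift_cluster schema
        WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN 'ok'
        ELSE 'alarm'
      END AS status,
      CASE
        WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN title || ' audit logging enabled.'
        ELSE title || ' audit logging disabled.'
      END AS reason
      -- … unchanged: FROM aws_redshift_cluster; …
```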
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_6
 title: 6 Amazon Redshift should have automatic upgrades to major versions enabled
+type: control
 description: This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN allow_version_upgrade THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN allow_version_upgrade THEN title || ' automatic upgrades to major versions enabled.'
- ELSE title || ' automatic upgrades to major versions disabled.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN allow_version_upgrade THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN allow_version_upgrade THEN title || ' automatic upgrades to major versions enabled.'
+ ELSE title || ' automatic upgrades to major versions disabled.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_7.yaml b/compliance/controls/aws/aws_foundational_security_redshift_7.yaml
index ff7425fe4..e54bf696b 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_7.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_7
 title: 7 Amazon Redshift clusters should use enhanced VPC routing
+type: control
 description: This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN enhanced_vpc_routing THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN enhanced_vpc_routing THEN title || ' enhanced VPC routing enabled.'
- ELSE title || ' enhanced VPC routing disabled.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN enhanced_vpc_routing THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN enhanced_vpc_routing THEN title || ' enhanced VPC routing enabled.'
+ ELSE title || ' enhanced VPC routing disabled.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_8.yaml b/compliance/controls/aws/aws_foundational_security_redshift_8.yaml
index 4f048ffa4..82eb8c40b 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_8.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_8
 title: 8 Amazon Redshift clusters should not use the default Admin username
+type: control
 description: This control checks whether a Amazon Redshift cluster has changed the admin username from its default value. This control will fail if the admin username for a Redshift cluster is set to awsuser.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN master_username = 'awsuser' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN master_username = 'awsuser' THEN title || ' using default master user name.'
- ELSE title || ' not using default master user name.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN master_username = 'awsuser' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN master_username = 'awsuser' THEN title || ' using default master user name.'
+ ELSE title || ' not using default master user name.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_9.yaml b/compliance/controls/aws/aws_foundational_security_redshift_9.yaml
index 87079c422..2d6f6f9ad 100644
--- a/compliance/controls/aws/aws_foundational_security_redshift_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_redshift_9.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_redshift_9
 title: 9 Redshift clusters should not use the default database name
+type: control
 description: This control checks whether an Amazon Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_redshift_cluster
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN db_name = 'dev' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN db_name = 'dev' THEN title || ' using default database name.'
- ELSE title || ' not using default database name.'
- END AS reason
- FROM
- aws_redshift_cluster;
+ language: sql
+ primary_resource: aws_redshift_cluster
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN db_name = 'dev' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN db_name = 'dev' THEN title || ' using default database name.'
+ ELSE title || ' not using default database name.'
+ END AS reason
+ FROM
+ aws_redshift_cluster;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_route53_2.yaml b/compliance/controls/aws/aws_foundational_security_route53_2.yaml
index 87546a0e1..0c0e641a4 100644
--- a/compliance/controls/aws/aws_foundational_security_route53_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_route53_2.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_route53_2
 title: 2 Route 53 public hosted zones should log DNS queries
+type: control
 description: This control checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. The control fails if DNS query logging isn't enabled for a Route 53 public hosted zone.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_route53_zone
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN private_zone THEN 'skip'
- WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN private_zone THEN title || ' is private hosted zone.'
- WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN title || ' query logging to CloudWatch enabled.'
- ELSE title || ' query logging to CloudWatch disabled.'
- END AS reason
- FROM
- aws_route53_zone;
+ language: sql
+ primary_resource: aws_route53_zone
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN private_zone THEN 'skip'
+ WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN private_zone THEN title || ' is private hosted zone.'
+ WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN title || ' query logging to CloudWatch enabled.'
+ ELSE title || ' query logging to CloudWatch disabled.'
+ END AS reason
+ FROM
+ aws_route53_zone;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_s3_1.yaml b/compliance/controls/aws/aws_foundational_security_s3_1.yaml
index 94f2907d3..e5a4e8940 100644
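Review bot: The `OR` in route53_2's ok condition, `query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0`, marks any public zone whose `query_logging_configs` is a non-NULL empty array as `ok`, because `IS NOT NULL` is already true for `[]`; and when the column is NULL the right operand evaluates to NULL, so the disjunction never adds anything beyond the left test. The intended condition is the conjunction, `WHEN query_logging_configs IS NOT NULL AND jsonb_array_length(query_logging_configs) > 0 THEN 'ok'`, applied in both the status CASE and the matching reason branch. As written the control can report query logging as enabled for a zone that has no logging configuration at all, which defeats the detection-coverage purpose of the check.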
--- a/compliance/controls/aws/aws_foundational_security_s3_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_s3_1.yaml
@@ -1,40 +1,41 @@ id: aws_foundational_security_s3_1 title: 1 S3 Block Public Access setting should be enabled +type: control description: This control checks whether the following Amazon S3 public access block settings are configured at the account level integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_account_settings - definition: | - SELECT - 'arn' || ':' || 'aws' || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'Account level public access blocks enabled.' - ELSE 'Account level public access blocks not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT (block_public_acls) THEN 'block_public_acls' END, - CASE WHEN NOT (block_public_policy) THEN 'block_public_policy' END, - CASE WHEN NOT (ignore_public_acls) THEN 'ignore_public_acls' END, - CASE WHEN NOT (restrict_public_buckets) THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_account_settings; + language: sql + primary_resource: aws_s3_account_settings + definition: | + SELECT + 'arn' || ':' || 'aws' || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'Account level public access blocks enabled.' 
+ ELSE 'Account level public access blocks not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT (block_public_acls) THEN 'block_public_acls' END, + CASE WHEN NOT (block_public_policy) THEN 'block_public_policy' END, + CASE WHEN NOT (ignore_public_acls) THEN 'ignore_public_acls' END, + CASE WHEN NOT (restrict_public_buckets) THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_account_settings; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_10.yaml b/compliance/controls/aws/aws_foundational_security_s3_10.yaml index 0cab04ebd..7e4716256 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_10.yaml 
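Review bot: The resource identifier `'arn' || ':' || 'aws' || ':::' || account_id AS resource` hardcodes the `aws` partition, so account-level settings in other partitions (GovCloud, China) are reported under an ARN that does not match the account. If `aws_s3_account_settings` exposes a partition column, as the account table in this control set does, the literal should be replaced with it; otherwise a comment such as `-- partition assumed 'aws'; GovCloud/China accounts get a mismatched ARN` would at least make the limitation visible. I cannot confirm the column list of that table from this hunk.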
@@ -1,38 +1,39 @@ id: aws_foundational_security_s3_10 title: 10 S3 buckets with versioning enabled should have lifecycle policies configured +type: control description: This control checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. This rule fails if Amazon S3 lifecycle policy is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH lifecycle_rules_enabled AS ( - SELECT - arn - FROM - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) AS r - WHERE - r ->> 'Status' = 'Enabled' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT versioning_enabled THEN 'alarm' - WHEN versioning_enabled AND r.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT versioning_enabled THEN name || ' versioning disabled.' - WHEN versioning_enabled AND r.arn IS NOT NULL THEN name || ' lifecycle policy configured.' - ELSE name || ' lifecycle policy not configured.' - END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH lifecycle_rules_enabled AS ( + SELECT + arn + FROM + aws_s3_bucket, + jsonb_array_elements(lifecycle_rules) AS r + WHERE + r ->> 'Status' = 'Enabled' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT versioning_enabled THEN 'alarm' + WHEN versioning_enabled AND r.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT versioning_enabled THEN name || ' versioning disabled.' + WHEN versioning_enabled AND r.arn IS NOT NULL THEN name || ' lifecycle policy configured.' + ELSE name || ' lifecycle policy not configured.' 
+ END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_11.yaml b/compliance/controls/aws/aws_foundational_security_s3_11.yaml index 506213cad..ac7103b63 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_11.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_11.yaml 
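Review bot: `lifecycle_rules_enabled` emits one `arn` row per enabled rule, because `jsonb_array_elements(lifecycle_rules)` unnests every rule, so a bucket with several enabled rules is returned that many times by the `LEFT JOIN` in the outer query. The CTE should read `SELECT DISTINCT arn` (or filter with `EXISTS`) so each bucket yields exactly one status row. The identical CTE in the aws_foundational_security_s3_13 hunk below has the same duplication.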
@@ -1,34 +1,35 @@ id: aws_foundational_security_s3_11 title: 11 S3 buckets should have event notifications enabled +type: control description: This control checks whether S3 Event Notifications are enabled on an Amazon S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN - event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL - AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL - AND event_notification_configuration ->> 'QueueConfigurations' IS NULL - AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL - AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL - AND event_notification_configuration ->> 'QueueConfigurations' IS NULL - AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN title || ' event notifications disabled.' - ELSE title || ' event notifications enabled.' 
- END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN + event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL + AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL + AND event_notification_configuration ->> 'QueueConfigurations' IS NULL + AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL + AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL + AND event_notification_configuration ->> 'QueueConfigurations' IS NULL + AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN title || ' event notifications disabled.' + ELSE title || ' event notifications enabled.' + END AS reason + FROM + aws_s3_bucket; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_12.yaml b/compliance/controls/aws/aws_foundational_security_s3_12.yaml index 90d91e7bc..f78e7376c 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_12.yaml 
@@ -1,65 +1,66 @@ id: aws_foundational_security_s3_12 title: 12 S3 access control lists (ACLs) should not be used to manage user access to buckets +type: control description: This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_acl_details AS ( - SELECT - arn, - title, - ARRAY[acl -> 'Owner' ->> 'ID'] AS bucket_owner, - array_agg(grantee_id) AS bucket_acl_permissions, - object_ownership_controls, - region, - account_id, - _ctx, - tags - FROM - aws_s3_bucket, - jsonb_path_query(acl, '$.Grants.Grantee.ID') AS grantee_id - GROUP BY - arn, - title, - acl, - region, - account_id, - object_ownership_controls, - _ctx, - tags - ), - bucket_acl_checks AS ( - SELECT - arn, - title, - TO_JSONB(bucket_acl_permissions) - bucket_owner AS additional_permissions, - object_ownership_controls, - region, - account_id, - _ctx, - tags - FROM - bucket_acl_details - ) - SELECT - arn AS resource, - account_id AS platform_integration_id, - arn AS platform_resource_id, - CASE - WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN 'ok' - WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN title || ' ACLs are disabled.' - WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN title || ' does not have ACLs for user access.' - ELSE title || ' has ACLs for user access.' 
- END AS reason - FROM - bucket_acl_checks; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_acl_details AS ( + SELECT + arn, + title, + ARRAY[acl -> 'Owner' ->> 'ID'] AS bucket_owner, + array_agg(grantee_id) AS bucket_acl_permissions, + object_ownership_controls, + region, + account_id, + _ctx, + tags + FROM + aws_s3_bucket, + jsonb_path_query(acl, '$.Grants.Grantee.ID') AS grantee_id + GROUP BY + arn, + title, + acl, + region, + account_id, + object_ownership_controls, + _ctx, + tags + ), + bucket_acl_checks AS ( + SELECT + arn, + title, + TO_JSONB(bucket_acl_permissions) - bucket_owner AS additional_permissions, + object_ownership_controls, + region, + account_id, + _ctx, + tags + FROM + bucket_acl_details + ) + SELECT + arn AS resource, + account_id AS platform_integration_id, + arn AS platform_resource_id, + CASE + WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN 'ok' + WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN title || ' ACLs are disabled.' + WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN title || ' does not have ACLs for user access.' + ELSE title || ' has ACLs for user access.' + END AS reason + FROM + bucket_acl_checks; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_13.yaml b/compliance/controls/aws/aws_foundational_security_s3_13.yaml index 5ebb24155..f754a9580 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_13.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_13.yaml 
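Review bot: The final SELECT emits `account_id AS platform_integration_id, arn AS platform_resource_id`, whereas every other control in this series selects the `platform_integration_id` and `platform_resource_id` columns, so this control's rows key differently from the rest of the set. The two platform columns should be carried through both CTEs (select list and the `GROUP BY` of `bucket_acl_details`) and selected as-is at the end. Separately, the comma join with `jsonb_path_query(acl, '$.Grants.Grantee.ID')` drops a bucket entirely when no grant carries an `ID` (for example only URI group grantees), so such a bucket disappears from the results instead of being evaluated; whether the collector can produce such an ACL I cannot confirm from here, but a `LEFT JOIN LATERAL ... ON true` would keep the row.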
@@ -1,36 +1,37 @@ id: aws_foundational_security_s3_13 title: 13 S3 buckets should have lifecycle policies configured +type: control description: This control checks if a lifecycle policy is configured for an Amazon S3 bucket. This control fails if a lifecycle policy is not configured for an S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH lifecycle_rules_enabled AS ( - SELECT - arn - FROM - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) AS r - WHERE - r ->> 'Status' = 'Enabled' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN r.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.arn IS NOT NULL THEN name || ' lifecycle policy or rules configured.' - ELSE name || ' lifecycle policy or rules not configured.' - END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH lifecycle_rules_enabled AS ( + SELECT + arn + FROM + aws_s3_bucket, + jsonb_array_elements(lifecycle_rules) AS r + WHERE + r ->> 'Status' = 'Enabled' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN r.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.arn IS NOT NULL THEN name || ' lifecycle policy or rules configured.' + ELSE name || ' lifecycle policy or rules not configured.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_19.yaml b/compliance/controls/aws/aws_foundational_security_s3_19.yaml index 38a9e1792..c0cb41a55 100644 
--- a/compliance/controls/aws/aws_foundational_security_s3_19.yaml
+++ b/compliance/controls/aws/aws_foundational_security_s3_19.yaml
@@ -1,40 +1,41 @@ id: aws_foundational_security_s3_19 title: 19 S3 access points should have block public access settings enabled +type: control description: This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_access_point - definition: | - SELECT - access_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN name || ' all public access blocks enabled.' - ELSE name || ' not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, - CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, - CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, - CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_access_point; + language: sql + primary_resource: aws_s3_access_point + definition: | + SELECT + access_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, + CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, + CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, + CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_access_point; severity: critical tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_5.yaml b/compliance/controls/aws/aws_foundational_security_s3_5.yaml index 7c2aaf899..76b8b4f9f 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_5.yaml 
@@ -1,46 +1,47 @@ id: aws_foundational_security_s3_5 title: 5 S3 buckets should require requests to use Secure Socket Layer -description: 'This control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). S3 buckets should have policies that require all requests (Action: S3:*)to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport.' +type: control +description: "This control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). S3 buckets should have policies that require all requests (Action: S3:*)to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:SecureTransport' - ) AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = false - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END reason - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text( + s -> 'Condition' -> 'Bool' -> 'aws:SecureTransport' + ) AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = false + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' + END reason + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_6.yaml b/compliance/controls/aws/aws_foundational_security_s3_6.yaml index 012fd6311..a85d237d4 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_6.yaml 
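Review bot: `ssl_ok` unnests `s -> 'Action'` as `a` and `s -> 'Resource'` as `r` but never constrains either, so a Deny statement that only covers a single action (say one object operation) on a narrow resource marks the whole bucket as enforcing HTTPS, which is weaker than the description's "all requests (Action: S3:*)". The sibling aws_foundational_security_s3_6 hunk compares lowercased action names against `policy_std`, which suggests adding `AND a = 's3:*'` here and a resource predicate covering both the bucket and its objects. I cannot confirm from this hunk how `policy_std` normalizes a bare `"Principal": "*"`, so the `p = '*'` test should also be checked against that normalization.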
@@ -1,50 +1,51 @@ id: aws_foundational_security_s3_6 title: 6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted +type: control description: This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH cross_account_buckets AS ( - SELECT DISTINCT - arn - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - string_to_array(p, ':') AS pa, - jsonb_array_elements_text(s -> 'Action') AS a - WHERE - s ->> 'Effect' = 'Allow' - AND ( - pa[5] != account_id - OR p = '*' - ) - AND a IN ( - 's3:deletebucketpolicy', - 's3:putbucketacl', - 's3:putbucketpolicy', - 's3:putencryptionconfiguration', - 's3:putobjectacl' - ) + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH cross_account_buckets AS ( + SELECT DISTINCT + arn + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + string_to_array(p, ':') AS pa, + jsonb_array_elements_text(s -> 'Action') AS a + WHERE + s ->> 'Effect' = 'Allow' + AND ( + pa[5] != account_id + OR p = '*' ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN title || ' restricts cross-account bucket access.' - ELSE title || ' allows cross-account bucket access.' 
- END AS reason - FROM - aws_s3_bucket a - LEFT JOIN cross_account_buckets b ON a.arn = b.arn; + AND a IN ( + 's3:deletebucketpolicy', + 's3:putbucketacl', + 's3:putbucketpolicy', + 's3:putencryptionconfiguration', + 's3:putobjectacl' + ) + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN title || ' restricts cross-account bucket access.' + ELSE title || ' allows cross-account bucket access.' + END AS reason + FROM + aws_s3_bucket a + LEFT JOIN cross_account_buckets b ON a.arn = b.arn; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_8.yaml b/compliance/controls/aws/aws_foundational_security_s3_8.yaml index ddec05930..e2f57bf32 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_8.yaml 
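Review bot: `pa[5] != account_id` evaluates to NULL when the principal is not a five-colon ARN (a bare 12-digit account id, for instance), and a NULL predicate is excluded by the WHERE, so such a cross-account grant is silently treated as in-account unless `policy_std` always expands principals to full ARNs, which this hunk does not show. Using `pa[5] IS DISTINCT FROM account_id` keeps the intent and handles the NULL case explicitly. The note applies to the `cross_account_buckets` CTE in this hunk.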
@@ -1,40 +1,41 @@ id: aws_foundational_security_s3_8 title: 8 S3 Block Public Access setting should be enabled at the bucket level +type: control description: This control checks whether S3 buckets have bucket-level public access blocks applied. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN name || ' all public access blocks enabled.' - ELSE name || ' not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, - CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, - CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, - CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, + CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, + CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, + CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_bucket; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_s3_9.yaml b/compliance/controls/aws/aws_foundational_security_s3_9.yaml index 6dae880c9..45050d0ce 100644 --- a/compliance/controls/aws/aws_foundational_security_s3_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_9.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_s3_9 title: 9 S3 bucket server access logging should be enabled +type: control description: When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging -> 'TargetBucket' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN logging -> 'TargetBucket' IS NULL THEN title || ' logging disabled.' - ELSE title || ' logging enabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging -> 'TargetBucket' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN logging -> 'TargetBucket' IS NULL THEN title || ' logging disabled.' + ELSE title || ' logging enabled.' + END AS reason + FROM + aws_s3_bucket; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml index a40d2f5fe..aac350c16 100644 --- a/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_sagemaker_1 title: 1 SageMaker notebook instances should not have direct internet access +type: control description: This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the DirectInternetAccess field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable — Access the internet through a VPC. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN direct_internet_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN direct_internet_access = 'Enabled' THEN title || ' direct internet access enabled.' - ELSE title || ' direct internet access disabled.' - END AS reason - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN direct_internet_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN direct_internet_access = 'Enabled' THEN title || ' direct internet access enabled.' + ELSE title || ' direct internet access disabled.' + END AS reason + FROM + aws_sagemaker_notebook_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml index 039acc68d..50022264a 100644 
--- a/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml @@ -1,26 +1,27 @@ id: aws_foundational_security_sagemaker_2 title: 2 SageMaker notebook instances should be launched in a custom VPC +type: control description: This control checks if an Amazon SageMaker notebook instance is launched within a custom virtual private cloud (VPC). This control fails if a SageMaker notebook instance is not launched within a custom VPC or if it is launched in the SageMaker service VPC. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN subnet_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN subnet_id IS NOT NULL THEN title || ' in VPC.' - ELSE title || ' not in VPC.' - END AS reason - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN subnet_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN subnet_id IS NOT NULL THEN title || ' in VPC.' + ELSE title || ' not in VPC.' + END AS reason + FROM + aws_sagemaker_notebook_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml index 9884d8432..f34bd6fec 100644 --- a/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_sagemaker_3 title: 3 Users should not have root access to SageMaker notebook instances +type: control description: This control checks whether root access is turned on for an Amazon SageMaker notebook instance. The control fails if root access is turned on for a SageMaker notebook instance. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN root_access = 'Disabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN root_access = 'Disabled' THEN title || ' root access disabled.' - ELSE title || ' root access enabled.' - END AS reason - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN root_access = 'Disabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN root_access = 'Disabled' THEN title || ' root access disabled.' + ELSE title || ' root access enabled.' + END AS reason + FROM + aws_sagemaker_notebook_instance; severity: high tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml index 9da5e4597..ec34e7265 100644 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml 
@@ -1,26 +1,27 @@ id: aws_foundational_security_secretsmanager_1 title: 1 Secrets Manager secrets should have automatic rotation enabled +type: control description: This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN rotation_rules IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN rotation_rules IS NULL THEN title || ' automatic rotation not enabled.' - ELSE title || ' automatic rotation enabled.' - END AS reason - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN rotation_rules IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN rotation_rules IS NULL THEN title || ' automatic rotation not enabled.' + ELSE title || ' automatic rotation enabled.' + END AS reason + FROM + aws_secretsmanager_secret; severity: medium tags: {} diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml index dc0c1fc03..814ec37fb 100644 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml 
@@ -1,38 +1,39 @@
 id: aws_foundational_security_secretsmanager_2
 title: 2 Secrets Manager secrets configured with automatic rotation should rotate successfully
+type: control
 description: This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_secretsmanager_secret
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN primary_region IS NOT NULL AND region != primary_region THEN 'skip'
- WHEN rotation_rules IS NULL THEN 'alarm'
- WHEN last_rotated_date IS NULL
- AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'ok'
- WHEN last_rotated_date IS NULL
- AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm'
- WHEN last_rotated_date IS NOT NULL
- AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm'
- END AS status,
- CASE
- WHEN primary_region IS NOT NULL AND region != primary_region THEN title || ' is a replica.'
- WHEN rotation_rules IS NULL THEN title || ' rotation not enabled.'
- WHEN last_rotated_date IS NULL
- AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' scheduled for rotation.'
- WHEN last_rotated_date IS NULL
- AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.'
- WHEN last_rotated_date IS NOT NULL
- AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.'
- END AS reason
- FROM
- aws_secretsmanager_secret;
+ language: sql
+ primary_resource: aws_secretsmanager_secret
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN primary_region IS NOT NULL AND region != primary_region THEN 'skip'
+ WHEN rotation_rules IS NULL THEN 'alarm'
+ WHEN last_rotated_date IS NULL
+ AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'ok'
+ WHEN last_rotated_date IS NULL
+ AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm'
+ WHEN last_rotated_date IS NOT NULL
+ AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm'
+ END AS status,
+ CASE
+ WHEN primary_region IS NOT NULL AND region != primary_region THEN title || ' is a replica.'
+ WHEN rotation_rules IS NULL THEN title || ' rotation not enabled.'
+ WHEN last_rotated_date IS NULL
+ AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' scheduled for rotation.'
+ WHEN last_rotated_date IS NULL
+ AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.'
+ WHEN last_rotated_date IS NOT NULL
+ AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.'
+ END AS reason
+ FROM
+ aws_secretsmanager_secret;
 severity: medium
 tags: {}
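Review bot: The status CASE on the new side has no ELSE, so a secret whose last_rotated_date is set and lies within AutomaticallyAfterDays gets a NULL status instead of 'ok', and the same fall-through happens when rotation_rules has no AutomaticallyAfterDays key, because every comparison is then against NULL. Adding `ELSE 'ok'` before `END AS status` closes the first gap; the no-days case needs its own branch, e.g. `WHEN rotation_rules -> 'AutomaticallyAfterDays' IS NULL THEN 'info'`, placed before the date comparisons, and the reason CASE needs the matching branches. The description says secrets without rotation configured are not evaluated, yet `WHEN rotation_rules IS NULL THEN 'alarm'` fails them; `'skip'` would match the stated scope, since aws_foundational_security_secretsmanager_1 already alarms on missing rotation.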
diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml
index a5b3c1c19..fffad5819 100644
--- a/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_secretsmanager_3
 title: 3 Remove unused Secrets Manager secrets
+type: control
 description: This control checks whether an AWS Secrets Manager secret has been accessed within the specified time frame. The control fails if a secret is unused beyond the specified time frame. Unless you provide a custom parameter value for the access period, Security Hub uses a default value of 90 days
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_secretsmanager_secret
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN last_accessed_date IS NULL THEN 'alarm'
- WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN last_accessed_date IS NULL THEN title || ' never accessed.'
- ELSE
- title || ' last used ' || EXTRACT(DAY FROM current_timestamp - last_accessed_date) || ' day(s) ago.'
- END AS reason
- FROM
- aws_secretsmanager_secret;
+ language: sql
+ primary_resource: aws_secretsmanager_secret
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN last_accessed_date IS NULL THEN 'alarm'
+ WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN last_accessed_date IS NULL THEN title || ' never accessed.'
+ ELSE
+ title || ' last used ' || EXTRACT(DAY FROM current_timestamp - last_accessed_date) || ' day(s) ago.'
+ END AS reason
+ FROM
+ aws_secretsmanager_secret;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml
index c618c9c6d..c188bce11 100644
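Review bot: The access window is hard-coded in `WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok'` while the description promises a custom parameter for the access period and `parameters: []` declares none, so a reader of the control cannot tell whether the 90 is configurable. Either expose the window as a control parameter or state in the description that this implementation fixes it at the 90-day default. A one-line SQL comment above the CASE, `-- 90-day window is fixed; no control parameter is wired`, would also make the gap visible next to the number itself.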
--- a/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_secretsmanager_4
 title: 4 Secrets Manager secrets should be rotated within a specified number of days
+type: control
 description: This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_secretsmanager_secret
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN title || ' scheduled for rotation using Lambda function.'
- ELSE title || ' automatic rotation using Lambda function disabled.'
- END AS reason
- FROM
- aws_secretsmanager_secret;
+ language: sql
+ primary_resource: aws_secretsmanager_secret
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN title || ' scheduled for rotation using Lambda function.'
+ ELSE title || ' automatic rotation using Lambda function disabled.'
+ END AS reason
+ FROM
+ aws_secretsmanager_secret;
 severity: medium
 tags: {}
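Review bot: The check `rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL` only verifies that rotation is configured; it never compares a rotation date against the 90 days the title and description promise, so a secret with a rotation Lambda attached that has never actually rotated is reported 'ok'. That is exactly the case this control exists to catch, and it is already covered by aws_foundational_security_secretsmanager_1 as far as configuration goes. A branch ahead of the 'ok' case, `WHEN DATE(current_date) - DATE(COALESCE(last_rotated_date, created_date)) > 90 THEN 'alarm'`, using the same date arithmetic as aws_foundational_security_secretsmanager_2 and secretsmanager_3, would make the status match the stated intent; the reason CASE needs a matching branch.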
diff --git a/compliance/controls/aws/aws_foundational_security_sfn_1.yaml b/compliance/controls/aws/aws_foundational_security_sfn_1.yaml
index 6e3a696c0..a4651afc6 100644
--- a/compliance/controls/aws/aws_foundational_security_sfn_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_sfn_1.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_sfn_1
 title: 1 Step Functions state machines should have logging turned on
+type: control
 description: This controls checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_sfn_state_machine
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN logging_configuration ->> 'Level' = 'OFF' THEN title || ' logging disabled.'
- ELSE title || ' logging enabled.'
- END AS reason
- FROM
- aws_sfn_state_machine;
+ language: sql
+ primary_resource: aws_sfn_state_machine
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN logging_configuration ->> 'Level' = 'OFF' THEN title || ' logging disabled.'
+ ELSE title || ' logging enabled.'
+ END AS reason
+ FROM
+ aws_sfn_state_machine;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_sns_1.yaml b/compliance/controls/aws/aws_foundational_security_sns_1.yaml
index 8b9b238cb..425184275 100644
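Review bot: `logging_configuration ->> 'Level' = 'OFF'` evaluates to NULL when logging_configuration is NULL or has no Level key, and the CASE then falls through to `ELSE 'ok'`, so a state machine with no logging configuration at all passes. A NULL-safe predicate, `WHEN logging_configuration IS NULL OR logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'`, applied in both the status and reason CASEs, makes the control fail closed. The description also refers to a logLevel parameter, but `parameters: []` declares none and the query has no hook for it; either wire the parameter or drop that sentence from the description.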
--- a/compliance/controls/aws/aws_foundational_security_sns_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_sns_1.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_sns_1
 title: SNS topics should be encrypted at rest using AWS KMS
+type: control
 description: This control checks whether an SNS topic is encrypted at rest using AWS KMS.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_sns_topic
- definition: |
- SELECT
- topic_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_master_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
- ELSE title || ' encryption at rest enabled.'
- END AS reason
- FROM
- aws_sns_topic;
+ language: sql
+ primary_resource: aws_sns_topic
+ definition: |
+ SELECT
+ topic_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
+ ELSE title || ' encryption at rest enabled.'
+ END AS reason
+ FROM
+ aws_sns_topic;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_sns_2.yaml b/compliance/controls/aws/aws_foundational_security_sns_2.yaml
index 1d8bf37e2..e128f691b 100644
--- a/compliance/controls/aws/aws_foundational_security_sns_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_sns_2.yaml
@@ -1,34 +1,35 @@
 id: aws_foundational_security_sns_2
 title: 2 Logging of delivery status should be enabled for notification messages sent to a topic
+type: control
 description: This control checks whether logging is enabled for the delivery status of notification messages sent to an Amazon SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_sns_topic
- definition: |
- SELECT
- topic_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN application_failure_feedback_role_arn IS NULL
- AND firehose_failure_feedback_role_arn IS NULL
- AND http_failure_feedback_role_arn IS NULL
- AND lambda_failure_feedback_role_arn IS NULL
- AND sqs_failure_feedback_role_arn IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN application_failure_feedback_role_arn IS NULL
- AND firehose_failure_feedback_role_arn IS NULL
- AND http_failure_feedback_role_arn IS NULL
- AND lambda_failure_feedback_role_arn IS NULL
- AND sqs_failure_feedback_role_arn IS NULL THEN title || ' has delivery status logging for notification messages disabled.'
- ELSE title || ' has delivery status logging for notification messages enabled.'
- END AS reason
- FROM
- aws_sns_topic;
+ language: sql
+ primary_resource: aws_sns_topic
+ definition: |
+ SELECT
+ topic_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN application_failure_feedback_role_arn IS NULL
+ AND firehose_failure_feedback_role_arn IS NULL
+ AND http_failure_feedback_role_arn IS NULL
+ AND lambda_failure_feedback_role_arn IS NULL
+ AND sqs_failure_feedback_role_arn IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN application_failure_feedback_role_arn IS NULL
+ AND firehose_failure_feedback_role_arn IS NULL
+ AND http_failure_feedback_role_arn IS NULL
+ AND lambda_failure_feedback_role_arn IS NULL
+ AND sqs_failure_feedback_role_arn IS NULL THEN title || ' has delivery status logging for notification messages disabled.'
+ ELSE title || ' has delivery status logging for notification messages enabled.'
+ END AS reason
+ FROM
+ aws_sns_topic;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_sqs_1.yaml b/compliance/controls/aws/aws_foundational_security_sqs_1.yaml
index 074cfd45f..01fbd1aa0 100644
--- a/compliance/controls/aws/aws_foundational_security_sqs_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_sqs_1.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_sqs_1
 title: 1 Amazon SQS queues should be encrypted at rest
+type: control
 description: This control checks whether Amazon SQS queues are encrypted at rest.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_sqs_queue
- definition: |
- SELECT
- queue_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN sqs_managed_sse_enabled THEN 'ok'
- WHEN kms_master_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN sqs_managed_sse_enabled THEN title || ' secured with managed SQS-SSE.'
- WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
- ELSE title || ' encryption at rest enabled.'
- END AS reason
- FROM
- aws_sqs_queue;
+ language: sql
+ primary_resource: aws_sqs_queue
+ definition: |
+ SELECT
+ queue_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN sqs_managed_sse_enabled THEN 'ok'
+ WHEN kms_master_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN sqs_managed_sse_enabled THEN title || ' secured with managed SQS-SSE.'
+ WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
+ ELSE title || ' encryption at rest enabled.'
+ END AS reason
+ FROM
+ aws_sqs_queue;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ssm_1.yaml b/compliance/controls/aws/aws_foundational_security_ssm_1.yaml
index e165fdb5e..6c07115c8 100644
--- a/compliance/controls/aws/aws_foundational_security_ssm_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ssm_1.yaml
@@ -1,30 +1,31 @@
 id: aws_foundational_security_ssm_1
 title: 1 EC2 instances should be managed by AWS Systems Manager
+type: control
 description: This control checks whether the EC2 instances in your account are managed by AWS Systems Manager. Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_instance
- definition: |
- SELECT
- i.arn AS resource,
- i.platform_integration_id AS platform_integration_id,
- i.platform_resource_id AS platform_resource_id,
- CASE
- WHEN i.instance_state = 'stopped' THEN 'info'
- WHEN m.instance_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.'
- WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.'
- ELSE i.title || ' managed by AWS SSM.'
- END AS reason
- FROM
- aws_ec2_instance i
- LEFT JOIN
- aws_ssm_managed_instance m ON m.instance_id = i.instance_id;
+ language: sql
+ primary_resource: aws_ec2_instance
+ definition: |
+ SELECT
+ i.arn AS resource,
+ i.platform_integration_id AS platform_integration_id,
+ i.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN i.instance_state = 'stopped' THEN 'info'
+ WHEN m.instance_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN i.instance_state = 'stopped' THEN i.title || ' is in stopped state.'
+ WHEN m.instance_id IS NULL THEN i.title || ' not managed by AWS SSM.'
+ ELSE i.title || ' managed by AWS SSM.'
+ END AS reason
+ FROM
+ aws_ec2_instance i
+ LEFT JOIN
+ aws_ssm_managed_instance m ON m.instance_id = i.instance_id;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml
index a8e72a198..7ca6688c2 100644
--- a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml
@@ -1,32 +1,33 @@
 id: aws_foundational_security_ssm_2
 title: 2 All EC2 instances managed by Systems Manager should be compliant with patching requirements
+type: control
 description: This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or non compliant after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ssm_managed_instance
- definition: |
- SELECT
- i.instance_id AS resource,
- i.platform_integration_id AS platform_integration_id,
- i.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.status = '' THEN 'skip'
- WHEN c.status = 'COMPLIANT' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN c.status = '' THEN 'Patch is not applicable for instance ' || i.title || '.'
- WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' patch ' || c.title || ' is compliant.'
- ELSE c.resource_id || ' patch ' || c.title || ' is non-compliant.'
- END AS reason
- FROM
- aws_ssm_managed_instance AS i,
- aws_ssm_managed_instance_compliance AS c
- WHERE
- c.resource_id = i.instance_id
- AND c.compliance_type = 'Patch';
+ language: sql
+ primary_resource: aws_ssm_managed_instance
+ definition: |
+ SELECT
+ i.instance_id AS resource,
+ i.platform_integration_id AS platform_integration_id,
+ i.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.status = '' THEN 'skip'
+ WHEN c.status = 'COMPLIANT' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN c.status = '' THEN 'Patch is not applicable for instance ' || i.title || '.'
+ WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' patch ' || c.title || ' is compliant.'
+ ELSE c.resource_id || ' patch ' || c.title || ' is non-compliant.'
+ END AS reason
+ FROM
+ aws_ssm_managed_instance AS i,
+ aws_ssm_managed_instance_compliance AS c
+ WHERE
+ c.resource_id = i.instance_id
+ AND c.compliance_type = 'Patch';
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ssm_3.yaml b/compliance/controls/aws/aws_foundational_security_ssm_3.yaml
index 7d395355b..d3ae3a7d0 100644
--- a/compliance/controls/aws/aws_foundational_security_ssm_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ssm_3.yaml
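Review bot: The new side keeps the implicit comma join `FROM aws_ssm_managed_instance AS i, aws_ssm_managed_instance_compliance AS c` with the join key buried in WHERE; `INNER JOIN aws_ssm_managed_instance_compliance AS c ON c.resource_id = i.instance_id` followed by `WHERE c.compliance_type = 'Patch'` expresses the same rows and keeps the join condition separate from the filter. The same comma join appears in aws_foundational_security_ssm_3 in the next hunk. Separately, `WHEN c.status = '' THEN 'skip'` does not cover a NULL status, which currently lands in `ELSE 'alarm'`; if failing closed on a missing status is intended, a one-line comment above the CASE saying so would spare the next reader the question.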
@@ -1,30 +1,31 @@
 id: aws_foundational_security_ssm_3
 title: 3 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
+type: control
 description: This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or non compliant after the association is run on an instance. The control passes if the association compliance status is COMPLIANT.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ssm_managed_instance
- definition: |
- SELECT
- id AS resource,
- i.platform_integration_id AS platform_integration_id,
- i.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.status = 'COMPLIANT' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' association ' || c.title || ' is compliant.'
- ELSE c.resource_id || ' association ' || c.title || ' is non-compliant.'
- END AS reason
- FROM
- aws_ssm_managed_instance AS i,
- aws_ssm_managed_instance_compliance AS c
- WHERE
- c.resource_id = i.instance_id
- AND c.compliance_type = 'Association';
+ language: sql
+ primary_resource: aws_ssm_managed_instance
+ definition: |
+ SELECT
+ id AS resource,
+ i.platform_integration_id AS platform_integration_id,
+ i.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.status = 'COMPLIANT' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' association ' || c.title || ' is compliant.'
+ ELSE c.resource_id || ' association ' || c.title || ' is non-compliant.'
+ END AS reason
+ FROM
+ aws_ssm_managed_instance AS i,
+ aws_ssm_managed_instance_compliance AS c
+ WHERE
+ c.resource_id = i.instance_id
+ AND c.compliance_type = 'Association';
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_ssm_4.yaml b/compliance/controls/aws/aws_foundational_security_ssm_4.yaml
index 314f5e97e..8aad4d34f 100644
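Review bot: `id AS resource` is the only unqualified column in a two-table query where every other column carries an `i.` or `c.` prefix, so it is unclear which table's id becomes the resource key, and if both tables expose an id column the query fails with an ambiguous-column error. aws_foundational_security_ssm_2 uses `i.instance_id AS resource` for the same primary resource; using `i.instance_id AS resource` here too keeps the resource key consistent across the SSM controls and removes the ambiguity.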
--- a/compliance/controls/aws/aws_foundational_security_ssm_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ssm_4.yaml
@@ -1,28 +1,29 @@
 id: aws_foundational_security_ssm_4
 title: 4 SSM documents should not be public
+type: control
 description: This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ssm_document
- definition: |
- SELECT
- 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN account_ids :: jsonb ? 'all' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN account_ids :: jsonb ? 'all' THEN title || ' publicly accessible.'
- ELSE title || ' not publicly accessible.'
- END AS reason
- FROM
- aws_ssm_document
- WHERE
- owner_type = 'Self';
+ language: sql
+ primary_resource: aws_ssm_document
+ definition: |
+ SELECT
+ 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN account_ids :: jsonb ? 'all' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN account_ids :: jsonb ? 'all' THEN title || ' publicly accessible.'
+ ELSE title || ' not publicly accessible.'
+ END AS reason
+ FROM
+ aws_ssm_document
+ WHERE
+ owner_type = 'Self';
 severity: critical
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_1.yaml b/compliance/controls/aws/aws_foundational_security_waf_1.yaml
index 20edc2331..7713d7fed 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_1.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_1
 title: 1 AWS WAF Classic Global Web ACL logging should be enabled
+type: control
 description: This control checks whether logging is enabled for an AWS WAF global web ACL. This control fails if logging is not enabled for the web ACL.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_waf_web_acl
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN logging_configuration IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN logging_configuration IS NULL THEN title || ' logging disabled.'
- ELSE title || ' logging enabled.'
- END AS reason
- FROM
- aws_waf_web_acl;
+ language: sql
+ primary_resource: aws_waf_web_acl
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN logging_configuration IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN logging_configuration IS NULL THEN title || ' logging disabled.'
+ ELSE title || ' logging enabled.'
+ END AS reason
+ FROM
+ aws_waf_web_acl;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_10.yaml b/compliance/controls/aws/aws_foundational_security_waf_10.yaml
index 745916b4c..44e47ba3b 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_10.yaml
@@ -1,39 +1,40 @@
 id: aws_foundational_security_waf_10
 title: 10 AWS WAF web ACLs should have at least one rule or rule group
+type: control
 description: This control checks whether a WAFV2 web access control list (web ACL) contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_wafv2_web_acl
- definition: |
- WITH rule_group_count AS (
- SELECT
- arn,
- COUNT(*) AS rule_group_count
- FROM
- aws_wafv2_web_acl,
- jsonb_array_elements(rules) AS r
- WHERE
- r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' IS NOT NULL
- GROUP BY
- arn
- )
- SELECT
- a.arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
- ELSE title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.'
- END AS reason
- FROM
- aws_wafv2_web_acl AS a
- LEFT JOIN rule_group_count AS c ON c.arn = a.arn;
+ language: sql
+ primary_resource: aws_wafv2_web_acl
+ definition: |
+ WITH rule_group_count AS (
+ SELECT
+ arn,
+ COUNT(*) AS rule_group_count
+ FROM
+ aws_wafv2_web_acl,
+ jsonb_array_elements(rules) AS r
+ WHERE
+ r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' IS NOT NULL
+ GROUP BY
+ arn
+ )
+ SELECT
+ a.arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
+ ELSE title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.'
+ END AS reason
+ FROM
+ aws_wafv2_web_acl AS a
+ LEFT JOIN rule_group_count AS c ON c.arn = a.arn;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_12.yaml b/compliance/controls/aws/aws_foundational_security_waf_12.yaml
index d1fb8840a..5a62f65d4 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_12.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_12.yaml
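Review bot: When a web ACL has rules but none of them is a rule-group reference, the LEFT JOIN leaves c.rule_group_count NULL, and `title || ' has ' || c.rule_group_count || ...` then yields a NULL reason for a row whose status is 'ok'. Wrapping both uses as `COALESCE(c.rule_group_count, 0)` in the ELSE branch fixes the reason without touching the status logic. The status CASE itself is fine, since it depends only on `rules`.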
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_12
 title: 12 AWS WAF rules should have CloudWatch metrics enabled
+type: control
 description: This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_wafv2_rule_group
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN title || ' logging enabled.'
- ELSE title || ' logging disabled.'
- END AS reason
- FROM
- aws_wafv2_rule_group;
+ language: sql
+ primary_resource: aws_wafv2_rule_group
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN title || ' logging enabled.'
+ ELSE title || ' logging disabled.'
+ END AS reason
+ FROM
+ aws_wafv2_rule_group;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_2.yaml b/compliance/controls/aws/aws_foundational_security_waf_2.yaml
index 5c23f040f..be4043083 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_2.yaml
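Review bot: The reason strings `' logging enabled.'` / `' logging disabled.'` describe a different finding from the check, which is `visibility_config ->> 'CloudWatchMetricsEnabled'`; `' CloudWatch metrics enabled.'` / `' CloudWatch metrics disabled.'` would state what was actually evaluated and stop the output reading like the WAF logging controls. The title and description also cover WAF rules as well as rule groups, but the query reads only aws_wafv2_rule_group; either narrow the description to rule groups or extend the scope so the text and the query agree.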
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_2
 title: 2 AWS WAF Classic Regional rules should have at least one condition
+type: control
 description: This control checks whether an AWS WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_wafregional_rule
- definition: |
- SELECT
- rule_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.'
- ELSE title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.'
- END AS reason
- FROM
- aws_wafregional_rule;
+ language: sql
+ primary_resource: aws_wafregional_rule
+ definition: |
+ SELECT
+ rule_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.'
+ ELSE title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.'
+ END AS reason
+ FROM
+ aws_wafregional_rule;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_3.yaml b/compliance/controls/aws/aws_foundational_security_waf_3.yaml
index 7175fc6a0..8031cf68a 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_3.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_3
 title: 3 AWS WAF Classic Regional rule groups should have at least one rule
+type: control
 description: This control checks whether an AWS WAF Regional rule group has at least one rule. The control fails if no rules are present within a rule group.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_wafregional_rule_group
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.'
- ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'
- END AS reason
- FROM
- aws_wafregional_rule_group;
+ language: sql
+ primary_resource: aws_wafregional_rule_group
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.'
+ ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'
+ END AS reason
+ FROM
+ aws_wafregional_rule_group;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_4.yaml b/compliance/controls/aws/aws_foundational_security_waf_4.yaml
index 3e790db41..597bbb5fd 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_4.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_4
 title: 4 AWS WAF Classic Regional web ACLs should have at least one rule or rule group
+type: control
 description: This control checks whether an AWS WAF Classic Regional web ACL contains any WAF rules or WAF rule groups. This control fails if a web ACL does not contain any WAF rules or rule groups.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_wafregional_web_acl
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
- ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'
- END AS reason
- FROM
- aws_wafregional_web_acl;
+ language: sql
+ primary_resource: aws_wafregional_web_acl
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
+ ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'
+ END AS reason
+ FROM
+ aws_wafregional_web_acl;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_6.yaml b/compliance/controls/aws/aws_foundational_security_waf_6.yaml
index fd225e8b7..4d14c6676 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_6.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_6.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_6
 title: 6 AWS WAF Classic global rules should have at least one condition
+type: control
 description: This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_waf_rule
- definition: |
- SELECT
- rule_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.'
- ELSE title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.'
- END AS reason
- FROM
- aws_waf_rule;
+ language: sql
+ primary_resource: aws_waf_rule
+ definition: |
+ SELECT
+ rule_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.'
+ ELSE title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.'
+ END AS reason
+ FROM
+ aws_waf_rule;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_7.yaml b/compliance/controls/aws/aws_foundational_security_waf_7.yaml
index 7fb0e5f17..194b40849 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_7.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_7
 title: 7 AWS WAF Classic global rule groups should have at least one rule
+type: control
 description: This control checks whether an AWS WAF global rule group has at least one rule. The control fails if no rules are present within a rule group.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_waf_rule_group
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.'
- ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'
- END AS reason
- FROM
- aws_waf_rule_group;
+ language: sql
+ primary_resource: aws_waf_rule_group
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.'
+ ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'
+ END AS reason
+ FROM
+ aws_waf_rule_group;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_foundational_security_waf_8.yaml b/compliance/controls/aws/aws_foundational_security_waf_8.yaml
index 769672a24..7cccd0f62 100644
--- a/compliance/controls/aws/aws_foundational_security_waf_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_waf_8.yaml
@@ -1,26 +1,27 @@
 id: aws_foundational_security_waf_8
 title: 8 AWS WAF Classic global web ACLs should have at least one rule or rule group
+type: control
 description: This control checks whether an AWS WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_waf_web_acl
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
- ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'
- END AS reason
- FROM
- aws_waf_web_acl;
+ language: sql
+ primary_resource: aws_waf_web_acl
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.'
+ ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'
+ END AS reason
+ FROM
+ aws_waf_web_acl;
 severity: medium
 tags: {}
diff --git a/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml b/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml
index 109e995e1..5a0d21f91 100644
--- a/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml
+++ b/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml
@@ -1,37 +1,38 @@ id: aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled title: FSx for OpenZFS file systems should be configured to copy tags to backups and volumes +type: control description: This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_fsx_file_system - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN file_system_type <> 'OPENZFS' THEN 'skip' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool - AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN file_system_type <> 'OPENZFS' - THEN title || ' is of ' || file_system_type || ' type file system.' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool - AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool - THEN title || ' copy tags to backup and volume enabled.' - WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool - THEN title || ' copy tags to backup enabled but disabled for volume.' - WHEN (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool - THEN title || ' copy tags to volume enabled but disabled for backup.' - ELSE title || ' copy tags to backup and volume disabled.' 
- END AS reason - FROM - aws_fsx_file_system; + language: sql + primary_resource: aws_fsx_file_system + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN file_system_type <> 'OPENZFS' THEN 'skip' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool + AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN file_system_type <> 'OPENZFS' + THEN title || ' is of ' || file_system_type || ' type file system.' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool + AND (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool + THEN title || ' copy tags to backup and volume enabled.' + WHEN (open_zfs_configuration ->> 'CopyTagsToBackups')::bool + THEN title || ' copy tags to backup enabled but disabled for volume.' + WHEN (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool + THEN title || ' copy tags to volume enabled but disabled for backup.' + ELSE title || ' copy tags to backup and volume disabled.' + END AS reason + FROM + aws_fsx_file_system; severity: low tags: {} diff --git a/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml index 259aaf4a9..ff8a28435 100644 --- a/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml 
@@ -1,64 +1,65 @@ id: aws_fsx_file_system_protected_by_backup_plan title: FSx file system should be protected by backup plan +type: control description: Checks if AWS FSx File Systems are protected by a backup plan. The rule is non-compliant if the AWS FSx File System is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_fsx_file_system - definition: | - WITH backup_protected_fsx_file_system AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'FSx' - ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN f.title || ' is protected by backup plan.' - ELSE f.title || ' is not protected by backup plan.' - END AS reason, - f.region, - f.account_id - FROM - aws_fsx_file_system AS f - LEFT JOIN - backup_protected_fsx_file_system AS b - ON - f.arn = b.arn; + language: sql + primary_resource: aws_fsx_file_system + definition: | + WITH backup_protected_fsx_file_system AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'FSx' + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN f.title || ' is protected by backup plan.' + ELSE f.title || ' is not protected by backup plan.' 
+ END AS reason, + f.region, + f.account_id + FROM + aws_fsx_file_system AS f + LEFT JOIN + backup_protected_fsx_file_system AS b + ON + f.arn = b.arn; severity: high tags: - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - service: - - AWS/FSx - soc_2: - - 'true' + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + service: + - AWS/FSx + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml b/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml index 968218110..993186454 100644 --- a/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml +++ b/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml 
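Review bot: The `backup_protected_fsx_file_system` CTE has no DISTINCT on `resource_arn`, so if `aws_backup_protected_resource` ever yields the same ARN more than once (for example a file system covered by more than one plan or vault), the `LEFT JOIN ... ON f.arn = b.arn` multiplies that file system's result rows and the control reports it several times; `SELECT DISTINCT resource_arn AS arn` in the CTE removes the risk at no cost. Whether duplicates actually occur depends on that table's semantics, which are not visible in the hunk, so treat this as a defensive change. The alias `AS b` declared inside the CTE is never referenced and can be dropped.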
@@ -1,40 +1,41 @@
 id: aws_gatewayv2_stage_access_logging_enabled
 title: Access logging should be configured for API Gateway V2 Stages
+type: control
 description: This control checks if AWS API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_api_gatewayv2_stage
- definition: |
- SELECT
- 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN access_log_settings IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN access_log_settings IS NULL THEN title || ' access logging disabled.'
- ELSE title || ' access logging enabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_api_gatewayv2_stage;
+ language: sql
+ primary_resource: aws_api_gatewayv2_stage
+ definition: |
+ SELECT
+ 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN access_log_settings IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN access_log_settings IS NULL THEN title || ' access logging disabled.'
+ ELSE title || ' access logging enabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_api_gatewayv2_stage;
 severity: medium
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - logging
- foundational_security_item_id:
- - apigateway_9
- plugin:
- - aws
- service:
- - AWS/APIGateway
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - logging
+ foundational_security_item_id:
+ - apigateway_9
+ plugin:
+ - aws
+ service:
+ - AWS/APIGateway
diff --git a/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml b/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml
index 56a8f1b5a..1c017604e 100644
--- a/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml
+++ b/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml
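Review bot: The status is decided solely by `access_log_settings IS NULL`, so a stage whose settings object is present but carries no destination (an empty object, or one without `DestinationArn`) is reported 'ok'; if the column can take that shape, `WHEN access_log_settings IS NULL OR access_log_settings ->> 'DestinationArn' IS NULL THEN 'alarm'` closes the gap. I cannot tell from the hunk whether the source table ever emits an empty object rather than NULL, so this is worth confirming against the plugin before changing. The hand-built resource ARN also silently becomes NULL if any of `partition`, `region`, `api_id` or `stage_name` is NULL, which would leave the finding without an identity.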
@@ -1,44 +1,45 @@ id: aws_glacier_vault_restrict_public_access title: Glacier vault should restrict public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS Glacier vault cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_glacier_vault - definition: | - WITH wildcard_action_policies AS ( - SELECT - vault_arn, - COUNT(*) AS statements_num - FROM - aws_glacier_vault, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - vault_arn + language: sql + primary_resource: aws_glacier_vault + definition: | + WITH wildcard_action_policies AS ( + SELECT + vault_arn, + COUNT(*) AS statements_num + FROM + aws_glacier_vault, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - g.vault_arn AS resource, - g.platform_integration_id AS platform_integration_id, - g.platform_resource_id AS platform_resource_id, - CASE - WHEN p.vault_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.vault_arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || - ' statements that allow public access.' - END AS reason - FROM - aws_glacier_vault AS g - LEFT JOIN wildcard_action_policies AS p ON p.vault_arn = g.vault_arn; + GROUP BY + vault_arn + ) + SELECT + g.vault_arn AS resource, + g.platform_integration_id AS platform_integration_id, + g.platform_resource_id AS platform_resource_id, + CASE + WHEN p.vault_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.vault_arn IS NULL THEN title || ' does not allow public access.' 
+ ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || + ' statements that allow public access.' + END AS reason + FROM + aws_glacier_vault AS g + LEFT JOIN wildcard_action_policies AS p ON p.vault_arn = g.vault_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml b/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml index 38d3da633..5a8fb6ce1 100644 --- a/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml +++ b/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml @@ -1,26 +1,27 @@ id: aws_glue_connection_ssl_enabled title: Glue connection SSL should be enabled +type: control description: Ensure Glue connection encryption SSL is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_glue_connection - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' THEN name || ' SSL enabled.' - ELSE name || ' SSL disabled.' - END AS reason - FROM - aws_glue_connection; + language: sql + primary_resource: aws_glue_connection + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' THEN name || ' SSL enabled.' + ELSE name || ' SSL disabled.' + END AS reason + FROM + aws_glue_connection; severity: low tags: {} 
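Review bot: The CTE is named `wildcard_action_policies` but its predicate only inspects `Principal` (`'*'` or `["*"]`) and never looks at `Action`, which misleads the reader into thinking actions are evaluated; renaming it `public_principal_policies` and adding `-- statements whose principal is the wildcard, regardless of action or condition` above the WHERE would make the scope explicit. Statements with a wildcard principal are counted even when they carry a `Condition` block that scopes access, so the control can over-report; whether conditioned statements should be treated differently is a deliberate decision that belongs in a comment at the WHERE clause rather than left implicit. In the outer SELECT `title` is unqualified while every other column is `g.`-prefixed; `g.title` keeps it consistent.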
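Review bot: The check evaluates `connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true'` for every row of `aws_glue_connection`, so connection types for which that property does not exist would always land in 'alarm'; Glue connections carry a ConnectionType, and if the table exposes it a 'skip' branch for non-JDBC types (or at least a comment stating that only JDBC connections are meaningful here) is needed. The reason column uses `name` while the sibling controls in this diff build it from `title`; either works, but the pack is inconsistent.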
diff --git a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml index c2bebd77e..a2ef9d822 100644 --- a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml 
@@ -1,28 +1,29 @@ id: aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled title: Glue data catalog metadata encryption should be enabled +type: control description: Ensure Glue data catalog metadata encryption is enabled to protect sensitive information at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_glue_data_catalog_encryption_settings - definition: | - SELECT - 'arn:' || partition || '::' || region || ':' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_at_rest IS NOT NULL - AND encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_at_rest IS NOT NULL - AND encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' THEN 'Glue data catalog metadata encryption is enabled in ' || region || '.' - ELSE 'Glue data catalog metadata encryption is disabled in ' || region || '.' - END AS reason - FROM - aws_glue_data_catalog_encryption_settings; + language: sql + primary_resource: aws_glue_data_catalog_encryption_settings + definition: | + SELECT + 'arn:' || partition || '::' || region || ':' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_at_rest IS NOT NULL + AND encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_at_rest IS NOT NULL + AND encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' THEN 'Glue data catalog metadata encryption is enabled in ' || region || '.' + ELSE 'Glue data catalog metadata encryption is disabled in ' || region || '.' + END AS reason + FROM + aws_glue_data_catalog_encryption_settings; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml index 43bd8b8da..37f22ea0c 100644 --- a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml 
@@ -1,28 +1,29 @@ id: aws_glue_data_catalog_encryption_settings_password_encryption_enabled title: Glue data catalog connection password encryption should be enabled +type: control description: Ensure Glue data catalog connection password encryption is enabled to protect sensitive information at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_glue_data_catalog_encryption_settings - definition: | - SELECT - 'arn:' || partition || '::' || region || ':' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN connection_password_encryption IS NOT NULL - AND connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN connection_password_encryption IS NOT NULL - AND connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' THEN 'Glue data catalog connection password encryption enabled in ' || region || '.' - ELSE 'Glue data catalog connection password encryption disabled in ' || region || '.' - END AS reason - FROM - aws_glue_data_catalog_encryption_settings; + language: sql + primary_resource: aws_glue_data_catalog_encryption_settings + definition: | + SELECT + 'arn:' || partition || '::' || region || ':' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN connection_password_encryption IS NOT NULL + AND connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN connection_password_encryption IS NOT NULL + AND connection_password_encryption ->> 'ReturnConnectionPasswordEncrypted' != 'false' THEN 'Glue data catalog connection password encryption enabled in ' || region || '.' 
+ ELSE 'Glue data catalog connection password encryption disabled in ' || region || '.' + END AS reason + FROM + aws_glue_data_catalog_encryption_settings; severity: low tags: {} diff --git a/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml index f25d4be80..102b11774 100644 --- a/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml 
@@ -1,34 +1,35 @@
 id: aws_glue_job_bookmarks_encryption_enabled
 title: Glue jobs bookmarks encryption should be enabled
+type: control
 description: Ensure Glue job bookmarks have encryption enabled to protect sensitive information at rest.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_glue_job
- definition: |
- SELECT
- j.arn AS resource,
- j.platform_integration_id AS platform_integration_id,
- j.platform_resource_id AS platform_resource_id,
- CASE
- WHEN job_bookmarks_encryption IS NOT NULL
- AND job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED'
- THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN job_bookmarks_encryption IS NOT NULL
- AND job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED'
- THEN j.title || ' job bookmarks encryption enabled.'
- ELSE j.title || ' job bookmarks encryption disabled.'
- END AS reason
- FROM
- aws_glue_job AS j
- LEFT JOIN
- aws_glue_security_configuration AS c
- ON
- j.security_configuration = c.name;
+ language: sql
+ primary_resource: aws_glue_job
+ definition: |
+ SELECT
+ j.arn AS resource,
+ j.platform_integration_id AS platform_integration_id,
+ j.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN job_bookmarks_encryption IS NOT NULL
+ AND job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED'
+ THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN job_bookmarks_encryption IS NOT NULL
+ AND job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED'
+ THEN j.title || ' job bookmarks encryption enabled.'
+ ELSE j.title || ' job bookmarks encryption disabled.'
+ END AS reason
+ FROM
+ aws_glue_job AS j
+ LEFT JOIN
+ aws_glue_security_configuration AS c
+ ON
+ j.security_configuration = c.name;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_guardduty_enabled.yaml b/compliance/controls/aws/aws_guardduty_enabled.yaml
index 87c4c248c..9182497d6 100644
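Review bot: The LEFT JOIN to `aws_glue_security_configuration` matches on `j.security_configuration = c.name` alone, but security configuration names are scoped to an account and region, so a job can be evaluated against a same-named configuration from another account or region and, when several exist, the job row is duplicated; `ON j.security_configuration = c.name AND j.account_id = c.account_id AND j.region = c.region` restricts the match, assuming both tables carry those columns as the other controls in this diff suggest. `job_bookmarks_encryption` is unqualified in both CASE expressions; `c.job_bookmarks_encryption` makes it explicit that the value comes from the joined configuration rather than the job. A job with no security configuration at all falls into 'alarm' via the NULL branch, which is the intended fail-closed result and deserves a one-line comment above the first WHEN.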
--- a/compliance/controls/aws/aws_guardduty_enabled.yaml
+++ b/compliance/controls/aws/aws_guardduty_enabled.yaml
@@ -1,72 +1,73 @@ id: aws_guardduty_enabled title: GuardDuty should be enabled +type: control description: AWS GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_region - definition: | - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.region = ANY(ARRAY['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) THEN 'skip' - WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' - WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NULL THEN 'ok' - WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NOT NULL THEN 'info' - ELSE 'alarm' - END AS status, - CASE - WHEN r.region = ANY(ARRAY['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) THEN r.region || ' region not supported.' - WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' - WHEN status IS NULL THEN 'No GuardDuty detector found in ' || r.region || '.' - WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NULL THEN r.region || ' detector ' || d.title || ' enabled.' - WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NOT NULL THEN r.region || ' detector ' || d.title || ' is managed by account ' || (master_account ->> 'AccountId') || ' via delegated admin.' - ELSE r.region || ' detector ' || d.title || ' disabled.' 
- END AS reason, - r.region, - r.account_id - FROM - aws_region AS r - LEFT JOIN aws_guardduty_detector d ON r.account_id = d.account_id AND r.name = d.region; + language: sql + primary_resource: aws_region + definition: | + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.region = ANY(ARRAY['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) THEN 'skip' + WHEN r.opt_in_status = 'not-opted-in' THEN 'skip' + WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NULL THEN 'ok' + WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NOT NULL THEN 'info' + ELSE 'alarm' + END AS status, + CASE + WHEN r.region = ANY(ARRAY['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) THEN r.region || ' region not supported.' + WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' + WHEN status IS NULL THEN 'No GuardDuty detector found in ' || r.region || '.' + WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NULL THEN r.region || ' detector ' || d.title || ' enabled.' + WHEN status = 'ENABLED' AND master_account ->> 'AccountId' IS NOT NULL THEN r.region || ' detector ' || d.title || ' is managed by account ' || (master_account ->> 'AccountId') || ' via delegated admin.' + ELSE r.region || ' detector ' || d.title || ' disabled.' 
+ END AS reason, + r.region, + r.account_id + FROM + aws_region AS r + LEFT JOIN aws_guardduty_detector d ON r.account_id = d.account_id AND r.name = d.region; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/GuardDuty - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_guardduty_finding_archived.yaml b/compliance/controls/aws/aws_guardduty_finding_archived.yaml index d11441954..e81088fa1 100644 --- a/compliance/controls/aws/aws_guardduty_finding_archived.yaml +++ b/compliance/controls/aws/aws_guardduty_finding_archived.yaml 
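Review bot: `status` and `master_account` are unqualified in both CASE expressions while every other column is prefixed `r.` or `d.`; `d.status` and `d.master_account` would make it unambiguous that the detector row, not the region row, is read (the bare `status` also collides visually with the `AS status` output alias). The hard-coded 'not supported' region list, repeated in both CASEs, deserves a dated comment and a re-check against current GuardDuty availability, because a stale entry turns a region with no detector into a silent 'skip' instead of an 'alarm'. The `status IS NULL` branch in the reason CASE has no counterpart in the status CASE and relies on ELSE to produce 'alarm'; that is correct but worth a comment such as `-- no detector row joined: treated as not enabled`.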
@@ -1,60 +1,61 @@ id: aws_guardduty_finding_archived title: GuardDuty findings should be archived -description: 'AWS GuardDuty helps you understand the impact of an incident by classifying findings by severity: low, medium, and high.' +type: control +description: "AWS GuardDuty helps you understand the impact of an incident by classifying findings by severity: low, medium, and high." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_guardduty_finding - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN service ->> 'Archived' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN service ->> 'Archived' = 'false' THEN title || ' not archived.' - ELSE title || ' archived.' - END AS reason, - region, - account_id - FROM - aws_guardduty_finding; + language: sql + primary_resource: aws_guardduty_finding + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN service ->> 'Archived' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN service ->> 'Archived' = 'false' THEN title || ' not archived.' + ELSE title || ' archived.' 
+ END AS reason, + region, + account_id + FROM + aws_guardduty_finding; severity: high tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/GuardDuty - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/GuardDuty + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml b/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml index 81c9f7f19..3689fa4d2 100644 --- a/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml +++ b/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml 
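Review bot: The status CASE in the new definition treats a missing `Archived` key the same as an archived finding: `service ->> 'Archived'` is NULL when the key is absent, the comparison with 'false' is then unknown, and the ELSE branch yields 'ok' with the reason `title || ' archived.'`. If the collector ever omits or renames that attribute, every finding silently passes the control. Make the passing condition positive, e.g. `WHEN service ->> 'Archived' = 'true' THEN 'ok' ELSE 'alarm' END AS status`, and mirror it in the reason CASE so an absent attribute is reported rather than hidden.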
@@ -1,50 +1,51 @@
 id: aws_guardduty_no_high_severity_findings
 title: GuardDuty Detector should not have high severity findings
+type: control
 description: GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment. If critical findings are not addressed threats can spread in the environment. This rule is non-compliant if there are high severity findings.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_guardduty_detector
- definition: |
- WITH detectors AS (
- SELECT
- detector_id,
- arn,
- title,
- region,
- account_id,
- status,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_guardduty_detector
- ), finding_count AS (
- SELECT
- f.detector_id,
- COUNT(*) AS count
- FROM
- aws_guardduty_finding AS f
- GROUP BY
- f.detector_id
- )
- SELECT
- arn AS resource,
- d.platform_integration_id AS platform_integration_id,
- d.platform_resource_id AS platform_resource_id,
- CASE
- WHEN status <> 'ENABLED' THEN 'skip'
- WHEN fc.count = 0 OR fc.count IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN status <> 'ENABLED' THEN d.detector_id || ' is disabled.'
- WHEN fc.count = 0 OR fc.count IS NULL THEN d.detector_id || ' is enabled and does not have high severity findings.'
- ELSE d.detector_id || ' is enabled and has ' || fc.count || ' high severity findings.'
- END AS reason
- FROM
- detectors AS d
- LEFT JOIN finding_count AS fc ON fc.detector_id = d.detector_id;
+ language: sql
+ primary_resource: aws_guardduty_detector
+ definition: |
+ WITH detectors AS (
+ SELECT
+ detector_id,
+ arn,
+ title,
+ region,
+ account_id,
+ status,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_guardduty_detector
+ ), finding_count AS (
+ SELECT
+ f.detector_id,
+ COUNT(*) AS count
+ FROM
+ aws_guardduty_finding AS f
+ GROUP BY
+ f.detector_id
+ )
+ SELECT
+ arn AS resource,
+ d.platform_integration_id AS platform_integration_id,
+ d.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN status <> 'ENABLED' THEN 'skip'
+ WHEN fc.count = 0 OR fc.count IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN status <> 'ENABLED' THEN d.detector_id || ' is disabled.'
+ WHEN fc.count = 0 OR fc.count IS NULL THEN d.detector_id || ' is enabled and does not have high severity findings.'
+ ELSE d.detector_id || ' is enabled and has ' || fc.count || ' high severity findings.'
+ END AS reason
+ FROM
+ detectors AS d
+ LEFT JOIN finding_count AS fc ON fc.detector_id = d.detector_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml b/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml
index dfaec2fd3..682efae4f 100644
--- a/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml
+++ b/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml 
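Review bot: The `finding_count` CTE counts every finding per detector — `COUNT(*) FROM aws_guardduty_finding AS f GROUP BY f.detector_id` carries no severity predicate — while the control title and the reason strings speak of high severity findings, so a detector holding only low-severity findings is reported as `' is enabled and has N high severity findings.'`. If the finding table exposes the numeric severity (not visible here), add a filter before the GROUP BY such as `WHERE f.severity >= 7`, the lower bound of GuardDuty's high band; otherwise rename the control to what it actually measures. Separately, `fc.count = 0` can never be true for a grouped `COUNT(*)` and can be dropped, and unlike the sibling controls in this commit the final SELECT omits `d.region` and `d.account_id` even though the `detectors` CTE carries both.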
@@ -1,74 +1,75 @@ id: aws_iam_access_analyzer_enabled title: Ensure that IAM Access analyzer is enabled for all regions +type: control description: This control checks whether IAM Access analyzer is enabled for all regions. The control fails if IAM Access analyzer is not enabled for all regions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH regions AS ( - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.opt_in_status = 'not-opted-in' THEN 1 - WHEN aa.arn IS NOT NULL THEN 0 - ELSE 2 - END AS status, - r.region, - r.account_id - FROM - aws_region AS r - LEFT JOIN aws_accessanalyzer_analyzer AS aa - ON r.account_id = aa.account_id AND r.region = aa.region - ), - results AS ( - SELECT - account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_integration_id AS platform_resource_id, - CASE - WHEN MAX(status) = 2 THEN 'alarm' - WHEN MAX(status) = 1 THEN 'skip' - WHEN MAX(status) = 0 THEN 'ok' - END AS status, - CASE - WHEN MAX(status) = 2 THEN 'IAM Access analyzer is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 0 THEN 'IAM Access analyzer is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - END AS reason - FROM regions - GROUP BY account_id, platform_integration_id - ) - SELECT - r.resource AS resource, - r.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - r.status AS status, - r.reason AS reason - FROM results AS r - JOIN aws_account AS a - ON r.platform_integration_id = a.platform_integration_id + language: sql + primary_resource: aws_account + 
definition: | + WITH regions AS ( + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.opt_in_status = 'not-opted-in' THEN 1 + WHEN aa.arn IS NOT NULL THEN 0 + ELSE 2 + END AS status, + r.region, + r.account_id + FROM + aws_region AS r + LEFT JOIN aws_accessanalyzer_analyzer AS aa + ON r.account_id = aa.account_id AND r.region = aa.region + ), + results AS ( + SELECT + account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_integration_id AS platform_resource_id, + CASE + WHEN MAX(status) = 2 THEN 'alarm' + WHEN MAX(status) = 1 THEN 'skip' + WHEN MAX(status) = 0 THEN 'ok' + END AS status, + CASE + WHEN MAX(status) = 2 THEN 'IAM Access analyzer is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 0 THEN 'IAM Access analyzer is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + END AS reason + FROM regions + GROUP BY account_id, platform_integration_id + ) + SELECT + r.resource AS resource, + r.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + r.status AS status, + r.reason AS reason + FROM results AS r + JOIN aws_account AS a + ON r.platform_integration_id = a.platform_integration_id severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.21' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.21" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/IAM 
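Review bot: The account-level roll-up in the `results` CTE reports a compliant account as 'skip': with the 0/1/2 encoding and `MAX(status)`, an account whose every opted-in region has an analyzer but which also has any not-opted-in region (the normal case) reaches `WHEN MAX(status) = 1 THEN 'skip'` instead of 'ok'. Use the minimum to detect the all-disabled case instead: keep `WHEN MAX(status) = 2 THEN 'alarm'`, then `WHEN MIN(status) = 1 THEN 'skip'` and `ELSE 'ok'`, with the reason CASE adjusted the same way. The reason strings also aggregate every region regardless of its state, so the alarm message names compliant regions as missing analyzers; `STRING_AGG(region, ',') FILTER (WHERE status = 2)` restricts the list to the offending ones. In the same CTE, `platform_integration_id AS platform_resource_id` looks like a copy-paste slip, harmless only because the final SELECT overrides it with `a.platform_resource_id`.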
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml b/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml index a98189d1c..9a1f60715 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml 
@@ -1,45 +1,46 @@ id: aws_iam_account_password_policy_min_length_14 title: Ensure IAM password policy requires a minimum length of 14 or greater +type: control description: Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_password_length >= 14 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - ELSE 'Minimum password length set to ' || minimum_password_length || '.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_password_length >= 14 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + ELSE 'Minimum password length set to ' || minimum_password_length || '.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - nist_800_53_rev_5: - - 'true' - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml index cd1c1430e..c4983ddfc 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml 
@@ -1,50 +1,51 @@ id: aws_iam_account_password_policy_one_lowercase_letter title: Ensure IAM password policy requires at least one lowercase letter +type: control description: Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN require_lowercase_characters THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN require_lowercase_characters THEN 'Lowercase character required.' - ELSE 'Lowercase character not required.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol - ON - a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN require_lowercase_characters THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN require_lowercase_characters THEN 'Lowercase character required.' + ELSE 'Lowercase character not required.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol + ON + a.account_id = pol.account_id; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.6' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.6" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml index 63a787fd0..b231c2039 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml 
@@ -1,47 +1,48 @@ id: aws_iam_account_password_policy_one_number title: Ensure IAM password policy requires at least one number +type: control description: Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN require_numbers THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN require_numbers THEN 'Number required.' - ELSE 'Number not required.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN require_numbers THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN require_numbers THEN 'Number required.' + ELSE 'Number not required.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.8' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.8" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml index d070a8a3e..b278a7487 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml 
@@ -1,48 +1,49 @@ id: aws_iam_account_password_policy_one_symbol title: Ensure IAM password policy requires at least one symbol +type: control description: Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN require_symbols THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN require_symbols THEN 'Symbol required.' - ELSE 'Symbol not required.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_iam_account_password_policy AS pol - ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN require_symbols THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN require_symbols THEN 'Symbol required.' + ELSE 'Symbol not required.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_iam_account_password_policy AS pol + ON a.account_id = pol.account_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.7' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.7" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml index f2a6198a8..cfa7aad06 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml 
@@ -1,48 +1,49 @@ id: aws_iam_account_password_policy_one_uppercase_letter title: Ensure IAM password policy requires at least one uppercase letter +type: control description: Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN require_uppercase_characters THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN require_uppercase_characters THEN 'Uppercase character required.' - ELSE 'Uppercase character not required.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN require_uppercase_characters THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN require_uppercase_characters THEN 'Uppercase character required.' + ELSE 'Uppercase character not required.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.5' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.5" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml b/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml index 6bbc9abfd..af169aede 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml 
@@ -1,50 +1,51 @@ id: aws_iam_account_password_policy_reuse_24 title: Ensure IAM password policy prevents password reuse +type: control description: This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN password_reuse_prevention >= 24 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN password_reuse_prevention IS NULL THEN 'Password reuse prevention not set.' - ELSE 'Password reuse prevention set to ' || password_reuse_prevention || '.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN - aws_iam_account_password_policy AS pol - ON - a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN password_reuse_prevention >= 24 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN password_reuse_prevention IS NULL THEN 'Password reuse prevention not set.' + ELSE 'Password reuse prevention set to ' || password_reuse_prevention || '.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN + aws_iam_account_password_policy AS pol + ON + a.account_id = pol.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.10' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.10" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml index c9f79cc65..7a694b2f0 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml 
@@ -1,54 +1,55 @@ id: aws_iam_account_password_policy_strong_min_length_8 title: Password policies for IAM users should have strong configurations with minimum length of 8 or greater +type: control description: This control checks whether the account password policy for IAM users uses the recommended configurations. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - minimum_password_length >= 8 - AND require_lowercase_characters = 'true' - AND require_uppercase_characters = 'true' - AND require_numbers = 'true' - AND require_symbols = 'true' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN - minimum_password_length >= 8 - AND require_lowercase_characters = 'true' - AND require_uppercase_characters = 'true' - AND require_numbers = 'true' - AND require_symbols = 'true' - THEN 'Strong password policies configured.' - ELSE 'Strong password policies not configured.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_iam_account_password_policy AS pol - ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + minimum_password_length >= 8 + AND require_lowercase_characters = 'true' + AND require_uppercase_characters = 'true' + AND require_numbers = 'true' + AND require_symbols = 'true' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' 
+ WHEN + minimum_password_length >= 8 + AND require_lowercase_characters = 'true' + AND require_uppercase_characters = 'true' + AND require_numbers = 'true' + AND require_symbols = 'true' + THEN 'Strong password policies configured.' + ELSE 'Strong password policies not configured.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_iam_account_password_policy AS pol + ON a.account_id = pol.account_id; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - iam_7 - plugin: - - aws - service: - - AWS/IAM + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - iam_7 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml index 4ccaa86a5..f6784ef6d 100644 --- a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml 
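Review bot: The four boolean columns are compared to the string literal `'true'` (`require_lowercase_characters = 'true'` and so on), relying on the engine coercing the literal to boolean, whereas the single-attribute controls earlier in this commit test them directly (`WHEN require_lowercase_characters THEN 'ok'`); the same pattern recurs in the strong_min_reuse_24 hunk that follows. Writing `AND require_lowercase_characters` (and likewise for uppercase, numbers and symbols) matches the siblings and avoids the coercion. The compound condition is also duplicated verbatim between the status and reason CASEs; computing it once in a CTE or a boolean column alias keeps the two from drifting apart.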
@@ -1,69 +1,70 @@ id: aws_iam_account_password_policy_strong_min_reuse_24 title: IAM password policies for users should have strong configurations +type: control description: The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - minimum_password_length >= 14 - AND password_reuse_prevention >= 24 - AND require_lowercase_characters = 'true' - AND require_uppercase_characters = 'true' - AND require_numbers = 'true' - AND require_symbols = 'true' - AND max_password_age <= 90 - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_password_length IS NULL THEN 'No password policy set.' - WHEN - minimum_password_length >= 14 - AND password_reuse_prevention >= 24 - AND require_lowercase_characters = 'true' - AND require_uppercase_characters = 'true' - AND require_numbers = 'true' - AND require_symbols = 'true' - AND max_password_age <= 90 - THEN 'Strong password policies configured.' - ELSE 'Strong password policies not configured.' 
- END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + minimum_password_length >= 14 + AND password_reuse_prevention >= 24 + AND require_lowercase_characters = 'true' + AND require_uppercase_characters = 'true' + AND require_numbers = 'true' + AND require_symbols = 'true' + AND max_password_age <= 90 + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_password_length IS NULL THEN 'No password policy set.' + WHEN + minimum_password_length >= 14 + AND password_reuse_prevention >= 24 + AND require_lowercase_characters = 'true' + AND require_uppercase_characters = 'true' + AND require_numbers = 'true' + AND require_symbols = 'true' + AND max_password_age <= 90 + THEN 'Strong password policies configured.' + ELSE 'Strong password policies not configured.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_iam_account_password_policy AS pol ON a.account_id = pol.account_id; severity: medium tags: - category: - - Compliance - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml b/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml index 3e4d7a550..7b462fd70 100644 --- a/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml +++ b/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml 
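Review bot: `max_password_age <= 90` accepts whatever the source reports when password expiration is disabled: if that state surfaces as NULL the whole AND becomes unknown and the account alarms, but if it surfaces as 0 (not visible here — confirm against the collector) an account with no expiry at all satisfies the check and is reported as `'Strong password policies configured.'`. A bounded test such as `AND max_password_age BETWEEN 1 AND 90` behaves correctly under both representations. The condition is duplicated between the status and reason CASEs, so any such change must be applied in both places, which is a further reason to compute it once.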
@@ -1,47 +1,48 @@
id: aws_iam_all_policy_no_service_wild_card
title: Ensure IAM policy should not grant full access to service
+type: control
description: Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources. The rule is non-compliant if the managed IAM policy allows full access to at least 1 AWS service.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH wildcard_action_policies AS (
- SELECT
- arn,
- COUNT(*) AS statements_num
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- NOT is_aws_managed
- AND s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- action LIKE '%:*'
- OR action = '*'
- )
- GROUP BY
- arn
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH wildcard_action_policies AS (
+ SELECT
+ arn,
+ COUNT(*) AS statements_num
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ NOT is_aws_managed
+ AND s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ action LIKE '%:*'
+ OR action = '*'
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN w.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- p.name || ' contains ' || COALESCE(w.statements_num, 0) ||
- ' statements that allow action "*" on at least 1 AWS service on resource "*".' AS reason
- FROM
- aws_iam_policy AS p
- LEFT JOIN wildcard_action_policies AS w ON p.arn = w.arn
- WHERE
- NOT p.is_aws_managed;
+ GROUP BY
+ arn
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN w.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ p.name || ' contains ' || COALESCE(w.statements_num, 0) ||
+ ' statements that allow action "*" on at least 1 AWS service on resource "*".' AS reason
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN wildcard_action_policies AS w ON p.arn = w.arn
+ WHERE
+ NOT p.is_aws_managed;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml b/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
index 4003dea27..2621ba474 100644
--- a/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
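Review bot: The `wildcard_action_policies` CTE expands only `s -> 'Action'`, so an Allow statement that grants service-wide access through `NotAction`, or one whose `Resource` list is not exactly `'*'`, is never counted and the policy is reported `ok` with "contains 0 statements"; if `policy_std` preserves `NotAction` (confirm against the collector), an `Allow` + `NotAction` + `Resource '*'` statement should match as well. `COUNT(*)` also counts each (resource, action) expansion rather than statements, so one statement listing both `s3:*` and `ec2:*` is reported as two "statements"; `COUNT(DISTINCT s)` (jsonb is comparable in PostgreSQL) keeps the reason text accurate. The same counting applies to the `bad_policies`, `star_access_policies` and `kms_blocked_actions` CTEs in the other controls of this diff.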
@@ -1,49 +1,50 @@
id: aws_iam_custom_policy_unattached_no_star_star
title: IAM unattached custom policy should not have statements with admin access
+type: control
description: "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'."
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH bad_policies AS (
- SELECT
- arn,
- COUNT(*) AS num_bad_statements
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- NOT is_aws_managed
- AND NOT is_attached
- AND s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- action = '*'
- OR action = '*:*'
- )
- GROUP BY
- arn
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH bad_policies AS (
+ SELECT
+ arn,
+ COUNT(*) AS num_bad_statements
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ NOT is_aws_managed
+ AND NOT is_attached
+ AND s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ action = '*'
+ OR action = '*:*'
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN bad.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- p.name || ' contains ' || COALESCE(bad.num_bad_statements, 0) ||
- ' statements that allow action "*" on resource "*".' AS reason
- FROM
- aws_iam_policy AS p
- LEFT JOIN bad_policies AS bad ON p.arn = bad.arn
- WHERE
- NOT p.is_aws_managed
- AND NOT is_attached;
+ GROUP BY
+ arn
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN bad.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ p.name || ' contains ' || COALESCE(bad.num_bad_statements, 0) ||
+ ' statements that allow action "*" on resource "*".' AS reason
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN bad_policies AS bad ON p.arn = bad.arn
+ WHERE
+ NOT p.is_aws_managed
+ AND NOT is_attached;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_iam_group_not_empty.yaml b/compliance/controls/aws/aws_iam_group_not_empty.yaml
index 2d2a3e92f..6a667d009 100644
--- a/compliance/controls/aws/aws_iam_group_not_empty.yaml
+++ b/compliance/controls/aws/aws_iam_group_not_empty.yaml
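Review bot: The outer query writes `END status` and an unqualified `AND NOT is_attached` next to the qualified `NOT p.is_aws_managed`, whereas sibling controls in this diff (e.g. aws_iam_group_not_empty) use `END AS status`; for consistency write `END AS status` and `AND NOT p.is_attached`. The result set also omits `account_id`, which most other controls here return after the reason column; if findings are keyed by account, add `p.account_id` after `AS reason,`.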
@@ -1,55 +1,56 @@
id: aws_iam_group_not_empty
title: IAM groups should have at least one user
+type: control
description: AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_group
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN users IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN users IS NULL THEN title || ' not associated with any IAM user.'
- ELSE title || ' associated with IAM user.'
- END AS reason,
- account_id
- FROM
- aws_iam_group;
+ language: sql
+ primary_resource: aws_iam_group
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN users IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN users IS NULL THEN title || ' not associated with any IAM user.'
+ ELSE title || ' associated with IAM user.'
+ END AS reason,
+ account_id
+ FROM
+ aws_iam_group;
severity: low
tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/IAM
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml b/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
index a090de6ef..b31a8a547 100644
--- a/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
+++ b/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
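Review bot: `WHEN users IS NULL THEN 'alarm'` is the only emptiness test, so a group whose `users` column holds an empty array (`[]`) rather than NULL would be reported `ok`; sibling controls in this diff treat these list columns as jsonb arrays (`jsonb_array_length(inline_policies)`), so if `users` is stored the same way the condition in both CASE expressions should be `WHEN COALESCE(jsonb_array_length(users), 0) = 0 THEN 'alarm'` — confirm against the collector. The `ok` reason could also carry the count, e.g. `ELSE title || ' associated with ' || jsonb_array_length(users) || ' IAM user(s).'`.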
@@ -1,87 +1,88 @@
id: aws_iam_group_user_role_no_inline_policies
title: IAM groups, users, and roles should not have any inline policies
+type: control
description: Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'aws_iam_user' AS platform_table_name,
- CASE
- WHEN inline_policies IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- 'User ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
- account_id
- FROM
- aws_iam_user
- UNION
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'aws_iam_role' AS platform_table_name,
- CASE
- WHEN inline_policies IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- 'Role ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
- account_id
- FROM
- aws_iam_role
- WHERE
- arn NOT LIKE '%service-role/%'
- UNION
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'aws_iam_group' AS platform_table_name,
- CASE
- WHEN inline_policies IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- 'Group ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
- account_id
- FROM
- aws_iam_group;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'aws_iam_user' AS platform_table_name,
+ CASE
+ WHEN inline_policies IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ 'User ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
+ account_id
+ FROM
+ aws_iam_user
+ UNION
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'aws_iam_role' AS platform_table_name,
+ CASE
+ WHEN inline_policies IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ 'Role ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
+ account_id
+ FROM
+ aws_iam_role
+ WHERE
+ arn NOT LIKE '%service-role/%'
+ UNION
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'aws_iam_group' AS platform_table_name,
+ CASE
+ WHEN inline_policies IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ 'Group ' || title || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline policies.' AS reason,
+ account_id
+ FROM
+ aws_iam_group;
severity: high
tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/IAM
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/IAM
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml b/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
index 9ce983d42..88edb4bb5 100644
--- a/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
+++ b/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
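Review bot: The three branches are combined with `UNION`, which sorts and de-duplicates, although users, roles and groups have distinct ARNs and every row already carries its own `platform_table_name`; `UNION ALL` yields the same rows without the dedup pass (the same applies to the `full_administrative_privilege_policies` CTE in aws_iam_inline_policy_no_administrative_privileges below). Separately, `WHEN inline_policies IS NULL THEN 'ok'` marks an identity whose `inline_policies` is an empty array as `alarm` while its reason reads "has 0 inline policies."; `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 THEN 'ok'` in each branch keeps status and reason consistent, assuming the collector can return `[]` — confirm.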
@@ -1,86 +1,87 @@
id: aws_iam_inline_policy_no_administrative_privileges
title: IAM inline policy should not have administrative privileges
+type: control
description: Ensure that no inline IAM policies exist that allow administrative privileges.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- WITH full_administrative_privilege_policies AS (
- SELECT
- arn,
- inline_policies_std,
- name,
- account_id,
- region,
- _ctx,
- 'iam_user' AS type,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_iam_user
- UNION
- SELECT
- arn,
- inline_policies_std,
- name,
- account_id,
- region,
- _ctx,
- 'iam_role' AS type,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_iam_role
- UNION
- SELECT
- arn,
- inline_policies_std,
- name,
- account_id,
- region,
- _ctx,
- 'iam_group' AS type,
- platform_integration_id,
- platform_resource_id
- FROM
- aws_iam_group
- ),
- bad_policies AS (
- SELECT
- arn,
- COUNT(*) AS statements_num
- FROM
- full_administrative_privilege_policies,
- jsonb_array_elements(inline_policies_std) AS policy_std,
- jsonb_array_elements(policy_std -> 'PolicyDocument' -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- (action = '*'
- OR action = '*:*'
- )
- )
- GROUP BY
- arn
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ WITH full_administrative_privilege_policies AS (
+ SELECT
+ arn,
+ inline_policies_std,
+ name,
+ account_id,
+ region,
+ _ctx,
+ 'iam_user' AS type,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_iam_user
+ UNION
+ SELECT
+ arn,
+ inline_policies_std,
+ name,
+ account_id,
+ region,
+ _ctx,
+ 'iam_role' AS type,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_iam_role
+ UNION
+ SELECT
+ arn,
+ inline_policies_std,
+ name,
+ account_id,
+ region,
+ _ctx,
+ 'iam_group' AS type,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ aws_iam_group
+ ),
+ bad_policies AS (
+ SELECT
+ arn,
+ COUNT(*) AS statements_num
+ FROM
+ full_administrative_privilege_policies,
+ jsonb_array_elements(inline_policies_std) AS policy_std,
+ jsonb_array_elements(policy_std -> 'PolicyDocument' -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ (action = '*'
+ OR action = '*:*'
+ )
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN bad.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- p.name || ' contains ' || COALESCE(bad.statements_num, 0) ||
- ' statements that allow action "*" on resource "*".' AS reason
- FROM
- full_administrative_privilege_policies AS p
- LEFT JOIN bad_policies AS bad ON p.arn = bad.arn;
+ GROUP BY
+ arn
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN bad.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ p.name || ' contains ' || COALESCE(bad.statements_num, 0) ||
+ ' statements that allow action "*" on resource "*".' AS reason
+ FROM
+ full_administrative_privilege_policies AS p
+ LEFT JOIN bad_policies AS bad ON p.arn = bad.arn;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml b/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml
index 0d77e6920..2e8383ebf 100644
--- a/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml
+++ b/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml
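Review bot: `primary_resource: aws_iam_user` is declared while the query unions users, roles and groups and, unlike aws_iam_group_user_role_no_inline_policies in this diff, returns no `platform_table_name`; if `primary_resource` is what maps a finding back to its table, role and group findings will be attributed to aws_iam_user. Consider `primary_resource: ""` plus a `platform_table_name` column, which the CTE's `type` column could supply if its values were `'aws_iam_user'`/`'aws_iam_role'`/`'aws_iam_group'`. The CTE also selects `account_id`, `region` and `_ctx` that the final SELECT never uses; either drop them or return `p.account_id` as the sibling controls do.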
@@ -1,49 +1,50 @@
id: aws_iam_managed_policy_attached_to_role
title: IAM AWS managed policies should be attached to IAM role
+type: control
description: This control checks if all AWS managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is non-compliant if an AWS managed policy is not attached to the IAM role.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH role_attached_policies AS (
- SELECT
- jsonb_array_elements_text(attached_policy_arns) AS policy_arn
- FROM
- aws_iam_role
- )
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN arn IN (SELECT policy_arn FROM role_attached_policies) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN arn IN (SELECT policy_arn FROM role_attached_policies) THEN title || ' attached to IAM role.'
- ELSE title || ' not attached to IAM role.'
- END AS reason,
- account_id
- FROM
- aws_iam_policy
- WHERE
- is_aws_managed;
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH role_attached_policies AS (
+ SELECT
+ jsonb_array_elements_text(attached_policy_arns) AS policy_arn
+ FROM
+ aws_iam_role
+ )
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN arn IN (SELECT policy_arn FROM role_attached_policies) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN arn IN (SELECT policy_arn FROM role_attached_policies) THEN title || ' attached to IAM role.'
+ ELSE title || ' not attached to IAM role.'
+ END AS reason,
+ account_id
+ FROM
+ aws_iam_policy
+ WHERE
+ is_aws_managed;
severity: medium
tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/IAM
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
index 82f420774..ac8e69827 100644
--- a/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
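Review bot: The description says the control checks policies "specified in the list of managed policies", but `parameters: []` declares no such list and the query filters only on `is_aws_managed`, so every AWS managed policy in the inventory that is not attached to some role will alarm, which is unlikely to be actionable; either expose the list as a parameter applied in the WHERE clause or reword the description to say what is actually checked. Stylistically, the `arn IN (SELECT policy_arn FROM role_attached_policies)` subquery is repeated in both CASE expressions; a single `EXISTS` predicate, or a `LEFT JOIN` on a `SELECT DISTINCT` version of the CTE, states the membership test once.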
@@ -1,74 +1,75 @@
id: aws_iam_policy_all_attached_no_star_star
title: Ensure IAM policies that allow full "*:*" administrative privileges are not attached
+type: control
description: IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH star_access_policies AS (
- SELECT
- arn,
- is_aws_managed,
- COUNT(*) AS num_bad_statements
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- action = '*'
- OR action = '*:*'
- )
- AND is_attached
- GROUP BY
- arn,
- is_aws_managed
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH star_access_policies AS (
+ SELECT
+ arn,
+ is_aws_managed,
+ COUNT(*) AS num_bad_statements
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ action = '*'
+ OR action = '*:*'
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info'
- WHEN s.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- CASE
- WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN
- p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- ELSE
- p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- END AS reason,
- p.account_id
- FROM
- aws_iam_policy AS p
- LEFT JOIN star_access_policies AS s
- ON p.arn = s.arn
- WHERE
- p.is_attached;
+ AND is_attached
+ GROUP BY
+ arn,
+ is_aws_managed
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info'
+ WHEN s.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ CASE
+ WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN
+ p.name || ' is an AWS managed policy with ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
+ ELSE
+ p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
+ END AS reason,
+ p.account_id
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN star_access_policies AS s
+ ON p.arn = s.arn
+ WHERE
+ p.is_attached;
severity: high
tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '1.22'
- cis_level:
- - '2'
- cis_section_id:
- - '1'
- cis_type:
- - scored
- cis_version:
- - v1.2.0
- plugin:
- - aws
- service:
- - AWS/IAM
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "1.22"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "1"
+ cis_type:
+ - scored
+ cis_version:
+ - v1.2.0
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
diff --git a/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
index 99285551d..b2add4f44 100644
--- a/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
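Review bot: `WHEN s.arn IS NOT NULL AND s.is_aws_managed THEN 'info'` means an attached AWS managed policy that allows `*` on `*` — the most common way full admin is granted — never produces an `alarm`, although the control is tagged CIS 1.22 and, to my reading, the CIS audit steps enumerate all attached policies rather than only customer managed ones; if the downgrade is intentional, state it in the description, otherwise return `'alarm'` for both branches and keep the distinct reason text. The `AND is_attached` filter in the CTE duplicates `WHERE p.is_attached` on the outer query; harmless, but one of them can go.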
@@ -1,59 +1,60 @@
id: aws_iam_policy_custom_attached_no_star_star
title: IAM policies should not allow full '*' administrative privileges
+type: control
description: "This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access that includes a statement with 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies."
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH star_access_policies AS (
- SELECT
- arn,
- COUNT(*) AS num_bad_statements
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- NOT is_aws_managed
- AND s ->> 'Effect' = 'Allow'
- AND resource = '*'
- AND (
- action = '*'
- OR action = '*:*'
- )
- AND is_attached
- GROUP BY arn
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH star_access_policies AS (
+ SELECT
+ arn,
+ COUNT(*) AS num_bad_statements
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ NOT is_aws_managed
+ AND s ->> 'Effect' = 'Allow'
+ AND resource = '*'
+ AND (
+ action = '*'
+ OR action = '*:*'
)
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' AS reason,
- p.account_id
- FROM
- aws_iam_policy AS p
- LEFT JOIN star_access_policies AS s ON p.arn = s.arn
- WHERE
- NOT p.is_aws_managed;
+ AND is_attached
+ GROUP BY arn
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ p.name || ' contains ' || COALESCE(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".' AS reason,
+ p.account_id
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN star_access_policies AS s ON p.arn = s.arn
+ WHERE
+ NOT p.is_aws_managed;
severity: high
tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - secure_access_management
- foundational_security_item_id:
- - iam_1
- plugin:
- - aws
- service:
- - AWS/IAM
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - secure_access_management
+ foundational_security_item_id:
+ - iam_1
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
index 0e2b97379..cfd541750 100644
--- a/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
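Review bot: The `star_access_policies` CTE filters `AND is_attached` but the outer query filters only `NOT p.is_aws_managed`, so an unattached customer managed policy with `Action: *` on `Resource: *` is reported `ok` with the reason "contains 0 statements that allow action "*" on resource "*"", which is false. Either add `AND p.is_attached` to the outer WHERE, making this the customer-managed counterpart of aws_iam_policy_all_attached_no_star_star, or drop `AND is_attached` from the CTE so the control checks every customer managed policy as its description says; since aws_iam_custom_policy_unattached_no_star_star in this diff already covers the unattached case, the former keeps the two controls disjoint.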
@@ -1,40 +1,41 @@
id: aws_iam_policy_custom_no_assume_role
title: IAM roles should not have any assume role policies attached
+type: control
description: Role assume policies can provide access to roles in external AWS accounts.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_user
- definition: |
- WITH filter_users AS (
- SELECT
- user_id,
- name,
- policies
- FROM
- aws_iam_user,
- JSONB_ARRAY_ELEMENTS_TEXT(inline_policies) AS policies
- WHERE
- policies LIKE '%AssumeRole%'
- )
- SELECT
- u.arn AS resource,
- u.platform_integration_id AS platform_integration_id,
- u.platform_resource_id AS platform_resource_id,
- CASE
- WHEN fu.user_id IS NOT NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN fu.user_id IS NOT NULL THEN u.name || ' custom policies allow STS Role assumption.'
- ELSE u.name || ' custom policies does not allow STS Role assumption.'
- END AS reason
- FROM
- aws_iam_user AS u
- LEFT JOIN filter_users AS fu ON u.user_id = fu.user_id
- ORDER BY
- u.name;
+ language: sql
+ primary_resource: aws_iam_user
+ definition: |
+ WITH filter_users AS (
+ SELECT
+ user_id,
+ name,
+ policies
+ FROM
+ aws_iam_user,
+ JSONB_ARRAY_ELEMENTS_TEXT(inline_policies) AS policies
+ WHERE
+ policies LIKE '%AssumeRole%'
+ )
+ SELECT
+ u.arn AS resource,
+ u.platform_integration_id AS platform_integration_id,
+ u.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN fu.user_id IS NOT NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN fu.user_id IS NOT NULL THEN u.name || ' custom policies allow STS Role assumption.'
+ ELSE u.name || ' custom policies does not allow STS Role assumption.'
+ END AS reason
+ FROM
+ aws_iam_user AS u
+ LEFT JOIN filter_users AS fu ON u.user_id = fu.user_id
+ ORDER BY
+ u.name;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
index ac2cb3936..5e8cadb8c 100644
--- a/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
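Review bot: `filter_users` returns one row per inline policy that matches `LIKE '%AssumeRole%'`, so a user with several such policies appears several times after the `LEFT JOIN`, i.e. duplicate `resource` rows; `SELECT DISTINCT user_id` in the CTE (its `name` and `policies` columns are never used) or an `EXISTS` predicate removes the duplication. The substring match on the raw policy text also fires on `Deny` statements, on `sts:AssumeRoleWithSAML`/`sts:AssumeRoleWithWebIdentity`, and on the word appearing in a `Sid`; testing `s ->> 'Effect' = 'Allow'` and the expanded `action` from `inline_policies_std`, as the sibling controls do, is more precise. The title speaks of IAM roles while the query scans `aws_iam_user`, and no `account_id` is returned unlike most controls in this diff.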
@@ -1,67 +1,68 @@
id: aws_iam_policy_custom_no_blocked_kms_actions
title: Ensure managed IAM policies should not allow blocked actions on KMS keys
+type: control
description: Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is non-compliant if any blocked action is allowed on AWS KMS keys by the managed IAM policy.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_iam_policy
- definition: |
- WITH kms_blocked_actions AS (
- SELECT
- arn,
- COUNT(*) AS statements_num
- FROM
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') AS s,
- jsonb_array_elements_text(s -> 'Resource') AS resource,
- jsonb_array_elements_text(s -> 'Action') AS action
- WHERE
- NOT is_aws_managed
- AND s ->> 'Effect' = 'Allow'
- AND action LIKE ANY(ARRAY['kms:decrypt', 'kms:reencryptfrom'])
- GROUP BY
- arn
- )
- SELECT
- p.arn AS resource,
- p.platform_integration_id AS platform_integration_id,
- p.platform_resource_id AS platform_resource_id,
- CASE
- WHEN w.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END status,
- p.name || ' contains ' || COALESCE(w.statements_num, 0) || ' statements that allow blocked actions on AWS KMS keys.' AS reason,
- p.account_id
- FROM
- aws_iam_policy AS p
- LEFT JOIN kms_blocked_actions AS w ON p.arn = w.arn
- WHERE
- NOT p.is_aws_managed;
+ language: sql
+ primary_resource: aws_iam_policy
+ definition: |
+ WITH kms_blocked_actions AS (
+ SELECT
+ arn,
+ COUNT(*) AS statements_num
+ FROM
+ aws_iam_policy,
+ jsonb_array_elements(policy_std -> 'Statement') AS s,
+ jsonb_array_elements_text(s -> 'Resource') AS resource,
+ jsonb_array_elements_text(s -> 'Action') AS action
+ WHERE
+ NOT is_aws_managed
+ AND s ->> 'Effect' = 'Allow'
+ AND action LIKE ANY(ARRAY['kms:decrypt', 'kms:reencryptfrom'])
+ GROUP BY
+ arn
+ )
+ SELECT
+ p.arn AS resource,
+ p.platform_integration_id AS platform_integration_id,
+ p.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN w.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ p.name || ' contains ' || COALESCE(w.statements_num, 0) || ' statements that allow blocked actions on AWS KMS keys.' AS reason,
+ p.account_id
+ FROM
+ aws_iam_policy AS p
+ LEFT JOIN kms_blocked_actions AS w ON p.arn = w.arn
+ WHERE
+ NOT p.is_aws_managed;
severity: high
tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/IAM
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
index cf79c2507..7570c371f 100644
--- a/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
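Review bot: `action LIKE ANY(ARRAY['kms:decrypt', 'kms:reencryptfrom'])` contains no wildcards, so it is plain equality and never matches `kms:*` or `*`, which grant the same blocked actions; if `policy_std` lower-cases actions (the lowercase literals suggest so — confirm), `action = ANY(ARRAY['kms:decrypt', 'kms:reencryptfrom', 'kms:*', '*'])` covers them, and a `resource` check can be added if only statements scoped to KMS keys should count. The CTE also joins `jsonb_array_elements_text(s -> 'Resource') AS resource` but never references `resource`, so `statements_num` is multiplied by the number of resources in each statement; drop that join or filter on it.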
@@ -1,48 +1,49 @@ id: aws_iam_policy_custom_no_permissive_role_assumption title: IAM custom policy should not have overly permissive STS role assumption +type: control description: Ensure that no custom IAM policies exist which allow permissive role assumption. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH bad_policies AS ( - SELECT - arn, - COUNT(*) AS num - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - NOT is_aws_managed - AND s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = 'sts:*' - OR action = 'sts:AssumeRole' - ) - GROUP BY - arn + language: sql + primary_resource: aws_iam_policy + definition: | + WITH bad_policies AS ( + SELECT + arn, + COUNT(*) AS num + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + NOT is_aws_managed + AND s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = 'sts:*' + OR action = 'sts:AssumeRole' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - p.name || ' contains ' || COALESCE(b.num, 0) || - ' statements that allow overly permissive STS role assumption.' 
AS reason - FROM - aws_iam_policy AS p - LEFT JOIN bad_policies AS b ON p.arn = b.arn - WHERE - NOT is_aws_managed; + GROUP BY + arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + p.name || ' contains ' || COALESCE(b.num, 0) || + ' statements that allow overly permissive STS role assumption.' AS reason + FROM + aws_iam_policy AS p + LEFT JOIN bad_policies AS b ON p.arn = b.arn + WHERE + NOT is_aws_managed; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml b/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml index bff975309..2994f1c75 100644 --- a/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml +++ b/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml 
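Review bot: The action match in bad_policies compares against the mixed-case literal `'sts:AssumeRole'`, while the other controls in this diff compare policy_std actions against lowercased literals such as `'kms:reencryptfrom'`, which suggests policy_std normalizes action case; if that is so, `OR action = 'sts:AssumeRole'` never matches and the control only catches `*` and `sts:*`. Either lowercase the literal, `OR action = 'sts:assumerole'`, or compare case-insensitively with `OR LOWER(action) = 'sts:assumerole'`, after confirming which normalization policy_std applies. The outer filter is written `WHERE NOT is_aws_managed` here but `WHERE NOT p.is_aws_managed` in the neighbouring controls; qualifying it keeps the files uniform and guards against a future column of the same name in the CTE.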
@@ -1,102 +1,103 @@ id: aws_iam_policy_inline_no_blocked_kms_actions title: Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys +type: control description: Checks if the inline policies attached to IAM users, roles, and groups do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is non-compliant if any blocked action is allowed on all KMS keys in an inline policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - WITH iam_resource_types AS ( - SELECT - arn, - inline_policies_std, - name, - account_id, - region, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_user' AS platform_table_name, - _ctx - FROM - aws_iam_user - UNION - SELECT - arn, - inline_policies_std, - name, - account_id, - region, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_role' AS platform_table_name, - _ctx - FROM - aws_iam_role - UNION - SELECT - arn, - inline_policies_std, - name, - account_id, - region, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_group' AS platform_table_name, - _ctx - FROM - aws_iam_group - ), - kms_blocked_actions AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - iam_resource_types, - jsonb_array_elements(inline_policies_std) AS policy_std, - jsonb_array_elements(policy_std -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND action LIKE ANY(ARRAY['kms:decrypt','kms:decrypt*', 'kms:reencryptfrom', 'kms:*', 'kms:reencrypt*']) - GROUP BY - arn - ) - SELECT - u.arn AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id 
AS platform_resource_id, - u.platform_table_name AS platform_table_name, - CASE - WHEN w.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - u.name || ' contains ' || COALESCE(w.statements_num, 0) || ' inline policy statement(s) that allow blocked actions on AWS KMS keys.' AS reason, - u.account_id - FROM - iam_resource_types AS u - LEFT JOIN kms_blocked_actions AS w ON u.arn = w.arn; + language: sql + primary_resource: "" + definition: | + WITH iam_resource_types AS ( + SELECT + arn, + inline_policies_std, + name, + account_id, + region, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_user' AS platform_table_name, + _ctx + FROM + aws_iam_user + UNION + SELECT + arn, + inline_policies_std, + name, + account_id, + region, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_role' AS platform_table_name, + _ctx + FROM + aws_iam_role + UNION + SELECT + arn, + inline_policies_std, + name, + account_id, + region, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_group' AS platform_table_name, + _ctx + FROM + aws_iam_group + ), + kms_blocked_actions AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + iam_resource_types, + jsonb_array_elements(inline_policies_std) AS policy_std, + jsonb_array_elements(policy_std -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND action LIKE ANY(ARRAY['kms:decrypt','kms:decrypt*', 'kms:reencryptfrom', 'kms:*', 'kms:reencrypt*']) + GROUP BY + arn + ) + SELECT + u.arn AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + u.platform_table_name AS platform_table_name, + CASE + WHEN w.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + 
u.name || ' contains ' || COALESCE(w.statements_num, 0) || ' inline policy statement(s) that allow blocked actions on AWS KMS keys.' AS reason, + u.account_id + FROM + iam_resource_types AS u + LEFT JOIN kms_blocked_actions AS w ON u.arn = w.arn; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cisa_cyber_essentials: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml b/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml index abc6507c0..4bb6a4f12 100644 --- a/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml +++ b/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml 
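Review bot: kms_blocked_actions unpacks `jsonb_array_elements_text(s -> 'Resource') AS resource` but never filters on it, so each matching action is counted once per Resource entry and statements_num over-reports, while the "on all KMS keys" condition in the description is not actually enforced; add `AND resource = '*'` as the cloudtrail and star-star controls in this diff do, or drop the Resource join if the intent is any KMS resource. The `LIKE ANY(ARRAY[...])` patterns contain no `%` or `_`, so `'kms:decrypt*'` and `'kms:reencrypt*'` only match those literal strings, and a statement granting the same rights through `*` alone is not caught; if literal matching is intended, `action IN (...)` states that plainly. The three-way `UNION` in iam_resource_types can be `UNION ALL`, since user, role and group ARNs are disjoint and the dedup sort is wasted.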
@@ -1,44 +1,45 @@ id: aws_iam_policy_no_full_access_to_cloudtrail title: IAM policy should not grant full access to cloudtrail service +type: control description: CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular. This control is non-compliant if the managed IAM policy allows full access to cloudtrail service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH cloudtrail_full_access_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - NOT is_aws_managed - AND s ->> 'Effect' = 'Allow' - AND resource = '*' - AND action = 'cloudtrail:*' - GROUP BY - arn - ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN w.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - p.name || ' contains ' || COALESCE(w.statements_num, 0) || - ' statements that allow action "*" on cloudtrail service on resource "*".' 
AS reason - FROM - aws_iam_policy AS p - LEFT JOIN cloudtrail_full_access_policies AS w ON p.arn = w.arn - WHERE - NOT p.is_aws_managed; + language: sql + primary_resource: aws_iam_policy + definition: | + WITH cloudtrail_full_access_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + NOT is_aws_managed + AND s ->> 'Effect' = 'Allow' + AND resource = '*' + AND action = 'cloudtrail:*' + GROUP BY + arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN w.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + p.name || ' contains ' || COALESCE(w.statements_num, 0) || + ' statements that allow action "*" on cloudtrail service on resource "*".' AS reason + FROM + aws_iam_policy AS p + LEFT JOIN cloudtrail_full_access_policies AS w ON p.arn = w.arn + WHERE + NOT p.is_aws_managed; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml b/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml index 6bf062c42..f3bd79f75 100644 --- a/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml +++ b/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml 
@@ -1,44 +1,45 @@ id: aws_iam_policy_no_full_access_to_kms title: IAM policy should not grant full access to KMS service +type: control description: KMS is a critical service and IAM policies should follow least privilege model for this service in particular. This control is non-compliant if the managed IAM policy allows full access to KMS service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH cloudtrail_full_access_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - NOT is_aws_managed - AND s ->> 'Effect' = 'Allow' - AND resource = '*' - AND action = 'cloudtrail:*' - GROUP BY - arn - ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN w.arn IS NULL THEN 'ok' - ELSE 'alarm' - END status, - p.name || ' contains ' || COALESCE(w.statements_num,0) || - ' statements that allow action "*" on cloudtrail service on resource "*".' 
AS reason - FROM - aws_iam_policy AS p - LEFT JOIN cloudtrail_full_access_policies AS w ON p.arn = w.arn - WHERE - NOT p.is_aws_managed; + language: sql + primary_resource: aws_iam_policy + definition: | + WITH cloudtrail_full_access_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + NOT is_aws_managed + AND s ->> 'Effect' = 'Allow' + AND resource = '*' + AND action = 'cloudtrail:*' + GROUP BY + arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN w.arn IS NULL THEN 'ok' + ELSE 'alarm' + END status, + p.name || ' contains ' || COALESCE(w.statements_num,0) || + ' statements that allow action "*" on cloudtrail service on resource "*".' AS reason + FROM + aws_iam_policy AS p + LEFT JOIN cloudtrail_full_access_policies AS w ON p.arn = w.arn + WHERE + NOT p.is_aws_managed; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_policy_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_no_star_star.yaml index 2f4a11b47..dbac9b183 100644 --- a/compliance/controls/aws/aws_iam_policy_no_star_star.yaml +++ b/compliance/controls/aws/aws_iam_policy_no_star_star.yaml 
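Review bot: This control is titled and described as checking full access to KMS, but the new definition still filters `AND action = 'cloudtrail:*'` and names the CTE and reason text after cloudtrail, so it reports on CloudTrail and never flags `kms:*`; it reads as a copy of aws_iam_policy_no_full_access_to_cloudtrail that was not adapted. Change the predicate to `AND action = 'kms:*'`, the reason to `' statements that allow action "*" on kms service on resource "*".'`, and rename the CTE to `kms_full_access_policies`. Until then the two controls produce identical findings and the KMS one is a false negative for every policy it is meant to catch.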
@@ -1,59 +1,60 @@ id: aws_iam_policy_no_star_star title: IAM policy should not have statements with admin access +type: control description: "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'." integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH bad_policies AS ( - SELECT - arn, - COUNT(*) AS num_bad_statements - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Resource') AS resource, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - s ->> 'Effect' = 'Allow' - AND resource = '*' - AND ( - action = '*' - OR action = '*:*' - ) - GROUP BY - arn + language: sql + primary_resource: aws_iam_policy + definition: | + WITH bad_policies AS ( + SELECT + arn, + COUNT(*) AS num_bad_statements + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Resource') AS resource, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + s ->> 'Effect' = 'Allow' + AND resource = '*' + AND ( + action = '*' + OR action = '*:*' ) - SELECT - p.arn AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN bad.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - p.name || ' contains ' || COALESCE(bad.num_bad_statements, 0) || - ' statements that allow action "*" on resource "*".' 
AS reason, - p.account_id - FROM - aws_iam_policy AS p - LEFT JOIN bad_policies AS bad ON p.arn = bad.arn - WHERE - p.arn NOT LIKE 'arn:aws:iam::aws:policy%' + GROUP BY + arn + ) + SELECT + p.arn AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN bad.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + p.name || ' contains ' || COALESCE(bad.num_bad_statements, 0) || + ' statements that allow action "*" on resource "*".' AS reason, + p.account_id + FROM + aws_iam_policy AS p + LEFT JOIN bad_policies AS bad ON p.arn = bad.arn + WHERE + p.arn NOT LIKE 'arn:aws:iam::aws:policy%' severity: low tags: - pci: - - 'true' - pci_item_id: - - iam_3 - pci_requirements: - - 7.2.1 - pci_version: - - v3.2.1 - plugin: - - aws - service: - - iam + pci: + - "true" + pci_item_id: + - iam_3 + pci_requirements: + - 7.2.1 + pci_version: + - v3.2.1 + plugin: + - aws + service: + - iam diff --git a/compliance/controls/aws/aws_iam_policy_unused.yaml b/compliance/controls/aws/aws_iam_policy_unused.yaml index 3aa421fb5..4e0f344d4 100644 --- a/compliance/controls/aws/aws_iam_policy_unused.yaml +++ b/compliance/controls/aws/aws_iam_policy_unused.yaml 
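Review bot: The outer filter `p.arn NOT LIKE 'arn:aws:iam::aws:policy%'` only excludes AWS managed policies in the `aws` partition; managed policy ARNs in other partitions such as `aws-us-gov` or `aws-cn` carry a different prefix and would be reported as customer policies with admin access. The sibling controls in this diff use the table's own flag, so `WHERE NOT p.is_aws_managed` is both partition-safe and consistent with them. bad_policies itself scans managed policies as well and could carry the same `NOT is_aws_managed` predicate so that statements which are discarded afterwards are not counted.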
@@ -1,65 +1,66 @@ id: aws_iam_policy_unused title: IAM policy should be in use +type: control description: This control checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH in_use_policies AS ( - SELECT - attached_policy_arns - FROM - aws_iam_user - UNION - SELECT - attached_policy_arns - FROM - aws_iam_group - WHERE - jsonb_array_length(users) > 0 - UNION - SELECT - attached_policy_arns - FROM - aws_iam_role - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN arn IN ( - SELECT jsonb_array_elements_text(attached_policy_arns) - FROM in_use_policies - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN arn IN ( - SELECT jsonb_array_elements_text(attached_policy_arns) - FROM in_use_policies - ) THEN title || ' in use.' - ELSE title || ' not in use.' - END AS reason, - account_id - FROM - aws_iam_policy; + language: sql + primary_resource: aws_iam_policy + definition: | + WITH in_use_policies AS ( + SELECT + attached_policy_arns + FROM + aws_iam_user + UNION + SELECT + attached_policy_arns + FROM + aws_iam_group + WHERE + jsonb_array_length(users) > 0 + UNION + SELECT + attached_policy_arns + FROM + aws_iam_role + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN arn IN ( + SELECT jsonb_array_elements_text(attached_policy_arns) + FROM in_use_policies + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN arn IN ( + SELECT jsonb_array_elements_text(attached_policy_arns) + FROM in_use_policies + ) THEN title || ' in use.' + ELSE title || ' not in use.' 
+ END AS reason, + account_id + FROM + aws_iam_policy; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml b/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml index 24433e143..7f7ae4b82 100644 --- a/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml +++ b/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml 
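Review bot: The subquery `SELECT jsonb_array_elements_text(attached_policy_arns) FROM in_use_policies` is repeated verbatim inside both CASE expressions, so the status and the reason are computed from two copies that can drift apart on a later edit; hoist it into a second CTE, e.g. `attached AS (SELECT DISTINCT jsonb_array_elements_text(attached_policy_arns) AS policy_arn FROM in_use_policies)`, and test membership once with `EXISTS (SELECT 1 FROM attached AS a WHERE a.policy_arn = aws_iam_policy.arn)` in both branches. The description says a role counts only when it has one or more trusted entities, but the role branch of in_use_policies has no such condition, so either the description or the query should change.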
@@ -1,40 +1,41 @@ id: aws_iam_role_no_administrator_access_policy_attached title: Ensure IAM role not attached with Administratoraccess policy +type: control description: AWS IAM role should not be attached Administratoraccess policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH admin_roles AS ( - SELECT - arn, - name, - attachments - FROM - aws_iam_role, - JSONB_ARRAY_ELEMENTS_TEXT(attached_policy_arns) AS attachments - WHERE - SPLIT_PART(attachments, '/', 2) = 'AdministratorAccess' - ) - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN ar.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ar.arn IS NOT NULL THEN r.name || ' have AdministratorAccess policy attached.' - ELSE r.name || ' does not have AdministratorAccess policy attached.' - END AS reason - FROM - aws_iam_role AS r - LEFT JOIN admin_roles ar ON r.arn = ar.arn - ORDER BY - r.name; + language: sql + primary_resource: aws_iam_role + definition: | + WITH admin_roles AS ( + SELECT + arn, + name, + attachments + FROM + aws_iam_role, + JSONB_ARRAY_ELEMENTS_TEXT(attached_policy_arns) AS attachments + WHERE + SPLIT_PART(attachments, '/', 2) = 'AdministratorAccess' + ) + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN ar.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ar.arn IS NOT NULL THEN r.name || ' have AdministratorAccess policy attached.' + ELSE r.name || ' does not have AdministratorAccess policy attached.' + END AS reason + FROM + aws_iam_role AS r + LEFT JOIN admin_roles ar ON r.arn = ar.arn + ORDER BY + r.name; severity: low tags: {} 
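Review bot: admin_roles matches on `SPLIT_PART(attachments, '/', 2) = 'AdministratorAccess'`, i.e. the name segment only, so a customer-managed policy that merely shares the name also matches while the reason text asserts the AWS managed policy; if the managed policy is the intent, `WHERE attachments LIKE '%:iam::aws:policy/AdministratorAccess'` is unambiguous, otherwise the title and reason should say "a policy named AdministratorAccess". The alarm reason `' have AdministratorAccess policy attached.'` should read `' has AdministratorAccess policy attached.'`. Unlike the neighbouring IAM controls the result omits `account_id`, and the trailing `ORDER BY r.name` does no work for a control result set.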
diff --git a/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml b/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml index e4ae31680..5a9f8baba 100644 --- a/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml +++ b/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml 
@@ -1,50 +1,51 @@ id: aws_iam_role_should_not_have_trust_to_cognito_full_access title: AWS IAM role should not have permissive trust with the Cognito Identity service and "FullAccess" permissions -description: '' +type: control +description: "" integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH cognito_access AS ( - SELECT role_id, - COUNT(*) AS num_cognito_access - FROM aws_iam_role, - jsonb_array_elements(assume_role_policy->'Statement') AS stmt - WHERE stmt->'Principal'->>'Federated' = 'cognito-identity.amazonaws.com' - AND split_part(permissions_boundary_arn, '/', 2) LIKE '%FullAccess%' - GROUP BY role_id - HAVING COUNT(*) > 0 - ) - - SELECT role.arn AS resource, - role.platform_integration_id AS platform_integration_id, - role.platform_resource_id AS platform_resource_id, - CASE - WHEN cognito_access.role_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cognito_access.role_id IS NULL THEN role.role_id || ' does not have cognito access' - ELSE role.role_id || ' contains ' || cognito_access.num_cognito_access || ' cognito access' - END AS reason, - role.region, - role.account_id - FROM aws_iam_role AS role - LEFT JOIN cognito_access ON cognito_access.role_id = role.role_id; + language: sql + primary_resource: aws_iam_role + definition: | + WITH cognito_access AS ( + SELECT role_id, + COUNT(*) AS num_cognito_access + FROM aws_iam_role, + jsonb_array_elements(assume_role_policy->'Statement') AS stmt + WHERE stmt->'Principal'->>'Federated' = 'cognito-identity.amazonaws.com' + AND split_part(permissions_boundary_arn, '/', 2) LIKE '%FullAccess%' + GROUP BY role_id + HAVING COUNT(*) > 0 + ) + + SELECT role.arn AS resource, + role.platform_integration_id AS platform_integration_id, + role.platform_resource_id AS platform_resource_id, + CASE + WHEN cognito_access.role_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN 
cognito_access.role_id IS NULL THEN role.role_id || ' does not have cognito access' + ELSE role.role_id || ' contains ' || cognito_access.num_cognito_access || ' cognito access' + END AS reason, + role.region, + role.account_id + FROM aws_iam_role AS role + LEFT JOIN cognito_access ON cognito_access.role_id = role.role_id; severity: critical tags: - category: [] - cis: [] - cis_item_id: [] - cis_level: [] - cis_section_id: [] - cis_type: [] - cis_version: [] - plugin: [] - service: [] - x-kaytu-explanation: [] - x-kaytu-noncompliance-cost: [] - x-kaytu-usefulness-example: [] + category: [] + cis: [] + cis_item_id: [] + cis_level: [] + cis_section_id: [] + cis_type: [] + cis_version: [] + plugin: [] + service: [] + x-kaytu-explanation: [] + x-kaytu-noncompliance-cost: [] + x-kaytu-usefulness-example: [] diff --git a/compliance/controls/aws/aws_iam_role_unused_60.yaml b/compliance/controls/aws/aws_iam_role_unused_60.yaml index 0ed193e9a..bfa5b2ff7 100644 --- a/compliance/controls/aws/aws_iam_role_unused_60.yaml +++ b/compliance/controls/aws/aws_iam_role_unused_60.yaml 
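Review bot: cognito_access decides "FullAccess permissions" from `split_part(permissions_boundary_arn, '/', 2) LIKE '%FullAccess%'`, but a permissions boundary is a ceiling, not a grant, so a role whose attached policies are FullAccess with no boundary passes, and a role with a FullAccess boundary but tightly scoped policies alarms; the attached policies (`attached_policy_arns`, which the other role controls in this diff already unpack) are what the title describes. The CTE also reads the raw `assume_role_policy` where the sibling controls use the `_std` normalized documents, and `stmt->'Principal'->>'Federated'` yields NULL when Federated is a JSON array, so multi-principal trust statements are skipped; `HAVING COUNT(*) > 0` is always true after GROUP BY. The file's description is `""`, so the control carries no explanation of what it flags; a one-line description stating the trust-plus-permission combination it detects is needed. The rewritten CTE below keeps the outer SELECT unchanged.
```sql
WITH cognito_access AS (
  SELECT role_id,
    COUNT(*) AS num_cognito_access
  FROM aws_iam_role,
    jsonb_array_elements(assume_role_policy -> 'Statement') AS stmt,
    jsonb_array_elements_text(attached_policy_arns) AS attachment
  WHERE stmt ->> 'Effect' = 'Allow'
    AND stmt -> 'Principal' ->> 'Federated' = 'cognito-identity.amazonaws.com'
    AND split_part(attachment, '/', 2) LIKE '%FullAccess%'
  GROUP BY role_id
)
-- … unchanged: outer SELECT over aws_iam_role AS role LEFT JOIN cognito_access …
```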
@@ -1,29 +1,30 @@ id: aws_iam_role_unused_60 title: IAM roles that have not been used in 60 days should be removed +type: control description: This control checks whether the IAM role has been used in 60 days. Unused accounts and roles increase the attack surface area. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN role_last_used_date <= (CURRENT_DATE - INTERVAL '60' DAY) OR role_last_used_date IS NULL - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN role_last_used_date IS NULL - THEN name || ' was never used.' - ELSE name || ' was last used ' || TO_CHAR(role_last_used_date , 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM CURRENT_DATE - role_last_used_date) || ' days ago).' - END AS reason - FROM - aws_iam_role; + language: sql + primary_resource: aws_iam_role + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN role_last_used_date <= (CURRENT_DATE - INTERVAL '60' DAY) OR role_last_used_date IS NULL + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN role_last_used_date IS NULL + THEN name || ' was never used.' + ELSE name || ' was last used ' || TO_CHAR(role_last_used_date , 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM CURRENT_DATE - role_last_used_date) || ' days ago).' + END AS reason + FROM + aws_iam_role; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_root_last_used.yaml b/compliance/controls/aws/aws_iam_root_last_used.yaml index 0c132a0b8..ed53f89a3 100644 --- a/compliance/controls/aws/aws_iam_root_last_used.yaml +++ b/compliance/controls/aws/aws_iam_root_last_used.yaml 
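Review bot: The status branch `OR role_last_used_date IS NULL` alarms every role that has never been used, including roles created less than 60 days ago, so freshly provisioned roles fail the control before they have had a chance to be used; if aws_iam_role exposes the role's creation time, the NULL branch should additionally require that time to be older than 60 days, and if it does not, the description should state that never-used roles alarm immediately. The result omits `account_id`, which the neighbouring controls emit and which the findings need to be attributed across accounts.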
@@ -1,57 +1,58 @@ id: aws_iam_root_last_used title: Eliminate use of the 'root' user for administrative and daily tasks +type: control description: This control checks whether the root user has been used in the last 90 days. The control fails if the root user has been used in the last 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm' - WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' - WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN password_last_used IS NULL THEN 'Root never logged in with password.' - ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - password_last_used) || ' days).' - END || - CASE - WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' - ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_1_last_used_date) || ' days).' - END || - CASE - WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' - ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_2_last_used_date) || ' days).' 
- END AS reason, - account_id - FROM - aws_iam_credential_report - WHERE - user_name = ''; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_last_used >= (current_date - INTERVAL '90' day) THEN 'alarm' + WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' + WHEN access_key_2_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN password_last_used IS NULL THEN 'Root never logged in with password.' + ELSE 'Root password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - password_last_used) || ' days).' + END || + CASE + WHEN access_key_1_last_used_date IS NULL THEN ' Access Key 1 never used.' + ELSE ' Access Key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_1_last_used_date) || ' days).' + END || + CASE + WHEN access_key_2_last_used_date IS NULL THEN ' Access Key 2 never used.' + ELSE ' Access Key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || ' (' || EXTRACT(day FROM current_timestamp - access_key_2_last_used_date) || ' days).' + END AS reason, + account_id + FROM + aws_iam_credential_report + WHERE + user_name = ''; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.7' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.7" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/IAM 
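Review bot: The two access-key branches of the status CASE are inverted relative to the password branch and to the description: `WHEN access_key_1_last_used_date <= (current_date - INTERVAL '90' day) THEN 'alarm'` alarms when the key was last used more than 90 days ago and returns 'ok' when root used it yesterday, while the password branch correctly uses `>=`. Both lines should read `WHEN access_key_1_last_used_date >= (current_date - INTERVAL '90' day) THEN 'alarm'` and `WHEN access_key_2_last_used_date >= (current_date - INTERVAL '90' day) THEN 'alarm'`. As written, recent root access-key activity, the case the CIS item exists to catch, is reported as compliant.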
diff --git a/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml index 85c8e0d8b..78d04d408 100644 --- a/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml 
@@ -1,68 +1,69 @@ id: aws_iam_root_user_hardware_mfa_enabled title: IAM root user hardware MFA should be enabled +type: control description: Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || s.partition || ':::' || s.account_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled AND serial_number IS NULL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN account_mfa_enabled = FALSE THEN 'MFA not enabled for root account.' - WHEN serial_number IS NOT NULL THEN 'MFA enabled for root account, but the MFA associated is a virtual device.' - ELSE 'Hardware MFA device enabled for root account.' - END reason, - s.account_id - FROM - aws_iam_account_summary AS s - LEFT JOIN - aws_iam_virtual_mfa_device - ON - serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device'; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || s.partition || ':::' || s.account_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled AND serial_number IS NULL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN account_mfa_enabled = FALSE THEN 'MFA not enabled for root account.' + WHEN serial_number IS NOT NULL THEN 'MFA enabled for root account, but the MFA associated is a virtual device.' + ELSE 'Hardware MFA device enabled for root account.' 
+ END reason, + s.account_id + FROM + aws_iam_account_summary AS s + LEFT JOIN + aws_iam_virtual_mfa_device + ON + serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device'; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml index 09be40561..13da3198d 100644 --- a/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml 
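Review bot: The join `serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device'` recognizes a virtual root MFA only under that fixed device name; root can now register several MFA devices with chosen names, so a virtual device created under any other name is not matched and the control reports 'Hardware MFA device enabled for root account.' for it. If aws_iam_virtual_mfa_device exposes the owning user, join on that instead of the literal name; otherwise the description should state that only the default device name is recognized. The unqualified `serial_number` and `account_mfa_enabled` references work today but read more safely with table aliases, since the LEFT JOIN target has no alias at all.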
@@ -1,63 +1,64 @@ id: aws_iam_root_user_mfa_enabled title: IAM root user MFA should be enabled +type: control description: Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_mfa_enabled THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN account_mfa_enabled THEN 'MFA enabled for root account.' - ELSE 'MFA not enabled for root account.' - END reason, - account_id - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_mfa_enabled THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN account_mfa_enabled THEN 'MFA enabled for root account.' + ELSE 'MFA not enabled for root account.' 
+ END reason, + account_id + FROM + aws_iam_account_summary; severity: critical tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml b/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml index 0d35c2fee..f1c31f63c 100644 --- a/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml +++ b/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml 
@@ -1,65 +1,66 @@ id: aws_iam_root_user_no_access_keys title: IAM root user should not have access keys +type: control description: Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_account_summary - definition: | - SELECT - 'arn:' || partition || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_access_keys_present > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' - ELSE 'No root user access keys exist.' - END AS reason, - account_id - FROM - aws_iam_account_summary; + language: sql + primary_resource: aws_iam_account_summary + definition: | + SELECT + 'arn:' || partition || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_access_keys_present > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_access_keys_present > 0 THEN 'Root user access keys exist.' + ELSE 'No root user access keys exist.' 
+ END AS reason, + account_id + FROM + aws_iam_account_summary; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_security_audit_role.yaml b/compliance/controls/aws/aws_iam_security_audit_role.yaml index e15aa255c..18216a016 100644 --- a/compliance/controls/aws/aws_iam_security_audit_role.yaml +++ b/compliance/controls/aws/aws_iam_security_audit_role.yaml 
@@ -1,50 +1,51 @@ id: aws_iam_security_audit_role title: IAM Security Audit role should be created to conduct security audits +type: control description: Ensure IAM Security Audit role is created. By creating an IAM role with a security audit policy, a distinct segregation of responsibilities is established between the security team and other teams within the organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH security_audit_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r - ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn - ON TRUE - WHERE - policy_arn = 'arn:aws:iam::aws:policy/SecurityAudit' - GROUP BY - a.account_id, - a.partition, - a._ctx, - a.platform_integration_id, - a.platform_resource_id - ) - SELECT - resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT = 1 THEN 'SecurityAudit policy attached to 1 role.' - WHEN COUNT > 1 THEN 'SecurityAudit policy attached to ' || COUNT || ' roles.' - ELSE 'SecurityAudit policy not attached to any role.' 
- END AS reason - FROM - security_audit_role_count; + language: sql + primary_resource: aws_iam_role + definition: | + WITH security_audit_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r + ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn + ON TRUE + WHERE + policy_arn = 'arn:aws:iam::aws:policy/SecurityAudit' + GROUP BY + a.account_id, + a.partition, + a._ctx, + a.platform_integration_id, + a.platform_resource_id + ) + SELECT + resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT = 1 THEN 'SecurityAudit policy attached to 1 role.' + WHEN COUNT > 1 THEN 'SecurityAudit policy attached to ' || COUNT || ' roles.' + ELSE 'SecurityAudit policy not attached to any role.' + END AS reason + FROM + security_audit_role_count; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml b/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml index 856a4af73..c7cd1ea6b 100644 --- a/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml +++ b/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml 
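Review bot: The `WHERE policy_arn = 'arn:aws:iam::aws:policy/SecurityAudit'` filter runs after the two LEFT JOINs, so accounts with no matching role are dropped from the CTE and the `ELSE 'alarm'` branch can never fire; the `aws_iam_support_role` hunk has the same shape, with the same effect for accounts whose roles all carry some other policy. Move the predicate into the join, `LEFT JOIN jsonb_array_elements_text(r.attached_policy_arns) AS policy_arn ON policy_arn = 'arn:' || a.partition || ':iam::aws:policy/SecurityAudit'`, and drop the WHERE clause so every account is counted, with 0 producing the alarm. Building the ARN from `a.partition` also removes the hard-coded `aws` partition, which makes GovCloud and China accounts alarm unconditionally here and pass unconditionally in the `aws_iam_user_group_role_cloudshell_fullaccess_restricted` hunk. Aliasing the aggregate, `COUNT(policy_arn) AS policy_count`, avoids relying on the implicit `count` column name in `COUNT > 0`, and the final SELECT omits the `account_id` output column that the other controls in this change return.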
@@ -1,47 +1,48 @@ id: aws_iam_server_certificate_not_expired title: Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed +type: control description: To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN - name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - ELSE - name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' - END AS reason, - account_id - FROM - aws_iam_server_certificate; + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < (current_date - INTERVAL '1' SECOND) THEN + name || ' expired ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' 
+ ELSE + name || ' valid until ' || TO_CHAR(expiration, 'DD-Mon-YYYY') || '.' + END AS reason, + account_id + FROM + aws_iam_server_certificate; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.19' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.19" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_support_role.yaml b/compliance/controls/aws/aws_iam_support_role.yaml index d53b4f06d..357b6ce23 100644 --- a/compliance/controls/aws/aws_iam_support_role.yaml +++ b/compliance/controls/aws/aws_iam_support_role.yaml 
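Review bot: The expiry test `expiration < (current_date - INTERVAL '1' SECOND)` compares against 23:59:59 of the previous day, so a certificate that expired earlier today is reported `ok` and `valid until` until midnight; compare against the current instant instead, `WHEN expiration < CURRENT_TIMESTAMP THEN 'alarm'`, in both CASE expressions. A NULL `expiration` also falls through to `ok`; if that is not intended, an explicit `WHEN expiration IS NULL THEN 'alarm'` branch makes the fail-closed choice visible. `current_date` is the only lowercase keyword in these definitions; `CURRENT_DATE` would match the surrounding files.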
@@ -1,70 +1,71 @@ id: aws_iam_support_role title: Ensure a support role has been created to manage incidents with AWS Support +type: control description: AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH support_role_count AS ( - SELECT - 'arn:' || a.partition || ':::' || a.account_id AS resource, - COUNT(policy_arn), - a.account_id, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - a._ctx - FROM - aws_account AS a - LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id - LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON true - WHERE - SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' - OR policy_arn IS NULL - GROUP BY - a.account_id, - a.partition, - a.platform_integration_id, - a.platform_resource_id, - a._ctx - ) - SELECT - resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' - WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' - ELSE 'AWSSupportAccess policy not attached to any role.' 
- END AS reason, - account_id - FROM - support_role_count; + language: sql + primary_resource: aws_account + definition: | + WITH support_role_count AS ( + SELECT + 'arn:' || a.partition || ':::' || a.account_id AS resource, + COUNT(policy_arn), + a.account_id, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + a._ctx + FROM + aws_account AS a + LEFT JOIN aws_iam_role AS r ON r.account_id = a.account_id + LEFT JOIN jsonb_array_elements_text(attached_policy_arns) AS policy_arn ON true + WHERE + SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess' + OR policy_arn IS NULL + GROUP BY + a.account_id, + a.partition, + a.platform_integration_id, + a.platform_resource_id, + a._ctx + ) + SELECT + resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT = 1 THEN 'AWSSupportAccess policy attached to 1 role.' + WHEN COUNT > 1 THEN 'AWSSupportAccess policy attached to ' || COUNT || ' roles.' + ELSE 'AWSSupportAccess policy not attached to any role.' + END AS reason, + account_id + FROM + support_role_count; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.20' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - score_tags: - - Problem Identities - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.20" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + score_tags: + - Problem Identities + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml b/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml index 2fef3438d..6e480b274 100644 --- a/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml 
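Review bot: `SPLIT_PART(policy_arn, '/', 2) = 'AWSSupportAccess'` matches on the policy name alone, so any customer-managed policy that happens to be named AWSSupportAccess satisfies the control whether or not it grants support access; compare the full AWS-managed ARN, `policy_arn = 'arn:' || a.partition || ':iam::aws:policy/AWSSupportAccess'`. The `OR policy_arn IS NULL` clause only retains accounts that have at least one role with no attached policies (or no roles), so an account whose roles all carry other policies vanishes from the result instead of alarming; moving the predicate into the `jsonb_array_elements_text` join condition and dropping the WHERE fixes both. `COUNT(policy_arn)` is unaliased; `AS policy_count` with `WHEN policy_count > 0` reads better than the implicit `count` column.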
+++ b/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml 
@@ -1,43 +1,44 @@ id: aws_iam_user_access_key_age_90 title: IAM user access keys should be rotated at least every 90 days +type: control description: The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' AS reason, - account_id - FROM - aws_iam_access_key; + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || ' ' || access_key_id || ' created ' || TO_CHAR(create_date, 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - create_date) || ' days).' 
AS reason, + account_id + FROM + aws_iam_access_key; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.4' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.4" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml b/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml index b10de4e75..b76e36be7 100644 --- a/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml +++ b/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml 
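Review bot: The 90-day test is applied regardless of whether the key is active, so a deactivated key older than 90 days alarms at `high` alongside live ones; if `aws_iam_access_key` exposes the key status (not visible in this hunk), gate the alarm on it, e.g. `WHEN status = 'Active' AND create_date <= (CURRENT_DATE - INTERVAL '90' DAY) THEN 'alarm'`. The status branch measures age from `CURRENT_DATE` while the reason uses `CURRENT_TIMESTAMP`, so the day count shown can disagree with the threshold by one at the boundary; using the same reference in both keeps the message consistent. A NULL `create_date` makes the whole `||` chain NULL, leaving the row with an empty reason.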
@@ -1,38 +1,39 @@ id: aws_iam_user_access_key_unused_45 title: Ensure IAM users with access keys unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using access keys. It is recommended that access keys that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT access_key_1_active THEN 'ok' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - WHEN NOT access_key_2_active THEN 'ok' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT access_key_1_active THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' 
- END AS reason - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT access_key_1_active THEN 'ok' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + WHEN NOT access_key_2_active THEN 'ok' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT access_key_1_active THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml b/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml index f7d9b3e56..1aea53f84 100644 --- a/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml +++ b/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml 
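Review bot: The first branch of the status CASE, `WHEN NOT access_key_1_active THEN 'ok'`, returns before key 2 is examined, so a user whose key 1 is inactive but whose active key 2 has never been used or is stale beyond 45 days is reported `ok`. Remove that branch and the later redundant `WHEN NOT access_key_2_active THEN 'ok'`; the remaining alarm branches already require the respective key to be active, and the final `ELSE 'ok'` covers everything else. The two reason CASEs are independent of each other and unaffected. This definition and the one in the `aws_iam_user_console_access_unused_45` hunk also omit the `account_id` output column the other controls in this change return.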
@@ -1,49 +1,50 @@ id: aws_iam_user_access_keys_and_password_at_setup title: Ensure IAM users are assigned access keys and passwords at setup +type: control description: This control checks whether the IAM users have access keys and passwords at setup. The control fails if the IAM users do not have access keys and passwords at setup. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' - WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) - THEN user_name || ' has access key created during user creation and password login enabled.' - ELSE user_name || ' has access key not created during user creation.' - END AS reason, - account_id - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN access_key_1_last_rotated IS NULL THEN user_name || ' has no access keys.' 
+ WHEN password_enabled AND (EXTRACT(EPOCH FROM (access_key_1_last_rotated - user_creation_time)) < 10) + THEN user_name || ' has access key created during user creation and password login enabled.' + ELSE user_name || ' has access key not created during user creation.' + END AS reason, + account_id + FROM + aws_iam_credential_report; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.21' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - not_scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.21" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - not_scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml index 3de5a51ce..d62fb56f1 100644 --- a/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml 
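Review bot: Only `access_key_1_last_rotated` is compared with `user_creation_time`, so a user whose setup-time key is reported as key 2 (for example after key 1 was rotated or deleted) passes as `ok`; extend the predicate with `OR EXTRACT(EPOCH FROM (access_key_2_last_rotated - user_creation_time)) < 10` in both CASE expressions. The 10-second window is unexplained; a comment such as `-- 10 s: key created in the same provisioning step as the user` would record the intent. Since the report only carries the last rotation time, the signal disappears once the initial key is rotated, which is worth stating in the description.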
@@ -1,66 +1,67 @@ id: aws_iam_user_console_access_mfa_enabled title: IAM users with console access should have MFA enabled +type: control description: Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN password_enabled AND NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN user_name || ' password login disabled.' - WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' - ELSE user_name || ' password login enabled and MFA device configured.' - END AS reason, - account_id - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN password_enabled AND NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN user_name || ' password login disabled.' + WHEN password_enabled AND NOT mfa_active THEN user_name || ' password login enabled but no MFA device configured.' + ELSE user_name || ' password login enabled and MFA device configured.' 
+ END AS reason, + account_id + FROM + aws_iam_credential_report; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml b/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml index 793653bd6..eb9ca5b22 100644 --- a/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml +++ b/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml 
@@ -1,29 +1,30 @@ id: aws_iam_user_console_access_unused_45 title: Ensure IAM users with console access unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using console access. It is recommended that console access that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT password_enabled THEN 'ok' - WHEN password_enabled AND password_last_used IS NULL THEN 'alarm' - WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled THEN ' password not enabled.' - WHEN password_enabled AND password_last_used IS NULL THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used.' - ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || '.' - END AS reason - FROM aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT password_enabled THEN 'ok' + WHEN password_enabled AND password_last_used IS NULL THEN 'alarm' + WHEN password_enabled AND password_last_used < (CURRENT_DATE - INTERVAL '45' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled THEN ' password not enabled.' + WHEN password_enabled AND password_last_used IS NULL THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used.' + ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM aws_iam_credential_report; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml b/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml index 73222a5fa..272ed351d 100644 --- a/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml +++ b/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml 
@@ -1,87 +1,88 @@ id: aws_iam_user_group_role_cloudshell_fullaccess_restricted title: Ensure access to AWSCloudShellFullAccess is restricted +type: control description: This control checks whether the AWSCloudShellFullAccess policy is attached to any IAM user, group, or role. The control fails if the policy is attached to any IAM user, group, or role. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_user' AS platform_table_name, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'User ' || title || ' has access to AWSCloudShellFullAccess.' - ELSE 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.' - END AS reason, - account_id - FROM - aws_iam_user - UNION - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_role' AS platform_table_name, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'Role ' || title || ' has access to AWSCloudShellFullAccess.' - ELSE 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.' 
- END AS reason, - account_id - FROM - aws_iam_role - UNION - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_iam_group' AS platform_table_name, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' - THEN 'Group ' || title || ' has access to AWSCloudShellFullAccess.' - ELSE 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.' - END AS reason, - account_id - FROM - aws_iam_group; + language: sql + primary_resource: "" + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_user' AS platform_table_name, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'User ' || title || ' has access to AWSCloudShellFullAccess.' + ELSE 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.' + END AS reason, + account_id + FROM + aws_iam_user + UNION + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_role' AS platform_table_name, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'Role ' || title || ' has access to AWSCloudShellFullAccess.' + ELSE 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.' 
+ END AS reason, + account_id + FROM + aws_iam_role + UNION + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_iam_group' AS platform_table_name, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' + THEN 'Group ' || title || ' has access to AWSCloudShellFullAccess.' + ELSE 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.' + END AS reason, + account_id + FROM + aws_iam_group; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.22' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - manual - cis_version: - - v2.0.0 - - v2.0.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.22" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - manual + cis_version: + - v2.0.0 + - v2.0.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_in_group.yaml b/compliance/controls/aws/aws_iam_user_in_group.yaml index 3c7795989..fe282c058 100644 --- a/compliance/controls/aws/aws_iam_user_in_group.yaml +++ b/compliance/controls/aws/aws_iam_user_in_group.yaml 
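Review bot: The three branches are combined with `UNION`, which sorts and deduplicates rows that are already distinct by `resource` and `platform_table_name`; `UNION ALL` returns the same rows without the extra work and makes the intent explicit. The `tags` block on the new side lists `v2.0.0` twice under `cis_version`, which looks like a copy-paste duplicate to drop. `primary_resource: ""` leaves the control without a primary resource while each branch sets its own `platform_table_name`; if that is intentional a short comment on the field would help the next reader.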
@@ -1,57 +1,58 @@ id: aws_iam_user_in_group title: IAM users should be in at least one group +type: control description: AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(groups) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN jsonb_array_length(groups) = 0 THEN title || ' not associated with any IAM group.' - ELSE title || ' associated with IAM group.' - END AS reason, - account_id - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(groups) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN jsonb_array_length(groups) = 0 THEN title || ' not associated with any IAM group.' + ELSE title || ' associated with IAM group.' 
+ END AS reason, + account_id + FROM + aws_iam_user; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml index 258d0a5c4..68ec9d42b 100644 --- a/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml 
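Review bot: `jsonb_array_length(groups) = 0` in both CASE expressions only fires when `groups` holds a JSON array; if the column is NULL for a user with no group memberships, the comparison yields UNKNOWN and the user falls through to 'ok', so the control fails open on exactly the rows it exists to catch. Whether `groups` can be NULL is not visible in the hunk, so confirm against the table definition; if it can, use `WHEN COALESCE(jsonb_array_length(groups), 0) = 0 THEN 'alarm'` in the status CASE and the same predicate in the reason CASE so status and message agree. The sibling user controls in this diff already wrap the same column family in `COALESCE(jsonb_array_length(...), 0)` for their reason text, so this also brings the predicate in line with them.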
@@ -1,63 +1,64 @@ id: aws_iam_user_mfa_enabled title: IAM user MFA should be enabled +type: control description: Enable this rule to restrict access to resources in the AWS Cloud. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT mfa_active THEN user_name || ' MFA device not configured.' - ELSE user_name || ' MFA device configured.' - END AS reason, - account_id - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT mfa_active THEN user_name || ' MFA device not configured.' + ELSE user_name || ' MFA device configured.' 
+ END AS reason, + account_id + FROM + aws_iam_credential_report; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml b/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml index 3f8f66c06..5e861d3b5 100644 --- a/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml +++ b/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml 
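Review bot: `WHEN NOT mfa_active THEN 'alarm' ELSE 'ok'` reports 'ok' when `mfa_active` is NULL, because `NOT NULL` is UNKNOWN and the CASE falls through to ELSE; a credential-report row whose MFA state is unknown should not pass an MFA control. If the column is nullable (not visible here), `WHEN mfa_active IS NOT TRUE THEN 'alarm'` fails closed, and the reason CASE should use the same predicate so the message matches the status.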
@@ -1,63 +1,64 @@ id: aws_iam_user_no_inline_attached_policies title: IAM user should not have any inline or attached policies +type: control description: This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || - COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' AS reason, - account_id - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN inline_policies IS NULL AND attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(inline_policies), 0) || ' inline and ' || + COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' directly attached policies.' 
AS reason, + account_id + FROM + aws_iam_user; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_user_no_policies.yaml b/compliance/controls/aws/aws_iam_user_no_policies.yaml index 57ba6fa1b..19de1285b 100644 --- a/compliance/controls/aws/aws_iam_user_no_policies.yaml +++ b/compliance/controls/aws/aws_iam_user_no_policies.yaml 
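Review bot: The status CASE grants 'ok' only on `inline_policies IS NULL AND attached_policy_arns IS NULL`, while the reason text counts with `COALESCE(jsonb_array_length(...), 0)`, so a user whose columns hold an empty JSON array rather than NULL is reported 'alarm' with a reason of "0 inline and 0 directly attached policies". Deciding status on the same counts removes the contradiction: `WHEN COALESCE(jsonb_array_length(inline_policies), 0) = 0 AND COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'`. The same `attached_policy_arns IS NULL` test appears in the aws_iam_user_no_policies hunk below and should be changed the same way. Whether the collector emits an empty array or NULL for a user with no policies is not visible in the diff, so verify that before relying on either form.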
@@ -1,44 +1,45 @@ id: aws_iam_user_no_policies title: Ensure IAM policies are attached only to groups or roles +type: control description: By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' attached policies.' AS reason, - account_id - FROM - aws_iam_user; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || COALESCE(jsonb_array_length(attached_policy_arns), 0) || ' attached policies.' AS reason, + account_id + FROM + aws_iam_user; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.16' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - score_tags: - - Problem Identities - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.16" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + score_tags: + - Problem Identities + service: + - AWS/IAM 
diff --git a/compliance/controls/aws/aws_iam_user_one_active_key.yaml b/compliance/controls/aws/aws_iam_user_one_active_key.yaml
index eb8541cdb..d2667f8cf 100644
--- a/compliance/controls/aws/aws_iam_user_one_active_key.yaml
+++ b/compliance/controls/aws/aws_iam_user_one_active_key.yaml
@@ -1,57 +1,58 @@ id: aws_iam_user_one_active_key title: Ensure there is only one active access key available for any single IAM user +type: control description: Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.arn AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(k.*) > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - u.name || ' has ' || COUNT(k.*) || ' active access key(s).' AS reason, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN - aws_iam_access_key AS k - ON - u.name = k.user_name - AND u.account_id = k.account_id - WHERE - k.status = 'Active' OR k.status IS NULL - GROUP BY - u.arn, - u.name, - u.account_id, - u.tags, - u.platform_integration_id, - u.platform_resource_id, - u._ctx; + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.arn AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(k.*) > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + u.name || ' has ' || COUNT(k.*) || ' active access key(s).' 
AS reason, + u.account_id + FROM + aws_iam_user AS u + LEFT JOIN + aws_iam_access_key AS k + ON + u.name = k.user_name + AND u.account_id = k.account_id + WHERE + k.status = 'Active' OR k.status IS NULL + GROUP BY + u.arn, + u.name, + u.account_id, + u.tags, + u.platform_integration_id, + u.platform_resource_id, + u._ctx; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.13' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.13" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml b/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml index c58a77aa9..12458fef8 100644 --- a/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml +++ b/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml 
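Review bot: The `k.status = 'Active' OR k.status IS NULL` filter sits in `WHERE`, which for a LEFT JOIN drops a user entirely once they have keys and all of them are inactive: every joined row carries a non-NULL, non-'Active' status, none survives the filter, and the user appears in the results as neither 'ok' nor 'alarm'. Moving the condition into the join keeps one row per user: add `AND k.status = 'Active'` to the `ON` clause and delete the `WHERE` clause, after which `COUNT(k.*)` is 0 for users with no active key and the existing CASE and reason work unchanged.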
@@ -1,88 +1,89 @@ id: aws_iam_user_unused_credentials_45 title: Ensure credentials unused for 45 days or greater are disabled +type: control description: AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled - AND password_last_used IS NULL - AND password_last_changed < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - WHEN password_enabled - AND password_last_used < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active - AND access_key_1_last_used_date IS NULL - AND access_key_1_last_rotated < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_1_active - AND access_key_1_last_used_date < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active - AND access_key_2_last_used_date IS NULL - AND access_key_2_last_rotated < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - WHEN access_key_2_active - AND access_key_2_last_used_date < (current_date - INTERVAL '45' DAY) - THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled - AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active - AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || 
TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active - AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason, - account_id - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled + AND password_last_used IS NULL + AND password_last_changed < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + WHEN password_enabled + AND password_last_used < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active + AND access_key_1_last_used_date IS NULL + AND access_key_1_last_rotated < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_1_active + AND access_key_1_last_used_date < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active + AND access_key_2_last_used_date IS NULL + AND access_key_2_last_rotated < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + WHEN access_key_2_active + AND access_key_2_last_used_date < (current_date - INTERVAL '45' DAY) + THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled + AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN 
access_key_1_active + AND access_key_1_last_used_date IS NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active + AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason, + account_id + FROM + aws_iam_credential_report; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.12' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/IAM + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.12" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/IAM diff --git a/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml b/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml index 2c943879d..64082025c 100644 --- a/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml +++ b/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml 
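Review bot: The 45-day threshold is repeated as the literal `INTERVAL '45' DAY` in six predicates, and the aws_iam_user_unused_credentials_90 hunk below is the same query with `'90'` substituted, so the two controls will drift the first time one of them is edited. The last hunk of this diff already shows the project's mechanism for this — a `parameters:` entry rendered as `'{{.name}}'::int` — which would let a single definition serve both thresholds; at minimum a header comment in the definition, `-- CIS 1.12: alarm on console passwords and access keys that are enabled but unused for 45+ days`, would make the repeated constant greppable. The `WHEN user_name = '' THEN 'info'` branch is also undocumented; a one-line comment stating which credential-report rows carry an empty user name (presumably the account-level entry, not visible here) would tell the next maintainer why those rows are neither 'ok' nor 'alarm'.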
@@ -1,97 +1,98 @@ id: aws_iam_user_unused_credentials_90 title: IAM user credentials that have not been used in 90 days should be disabled +type: control description: AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN user_name = '' - THEN 'info' - WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (current_date - INTERVAL '90' day) - THEN 'alarm' - WHEN password_enabled AND password_last_used < (current_date - INTERVAL '90' day) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (current_date - INTERVAL '90' day) - THEN 'alarm' - WHEN access_key_1_active AND access_key_1_last_used_date < (current_date - INTERVAL '90' day) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (current_date - INTERVAL '90' day) - THEN 'alarm' - WHEN access_key_2_active AND access_key_2_last_used_date < (current_date - INTERVAL '90' day) - THEN 'alarm' - ELSE 'ok' - END AS status, - user_name || - CASE - WHEN NOT password_enabled - THEN ' password not enabled,' - WHEN password_enabled AND password_last_used IS NULL - THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - ELSE - ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_1_active - THEN ' key 1 not enabled,' - WHEN access_key_1_active AND access_key_1_last_used_date IS NULL - THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' - ELSE - ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - END || - CASE - WHEN NOT access_key_2_active - THEN ' key 2 not enabled.' - WHEN access_key_2_active AND access_key_2_last_used_date IS NULL - THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - ELSE - ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - END AS reason, - account_id - FROM - aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_name = '' + THEN 'info' + WHEN password_enabled AND password_last_used IS NULL AND password_last_changed < (current_date - INTERVAL '90' day) + THEN 'alarm' + WHEN password_enabled AND password_last_used < (current_date - INTERVAL '90' day) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date IS NULL AND access_key_1_last_rotated < (current_date - INTERVAL '90' day) + THEN 'alarm' + WHEN access_key_1_active AND access_key_1_last_used_date < (current_date - INTERVAL '90' day) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL AND access_key_2_last_rotated < (current_date - INTERVAL '90' day) + THEN 'alarm' + WHEN access_key_2_active AND access_key_2_last_used_date < (current_date - INTERVAL '90' day) + THEN 'alarm' + ELSE 'ok' + END AS status, + user_name || + CASE + WHEN NOT password_enabled + THEN ' password not enabled,' + WHEN password_enabled AND password_last_used IS NULL + THEN ' password created ' || TO_CHAR(password_last_changed, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' password used ' || TO_CHAR(password_last_used, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_1_active + THEN ' key 1 not enabled,' + WHEN access_key_1_active AND access_key_1_last_used_date IS 
NULL + THEN ' key 1 created ' || TO_CHAR(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' + ELSE + ' key 1 used ' || TO_CHAR(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' + END || + CASE + WHEN NOT access_key_2_active + THEN ' key 2 not enabled.' + WHEN access_key_2_active AND access_key_2_last_used_date IS NULL + THEN ' key 2 created ' || TO_CHAR(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' + ELSE + ' key 2 used ' || TO_CHAR(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' + END AS reason, + account_id + FROM + aws_iam_credential_report; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/IAM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/IAM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml index 1370967f5..6af1dffba 100644 --- a/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml 
+++ b/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml 
@@ -1,42 +1,43 @@ id: aws_iam_user_with_administrator_access_mfa_enabled title: IAM administrator users should have MFA enabled +type: control description: Manage access to resources in the AWS Cloud by ensuring MFA is enabled for users with administrative privileges. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH admin_users AS ( - SELECT - user_id, - name, - attachments - FROM - aws_iam_user, - jsonb_array_elements_text(attached_policy_arns) AS attachments - WHERE - split_part(attachments, '/', 2) = 'AdministratorAccess' - ) - SELECT - u.arn AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN au.user_id IS NULL THEN 'skip' - WHEN au.user_id IS NOT NULL AND u.mfa_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN au.user_id IS NULL THEN u.name || ' does not have administrator access.' - WHEN au.user_id IS NOT NULL AND u.mfa_enabled THEN u.name || ' has MFA token enabled.' - ELSE u.name || ' has MFA token disabled.' - END AS reason - FROM - aws_iam_user AS u - LEFT JOIN admin_users au ON u.user_id = au.user_id - ORDER BY - u.name; + language: sql + primary_resource: aws_iam_user + definition: | + WITH admin_users AS ( + SELECT + user_id, + name, + attachments + FROM + aws_iam_user, + jsonb_array_elements_text(attached_policy_arns) AS attachments + WHERE + split_part(attachments, '/', 2) = 'AdministratorAccess' + ) + SELECT + u.arn AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN au.user_id IS NULL THEN 'skip' + WHEN au.user_id IS NOT NULL AND u.mfa_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN au.user_id IS NULL THEN u.name || ' does not have administrator access.' + WHEN au.user_id IS NOT NULL AND u.mfa_enabled THEN u.name || ' has MFA token enabled.' 
+ ELSE u.name || ' has MFA token disabled.' + END AS reason + FROM + aws_iam_user AS u + LEFT JOIN admin_users au ON u.user_id = au.user_id + ORDER BY + u.name; severity: low tags: {} diff --git a/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml b/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml index b8b03e84a..44a0657d9 100644 --- a/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml +++ b/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml 
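Review bot: This definition omits `account_id` from the SELECT list, while every other control in this diff returns it as the last column, so any consumer that reads it per result row gets nothing for this control; add `u.account_id` after `END AS reason`. The `admin_users` CTE also yields one row per matching attachment, and `split_part(attachments, '/', 2) = 'AdministratorAccess'` matches any policy with that name regardless of the ARN's account segment, so a user holding both the AWS-managed policy and a customer-managed policy of the same name produces two CTE rows and is reported twice after the LEFT JOIN; `SELECT DISTINCT user_id` in the CTE, or an `EXISTS` subquery in place of the join, keeps one row per user. The `au.user_id IS NOT NULL AND` in the second WHEN of both CASEs is redundant after the first WHEN has handled the NULL case and can be dropped for readability.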
@@ -1,50 +1,51 @@ id: aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days title: IAM Users with API Keys should have keys rotated every X days +type: control description: IAM Users with API Keys should have keys rotated every X days integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsIamUserKeyRotateDays - value: '' +- key: awsIamUserKeyRotateDays + value: "" policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - (DATE(current_timestamp) - DATE(access_key_1_last_rotated)), - (DATE(current_timestamp) - DATE(access_key_2_last_rotated)), + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + (DATE(current_timestamp) - DATE(access_key_1_last_rotated)), + (DATE(current_timestamp) - DATE(access_key_2_last_rotated)), + CASE + WHEN + (access_key_1_active AND + (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) OR + (access_key_2_active AND + (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (access_key_1_active AND + (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) OR + (access_key_2_active AND + (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) + THEN CASE - WHEN - (access_key_1_active AND - (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) OR - (access_key_2_active AND - (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) - THEN 'alarm' - ELSE 'ok' - END AS 
status, - CASE - WHEN (access_key_1_active AND - (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) OR - (access_key_2_active AND - (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) - THEN - CASE - WHEN (access_key_1_last_rotated IS NULL) THEN 'key last rotated in ' || (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) || ' days' - WHEN (access_key_2_last_rotated IS NULL) THEN 'key last rotated in ' || (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) || ' days' - ELSE 'key last rotated in ' || GREATEST((DATE(current_timestamp) - DATE(access_key_1_last_rotated)), (DATE(current_timestamp) - DATE(access_key_2_last_rotated))) || ' days' - END - ELSE 'keys rotated recently' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report + WHEN (access_key_1_last_rotated IS NULL) THEN 'key last rotated in ' || (DATE(current_timestamp) - DATE(access_key_2_last_rotated)) || ' days' + WHEN (access_key_2_last_rotated IS NULL) THEN 'key last rotated in ' || (DATE(current_timestamp) - DATE(access_key_1_last_rotated)) || ' days' + ELSE 'key last rotated in ' || GREATEST((DATE(current_timestamp) - DATE(access_key_1_last_rotated)), (DATE(current_timestamp) - DATE(access_key_2_last_rotated))) || ' days' + END + ELSE 'keys rotated recently' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report severity: medium tags: - category: - - Compliance - score_service_name: - - AWS Identity and Access Management (IAM) + category: + - Compliance + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml b/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml index 4d85e16df..7b90791b7 100644 --- a/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml 
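Review bot: The rotation threshold is substituted as `'{{.awsIamUserKeyRotateDays}}'::int` while the declared default is `value: ""`, so running the control without a configured parameter makes Postgres fail with `invalid input syntax for type integer: ""` instead of producing a result; `NULLIF('{{.awsIamUserKeyRotateDays}}', '')::int` with a documented fallback (CIS recommends 90 days) would fail safe, and since the same expression is repeated four times, computing the threshold once in a CTE would also shrink the query. The substitution is textual, so whatever validates the parameter upstream is all that stops a non-numeric value from changing the SQL; that assumption deserves a comment in the definition. Separately, the reason text `'key last rotated in ' || ... || ' days'` reads as a future date for a number that is an age; `' days ago'` says what is measured.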
+++ b/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml @@ -1,33 +1,34 @@ id: aws_iam_users_with_console_access_are_required_to_have_MFA title: IAM Users with Console Access are required to have MFA +type: control description: IAM Users with Console Access are required to have MFA integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - user_arn AS resource, - CASE - WHEN NOT(mfa_active::bool) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT(mfa_active::bool) THEN 'MFA is not enabled for ' || user_name - ELSE user_name || ' has MFA' - END AS reason, - u.platform_resource_id, - u.platform_integration_id, - u.account_id - FROM - aws_iam_credential_report cr - INNER JOIN aws_iam_user u - ON cr.user_arn = u.arn - WHERE - NOT(login_profile ->> 'UserName' IS NULL) + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + user_arn AS resource, + CASE + WHEN NOT(mfa_active::bool) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT(mfa_active::bool) THEN 'MFA is not enabled for ' || user_name + ELSE user_name || ' has MFA' + END AS reason, + u.platform_resource_id, + u.platform_integration_id, + u.account_id + FROM + aws_iam_credential_report cr + INNER JOIN aws_iam_user u + ON cr.user_arn = u.arn + WHERE + NOT(login_profile ->> 'UserName' IS NULL) severity: low tags: - score_service_name: - - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml b/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml index 393887d6c..31bcdf37a 100644 --- a/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml 
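Review bot: The file is named `..._are_requried_to_have_MFA.yaml` while its `id` is `aws_iam_users_with_console_access_are_required_to_have_MFA`, so path and id disagree by a typo; if anything keys controls by filename, references to the id will not resolve, and this reformatting commit was the natural place to rename it. `WHERE NOT(login_profile ->> 'UserName' IS NULL)` is a roundabout `login_profile ->> 'UserName' IS NOT NULL`. The `mfa_active::bool` cast suggests the credential-report column is text in this schema; if so, `user_arn`, `user_name` and `mfa_active` should be qualified with `cr.` so the join cannot become ambiguous if `aws_iam_user` later grows a same-named column.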
+++ b/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml @@ -1,26 +1,27 @@ id: aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled title: Kinesis firehose delivery streams should have server side encryption enabled +type: control description: Enable server side encryption (SSE) of your Kinesis firehose delivery stream, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kinesis_firehose_delivery_stream - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' THEN title || ' server side encryption enabled.' - ELSE title || ' server side encryption disabled.' - END AS reason - FROM - aws_kinesis_firehose_delivery_stream; + language: sql + primary_resource: aws_kinesis_firehose_delivery_stream + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' THEN title || ' server side encryption enabled.' + ELSE title || ' server side encryption disabled.' + END AS reason + FROM + aws_kinesis_firehose_delivery_stream; severity: low tags: {} 
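Review bot: Every `Status` other than `ENABLED` is reported as 'server side encryption disabled', but the Firehose `DeliveryStreamEncryptionConfiguration.Status` field also carries transitional and failure values (`ENABLING`, `ENABLING_FAILED`, `DISABLING`, `DISABLING_FAILED`), so a stream whose enable request failed gets the same wording as one never configured, and a stream mid-transition flips between scans. The reason should at least surface the observed value, e.g. `ELSE title || ' server side encryption not enabled (status: ' || COALESCE(delivery_stream_encryption_configuration ->> 'Status', 'none') || ').'`. If I recall the service semantics correctly, delivery streams sourced from a Kinesis data stream inherit encryption from the source and cannot enable their own SSE, which would make them permanent false alarms here; worth confirming and, if so, skipping on the source type.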
diff --git a/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml index dacee1ba0..9c0608473 100644 --- a/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml @@ -1,26 +1,27 @@ id: aws_kinesis_stream_encrypted_with_kms_cmk title: Kinesis streams should be encrypted with CMK +type: control description: Ensure Kinesis streams are encrypted using CMK. Using KMS CMK, you gain full control over who can use the keys to access AWS Kinesis data (including the system metadata). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kinesis_stream - definition: | - SELECT - stream_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'KMS' AND key_id <> 'alias/aws/kinesis' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'KMS' AND key_id <> 'alias/aws/kinesis' THEN title || ' encrypted with CMK.' - ELSE title || ' not encrypted with CMK.' - END AS reason - FROM - aws_kinesis_stream; + language: sql + primary_resource: aws_kinesis_stream + definition: | + SELECT + stream_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'KMS' AND key_id <> 'alias/aws/kinesis' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'KMS' AND key_id <> 'alias/aws/kinesis' THEN title || ' encrypted with CMK.' + ELSE title || ' not encrypted with CMK.' + END AS reason + FROM + aws_kinesis_stream; severity: low tags: {} 
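Review bot: The alarm branch lumps 'no encryption at all' (`encryption_type` NULL or `NONE`) together with 'encrypted with the AWS-managed key' under the single reason `' not encrypted with CMK.'`, which hides the more serious case from whoever triages the finding. The AWS-managed key is also only recognised by the literal `alias/aws/kinesis`; if the collector records the key by ARN or key id for some streams, those would pass as customer-managed, which is worth confirming. A three-way reason keeps the status unchanged but makes the finding specific:

```sql
  END AS status,
  CASE
    WHEN encryption_type = 'KMS' AND key_id <> 'alias/aws/kinesis' THEN title || ' encrypted with CMK.'
    WHEN encryption_type = 'KMS' THEN title || ' encrypted with the AWS-managed key, not a CMK.'
    ELSE title || ' not encrypted at rest.'
  END AS reason
-- … unchanged: FROM aws_kinesis_stream; …
```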
diff --git a/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml b/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml index f840ca658..6ee3d3098 100644 --- a/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_kinesis_stream_server_side_encryption_enabled title: Kinesis streams should have server side encryption enabled +type: control description: Enable server side encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kinesis_stream - definition: | - SELECT - stream_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'KMS' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'KMS' THEN title || ' server side encryption enabled.' - ELSE title || ' server side encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_kinesis_stream; + language: sql + primary_resource: aws_kinesis_stream + definition: | + SELECT + stream_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'KMS' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'KMS' THEN title || ' server side encryption enabled.' + ELSE title || ' server side encryption disabled.' + END AS reason, + region, + account_id + FROM + aws_kinesis_stream; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_at_rest - foundational_security_item_id: - - kinesis_1 - plugin: - - aws - service: - - AWS/Kinesis + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_at_rest + foundational_security_item_id: + - kinesis_1 + plugin: + - aws + service: + - AWS/Kinesis 
diff --git a/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml index e9db4adeb..b99f5924e 100644 --- a/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml 
@@ -1,46 +1,47 @@ id: aws_kms_cmk_policy_prohibit_public_access title: KMS CMK policies should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS KMS CMK cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - WITH wildcard_action_policies AS ( - SELECT - arn, - COUNT(*) AS statements_num - FROM - aws_kms_key, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '[\"*\"]' - OR s ->> 'Principal' = '*' - ) - AND key_manager = 'CUSTOMER' - GROUP BY - arn + language: sql + primary_resource: aws_kms_key + definition: | + WITH wildcard_action_policies AS ( + SELECT + arn, + COUNT(*) AS statements_num + FROM + aws_kms_key, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '[\"*\"]' + OR s ->> 'Principal' = '*' ) - SELECT - k.arn AS resource, - k.platform_integration_id AS platform_integration_id, - k.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allow public access.' - END AS reason - FROM - aws_kms_key AS k - LEFT JOIN wildcard_action_policies AS p ON p.arn = k.arn - WHERE - key_manager = 'CUSTOMER'; + AND key_manager = 'CUSTOMER' + GROUP BY + arn + ) + SELECT + k.arn AS resource, + k.platform_integration_id AS platform_integration_id, + k.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN title || ' does not allow public access.' 
+ ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allow public access.' + END AS reason + FROM + aws_kms_key AS k + LEFT JOIN wildcard_action_policies AS p ON p.arn = k.arn + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml b/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml index 0b4ecf514..d61564c0a 100644 --- a/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml +++ b/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml 
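Review bot: The principal match `(s -> 'Principal' -> 'AWS') = '[\"*\"]'` lives in a YAML literal block (`definition: |`), where backslashes are not escapes, so the SQL handed to Postgres is the literal `'[\"*\"]'`; with `standard_conforming_strings` on (the default) that text is not valid JSON, and coercing it to jsonb for the comparison raises an error unless something upstream strips the backslashes. Writing `'["*"]'`, or better `s -> 'Principal' -> 'AWS' ? '*'` (which also catches a list mixing `*` with named principals), removes the ambiguity. The check also ignores the statement's `Condition`, so a `Principal: *` statement scoped by `aws:PrincipalOrgID` or `kms:CallerAccount` is reported as public; that should be stated in a comment above the CTE, e.g. `-- Conditions are not evaluated; a wildcard principal restricted by Condition still alarms.` Minor: the CTE is named `wildcard_action_policies` but filters on principals, not actions.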
@@ -1,64 +1,65 @@ id: aws_kms_cmk_rotation_enabled title: KMS CMK rotation should be enabled +type: control description: Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN origin = 'EXTERNAL' THEN 'skip' - WHEN key_state = 'PendingDeletion' THEN 'skip' - WHEN key_state = 'Disabled' THEN 'skip' - WHEN NOT key_rotation_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' - WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' - WHEN key_state = 'Disabled' THEN title || ' is disabled.' - WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' - ELSE title || ' key rotation enabled.' - END AS reason, - region, - account_id - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN origin = 'EXTERNAL' THEN 'skip' + WHEN key_state = 'PendingDeletion' THEN 'skip' + WHEN key_state = 'Disabled' THEN 'skip' + WHEN NOT key_rotation_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN origin = 'EXTERNAL' THEN title || ' has imported key material.' + WHEN key_state = 'PendingDeletion' THEN title || ' is pending deletion.' + WHEN key_state = 'Disabled' THEN title || ' is disabled.' + WHEN NOT key_rotation_enabled THEN title || ' key rotation disabled.' + ELSE title || ' key rotation enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/KMS + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/KMS diff --git a/compliance/controls/aws/aws_kms_cmk_unused.yaml b/compliance/controls/aws/aws_kms_cmk_unused.yaml index d9bf7aba0..47c4dc671 100644 --- a/compliance/controls/aws/aws_kms_cmk_unused.yaml +++ b/compliance/controls/aws/aws_kms_cmk_unused.yaml 
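Review bot: `WHEN NOT key_rotation_enabled THEN 'alarm'` yields NULL when `key_rotation_enabled` is NULL, so a key whose rotation status could not be collected falls through to `ELSE 'ok'` and is reported as rotating; `WHEN key_rotation_enabled IS NOT TRUE THEN 'alarm'` fails closed. KMS only offers automatic rotation for symmetric keys with KMS-generated material, so besides `origin = 'EXTERNAL'` the skip list should cover CloudHSM and external-key-store origins and asymmetric or HMAC key specs, assuming `aws_kms_key` exposes those columns; otherwise such keys alarm forever with no remediation available. A comment above the CASE should record the rule, e.g. `-- Rotation is only possible for symmetric, KMS-generated key material; other keys are skipped, not alarmed.`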
@@ -1,30 +1,31 @@ id: aws_kms_cmk_unused title: KMS key should be in use +type: control description: This control checks whether there are any unused CMK (Customer Master Key) KMS (Key Management Service) keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enabled AND key_state = 'PendingDeletion' THEN 'ok' - WHEN NOT enabled AND key_state <> 'PendingDeletion' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enabled AND key_state = 'PendingDeletion' THEN title || ' scheduled for deletion in ' || EXTRACT(DAY FROM deletion_date - CURRENT_TIMESTAMP) || ' day(s).' - WHEN NOT enabled AND key_state <> 'PendingDeletion' THEN title || ' is unused.' - ELSE title || ' is in use.' - END AS reason - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enabled AND key_state = 'PendingDeletion' THEN 'ok' + WHEN NOT enabled AND key_state <> 'PendingDeletion' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enabled AND key_state = 'PendingDeletion' THEN title || ' scheduled for deletion in ' || EXTRACT(DAY FROM deletion_date - CURRENT_TIMESTAMP) || ' day(s).' + WHEN NOT enabled AND key_state <> 'PendingDeletion' THEN title || ' is unused.' + ELSE title || ' is in use.' + END AS reason + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: low tags: {} diff --git a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml index e93dc9ee3..2a1eb2e08 100644 
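Review bot: The title is 'KMS key should be in use' but the query only inspects the `enabled` flag, so `' is unused.'` is emitted for keys that are merely disabled, and an enabled key nothing has called in a year is reported `' is in use.'`; actual usage is not measured anywhere here. The reason should say what was checked, `title || ' is disabled and not scheduled for deletion.'`, and the description should drop the implication that usage is observed. A key already pending deletion is also returned as `ok`, which reads oddly beside `aws_kms_key_not_pending_deletion` alarming on the same state; `skip` with the existing countdown reason is the conventional status for 'nothing to do here'.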
--- a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml +++ b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml 
@@ -1,55 +1,56 @@ id: aws_kms_key_decryption_restricted_in_iam_customer_managed_policy title: KMS key decryption should be restricted in IAM customer managed policy +type: control description: Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - WITH policy_with_decrypt_grant AS ( - SELECT - DISTINCT arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS statement - WHERE - NOT is_aws_managed - AND statement ->> 'Effect' = 'Allow' - AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] - AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:reencryptfrom', 'kms:reencrypt*'] - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN d.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NULL THEN i.title || ' doesn''t allow decryption actions on all keys.' - ELSE i.title || ' allows decryption actions on all keys.' 
- END AS reason, - i.account_id - FROM - aws_iam_policy i - LEFT JOIN policy_with_decrypt_grant d - ON i.arn = d.arn - WHERE - NOT is_aws_managed + language: sql + primary_resource: aws_iam_policy + definition: | + WITH policy_with_decrypt_grant AS ( + SELECT + DISTINCT arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS statement + WHERE + NOT is_aws_managed + AND statement ->> 'Effect' = 'Allow' + AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] + AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:reencryptfrom', 'kms:reencrypt*'] + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN d.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NULL THEN i.title || ' doesn''t allow decryption actions on all keys.' + ELSE i.title || ' allows decryption actions on all keys.' + END AS reason, + i.account_id + FROM + aws_iam_policy i + LEFT JOIN policy_with_decrypt_grant d + ON i.arn = d.arn + WHERE + NOT is_aws_managed severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - kms_1 - plugin: - - aws - service: - - AWS/KMS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - kms_1 + plugin: + - aws + service: + - AWS/KMS diff --git a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml index a65391d64..de532378b 100644 --- a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml 
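Review bot: The description states 'This control uses Zelkova, an automated reasoning engine', but the definition is a jsonb pattern match over `policy_std`; that sentence is carried over from the Security Hub KMS.1 text and should be removed so nobody expects condition-aware reasoning from this query. The match is literal: `statement -> 'Resource' ?| ARRAY[...]` only fires on `*`, `arn:aws:kms:*:<account>:key/*` and `...:alias/*`, so `arn:aws:kms:*:*:key/*`, region-specific wildcards such as `arn:aws:kms:us-east-1:<account>:key/*`, and `aws-us-gov`/`aws-cn` partition ARNs all pass, and action globs like `kms:d*`, `NotAction`/`NotResource`, and `Condition` blocks are not considered. Those limits belong in a comment above the CTE so consumers know the control under-reports rather than proves absence.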
+++ b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml 
@@ -1,115 +1,116 @@ id: aws_kms_key_decryption_restricted_in_iam_inline_policy title: KMS key decryption should be restricted in IAM inline policy +type: control description: Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - WITH user_with_decrypt_grant AS ( - SELECT - DISTINCT arn - FROM - aws_iam_user, - jsonb_array_elements(inline_policies_std) AS inline_policy, - jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS statement - WHERE - statement ->> 'Effect' = 'Allow' - AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] - AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] - ), - role_with_decrypt_grant AS ( - SELECT - DISTINCT arn - FROM - aws_iam_role, - jsonb_array_elements(inline_policies_std) AS inline_policy, - jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS statement - WHERE - statement ->> 'Effect' = 'Allow' - AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] - AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] - ), - group_with_decrypt_grant AS ( - SELECT - DISTINCT arn - FROM - aws_iam_group, - jsonb_array_elements(inline_policies_std) AS inline_policy, - jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS 
statement - WHERE - statement ->> 'Effect' = 'Allow' - AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] - AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - 'aws_iam_user' AS platform_table_name, - CASE - WHEN d.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NULL THEN 'User ' || i.title || ' not allowed to perform decryption actions on all keys.' - ELSE 'User ' || i.title || ' allowed to perform decryption actions on all keys.' - END AS reason, - i.account_id - FROM - aws_iam_user i - LEFT JOIN user_with_decrypt_grant d ON i.arn = d.arn - UNION - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - 'aws_iam_role' AS platform_table_name, - CASE - WHEN d.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NULL THEN 'Role ' || r.title || ' not allowed to perform decryption actions on all keys.' - ELSE 'Role ' || r.title || ' allowed to perform decryption actions on all keys.' - END AS reason, - r.account_id - FROM - aws_iam_role r - LEFT JOIN role_with_decrypt_grant d ON r.arn = d.arn - WHERE - r.arn NOT LIKE '%service-role/%' - UNION - SELECT - g.arn AS resource, - g.platform_integration_id AS platform_integration_id, - g.platform_resource_id AS platform_resource_id, - 'aws_iam_group' AS platform_table_name, - CASE - WHEN d.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.arn IS NULL THEN 'Group ' || g.title || ' not allowed to perform decryption actions on all keys.' - ELSE 'Group ' || g.title || ' allowed to perform decryption actions on all keys.' 
- END AS reason, - g.account_id - FROM - aws_iam_group g - LEFT JOIN group_with_decrypt_grant d ON g.arn = d.arn; + language: sql + primary_resource: "" + definition: | + WITH user_with_decrypt_grant AS ( + SELECT + DISTINCT arn + FROM + aws_iam_user, + jsonb_array_elements(inline_policies_std) AS inline_policy, + jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS statement + WHERE + statement ->> 'Effect' = 'Allow' + AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] + AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] + ), + role_with_decrypt_grant AS ( + SELECT + DISTINCT arn + FROM + aws_iam_role, + jsonb_array_elements(inline_policies_std) AS inline_policy, + jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS statement + WHERE + statement ->> 'Effect' = 'Allow' + AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] + AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] + ), + group_with_decrypt_grant AS ( + SELECT + DISTINCT arn + FROM + aws_iam_group, + jsonb_array_elements(inline_policies_std) AS inline_policy, + jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') AS statement + WHERE + statement ->> 'Effect' = 'Allow' + AND statement -> 'Resource' ?| ARRAY['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*'] + AND statement -> 'Action' ?| ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom'] + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + 'aws_iam_user' AS platform_table_name, + CASE + WHEN d.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NULL THEN 'User 
' || i.title || ' not allowed to perform decryption actions on all keys.' + ELSE 'User ' || i.title || ' allowed to perform decryption actions on all keys.' + END AS reason, + i.account_id + FROM + aws_iam_user i + LEFT JOIN user_with_decrypt_grant d ON i.arn = d.arn + UNION + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + 'aws_iam_role' AS platform_table_name, + CASE + WHEN d.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NULL THEN 'Role ' || r.title || ' not allowed to perform decryption actions on all keys.' + ELSE 'Role ' || r.title || ' allowed to perform decryption actions on all keys.' + END AS reason, + r.account_id + FROM + aws_iam_role r + LEFT JOIN role_with_decrypt_grant d ON r.arn = d.arn + WHERE + r.arn NOT LIKE '%service-role/%' + UNION + SELECT + g.arn AS resource, + g.platform_integration_id AS platform_integration_id, + g.platform_resource_id AS platform_resource_id, + 'aws_iam_group' AS platform_table_name, + CASE + WHEN d.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.arn IS NULL THEN 'Group ' || g.title || ' not allowed to perform decryption actions on all keys.' + ELSE 'Group ' || g.title || ' allowed to perform decryption actions on all keys.' + END AS reason, + g.account_id + FROM + aws_iam_group g + LEFT JOIN group_with_decrypt_grant d ON g.arn = d.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - kms_2 - plugin: - - aws - service: - - AWS/KMS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - kms_2 + plugin: + - aws + service: + - AWS/KMS 
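Review bot: All three CTEs list the action `'kms:deencrypt*'`, which is not a KMS action; the sibling `aws_kms_key_decryption_restricted_in_iam_customer_managed_policy` in this same change uses `'kms:reencrypt*'`, so inline policies granting `kms:ReEncrypt*` are missed here while the customer-managed variant catches them — each array should read `ARRAY['*', 'kms:*', 'kms:decrypt', 'kms:reencrypt*', 'kms:reencryptfrom']`. The description also claims the control 'uses Zelkova', which this jsonb match does not; drop that sentence. Style: the three SELECTs are combined with `UNION`, which sorts and deduplicates, yet every row carries a distinct `platform_table_name`/arn pair, so `UNION ALL` returns the same rows without the sort; and `primary_resource: ""` should be confirmed as intentional given the query emits rows for three tables.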
diff --git a/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml b/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml index 6fe994ea6..0b4c378a6 100644 --- a/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml +++ b/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml 
@@ -1,60 +1,61 @@ id: aws_kms_key_not_pending_deletion title: KMS keys should not be pending deletion +type: control description: To help protect data at rest, ensure necessary customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (AWS KMS). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_kms_key - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN key_state = 'PendingDeletion' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN key_state = 'PendingDeletion' THEN title || ' scheduled for deletion and will be deleted in ' || EXTRACT(day FROM deletion_date - current_timestamp) || ' day(s).' - ELSE title || ' not scheduled for deletion.' - END AS reason, - region, - account_id - FROM - aws_kms_key - WHERE - key_manager = 'CUSTOMER'; + language: sql + primary_resource: aws_kms_key + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN key_state = 'PendingDeletion' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN key_state = 'PendingDeletion' THEN title || ' scheduled for deletion and will be deleted in ' || EXTRACT(day FROM deletion_date - current_timestamp) || ' day(s).' + ELSE title || ' not scheduled for deletion.' 
+ END AS reason, + region, + account_id + FROM + aws_kms_key + WHERE + key_manager = 'CUSTOMER'; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/KMS - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/KMS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml b/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml index a1f3087ce..a1e6f52f0 100644 --- a/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml +++ b/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml 
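Review bot: The status CASE treats only `key_state = 'PendingDeletion'` as an alarm, so a multi-Region replica key in state `PendingReplicaDeletion` is reported `ok` although it is equally scheduled for deletion; widening both CASE tests to `WHEN key_state IN ('PendingDeletion', 'PendingReplicaDeletion') THEN 'alarm'` covers it. The reason also concatenates `EXTRACT(day FROM deletion_date - current_timestamp)` directly, so a row whose `deletion_date` is NULL would collapse the whole reason to NULL rather than a message; `COALESCE(EXTRACT(day FROM deletion_date - current_timestamp)::text, 'an unknown number of')` keeps it readable. The rest of the hunk is a re-indent and quote-style change.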
@@ -1,74 +1,75 @@ id: aws_lambda_function_cloudtrail_logging_enabled title: Lambda functions CloudTrail logging should be enabled +type: control description: Lambda functions logging is essential because once lambdas are triggered, all of the underlying compute resources are automatically managed for you. This control is compliant if CloudTrail logging is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH function_logging_cloudtrails AS ( - SELECT - DISTINCT replace(replace(v::text, '"', ''), '/', '') AS lambda_arn, - d ->> 'Type' AS type - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) e, - jsonb_array_elements(e -> 'DataResources') AS d, - jsonb_array_elements(d -> 'Values') v - WHERE - d ->> 'Type' = 'AWS::Lambda::Function' - AND replace(replace(v::text, '"', ''), '/', '') <> 'arn:aws:lambda' - ), function_logging_region AS ( - SELECT - region AS cloudtrail_region, - replace(replace(v::text, '"', ''), '/', '') AS lambda_arn - FROM - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) e, - jsonb_array_elements(e -> 'DataResources') AS d, - jsonb_array_elements(d -> 'Values') v - WHERE - d ->> 'Type' = 'AWS::Lambda::Function' - AND replace(replace(v::text, '"', ''), '/', '') = 'arn:aws:lambda' - GROUP BY - region, - lambda_arn - ), function_logging_region_advance_es AS ( - SELECT - region AS cloudtrail_region - FROM - aws_cloudtrail_trail, - jsonb_array_elements(advanced_event_selectors) a, - jsonb_array_elements(a -> 'FieldSelectors') AS f, - jsonb_array_elements_text(f -> 'Equals') e - WHERE - e = 'AWS::Lambda::Function' - AND f ->> 'Field' != 'eventCategory' - GROUP BY - region - ) - SELECT - DISTINCT l.arn AS resource, - l.platform_integration_id AS platform_integration_id, - l.platform_resource_id AS platform_resource_id, - CASE - WHEN (l.arn = c.lambda_arn) - OR (r.lambda_arn = 'arn:aws:lambda' AND 
r.cloudtrail_region = l.region) - OR a.cloudtrail_region = l.region THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (l.arn = c.lambda_arn) - OR (r.lambda_arn = 'arn:aws:s3' AND r.cloudtrail_region = l.region) - OR a.cloudtrail_region = l.region THEN l.name || ' logging enabled.' - ELSE l.name || ' logging not enabled.' - END AS reason - FROM - aws_lambda_function AS l - LEFT JOIN function_logging_cloudtrails AS c ON l.arn = c.lambda_arn - LEFT JOIN function_logging_region AS r ON r.cloudtrail_region = l.region - LEFT JOIN function_logging_region_advance_es AS a ON a.cloudtrail_region = l.region; + language: sql + primary_resource: aws_lambda_function + definition: | + WITH function_logging_cloudtrails AS ( + SELECT + DISTINCT replace(replace(v::text, '"', ''), '/', '') AS lambda_arn, + d ->> 'Type' AS type + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) e, + jsonb_array_elements(e -> 'DataResources') AS d, + jsonb_array_elements(d -> 'Values') v + WHERE + d ->> 'Type' = 'AWS::Lambda::Function' + AND replace(replace(v::text, '"', ''), '/', '') <> 'arn:aws:lambda' + ), function_logging_region AS ( + SELECT + region AS cloudtrail_region, + replace(replace(v::text, '"', ''), '/', '') AS lambda_arn + FROM + aws_cloudtrail_trail, + jsonb_array_elements(event_selectors) e, + jsonb_array_elements(e -> 'DataResources') AS d, + jsonb_array_elements(d -> 'Values') v + WHERE + d ->> 'Type' = 'AWS::Lambda::Function' + AND replace(replace(v::text, '"', ''), '/', '') = 'arn:aws:lambda' + GROUP BY + region, + lambda_arn + ), function_logging_region_advance_es AS ( + SELECT + region AS cloudtrail_region + FROM + aws_cloudtrail_trail, + jsonb_array_elements(advanced_event_selectors) a, + jsonb_array_elements(a -> 'FieldSelectors') AS f, + jsonb_array_elements_text(f -> 'Equals') e + WHERE + e = 'AWS::Lambda::Function' + AND f ->> 'Field' != 'eventCategory' + GROUP BY + region + ) + SELECT + DISTINCT l.arn AS resource, + l.platform_integration_id AS 
platform_integration_id, + l.platform_resource_id AS platform_resource_id, + CASE + WHEN (l.arn = c.lambda_arn) + OR (r.lambda_arn = 'arn:aws:lambda' AND r.cloudtrail_region = l.region) + OR a.cloudtrail_region = l.region THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (l.arn = c.lambda_arn) + OR (r.lambda_arn = 'arn:aws:s3' AND r.cloudtrail_region = l.region) + OR a.cloudtrail_region = l.region THEN l.name || ' logging enabled.' + ELSE l.name || ' logging not enabled.' + END AS reason + FROM + aws_lambda_function AS l + LEFT JOIN function_logging_cloudtrails AS c ON l.arn = c.lambda_arn + LEFT JOIN function_logging_region AS r ON r.cloudtrail_region = l.region + LEFT JOIN function_logging_region_advance_es AS a ON a.cloudtrail_region = l.region; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml b/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml index 8d60cc5f7..2bb554432 100644 --- a/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml +++ b/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml 
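Review bot: The reason CASE tests `r.lambda_arn = 'arn:aws:s3'` while the status CASE tests `r.lambda_arn = 'arn:aws:lambda'`, so a function covered only by a region-wide Lambda data-event selector gets status `ok` with the reason `... logging not enabled.`; the reason branch should read `OR (r.lambda_arn = 'arn:aws:lambda' AND r.cloudtrail_region = l.region)` to match. The `'arn:aws:s3'` literal looks like a carry-over from an S3 variant of this control. Two smaller consistency points: the `type` column computed in `function_logging_cloudtrails` is never read, and the final SELECT omits the `region` and `account_id` columns that the sibling Lambda controls in this diff return, which matters if downstream reporting groups findings by those columns.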
@@ -1,34 +1,35 @@ id: aws_lambda_function_cloudwatch_insights_enabled title: Ensure Cloudwatch Lambda insights is enabled +type: control description: Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(layers) AS l - WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(layers) AS l - WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' - ) THEN title || ' CloudWatch Insights enabled.' - ELSE title || ' CloudWatch Insights disabled.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(layers) AS l + WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(layers) AS l + WHERE l ->> 'Arn' LIKE '%:layer:LambdaInsightsExtension:%' + ) THEN title || ' CloudWatch Insights enabled.' + ELSE title || ' CloudWatch Insights disabled.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml b/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml index a1762a1eb..ae87c5f9b 100644 
--- a/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml +++ b/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml 
@@ -1,50 +1,51 @@ id: aws_lambda_function_concurrent_execution_limit_configured title: Lambda functions concurrent execution limit configured +type: control description: Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non-compliant if the Lambda function is not configured with function-level concurrent execution limit. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN reserved_concurrent_executions IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN reserved_concurrent_executions IS NULL THEN title || ' function-level concurrent execution limit not configured.' - ELSE title || ' function-level concurrent execution limit configured.' - END AS reason, - region, - account_id - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN reserved_concurrent_executions IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN reserved_concurrent_executions IS NULL THEN title || ' function-level concurrent execution limit not configured.' + ELSE title || ' function-level concurrent execution limit configured.' 
+ END AS reason, + region, + account_id + FROM + aws_lambda_function; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/Lambda - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/Lambda + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml b/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml index 0f7db7616..1ae3bb2dc 100644 --- a/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml +++ b/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml 
@@ -1,28 +1,29 @@ id: aws_lambda_function_cors_configuration title: Lambda functions CORS configuration should not allow all origins +type: control description: Enable this rule to ensure that the CORS configuration for your Lambda functions does not allow all origins. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN url_config IS NULL THEN 'info' - WHEN url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN url_config IS NULL THEN title || ' does not have a URL config.' - WHEN url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' THEN title || ' CORS configuration allows all origins.' - ELSE title || ' CORS configuration does not allow all origins.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN url_config IS NULL THEN 'info' + WHEN url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN url_config IS NULL THEN title || ' does not have a URL config.' + WHEN url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' THEN title || ' CORS configuration allows all origins.' + ELSE title || ' CORS configuration does not allow all origins.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml b/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml index f5bb25b22..ebcca9be8 100644 --- a/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml 
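Review bot: The predicate `url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]'` compares the JSON text of the array against a literal whose backslashes survive the YAML block scalar verbatim; with PostgreSQL's default `standard_conforming_strings = on` a backslash inside a plain quoted string is literal, so the right-hand side is `[\"*\"]` and never equals `["*"]`, and every function with a URL config would be reported `ok` (unless the loader post-processes the text, which is not visible here). A containment test on the JSON value avoids both the escaping problem and the whitespace/ordering sensitivity of a text compare: `WHEN (url_config -> 'Cors' -> 'AllowOrigins') @> '["*"]'::jsonb THEN 'alarm'` in both CASE expressions. Worth confirming with a function whose URL CORS allows `*` that the control actually raises `alarm`.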
+++ b/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml 
@@ -1,52 +1,53 @@ id: aws_lambda_function_dead_letter_queue_configured title: Lambda functions should be configured with a dead-letter queue +type: control description: Enable this rule to help notify the appropriate personnel through AWS Simple Queue Service (AWS SQS) or AWS Simple Notification Service (AWS SNS) when a function has failed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN dead_letter_config_target_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN dead_letter_config_target_arn IS NULL THEN title || ' configured with dead-letter queue.' - ELSE title || ' not configured with dead-letter queue.' - END AS reason, - region, - account_id - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN dead_letter_config_target_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN dead_letter_config_target_arn IS NULL THEN title || ' configured with dead-letter queue.' + ELSE title || ' not configured with dead-letter queue.' 
+ END AS reason, + region, + account_id + FROM + aws_lambda_function; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/Lambda - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/Lambda + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml b/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml index d99168346..24616e573 100644 --- a/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml 
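Review bot: The reason branches are inverted relative to the status: the row with `dead_letter_config_target_arn IS NULL` gets status `alarm` but the reason `... configured with dead-letter queue.`, and the non-NULL row gets `ok` with `... not configured with dead-letter queue.`. Swap the two messages so the NULL branch reads `title || ' not configured with dead-letter queue.'` and the ELSE branch `title || ' configured with dead-letter queue.'`. The same layout is used in the sibling `aws_lambda_function_concurrent_execution_limit_configured` hunk, where the messages are the right way round, so this one is the outlier.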
@@ -1,26 +1,27 @@ id: aws_lambda_function_encryption_enabled title: Ensure encryption in transit is enabled for Lambda environment variables +type: control description: As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_arn IS NULL THEN title || ' encryption is disabled.' - ELSE title || ' encryption is enabled.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_arn IS NULL THEN title || ' encryption is disabled.' + ELSE title || ' encryption is enabled.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lambda_function_in_vpc.yaml b/compliance/controls/aws/aws_lambda_function_in_vpc.yaml index 3fdd2f77f..d86efd8a5 100644 --- a/compliance/controls/aws/aws_lambda_function_in_vpc.yaml +++ b/compliance/controls/aws/aws_lambda_function_in_vpc.yaml 
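Review bot: `kms_key_arn IS NULL` only tells whether a customer-managed KMS key is configured for the function; Lambda still encrypts environment variables at rest with an AWS-managed key when none is set, so the reason `' encryption is disabled.'` and the title's "in transit" wording overstate what this predicate establishes. A reason such as `title || ' environment variables are not encrypted with a customer-managed KMS key.'` describes the actual finding, and the title/description should say the same. For consistency with the `vpc_id IS NULL OR vpc_id = ''` guard used in the in-VPC and multiple-AZ hunks of this diff, the test here should presumably also be `kms_key_arn IS NULL OR kms_key_arn = ''`, in case the collector stores an empty string rather than NULL.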
@@ -1,64 +1,65 @@ id: aws_lambda_function_in_vpc title: Lambda functions should be in a VPC +type: control description: Deploy AWS Lambda functions within an AWS Virtual Private Cloud (AWS VPC) for a secure communication between a function and other services within the AWS VPC. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' - ELSE title || ' is in VPC ' || vpc_id || '.' - END AS reason, - region, - account_id - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' + ELSE title || ' is in VPC ' || vpc_id || '.' 
+ END AS reason, + region, + account_id + FROM + aws_lambda_function; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Lambda - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Lambda + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml b/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml index c920679d3..0ed9f494c 100644 --- a/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml 
@@ -1,51 +1,52 @@ id: aws_lambda_function_multiple_az_configured title: Lambda functions should operate in more than one availability zone +type: control description: This control checks if Lambda has more than one availability zone associated. The rule fails if only one availability zone is associated with Lambda. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN 'skip' - ELSE CASE - WHEN ( - SELECT - COUNT(DISTINCT availability_zone_id) - FROM - aws_vpc_subnet - WHERE - subnet_id IN (SELECT jsonb_array_elements_text(vpc_subnet_ids)) - ) >= 2 - THEN 'ok' - ELSE 'alarm' - END - END AS status, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' - ELSE title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).' - END AS reason, - region, - account_id - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN 'skip' + ELSE CASE + WHEN ( + SELECT + COUNT(DISTINCT availability_zone_id) + FROM + aws_vpc_subnet + WHERE + subnet_id IN (SELECT jsonb_array_elements_text(vpc_subnet_ids)) + ) >= 2 + THEN 'ok' + ELSE 'alarm' + END + END AS status, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' + ELSE title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).' 
+ END AS reason, + region, + account_id + FROM + aws_lambda_function; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - lambda_5 - plugin: - - aws - service: - - AWS/Lambda + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - lambda_5 + plugin: + - aws + service: + - AWS/Lambda diff --git a/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml b/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml index c42aed8db..564075f87 100644 --- a/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml 
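Review bot: The reason reports `jsonb_array_length(vpc_subnet_ids)` as the number of availability zones, but the status is decided by `COUNT(DISTINCT availability_zone_id)` over `aws_vpc_subnet`, so a function attached to two subnets in the same AZ is reported `alarm` with the reason `... has 2 availability zone(s).`. Reusing the same scalar subquery in the reason, or hoisting it into a CTE keyed by `arn`, keeps the two consistent and avoids the double evaluation. Note too that the subquery yields 0 when the function's subnets are absent from `aws_vpc_subnet`, which surfaces as `alarm` rather than as an incomplete-inventory condition; a one-line comment above the CASE stating that this is intended would help the next reader.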
@@ -1,90 +1,91 @@ id: aws_lambda_function_restrict_public_access title: Lambda functions should restrict public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH wildcard_action_policies AS ( - SELECT - b.arn, - COUNT(*) AS statements_num - FROM - aws_lambda_function AS b - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' - ELSE '[]'::jsonb - END AS statements_json - ) AS statements_array - CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - -- Check if Principal AWS is a JSON array containing "*" - (s -> 'Principal' -> 'AWS') @> '["*"]'::jsonb - OR s ->> 'Principal' = '*' - ) - GROUP BY - b.arn + language: sql + primary_resource: aws_lambda_function + definition: | + WITH wildcard_action_policies AS ( + SELECT + b.arn, + COUNT(*) AS statements_num + FROM + aws_lambda_function AS b + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' + ELSE '[]'::jsonb + END AS statements_json + ) AS statements_array + CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + -- Check if Principal AWS is a JSON array containing "*" + (s -> 'Principal' -> 'AWS') @> '["*"]'::jsonb + OR s ->> 'Principal' = '*' ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN p.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.arn IS NULL THEN f.title || ' does not allow public access.' 
- ELSE f.title || ' contains ' || COALESCE(p.statements_num, 0) || ' statement(s) that allow public access.' - END AS reason, - f.region, - f.account_id - FROM - aws_lambda_function AS f - LEFT JOIN wildcard_action_policies AS p - ON p.arn = f.arn; + GROUP BY + b.arn + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN p.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.arn IS NULL THEN f.title || ' does not allow public access.' + ELSE f.title || ' contains ' || COALESCE(p.statements_num, 0) || ' statement(s) that allow public access.' + END AS reason, + f.region, + f.account_id + FROM + aws_lambda_function AS f + LEFT JOIN wildcard_action_policies AS p + ON p.arn = f.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Lambda - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Lambda + soc_2: + - "true" 
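Review bot: The wildcard-principal test in `wildcard_action_policies` never looks at the statement's `Condition` block, so an `Allow` with `Principal` `*` that is scoped by keys such as `aws:SourceAccount` or `aws:SourceArn` — the usual shape for functions invoked by another AWS service — is counted as public, while a statement that is public only because its condition is satisfiable by anyone is indistinguishable from one that is tightly scoped. Either exclude conditioned statements from the alarm path with `AND (s -> 'Condition') IS NULL` and report them as `info`, or document in a comment that conditioned wildcard statements are deliberately counted. Whether `policy_std` normalises a string-valued `"AWS": "*"` into the array form that `@> '["*"]'::jsonb` expects is not visible here and should be confirmed, since a scalar would not satisfy the containment test. The hunk is otherwise a re-indent.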
diff --git a/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml b/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml index 8fc43ab8f..c2201c7c3 100644 --- a/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml +++ b/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml @@ -1,28 +1,29 @@ id: aws_lambda_function_restrict_public_url title: Lambda functions should restrict public URL +type: control description: This control verifies that the Lambda function does not have a publicly accessible URL. Exposing services publicly could potentially make sensitive data accessible to malicious actors. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN url_config IS NULL THEN 'info' - WHEN url_config ->> 'AuthType' = 'AWS_IAM' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN url_config IS NULL THEN title || ' having no URL config.' - WHEN url_config ->> 'AuthType' = 'AWS_IAM' THEN title || ' restricts public function URL.' - ELSE title || ' public function URL configured.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN url_config IS NULL THEN 'info' + WHEN url_config ->> 'AuthType' = 'AWS_IAM' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN url_config IS NULL THEN title || ' having no URL config.' + WHEN url_config ->> 'AuthType' = 'AWS_IAM' THEN title || ' restricts public function URL.' + ELSE title || ' public function URL configured.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml b/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml index aa9bc375b..de4961f05 100644 --- a/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml +++ b/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml @@ -1,26 +1,27 @@ id: aws_lambda_function_tracing_enabled title: Lambda functions tracing should be enabled +type: control description: AWS X-Ray can be used to visualize the components of application, identify performance bottlenecks, and troubleshoot requests that resulted in an error. Lambda functions send trace data to X-Ray, and X-Ray processes the data to generate a service map and searchable trace summaries. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN tracing_config ->> 'Mode' = 'PassThrough' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN tracing_config ->> 'Mode' = 'PassThrough' THEN title || ' has tracing disabled.' - ELSE title || ' has tracing enabled.' - END AS reason - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN tracing_config ->> 'Mode' = 'PassThrough' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN tracing_config ->> 'Mode' = 'PassThrough' THEN title || ' has tracing disabled.' + ELSE title || ' has tracing enabled.' + END AS reason + FROM + aws_lambda_function; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml b/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml index dc64a764f..12480df0d 100644 
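Review bot: When `tracing_config` is NULL or has no `Mode` key, `tracing_config ->> 'Mode' = 'PassThrough'` evaluates to UNKNOWN and the CASE falls through to `ok` with `' has tracing enabled.'`, so a function with no tracing configuration at all is reported as traced. Testing the positive state instead, `WHEN tracing_config ->> 'Mode' = 'Active' THEN 'ok' ELSE 'alarm'` in both CASE expressions, fails closed for the missing-config case.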
--- a/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml +++ b/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml 
@@ -1,42 +1,43 @@ id: aws_lambda_function_use_latest_runtime title: Lambda functions should use latest runtimes -description: 'This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6' +type: control +description: "This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6" integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN package_type <> 'Zip' THEN 'skip' - WHEN runtime IN ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN package_type <> 'Zip' THEN title || ' package type is ' || package_type || '.' - WHEN runtime IN ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') THEN title || ' uses latest runtime - ' || runtime || '.' - ELSE title || ' uses ' || runtime || ' which is not the latest version.' 
- END AS reason, - region, - account_id - FROM - aws_lambda_function; + language: sql + primary_resource: aws_lambda_function + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN package_type <> 'Zip' THEN 'skip' + WHEN runtime IN ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN package_type <> 'Zip' THEN title || ' package type is ' || package_type || '.' + WHEN runtime IN ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') THEN title || ' uses latest runtime - ' || runtime || '.' + ELSE title || ' uses ' || runtime || ' which is not the latest version.' + END AS reason, + region, + account_id + FROM + aws_lambda_function; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_development - foundational_security_item_id: - - lambda_2 - plugin: - - aws - service: - - AWS/Lambda + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_development + foundational_security_item_id: + - lambda_2 + plugin: + - aws + service: + - AWS/Lambda diff --git a/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml b/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml index 89bd8d303..3c2d3aa47 100644 --- a/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml +++ b/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml 
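Review bot: The runtime allow-list in both CASE expressions contradicts the description on the new side: the description names nodejs20.x, python3.12, ruby3.3, java21 and dotnet8 among the latest runtimes, while the IN list marks nodejs10.x, python3.6, ruby2.5, go1.x and dotnetcore2.1 as 'ok' and would report python3.12 or java21 as 'alarm'. Both IN lists should be replaced by the description's set, `('nodejs20.x', 'nodejs18.x', 'nodejs16.x', 'python3.12', 'python3.11', 'python3.10', 'python3.9', 'python3.8', 'ruby3.3', 'ruby3.2', 'java21', 'java17', 'java11', 'java8.al2', 'dotnet8', 'dotnet6')`, and since the list is duplicated it is worth defining it once (a CTE or a `VALUES` list) so the status and reason expressions cannot drift apart. Deprecated runtimes no longer receive security patches, so an allow-list that lags the description turns this control into a false 'ok'.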
@@ -1,40 +1,41 @@ id: aws_lambda_function_variables_no_sensitive_data title: Lambda functions variable should not have any sensitive data +type: control description: Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH function_vaiable_with_sensitive_data AS ( - SELECT DISTINCT - arn, - name - FROM - aws_lambda_function - JOIN jsonb_each_text(environment_variables) d ON true - WHERE - d.key ILIKE ANY (ARRAY['%pass%', '%secret%', '%token%', '%key%']) - OR d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - OR d.value ILIKE ANY (ARRAY['%pass%', '%secret%', '%token%', '%key%']) - OR d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - ) - SELECT - f.arn AS resource, - f.platform_integration_id AS platform_integration_id, - f.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN f.title || ' has no sensitive data.' - ELSE f.title || ' has potential sensitive data.' 
- END AS reason - FROM - aws_lambda_function AS f - LEFT JOIN function_vaiable_with_sensitive_data b ON f.arn = b.arn; + language: sql + primary_resource: aws_lambda_function + definition: | + WITH function_vaiable_with_sensitive_data AS ( + SELECT DISTINCT + arn, + name + FROM + aws_lambda_function + JOIN jsonb_each_text(environment_variables) d ON true + WHERE + d.key ILIKE ANY (ARRAY['%pass%', '%secret%', '%token%', '%key%']) + OR d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + OR d.value ILIKE ANY (ARRAY['%pass%', '%secret%', '%token%', '%key%']) + OR d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' + ) + SELECT + f.arn AS resource, + f.platform_integration_id AS platform_integration_id, + f.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN f.title || ' has no sensitive data.' + ELSE f.title || ' has potential sensitive data.' + END AS reason + FROM + aws_lambda_function AS f + LEFT JOIN function_vaiable_with_sensitive_data b ON f.arn = b.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml b/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml index e9c59ead5..1f291bdc4 100644 --- a/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml +++ b/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml 
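Review bot: The value-side heuristics in the `function_vaiable_with_sensitive_data` CTE fire on very short or incidental strings: `d.value ILIKE '%pass%'` matches words such as "bypass", and the unanchored complexity regex has no length floor, so a four-character value like `Ab1!` (constructed example) trips it. Adding a floor, `OR (LENGTH(d.value) >= 8 AND d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]')`, keeps the intent while cutting noise; the same regex applied to `d.key` is unlikely to catch anything the ILIKE key patterns miss. The reason text rightly never echoes the variable value, but naming the offending key (never its value) would make triage possible; the CTE name also carries a typo (`vaiable`) in both places it appears.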
@@ -1,26 +1,27 @@ id: aws_lightsail_instance_ipv6_networking_disabled title: Disable IPv6 Networking if not in use within your organization +type: control description: Any protocols enable within Lightsail by default that aren't being used should be disabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_lightsail_instance - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ip_v6_addresses IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ip_v6_addresses IS NULL THEN name || ' has IPv6 networking disabled.' - ELSE name || ' has IPv6 networking enabled.' - END AS reason - FROM - aws_lightsail_instance; + language: sql + primary_resource: aws_lightsail_instance + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ip_v6_addresses IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ip_v6_addresses IS NULL THEN name || ' has IPv6 networking disabled.' + ELSE name || ' has IPv6 networking enabled.' + END AS reason + FROM + aws_lightsail_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml index 6d6c73820..7febd2a4d 100644 --- a/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml 
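Review bot: `ip_v6_addresses IS NULL` is the only condition that yields 'ok', so if the collector stores an empty list (for example `[]`) for an instance with IPv6 disabled, that instance is reported as 'alarm'; the hunk does not show the column type, so this needs confirming against the table schema. If the column is jsonb, a NULL-safe emptiness test such as `WHEN COALESCE(jsonb_array_length(ip_v6_addresses), 0) = 0 THEN 'ok'` covers both shapes. Also note that `name AS resource` differs from the other controls in this series, which use the ARN; if `aws_lightsail_instance` exposes one, using it keeps resource identifiers unique across regions.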
@@ -1,64 +1,65 @@ id: aws_log_group_encryption_at_rest_enabled title: Log group encryption at rest should be enabled +type: control description: To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_cloudwatch_log_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' not encrypted at rest.' - ELSE title || ' encrypted at rest.' - END AS reason, - region, - account_id - FROM - aws_cloudwatch_log_group; + language: sql + primary_resource: aws_cloudwatch_log_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' not encrypted at rest.' + ELSE title || ' encrypted at rest.' 
+ END AS reason, + region, + account_id + FROM + aws_cloudwatch_log_group; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/CloudWatch - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/CloudWatch + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml b/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml index f824c6894..9765dc8c8 100644 --- a/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml 
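Review bot: The reason text `title || ' not encrypted at rest.'` overstates the finding: CloudWatch Logs encrypts log data at rest by default, and `kms_key_id IS NULL` only means no customer managed KMS key is associated with the group. Wording it as `title || ' not encrypted with a customer managed KMS key.'` (and `title || ' encrypted with customer managed KMS key ' || kms_key_id || '.'` for the ok branch) describes what the check actually proves and lets the reader judge whether the high severity applies. An empty-string `kms_key_id`, if the collector ever produces one, would also pass as 'ok'; `NULLIF(kms_key_id, '') IS NULL` guards against that.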
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_bucket_policy title: Ensure a log metric filter and alarm exist for S3 bucket policy changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging AS is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern, - filter.metric_transformation_name - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$.eventSource\s*=\s*s3.amazonaws.com.+\$.eventName\s*=\s*PutBucketAcl.+\$.eventName\s*=\s*PutBucketPolicy.+\$.eventName\s*=\s*PutBucketCors.+\$.eventName\s*=\s*PutBucketLifecycle.+\$.eventName\s*=\s*PutBucketReplication.+\$.eventName\s*=\s*DeleteBucketPolicy.+\$.eventName\s*=\s*DeleteBucketCors.+\$.eventName\s*=\s*DeleteBucketLifecycle.+\$.eventName\s*=\s*DeleteBucketReplication' - AND alarm.metric_name LIKE filter.metric_transformation_name 
- AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' - ELSE filter_name || ' forwards events for S3 bucket policy changes.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging AS is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern, + filter.metric_transformation_name + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$.eventSource\s*=\s*s3.amazonaws.com.+\$.eventName\s*=\s*PutBucketAcl.+\$.eventName\s*=\s*PutBucketPolicy.+\$.eventName\s*=\s*PutBucketCors.+\$.eventName\s*=\s*PutBucketLifecycle.+\$.eventName\s*=\s*PutBucketReplication.+\$.eventName\s*=\s*DeleteBucketPolicy.+\$.eventName\s*=\s*DeleteBucketCors.+\$.eventName\s*=\s*DeleteBucketLifecycle.+\$.eventName\s*=\s*DeleteBucketReplication' + AND alarm.metric_name LIKE filter.metric_transformation_name + 
AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for S3 bucket policy changes.' + ELSE filter_name || ' forwards events for S3 bucket policy changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.8' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.8" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml b/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml index 27f8c1f4c..6e279586a 100644 --- a/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml 
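Review bot: `alarm.metric_name LIKE filter.metric_transformation_name` treats `_` and `%` in the transformation name as wildcards, so a name containing underscores can match a differently named metric and the control reports 'ok' without an alarm on the intended metric; an exact comparison, `AND alarm.metric_name = filter.metric_transformation_name`, is what is meant. The same predicate appears in the cloudtrail-configuration, config-configuration and console-authentication-failure hunks below. Separately, the filter-pattern regex here leaves `.` unescaped in `\$.eventSource` and `s3.amazonaws.com`, unlike the `\$\.eventName` form used in the next hunk, and it requires the nine event names in one fixed order, so a pattern listing the same events in a different order is reported as 'alarm'; one `~` predicate per event name (the cloudtrail-configuration and config-configuration hunks have the same ordering constraint) would accept any ordering.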
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_cloudtrail_configuration title: Ensure a log metric filter and alarm exist for CloudTrail configuration changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN 
f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' - ELSE filter_name || ' forwards events for CloudTrail configuration changes.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for CloudTrail configuration changes.' 
+ ELSE filter_name || ' forwards events for CloudTrail configuration changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.5' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.5" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml b/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml index 458501581..ac94e2f48 100644 --- a/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml 
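Review bot: `SELECT DISTINCT` in the outer query only collapses identical rows, so an account with more than one matching filter is emitted twice with different `reason` values and the account ARN used as `resource` is no longer unique in the result. Aggregating in `filter_data` instead, grouping by `account_id` and taking `MIN(trail_name) AS trail_name` together with `STRING_AGG(DISTINCT filter.name, ', ') AS filter_name`, yields one row per account and lets the DISTINCT be dropped; the unused `subscription_arn`, `topic_arn` and `metric_name` columns can go at the same time. The bucket-policy, config-configuration and console-authentication-failure hunks have the same shape.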
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_config_configuration title: Ensure a log metric filter and alarm exist for AWS Config configuration changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - 
a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for AWS Config configuration changes.' - ELSE filter_name || ' forwards events for AWS Config configuration changes.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist 
for AWS Config configuration changes.' + ELSE filter_name || ' forwards events for AWS Config configuration changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.9' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.9" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml b/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml index 598e9c35d..05f611bb1 100644 --- a/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml 
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_console_authentication_failure title: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console authentication 
failures.' - ELSE filter_name || ' forwards events for console authentication failures.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console authentication failures.' + ELSE filter_name || ' forwards events for console authentication failures.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.6' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.6" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml b/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml index d13c3aab1..677eaa386 100644 --- a/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml 
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_console_login_mfa title: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"\)' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console sign-in without 
MFA.' - ELSE filter_name || ' forwards events for console sign-in without MFA.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"\)' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for console sign-in without MFA.' + ELSE filter_name || ' forwards events for console sign-in without MFA.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.2' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.2" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml b/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml index 2f743f4bf..c7ae0f220 100644 --- a/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml 
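Review bot: `alarm.metric_name LIKE filter.metric_transformation_name` in the `filter_data` CTE treats the transformation name as a LIKE pattern, so an `_` or `%` in that name acts as a wildcard and the alarm can be paired with a different metric than the one the filter emits; the intended pairing is an exact match, `AND alarm.metric_name = filter.metric_transformation_name`. The same predicate is repeated in the disable_or_delete_cmk, iam_policy, network_acl, network_gateway, organization and root_login hunks of this diff, so the change belongs in all of them together. The outer `SELECT DISTINCT` also does not yield one row per account: `filter_name` is part of `reason`, so an account with two matching filters is reported twice under the same `resource`, which inflates finding counts downstream unless the reason is aggregated (for example `string_agg(DISTINCT f.filter_name, ', ')` with a `GROUP BY` on the account columns). Worth confirming whether the event-selector check should also require `se ->> 'IncludeManagementEvents' = 'true'`, since a selector with `ReadWriteType = All` but management events excluded satisfies the CTE without delivering the sign-in events this filter watches.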
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_disable_or_delete_cmk title: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 
'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for disabling/deletion of CMKs.' + ELSE filter_name || ' forwards events for disabling/deletion of CMKs.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.7' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.7" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml b/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml index a105f45b6..7ab297034 100644 --- a/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml 
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_iam_policy title: Ensure a log metric filter and alarm exist for IAM policy changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging AS is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern, - filter.metric_transformation_name - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for IAM policy changes.' - ELSE filter_name || ' forwards events for IAM policy changes.' 
- END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging AS is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern, + filter.metric_transformation_name + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 
'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for IAM policy changes.' + ELSE filter_name || ' forwards events for IAM policy changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.4' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.4" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml b/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml index cd835705e..50b46c057 100644 --- a/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml 
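Review bot: The `filter.filter_pattern ~ '...'` regex here only accepts unquoted event names (`\$\.eventName\s*=\s*DeleteGroupPolicy`), while the organization hunk in the same diff tolerates optional quotes with `"?`; a filter authored as `($.eventName = "DeleteGroupPolicy")` would pass that control but be reported as `alarm` by this one, so the two styles should be aligned, presumably on the quote-tolerant form. `filter.metric_transformation_name` is projected in the `filter_data` select list but never read outside the CTE, so it can be dropped from the projection. Worth confirming against the reference pattern whether an `eventSource = iam.amazonaws.com` term is expected alongside the event names, since the cmk and organization regexes check the source but this one does not.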
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_network_acl title: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - 
SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' - ELSE filter_name || ' forwards events for changes to NACLs.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS 
platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to NACLs.' + ELSE filter_name || ' forwards events for changes to NACLs.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.11' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.11" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml b/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml index d33af1bc5..be060bccd 100644 --- a/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml 
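Review bot: The filter regex in this file uses doubled backslashes (`'\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl...'`) where every sibling control in this diff uses single ones; inside a YAML `|` block scalar backslashes are literal, so the SQL string really contains `\\s`, which under the Postgres default of `standard_conforming_strings = on` is a regex for a literal backslash followed by `s`. No CloudWatch filter pattern contains that sequence, so unless the database runs with the non-default setting, `filter_data` is always empty and the control reports `alarm` for every account regardless of whether the NACL filter and alarm exist. Changing the predicate to the single-backslash form used by the other files, e.g. `AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+...'` for the full list of six names, fixes it.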
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_network_gateway title: Ensure a log metric filter and alarm exist for changes to network gateways +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - alarm.name AS alarm_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS 
platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' - ELSE filter_name || ' forwards events for changes to network gateways.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + alarm.name AS alarm_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS 
status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for changes to network gateways.' + ELSE filter_name || ' forwards events for changes to network gateways.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.12' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.12" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_organization.yaml b/compliance/controls/aws/aws_log_metric_filter_organization.yaml index 42e228404..e42b194bd 100644 --- a/compliance/controls/aws/aws_log_metric_filter_organization.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_organization.yaml 
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_organization title: Ensure AWS Organizations changes are monitored +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - alarm.name AS alarm_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exists for AWS Organizations changes.' - ELSE filter_name || ' forwards relevant events for AWS Organizations changes.' 
- END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + alarm.name AS alarm_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?' 
+ AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exists for AWS Organizations changes.' + ELSE filter_name || ' forwards relevant events for AWS Organizations changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '4.15' - cis_level: - - '1' - cis_section_id: - - '4' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "4.15" + cis_level: + - "1" + cis_section_id: + - "4" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_root_login.yaml b/compliance/controls/aws/aws_log_metric_filter_root_login.yaml index cbece9563..8600a8a5e 100644 --- a/compliance/controls/aws/aws_log_metric_filter_root_login.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_root_login.yaml 
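Review bot: The `.+`-chained `filter_pattern` regex requires all eighteen event names to appear in exactly this order in a single filter; a metric filter that lists the same events in a different order, or spreads them over two filters on the same log group, is reported as `alarm` even though every Organizations change is forwarded. The disable_or_delete_cmk, iam_policy, network_acl and network_gateway hunks use the same fixed-order matching and have the same gap. Checking each required name independently removes the ordering dependence; one way is to keep the `eventSource` test and reject the filter only if some required name is absent, as sketched below, with the unchanged parts of the CTE left in place.

```sql
-- … unchanged: filter_data select list, FROM and the trail / log-group predicates …
AND filter.filter_pattern ~ '\$\.eventSource\s*=\s*organizations\.amazonaws\.com'
AND NOT EXISTS (
    SELECT 1
    FROM (VALUES
        ('AcceptHandshake'), ('AttachPolicy'), ('CreateAccount'),
        ('CreateOrganizationalUnit'), ('CreatePolicy'), ('DeclineHandshake'),
        ('DeleteOrganization'), ('DeleteOrganizationalUnit'), ('DeletePolicy'),
        ('DetachPolicy'), ('DisablePolicyType'), ('EnablePolicyType'),
        ('InviteAccountToOrganization'), ('LeaveOrganization'), ('MoveAccount'),
        ('RemoveAccountFromOrganization'), ('UpdatePolicy'), ('UpdateOrganizationalUnit')
    ) AS required(event_name)
    -- a single missing name disqualifies the filter, regardless of term order
    WHERE filter.filter_pattern !~ ('\$\.eventName\s*=\s*"?' || required.event_name || '"?')
)
-- … unchanged: alarm metric and SNS subscription predicates …
```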
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_root_login title: Ensure a log metric filter and alarm exist for usage of 'root' account +type: control description: You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS 
status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' - ELSE filter_name || ' forwards events for usage of "root" account.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for usage of "root" account.' + ELSE filter_name || ' forwards events for usage of "root" account.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.3' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.3" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_route_table.yaml b/compliance/controls/aws/aws_log_metric_filter_route_table.yaml index a61e69ee7..4d03ef965 100644 --- a/compliance/controls/aws/aws_log_metric_filter_route_table.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_route_table.yaml 
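Review bot: The filter-to-trail join `filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7)` matches on log group name alone, so in a scan that covers several accounts or regions a metric filter on a same-named log group elsewhere can satisfy the check for this trail. If `aws_cloudwatch_log_metric_filter` carries the common `account_id`/`region` columns, tighten the join with `AND filter.account_id = trail.account_id` (and the region the log group lives in, where the trail table exposes it). The same predicate appears in the route table, security group, unauthorized API and VPC hunks that follow.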
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_route_table title: Ensure a log metric filter and alarm exist for route table changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - alarm.name AS alarm_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || 
':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' - ELSE filter_name || ' forwards events for route table changes.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + split_part(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + alarm.name AS alarm_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = split_part(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + 
WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for route table changes.' + ELSE filter_name || ' forwards events for route table changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.13' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.13" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_security_group.yaml b/compliance/controls/aws/aws_log_metric_filter_security_group.yaml index aa6aa84ab..1f0bdc5a0 100644 --- a/compliance/controls/aws/aws_log_metric_filter_security_group.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_security_group.yaml 
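Review bot: `alarm.metric_name LIKE filter.metric_transformation_name` uses the filter's metric name as a LIKE pattern, so any `_` or `%` in a metric transformation name acts as a wildcard and an alarm on a different metric can satisfy the check; an exact comparison is what is meant, `AND alarm.metric_name = filter.metric_transformation_name`. The alarm's namespace is also never compared with the filter's transformation namespace, so a same-named metric in another namespace matches; add that equality if both tables expose the namespace. The same two lines appear in the root-login, security-group, unauthorized-API and VPC hunks.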
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_security_group title: Ensure a log metric filter and alarm exist for security group changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) + language: sql + 
primary_resource: aws_account + definition: | + WITH filter_data AS ( SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for security group changes.' - ELSE filter_name || ' forwards events for security group changes.' - END AS reason, - a.account_id + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + aws_cloudtrail_trail AS trail, + JSONB_ARRAY_ELEMENTS(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + JSONB_ARRAY_ELEMENTS_TEXT(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN 
f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for security group changes.' + ELSE filter_name || ' forwards events for security group changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.10' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.10" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml b/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml index 8333e4663..fcfb4b13c 100644 --- a/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml 
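Review bot: `subscription.subscription_arn` is carried into `filter_data` but never checked, so an SNS subscription that was never confirmed still counts as a working notification path and the account is reported 'ok'. SNS returns a placeholder instead of a real ARN for unconfirmed subscriptions; if that is how it surfaces in `aws_sns_topic_subscription`, add `AND subscription.subscription_arn <> 'PendingConfirmation'` (or whichever placeholder the table yields) to the WHERE clause. The same gap exists in the root-login, route-table, unauthorized-API and VPC hunks.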
@@ -1,74 +1,75 @@ id: aws_log_metric_filter_unauthorized_api title: Ensure a log metric filter and alarm exist for unauthorized API calls +type: control description: Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - AND alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter 
and alarm exist for unauthorized API calls.' - ELSE filter_name || ' forwards events for unauthorized API calls.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for unauthorized API calls.' + ELSE filter_name || ' forwards events for unauthorized API calls.' 
+ END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.1' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.1" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_log_metric_filter_vpc.yaml b/compliance/controls/aws/aws_log_metric_filter_vpc.yaml index e64a295a8..f482e0d23 100644 --- a/compliance/controls/aws/aws_log_metric_filter_vpc.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_vpc.yaml 
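Review bot: `SELECT DISTINCT` does not give one row per account here, because `reason` embeds `filter_name`: an account with two matching metric filters emits two 'ok' rows for the same `resource`, so per-account finding counts are unstable. Reduce `filter_data` to one row per `account_id` before the join (for example by aggregating the filter names with `STRING_AGG` or keeping `MIN(filter.name)`), then the DISTINCT becomes unnecessary. The same shape is used in the root-login, route-table, security-group and VPC hunks.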
@@ -1,75 +1,76 @@ id: aws_log_metric_filter_vpc title: Ensure a log metric filter and alarm exist for VPC changes +type: control description: You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH filter_data AS ( - SELECT - trail.account_id, - trail.name AS trail_name, - trail.is_logging, - SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, - filter.name AS filter_name, - action_arn AS topic_arn, - alarm.metric_name, - alarm.name AS alarm_name, - subscription.subscription_arn, - filter.filter_pattern - FROM - aws_cloudtrail_trail AS trail, - jsonb_array_elements(trail.event_selectors) AS se, - aws_cloudwatch_log_metric_filter AS filter, - aws_cloudwatch_alarm AS alarm, - jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, - aws_sns_topic_subscription AS subscription - WHERE - trail.is_multi_region_trail IS TRUE - AND trail.is_logging - AND se ->> 'ReadWriteType' = 'All' - AND trail.log_group_arn IS NOT NULL - AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) - AND filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - AND 
alarm.metric_name LIKE filter.metric_transformation_name - AND subscription.topic_arn = action_arn - ) - SELECT - DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN f.trail_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' - ELSE filter_name || ' forwards events for VPC changes.' - END AS reason, - a.account_id - FROM - aws_account AS a - LEFT JOIN filter_data AS f ON a.account_id = f.account_id; + language: sql + primary_resource: aws_account + definition: | + WITH filter_data AS ( + SELECT + trail.account_id, + trail.name AS trail_name, + trail.is_logging, + SPLIT_PART(trail.log_group_arn, ':', 7) AS log_group_name, + filter.name AS filter_name, + action_arn AS topic_arn, + alarm.metric_name, + alarm.name AS alarm_name, + subscription.subscription_arn, + filter.filter_pattern + FROM + aws_cloudtrail_trail AS trail, + jsonb_array_elements(trail.event_selectors) AS se, + aws_cloudwatch_log_metric_filter AS filter, + aws_cloudwatch_alarm AS alarm, + jsonb_array_elements_text(alarm.alarm_actions) AS action_arn, + aws_sns_topic_subscription AS subscription + WHERE + trail.is_multi_region_trail IS TRUE + AND trail.is_logging + AND se ->> 'ReadWriteType' = 'All' + AND trail.log_group_arn IS NOT NULL + AND filter.log_group_name = SPLIT_PART(trail.log_group_arn, ':', 7) + AND filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' + AND alarm.metric_name LIKE filter.metric_transformation_name + AND subscription.topic_arn = action_arn + ) + SELECT + DISTINCT 'arn:' || a.partition || ':::' || a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN f.trail_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN f.trail_name IS NULL THEN 'No log metric filter and alarm exist for VPC changes.' + ELSE filter_name || ' forwards events for VPC changes.' + END AS reason, + a.account_id + FROM + aws_account AS a + LEFT JOIN filter_data AS f ON a.account_id = f.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.14' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.14" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch diff --git a/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml index 640031f72..426891ebb 100644 --- a/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml 
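Review bot: The regex on `filter.filter_pattern` requires the eventName terms in exactly this order joined by `.+`, so a filter that lists the same events in another order is reported as missing, which the control's description does not say. A one-line comment above the predicate, `-- terms must appear in this exact order; a reordered but equivalent filter pattern is reported as alarm`, would make the limitation visible, or test each term independently. The CTE also carries `trail.is_logging`, `subscription.subscription_arn` and `filter.filter_pattern` that the outer query never reads. The same remarks apply to the root-login, route-table, security-group and unauthorized-API hunks.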
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_accessanalyzer_analyzer_mandatory title: Access Analyzer analyzers should have mandatory tags +type: control description: Check if Access Analyzer analyzers have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_accessanalyzer_analyzer - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_accessanalyzer_analyzer - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_accessanalyzer_analyzer + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_accessanalyzer_analyzer + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml index 9d3f1bc9d..11c4789a3 100644 --- a/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml 
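Review bot: The new default `value: ""` for `awsMandatoryTags` is spliced verbatim into `'{{.awsMandatoryTags}}'::text[]`, and an empty string is not a valid Postgres array literal, so with the default in place the control errors instead of producing findings. A valid empty-array default such as `value: "{}"` avoids that, or the runner should reject an unset parameter. Because the value is rendered into the SQL text rather than bound, a value containing a single quote also breaks the statement; validate it as a list of plain tag keys before rendering. The same default and splice appear in the API Gateway, CloudFront and CloudTrail tag hunks below.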
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_api_gateway_stage_mandatory title: API Gateway stages should have mandatory tags +type: control description: Check if API Gateway stages have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_api_gateway_stage - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_api_gateway_stage - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_api_gateway_stage + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_api_gateway_stage + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml index 70f5c419f..61961a336 100644 --- a/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml 
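Review bot: The `analysis` CTE selects `tags` and `_ctx`, which the outer query never reads; drop them or say why they are kept. The jsonb operators are terse for a policy file, so a comment above the `has_mandatory_tags` line such as `-- ?& is true only when every mandatory key is a top-level key of tags; NULL tags yields NULL, which the CASE reports as alarm` would help the next maintainer. The same applies to the Access Analyzer, CloudFront and CloudTrail tag hunks in this commit.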
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_cloudfront_distribution_mandatory title: CloudFront distributions should have mandatory tags +type: control description: Check if CloudFront distributions have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_cloudfront_distribution - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_cloudfront_distribution - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_cloudfront_distribution + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_cloudfront_distribution + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml index e1a17d75f..c92e61d2a 100644 --- a/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml 
@@ -1,50 +1,52 @@ id: aws_mandatory_sql_cloudtrail_trail_mandatory title: CloudTrail trails should have mandatory tags +type: control description: Check if CloudTrail trails have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_cloudtrail_trail - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array( - SELECT jsonb_object_keys(tags) - ) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_cloudtrail_trail - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN - title || ' has all mandatory tags.' - ELSE - title || ' is missing tags: ' || array_to_string(array( - SELECT jsonb_array_elements_text(missing_tags) - ), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_cloudtrail_trail + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - array( + SELECT jsonb_object_keys(tags) + ) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_cloudtrail_trail + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN + title || ' has all mandatory tags.' + ELSE + title || ' is missing tags: ' || array_to_string(array( + SELECT jsonb_array_elements_text(missing_tags) + ), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml index 5ee58d7c0..452dde766 100644 --- a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml 
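Review bot: The status values `'OK'` and `'ALARM'` in this definition differ from the lowercase `'ok'`/`'alarm'` every other control in this chunk emits, and the dms_replication_instance hunk has the same uppercase pair; if the framework compares statuses case-sensitively these two controls would never be counted as passing or failing. Normalising to `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'` keeps the controls consistent. The lowercase `array(` here and in the ec2_application_load_balancer definition, against `ARRAY(` elsewhere, is a harmless but visible style mismatch worth aligning at the same time.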
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_cloudwatch_alarm_mandatory title: CloudWatch alarms should have mandatory tags +type: control description: Check if CloudWatch alarms have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_cloudwatch_alarm - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_cloudwatch_alarm - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_cloudwatch_alarm + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_cloudwatch_alarm + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml index 40d728780..1ca7e1bdd 100644 --- a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_cloudwatch_log_group_mandatory title: CloudWatch log groups should have mandatory tags +type: control description: Check if CloudWatch log groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_cloudwatch_log_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_cloudwatch_log_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_cloudwatch_log_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_cloudwatch_log_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml index f0d93f8e0..2cfe29118 100644 --- a/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_codebuild_project_mandatory title: CodeBuild projects should have mandatory tags +type: control description: Check if CodeBuild projects have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_codebuild_project - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_codebuild_project - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_codebuild_project + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_codebuild_project + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml index b716d09c8..10c87772f 100644 --- a/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_codecommit_repository_mandatory title: CodeCommit repositories should have mandatory tags +type: control description: Check if CodeCommit repositories have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_codecommit_repository - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_codecommit_repository - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_codecommit_repository + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_codecommit_repository + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml index 57d332393..6f94872f7 100644 --- a/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml 
@@ -1,46 +1,48 @@ id: aws_mandatory_sql_codepipeline_pipeline_mandatory title: CodePipeline pipelines should have mandatory tags +type: control description: Check if CodePipeline pipelines have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_codepipeline_pipeline - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_codepipeline_pipeline - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags - THEN title || ' has all mandatory tags.' - ELSE - title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_codepipeline_pipeline + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_codepipeline_pipeline + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags + THEN title || ' has all mandatory tags.' + ELSE + title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml index 41a10bfef..abb645fc7 100644 --- a/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_config_rule_mandatory title: Config rules should have mandatory tags +type: control description: Check if Config rules have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_config_rule - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_config_rule - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_config_rule + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_config_rule + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml index da45c4463..09a6ae4da 100644 --- a/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_dax_cluster_mandatory title: DAX clusters should have mandatory tags +type: control description: Check if DAX clusters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_dax_cluster - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_dax_cluster - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_dax_cluster + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_dax_cluster + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml index a1f3eb544..0f0a097ea 100644 --- a/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_directory_service_directory_mandatory title: Directory Service directories should have mandatory tags +type: control description: Check if Directory Service directories have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_directory_service_directory - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_directory_service_directory - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_directory_service_directory + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_directory_service_directory + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml index 74e28ff40..069f6d85f 100644 --- a/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_dms_replication_instance_mandatory title: DMS replication instances should have mandatory tags +type: control description: Check if Dms replication instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_dms_replication_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_dms_replication_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_dms_replication_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_dms_replication_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml index c332e3ce4..84a563f26 100644 --- a/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_dynamodb_table_mandatory title: DynamoDB tables should have mandatory tags +type: control description: Check if DynamoDB tables have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_dynamodb_table - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_dynamodb_table + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml index 5181aac49..7c90b8764 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ebs_snapshot_mandatory title: EBS snapshots should have mandatory tags +type: control description: Check if EBS snapshots have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ebs_snapshot - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ebs_snapshot + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml index 27815834e..2d517ce04 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ebs_volume_mandatory title: EBS volumes should have mandatory tags +type: control description: Check if EBS volumes have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ebs_volume - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ebs_volume + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml index 197d2f2bd..d0e1438c4 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ec2_application_load_balancer_mandatory title: EC2 application load balancers should have mandatory tags +type: control description: Check if EC2 application load balancers have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_application_load_balancer - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_application_load_balancer + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml index 55a611e08..f65fec229 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ec2_classic_load_balancer_mandatory title: EC2 classic load balancers should have mandatory tags +type: control description: Check if EC2 classic load balancers have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_classic_load_balancer - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_classic_load_balancer + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml index e990a6337..aaf6f502c 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ec2_gateway_load_balancer_mandatory title: EC2 gateway load balancers should have mandatory tags +type: control description: Check if EC2 gateway load balancers have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_gateway_load_balancer - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_gateway_load_balancer - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_gateway_load_balancer + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_gateway_load_balancer + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml index b02293f97..0cca699d1 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml 
@@ -1,45 +1,47 @@ id: aws_mandatory_sql_ec2_instance_mandatory title: EC2 instances should have mandatory tags +type: control description: Check if EC2 instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags - THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags + THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml index ffeca01ee..3ae697a58 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ec2_network_load_balancer_mandatory title: EC2 network load balancers should have mandatory tags +type: control description: Check if EC2 network load balancers have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_network_load_balancer - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_network_load_balancer - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_network_load_balancer + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_network_load_balancer + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml index c9be068ef..a93214d36 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ec2_reserved_instance_mandatory title: EC2 reserved instances should have mandatory tags +type: control description: Check if EC2 reserved instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ec2_reserved_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ec2_reserved_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ec2_reserved_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ec2_reserved_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml index 52a8dcad7..5c5faa46b 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ecr_repository_mandatory title: ECR repositories should have mandatory tags +type: control description: Check if ECR repositories have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ecr_repository - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ecr_repository + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ecr_repository + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml index 68d4950df..21b4f444f 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml 
@@ -1,50 +1,52 @@ id: aws_mandatory_sql_ecs_container_instance_mandatory title: ECS container instances should have mandatory tags +type: control description: Check if ECS container instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ecs_container_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY( - SELECT jsonb_object_keys(tags) - ) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ecs_container_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( - ARRAY( - SELECT jsonb_array_elements_text(missing_tags) - ), ', ' - ) || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ecs_container_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY( + SELECT jsonb_object_keys(tags) + ) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ecs_container_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( + ARRAY( + SELECT jsonb_array_elements_text(missing_tags) + ), ', ' + ) || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml index 58a957f00..81d08f324 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ecs_service_mandatory title: ECS services should have mandatory tags +type: control description: Check if ECS services have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ecs_service - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ecs_service - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ecs_service + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ecs_service + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml index 4155a3f73..665e6ddf4 100644 --- a/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_efs_file_system_mandatory title: EFS file systems should have mandatory tags +type: control description: Check if EFS file systems have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_efs_file_system - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_efs_file_system + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
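Review bot: The status CASE in the efs_file_system definition emits `'OK'` and `'ALARM'`, while every sibling control rewritten in this change (ebs_volume, ecr_repository, eks_addon, and the rest) emits lowercase `'ok'`/`'alarm'`; if the consumer of the `status` column compares strings case-sensitively, this control's findings would presumably never be counted as alarms. Since the commit already rewrites the whole definition block, normalise it here: `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`.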
diff --git a/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml index b96d59fb7..f72fb5a1e 100644 --- a/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_eks_addon_mandatory title: EKS addons should have mandatory tags +type: control description: Check if EKS addons have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_eks_addon - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_eks_addon - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_eks_addon + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_eks_addon + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml index 42e536680..a98b1e55e 100644 --- a/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_eks_cluster_mandatory title: EKS clusters should have mandatory tags +type: control description: Check if EKS clusters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_eks_cluster - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_eks_cluster + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml index fe3167e48..d5ac4e2a6 100644 --- a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_elastic_beanstalk_application_mandatory title: Elastic beanstalk applications should have mandatory tags +type: control description: Check if Elastic beanstalk applications have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_elastic_beanstalk_application - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_elastic_beanstalk_application - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_elastic_beanstalk_application + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_elastic_beanstalk_application + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml index e3ca11245..95d0371a7 100644 --- a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_elastic_beanstalk_environment_mandatory title: Elastic beanstalk environments should have mandatory tags +type: control description: Check if Elastic beanstalk environments have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_elastic_beanstalk_environment - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_elastic_beanstalk_environment - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_elastic_beanstalk_environment + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_elastic_beanstalk_environment + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml index 2e7c2ac8a..67395cf61 100644 --- a/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_elasticache_cluster_mandatory title: ElastiCache clusters should have mandatory tags +type: control description: Check if ElastiCache clusters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_elasticache_cluster - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_elasticache_cluster - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_elasticache_cluster + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_elasticache_cluster + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml index b411a54d7..fcc792885 100644 --- a/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml 
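Review bot: The SQL in this hunk spells the array constructor as `array(` in both `array(SELECT jsonb_object_keys(tags))` and `array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ')`, while the sibling controls in this series write `ARRAY(`; the eventbridge_rule, iam_user and rds_db_cluster_parameter_group hunks go the other way with upper-case `TO_JSONB` and `ARRAY_TO_STRING` beside lower-case `jsonb_object_keys`/`jsonb_array_elements_text`. Since the re-indent already rewrites every line of these definitions, this is the moment to settle on one casing across the series, and the majority form `ARRAY(...)`, `to_jsonb(...)`, `array_to_string(...)` is the natural choice. The `tags` and `_ctx` columns carried through the `analysis` CTE are never read by the outer SELECT in any of these files and could be dropped at the same time.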
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_elasticsearch_domain_mandatory title: ElasticSearch domains should have mandatory tags +type: control description: Check if ElasticSearch domains have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_elasticsearch_domain - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_elasticsearch_domain - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_elasticsearch_domain + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_elasticsearch_domain + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml index 4c32598f3..832c442cf 100644 --- a/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_eventbridge_rule_mandatory title: EventBridge rules should have mandatory tags +type: control description: Check if EventBridge rules have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_eventbridge_rule - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_eventbridge_rule - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_eventbridge_rule + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_eventbridge_rule + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml index b24ea1853..0aa40cace 100644 --- a/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_guardduty_detector_mandatory title: GuardDuty detectors should have mandatory tags +type: control description: Check if GuardDuty detectors have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_guardduty_detector - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_guardduty_detector - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_guardduty_detector + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_guardduty_detector + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml index 6383c2fc7..0044c6a03 100644 --- a/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml 
@@ -1,44 +1,46 @@
 id: aws_mandatory_sql_iam_role_mandatory
 title: IAM roles should have mandatory tags
+type: control
 description: Check if IAM roles have mandatory tags.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsMandatoryTags
+- key: awsMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: aws_iam_role
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- region,
- account_id,
- tags,
- _ctx
- FROM
- aws_iam_role
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- arn AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- region,
- account_id
- FROM
- analysis;
+ language: sql
+ primary_resource: aws_iam_role
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ arn,
+ title,
+ tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ region,
+ account_id,
+ tags,
+ _ctx
+ FROM
+ aws_iam_role
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ arn AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml index 042fed70c..d3530cade 100644 --- a/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml 
@@ -1,50 +1,52 @@
 id: aws_mandatory_sql_iam_server_certificate_mandatory
 title: IAM server certificates should have mandatory tags
+type: control
 description: Check if IAM server certificates have mandatory tags.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsMandatoryTags
+- key: awsMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: aws_iam_server_certificate
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(
- SELECT jsonb_object_keys(tags)
- ) AS missing_tags,
- region,
- account_id,
- tags,
- _ctx
- FROM
- aws_iam_server_certificate
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- arn AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(
- ARRAY(
- SELECT jsonb_array_elements_text(missing_tags)
- ), ', '
- ) || '.'
- END AS reason,
- region,
- account_id
- FROM
- analysis;
+ language: sql
+ primary_resource: aws_iam_server_certificate
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ arn,
+ title,
+ tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(
+ SELECT jsonb_object_keys(tags)
+ ) AS missing_tags,
+ region,
+ account_id,
+ tags,
+ _ctx
+ FROM
+ aws_iam_server_certificate
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ arn AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(
+ ARRAY(
+ SELECT jsonb_array_elements_text(missing_tags)
+ ), ', '
+ ) || '.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml
index bd6aa38c0..a5536208b 100644
--- a/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_iam_user_mandatory title: IAM users should have mandatory tags +type: control description: Check if IAM users have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_iam_user - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_iam_user + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_iam_user + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml index 2e8c0f90e..e8e95af4c 100644 --- a/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_inspector_assessment_template_mandatory title: Inspector assessment templates should have mandatory tags +type: control description: Check if Inspector assessment templates have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_inspector_assessment_template - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_inspector_assessment_template - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_inspector_assessment_template + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_inspector_assessment_template + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml index 6040259f9..04d12c9e1 100644 --- a/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory title: Kinesis firehose delivery streams should have mandatory tags +type: control description: Check if Kinesis firehose delivery streams have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_kinesis_firehose_delivery_stream - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_kinesis_firehose_delivery_stream - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_kinesis_firehose_delivery_stream + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_kinesis_firehose_delivery_stream + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml index dfb523189..7f377ca75 100644 --- a/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_kms_key_mandatory title: KMS keys should have mandatory tags +type: control description: Check if KMS keys have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_kms_key - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_kms_key - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_kms_key + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_kms_key + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml index 3254e382f..a384d3a2e 100644 --- a/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_lambda_function_mandatory title: Lambda functions should have mandatory tags +type: control description: Check if Lambda functions have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_lambda_function - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_lambda_function - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_lambda_function + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_lambda_function + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml index 71ad23b31..9f15390ba 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_cluster_mandatory title: RDS DB clusters should have mandatory tags +type: control description: Check if RDS DB clusters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_cluster - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_cluster + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml index 6ea441957..1fe4fa4a8 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory title: RDS DB cluster parameter groups should have mandatory tags +type: control description: Check if RDS DB cluster parameter groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_cluster_parameter_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_cluster_parameter_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_cluster_parameter_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_cluster_parameter_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml index e83b4a629..0de00eb73 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_cluster_snapshot_mandatory title: RDS DB cluster snapshots should have mandatory tags +type: control description: Check if RDS DB cluster snapshots have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_cluster_snapshot - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_cluster_snapshot - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_cluster_snapshot + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_cluster_snapshot + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml index 187e071f5..cfca4555f 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_instance_mandatory title: RDS DB instances should have mandatory tags +type: control description: Check if RDS DB instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml index 8c07d0ef7..36d028cca 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_option_group_mandatory title: RDS DB option groups should have mandatory tags +type: control description: Check if RDS DB option groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_option_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_option_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_option_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_option_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml index fc87ed4b8..3df9f6874 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_parameter_group_mandatory title: RDS DB parameter groups should have mandatory tags +type: control description: Check if RDS DB parameter groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_parameter_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_parameter_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_parameter_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_parameter_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml index b4e119aec..1d56cd31b 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml 
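Review bot: The status CASE in this hunk emits `'OK'` and `'ALARM'` in upper case, while every sibling control in this diff emits lowercase `'ok'` and `'alarm'`; if the consumer matches status values case-sensitively, results for RDS DB parameter groups would presumably land in no bucket at all. Since the commit is already rewriting these lines, aligning them is cheap: `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`.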
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_snapshot_mandatory title: RDS DB snapshots should have mandatory tags +type: control description: Check if RDS DB snapshots have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_snapshot - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_snapshot - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_snapshot + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_snapshot + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml index e9c8add7f..790e7b812 100644 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_rds_db_subnet_group_mandatory title: RDS DB subnet groups should have mandatory tags +type: control description: Check if RDS DB subnet groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_rds_db_subnet_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_rds_db_subnet_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_rds_db_subnet_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_rds_db_subnet_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml index b365827d8..f79571962 100644 --- a/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_redshift_cluster_mandatory title: Redshift clusters should have mandatory tags +type: control description: Check if Redshift clusters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_redshift_cluster - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_redshift_cluster + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_redshift_cluster + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml index 323437277..346769565 100644 --- a/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml 
@@ -1,48 +1,50 @@ id: aws_mandatory_sql_route53_domain_mandatory title: Route53 domains should have mandatory tags +type: control description: Check if Route53 domains have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_route53_domain - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY( - SELECT jsonb_object_keys(tags) - ) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_route53_domain - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( - ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ' - ) || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_route53_domain + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY( + SELECT jsonb_object_keys(tags) + ) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_route53_domain + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( + ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ' + ) || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml index 2c70c10bd..3b038a984 100644 --- a/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_route53_resolver_endpoint_mandatory title: Route 53 Resolver endpoints should have mandatory tags +type: control description: Check if Route 53 Resolver endpoints have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_route53_resolver_endpoint - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_route53_resolver_endpoint - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_route53_resolver_endpoint + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_route53_resolver_endpoint + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml index 39df4490b..080463ae0 100644 --- a/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml 
@@ -1,45 +1,47 @@ id: aws_mandatory_sql_s3_bucket_mandatory title: S3 buckets should have mandatory tags +type: control description: Check if S3 buckets have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_s3_bucket - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string( - ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_s3_bucket + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string( + ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml index 707d69ab3..67da31511 100644 --- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory title: SageMaker endpoint configurations should have mandatory tags +type: control description: Check if SageMaker endpoint configurations have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_sagemaker_endpoint_configuration - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_sagemaker_endpoint_configuration - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_sagemaker_endpoint_configuration + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_sagemaker_endpoint_configuration + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml index 22a47e543..12c765b23 100644 --- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_sagemaker_model_mandatory title: SageMaker models should have mandatory tags +type: control description: Check if SageMaker models have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_sagemaker_model - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_sagemaker_model - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_sagemaker_model + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_sagemaker_model + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml index f0e7de492..fa47c9b8d 100644 --- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_sagemaker_notebook_instance_mandatory title: SageMaker notebook instances should have mandatory tags +type: control description: Check if SageMaker notebook instances have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_sagemaker_notebook_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_sagemaker_notebook_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml index cabedc8ad..01b4f6430 100644 --- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml 
@@ -1,49 +1,51 @@ id: aws_mandatory_sql_sagemaker_training_job_mandatory title: SageMaker training jobs should have mandatory tags +type: control description: Check if SageMaker training jobs have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_sagemaker_training_job - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY( - SELECT jsonb_object_keys(tags) - ) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_sagemaker_training_job - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( - ARRAY( - SELECT jsonb_array_elements_text(missing_tags) - ), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_sagemaker_training_job + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY( + SELECT jsonb_object_keys(tags) + ) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_sagemaker_training_job + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING( + ARRAY( + SELECT jsonb_array_elements_text(missing_tags) + ), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml index 19f9cbd75..c0858b3a9 100644 --- a/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_secretsmanager_secret_mandatory title: Secrets Manager secrets should have mandatory tags +type: control description: Check if Secrets Manager secrets have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_secretsmanager_secret - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_secretsmanager_secret + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(array(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml index 4f8c66e3d..d758531bc 100644 --- a/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_ssm_parameter_mandatory title: SSM parameters should have mandatory tags +type: control description: Check if SSM parameters have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_ssm_parameter - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_ssm_parameter - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_ssm_parameter + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_ssm_parameter + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml index 455aca5fa..0f2f84fe9 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_eip_mandatory title: VPC elastic IP addresses should have mandatory tags +type: control description: Check if VPC elastic IP addresses have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc_eip - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc_eip - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc_eip + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc_eip + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml index b6f58834a..276deb4f4 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_mandatory title: VPCs should have mandatory tags +type: control description: Check if VPCs have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml index af22f9bb5..51f39476d 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_nat_gateway_mandatory title: VPC NAT gateways should have mandatory tags +type: control description: Check if VPC NAT gateways have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc_nat_gateway - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc_nat_gateway - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc_nat_gateway + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc_nat_gateway + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml index aeb5b1975..4622f7d6c 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_network_acl_mandatory title: VPC network ACLs should have mandatory tags +type: control description: Check if VPC network ACLs have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc_network_acl - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc_network_acl + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc_network_acl + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml index bbb3f8a15..bb099922a 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_security_group_mandatory title: VPC security groups should have mandatory tags +type: control description: Check if VPC security groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc_security_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc_security_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml index 8bd3ea8fb..60caf9bf5 100644 --- a/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_vpc_vpn_connection_mandatory title: VPC VPN connections should have mandatory tags +type: control description: Check if VPC VPN connections have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_vpc_vpn_connection - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_vpc_vpn_connection - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_vpc_vpn_connection + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_vpc_vpn_connection + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml index 6b0a99d8e..a9f829f77 100644 --- a/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml 
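Review bot: The vpn_connection definition still emits `'OK'` / `'ALARM'` as status while every other control in this range emits lowercase `'ok'` / `'alarm'`; if the consumer compares status values case-sensitively, this control's findings would be misclassified, and a reindent that touches every line of the file was the natural place to align it. Change the two branches to `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`. Whether the downstream evaluator normalizes case is not visible here.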
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_wafv2_ip_set_mandatory title: WAFV2 ip sets should have mandatory tags +type: control description: Check if WAFV2 ip sets have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_wafv2_ip_set - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.awsMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_wafv2_ip_set - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_wafv2_ip_set + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.awsMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_wafv2_ip_set + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml index e51b74b35..fc01e4434 100644 --- a/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml 
@@ -1,45 +1,47 @@ id: aws_mandatory_sql_wafv2_regex_pattern_set_mandatory title: WAFV2 regex pattern sets should have mandatory tags +type: control description: Check if WAFV2 regex pattern sets have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_wafv2_regex_pattern_set - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_wafv2_regex_pattern_set - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string( - ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_wafv2_regex_pattern_set + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_wafv2_regex_pattern_set + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string( + ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml index d8e48e4e2..dfc0ad795 100644 --- a/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_wafv2_rule_group_mandatory title: WAFV2 rule groups should have mandatory tags +type: control description: Check if WAFV2 rule groups have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_wafv2_rule_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_wafv2_rule_group - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_wafv2_rule_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_wafv2_rule_group + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml index 0e9544047..2c49c0fc5 100644 --- a/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml 
@@ -1,44 +1,46 @@ id: aws_mandatory_sql_wafv2_web_acl_mandatory title: WAFV2 web acls should have mandatory tags +type: control description: Check if WAFV2 web acls have mandatory tags. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsMandatoryTags +- key: awsMandatoryTags + value: "" policy: - language: sql - primary_resource: aws_wafv2_web_acl - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - region, - account_id, - tags, - _ctx - FROM - aws_wafv2_web_acl - ) - SELECT - platform_integration_id, - platform_resource_id, - arn AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - region, - account_id - FROM - analysis; + language: sql + primary_resource: aws_wafv2_web_acl + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + arn, + title, + tags ?& '{{.awsMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.awsMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + region, + account_id, + tags, + _ctx + FROM + aws_wafv2_web_acl + ) + SELECT + platform_integration_id, + platform_resource_id, + arn AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + region, + account_id + FROM + analysis; severity: high tags: {} 
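Review bot: The added default `value: ""` renders `'{{.awsMandatoryTags}}'::text[]` as `''::text[]`, which PostgreSQL rejects as a malformed array literal, so this control errors instead of evaluating until a real value is set. Because the parameter is interpolated unescaped into a single-quoted literal, a value containing `'` breaks the statement (or, if the parameter can be untrusted, alters it); validate it as a quote-free array literal such as `{Owner,CostCenter}` at the point parameters are accepted and document that form beside the key. An empty-array default `"{}"` would parse but makes `?&` vacuously true, passing every web ACL, so leaving the value mandatory is preferable. `tags` and `_ctx` are carried through the CTE without being used.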
diff --git a/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml b/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml index dfefed525..8ceaf04a1 100644 --- a/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml @@ -1,26 +1,27 @@ id: aws_mq_broker_restrict_public_access title: MQ brokers should restrict public access +type: control description: Ensure whether MQ broker is not publicly accessible. The rule is compliant if the MQ broker is publicly accessible. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_mq_broker - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason - FROM - aws_mq_broker; + language: sql + primary_resource: aws_mq_broker + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason + FROM + aws_mq_broker; severity: low tags: {} diff --git a/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml b/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml index 944d6e724..5859a6ec0 100644 --- a/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml +++ b/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml 
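Review bot: The description on the new side contradicts the query: it reads `The rule is compliant if the MQ broker is publicly accessible.`, while the SQL returns `'alarm'` exactly when `publicly_accessible` is true. Replace it with `The control fails if the MQ broker is publicly accessible.` so the rendered finding text matches the logic. The `CASE` also fails open for a NULL `publicly_accessible` (the `ELSE` branch yields `ok`); if that column can be unset, `WHEN NOT publicly_accessible THEN 'ok' ELSE 'alarm'` reports the unknown state as an alarm instead.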
@@ -1,26 +1,27 @@ id: aws_msk_cluster_encryption_in_transit_with_tls_enabled title: MSK clusters should be encrypted in transit among broker nodes +type: control description: This controls checks if an Amazon MSK cluster is encrypted in transit with HTTPS (TLS) among the broker nodes of the cluster. The control fails if plain text communication is enabled for a cluster broker node connection. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_msk_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN title || ' encryption in transit enabled with TLS.' - ELSE title || ' encryption in transit enabled with plaintext.' - END AS reason - FROM - aws_msk_cluster; + language: sql + primary_resource: aws_msk_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' THEN title || ' encryption in transit enabled with TLS.' + ELSE title || ' encryption in transit enabled with plaintext.' + END AS reason + FROM + aws_msk_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml index f0edd9659..9dde92bd5 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml 
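Review bot: The predicate only reads `EncryptionInTransit ->> 'ClientBroker'`, which governs client-to-broker traffic, while the title and description promise a check of encryption among the broker nodes; if the stored JSON mirrors the MSK API, broker-to-broker encryption is the separate boolean `InCluster`, which this query never inspects. Either also require `(provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'InCluster')::boolean` in the `ok` branch, or retitle the control to what it actually tests. A cluster with no `provisioned` block (the JSON path yields NULL) is currently reported as `encryption in transit enabled with plaintext`, which asserts more than was observed; a dedicated reason for the missing field would be more honest.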
+++ b/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml @@ -1,27 +1,28 @@ id: aws_neptune_db_cluster_audit_logging_enabled title: Neptune DB clusters should publish audit logs to CloudWatch Logs +type: control description: This control checks whether a Neptune DB cluster publishes audit logs to AWS CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - engine, - CASE - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + engine, + CASE + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml index 3fc893740..2b1613a1e 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_automated_backup_enabled title: Neptune DB clusters should have automated backups enabled +type: control description: This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to 7 days. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN backup_retention_period >= 7 THEN title || ' automated backups enabled.' - ELSE title || ' automated backups disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN backup_retention_period >= 7 THEN title || ' automated backups enabled.' + ELSE title || ' automated backups disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml index 9c32c8601..de443358c 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml 
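Review bot: The failure reason is misleading for a cluster whose retention is between 1 and 6 days: the `ELSE` branch prints `automated backups disabled` although backups are on and only the retention falls below the 7-day threshold the description names. Suggest `ELSE title || ' automated backups retention period is ' || COALESCE(backup_retention_period::text, 'unset') || ' days (less than 7).'`, where the `COALESCE` keeps the reason non-NULL when the column is unset. The hard-coded `7` also cannot be tuned per deployment; the `parameters:` mechanism used by the mandatory-tag controls in this commit could carry it.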
@@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_copy_tags_to_snapshot_enabled title: Neptune DB clusters should be configured to copy tags to snapshots +type: control description: This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune DB cluster isn't configured to copy tags to snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN copy_tags_to_snapshot THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' - ELSE title || ' copy tags to snapshot disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN copy_tags_to_snapshot THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' + ELSE title || ' copy tags to snapshot disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml index e0e623e91..5ef2a78db 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_deletion_protection_enabled title: Neptune DB clusters should have deletion protection enabled +type: control description: This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion protection enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml index 7288030a9..04eff9d84 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_encryption_at_rest_enabled title: Neptune DB clusters should be encrypted at rest +type: control description: This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml index 8d7c1dfd5..82edac0e8 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_iam_authentication_enabled title: Neptune DB clusters should have IAM database authentication enabled +type: control description: This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_database_authentication_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' - ELSE title || ' IAM authentication disabled.' - END AS reason - FROM - aws_neptune_db_cluster; + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_database_authentication_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' + ELSE title || ' IAM authentication disabled.' + END AS reason + FROM + aws_neptune_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml b/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml index b5a729e83..a92a12412 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml 
@@ -1,77 +1,78 @@ id: aws_neptune_db_cluster_no_public_subnet title: Neptune DB clusters should not use public_subnet +type: control description: This control checks if Neptune DB clusters are configured with public subnet as there is a risk of exposing sensitive data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster - definition: | - WITH subnets_with_explicit_route AS ( - SELECT DISTINCT (a ->> 'SubnetId') AS all_sub - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a - WHERE a ->> 'SubnetId' IS NOT NULL - ), - public_subnets_with_explicit_route AS ( - SELECT DISTINCT a ->> 'SubnetId' AS SubnetId - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND ( - r ->> 'GatewayId' LIKE 'igw-%' - OR r ->> 'NatGatewayId' LIKE 'nat-%' - ) - AND a ->> 'SubnetId' IS NOT NULL - ), - public_subnets_with_implicit_route AS ( - SELECT DISTINCT route_table_id, - vpc_id, - region - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE a ->> 'Main' = 'true' - AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND ( - r ->> 'GatewayId' LIKE 'igw-%' - OR r ->> 'NatGatewayId' LIKE 'nat-%' - ) - ), - subnet_accessibility AS ( - SELECT subnet_id, - vpc_id, - CASE - WHEN s.subnet_id IN (SELECT all_sub FROM subnets_with_explicit_route WHERE all_sub NOT IN (SELECT SubnetId FROM public_subnets_with_explicit_route)) THEN 'private' - WHEN p.SubnetId IS NOT NULL - OR s.vpc_id IN (SELECT vpc_id FROM public_subnets_with_implicit_route) THEN 'public' - ELSE 'private' - END AS access - FROM aws_vpc_subnet AS s - LEFT JOIN public_subnets_with_explicit_route AS p ON p.SubnetId = s.subnet_id - ), - cluster_public_subnet AS ( - SELECT DISTINCT arn, - name AS subnet_group_name - FROM aws_rds_db_subnet_group, - 
jsonb_array_elements(subnets) AS s - LEFT JOIN subnet_accessibility AS a ON a.subnet_id = s ->> 'SubnetIdentifier' - WHERE a.access = 'public' + language: sql + primary_resource: aws_neptune_db_cluster + definition: | + WITH subnets_with_explicit_route AS ( + SELECT DISTINCT (a ->> 'SubnetId') AS all_sub + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a + WHERE a ->> 'SubnetId' IS NOT NULL + ), + public_subnets_with_explicit_route AS ( + SELECT DISTINCT a ->> 'SubnetId' AS SubnetId + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND ( + r ->> 'GatewayId' LIKE 'igw-%' + OR r ->> 'NatGatewayId' LIKE 'nat-%' ) - SELECT c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN s.subnet_group_name IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.subnet_group_name IS NOT NULL THEN c.title || ' has public subnet.' - ELSE c.title || ' has private subnet.' 
- END AS reason - FROM aws_neptune_db_cluster AS c - LEFT JOIN cluster_public_subnet AS s ON s.subnet_group_name = c.db_subnet_group; + AND a ->> 'SubnetId' IS NOT NULL + ), + public_subnets_with_implicit_route AS ( + SELECT DISTINCT route_table_id, + vpc_id, + region + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE a ->> 'Main' = 'true' + AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND ( + r ->> 'GatewayId' LIKE 'igw-%' + OR r ->> 'NatGatewayId' LIKE 'nat-%' + ) + ), + subnet_accessibility AS ( + SELECT subnet_id, + vpc_id, + CASE + WHEN s.subnet_id IN (SELECT all_sub FROM subnets_with_explicit_route WHERE all_sub NOT IN (SELECT SubnetId FROM public_subnets_with_explicit_route)) THEN 'private' + WHEN p.SubnetId IS NOT NULL + OR s.vpc_id IN (SELECT vpc_id FROM public_subnets_with_implicit_route) THEN 'public' + ELSE 'private' + END AS access + FROM aws_vpc_subnet AS s + LEFT JOIN public_subnets_with_explicit_route AS p ON p.SubnetId = s.subnet_id + ), + cluster_public_subnet AS ( + SELECT DISTINCT arn, + name AS subnet_group_name + FROM aws_rds_db_subnet_group, + jsonb_array_elements(subnets) AS s + LEFT JOIN subnet_accessibility AS a ON a.subnet_id = s ->> 'SubnetIdentifier' + WHERE a.access = 'public' + ) + SELECT c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN s.subnet_group_name IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.subnet_group_name IS NOT NULL THEN c.title || ' has public subnet.' + ELSE c.title || ' has private subnet.' + END AS reason + FROM aws_neptune_db_cluster AS c + LEFT JOIN cluster_public_subnet AS s ON s.subnet_group_name = c.db_subnet_group; severity: low tags: {} 
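Review bot: Both `public_subnets_with_explicit_route` and `public_subnets_with_implicit_route` treat a default route to a NAT gateway (`OR r ->> 'NatGatewayId' LIKE 'nat-%'`) as making a subnet public, but a NAT route is the defining trait of a private subnet with egress: it offers no inbound path from the internet. As written the control raises `has public subnet` for the standard private-subnet layout; drop the two `OR r ->> 'NatGatewayId' LIKE 'nat-%'` conditions so only an internet-gateway (`igw-`) route counts. Separately, `cluster_public_subnet` is joined to the cluster on `subnet_group_name` alone, with no `account_id`/`region` qualifier, so two accounts or regions using the same subnet-group name would inherit each other's findings; worth confirming against the data model. The `'0.0.0.0/0'` match also ignores an IPv6 `::/0` default route.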
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml index cec096f17..66976c892 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml @@ -1,26 +1,27 @@ id: aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled title: Neptune DB cluster snapshots should be encrypted at rest +type: control description: This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster_snapshot - definition: | - SELECT - db_cluster_snapshot_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_neptune_db_cluster_snapshot; + language: sql + primary_resource: aws_neptune_db_cluster_snapshot + definition: | + SELECT + db_cluster_snapshot_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_neptune_db_cluster_snapshot; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml index 95df16096..b4163c420 100644 --- a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml 
@@ -1,27 +1,28 @@ id: aws_neptune_db_cluster_snapshot_prohibit_public_access title: Neptune DB cluster snapshots should not be public +type: control description: This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_neptune_db_cluster_snapshot - definition: | - SELECT - db_cluster_snapshot_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END reason - FROM - aws_neptune_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot; + language: sql + primary_resource: aws_neptune_db_cluster_snapshot + definition: | + SELECT + db_cluster_snapshot_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END reason + FROM + aws_neptune_db_cluster_snapshot, + jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot; severity: low tags: {} diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml index b6c1b43a1..6f4b73498 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml 
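Review bot: The `jsonb_array_elements(db_cluster_snapshot_attributes)` cross join in `FROM` emits one result row per attribute entry and zero rows for a snapshot whose attribute list is empty or NULL, so such snapshots disappear from the report instead of being evaluated. The equality `-> 'AttributeValues' = '["all"]'` also misses a snapshot shared with `all` plus specific account IDs (`["all","111122223333"]`), which is still public; testing membership with `? 'all'` catches it. Moving the test into an `EXISTS` keeps exactly one row per snapshot; if the stored attributes mirror the API, restricting to the `restore` attribute name would also be appropriate, but that key is not visible here.

```yaml
  definition: |
    SELECT
      db_cluster_snapshot_arn AS resource,
      platform_integration_id AS platform_integration_id,
      platform_resource_id AS platform_resource_id,
      CASE
        WHEN EXISTS (
          SELECT 1
          FROM jsonb_array_elements(db_cluster_snapshot_attributes) AS a
          WHERE a -> 'AttributeValues' ? 'all'
        ) THEN 'alarm'
        ELSE 'ok'
      END status,
      -- ... unchanged: reason CASE, rewritten with the same EXISTS predicate ...
    FROM
      aws_neptune_db_cluster_snapshot;
```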
+++ b/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml @@ -1,26 +1,27 @@ id: aws_networkfirewall_firewall_deletion_protection_enabled title: Network Firewall firewalls should have deletion protection enabled +type: control description: This control checks whether an AWS Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enabled for a firewall. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN delete_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN delete_protection THEN title || ' delete protection enabled.' - ELSE title || ' delete protection disabled.' - END AS reason - FROM - aws_networkfirewall_firewall; + language: sql + primary_resource: aws_networkfirewall_firewall + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN delete_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN delete_protection THEN title || ' delete protection enabled.' + ELSE title || ' delete protection disabled.' + END AS reason + FROM + aws_networkfirewall_firewall; severity: low tags: {} diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml index 6a72de44d..d7878fcf1 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml 
@@ -1,26 +1,27 @@ id: aws_networkfirewall_firewall_in_vpc title: Networkfirewall firewall should be in a VPC +type: control description: Deploy AWS Networkfirewall firewall within an AWS Virtual Private Cloud (AWS VPC) for a secure communication between a function and other services within the AWS VPC. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' - ELSE title || ' is in VPC ' || vpc_id || '.' - END AS reason - FROM - aws_networkfirewall_firewall; + language: sql + primary_resource: aws_networkfirewall_firewall + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id IS NULL OR vpc_id = '' THEN title || ' is not in VPC.' + ELSE title || ' is in VPC ' || vpc_id || '.' + END AS reason + FROM + aws_networkfirewall_firewall; severity: low tags: {} diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml index 2700cd5d8..455947f01 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_networkfirewall_firewall_logging_enabled title: Network Firewall logging should be enabled +type: control description: This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(logging_configuration) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(logging_configuration) > 0 THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason - FROM - aws_networkfirewall_firewall; + language: sql + primary_resource: aws_networkfirewall_firewall + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(logging_configuration) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(logging_configuration) > 0 THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason + FROM + aws_networkfirewall_firewall; severity: low tags: {} diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml index 4bab193e2..d21d8723c 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml 
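Review bot: The description promises a failure when `the logging destination doesn't exist`, but the predicate `jsonb_array_length(logging_configuration) > 0` only counts configured entries and never looks at a destination, so the text overstates what the control verifies. Either trim it to `The control fails if no log destination is configured for the firewall.` or extend the predicate to inspect the destination fields. If `logging_configuration` can be stored as an object rather than an array, `jsonb_array_length` raises an error instead of yielding a status; guarding with `jsonb_typeof(logging_configuration) = 'array' AND jsonb_array_length(logging_configuration) > 0` avoids that.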
@@ -1,42 +1,43 @@ id: aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets title: The default stateless action for Network Firewall policies should be drop or forward for fragmented packets +type: control description: This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for fragmented packets.' - ELSE title || ' stateless action is either drop or forward for fragmented packets.' - END AS reason, - region, - account_id - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 
'aws:drop' + AND NOT (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') THEN title || ' stateless action is neither drop nor forward for fragmented packets.' + ELSE title || ' stateless action is either drop or forward for fragmented packets.' + END AS reason, + region, + account_id + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - networkfirewall_5 - plugin: - - aws - service: - - AWS/NetworkFirewall + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - networkfirewall_5 + plugin: + - aws + service: + - AWS/NetworkFirewall diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml index 9b023715f..a79e44b13 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml 
@@ -1,44 +1,45 @@ id: aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets title: The default stateless action for Network Firewall policies should be drop or forward for full packets +type: control description: A firewall policy defines how your firewall monitors and handles traffic in AWS VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') - THEN title || ' stateless action is neither drop nor forward for full packets.' - ELSE title || ' stateless action is either drop or forward for full packets.' - END AS reason, - region, - account_id - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (NOT (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' + AND NOT (firewall_policy -> 'StatelessDefaultActions') ? 
'aws:forward_to_sfe') + THEN title || ' stateless action is neither drop nor forward for full packets.' + ELSE title || ' stateless action is either drop or forward for full packets.' + END AS reason, + region, + account_id + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - networkfirewall_4 - plugin: - - aws - service: - - AWS/NetworkFirewall + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - networkfirewall_4 + plugin: + - aws + service: + - AWS/NetworkFirewall diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml index 20ed4fa23..b331a1c6f 100644 --- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml 
@@ -1,42 +1,43 @@ id: aws_networkfirewall_firewall_policy_rule_group_not_empty title: Network Firewall policies should have at least one rule group associated +type: control description: This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_firewall_policy - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) THEN title || ' has no associated rule groups.' - ELSE title || ' has associated rule groups.' 
- END AS reason, - region, - account_id - FROM - aws_networkfirewall_firewall_policy; + language: sql + primary_resource: aws_networkfirewall_firewall_policy + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) + AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (firewall_policy ->> 'StatefulRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) + AND (firewall_policy ->> 'StatelessRuleGroupReferences' IS NULL OR jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) THEN title || ' has no associated rule groups.' + ELSE title || ' has associated rule groups.' + END AS reason, + region, + account_id + FROM + aws_networkfirewall_firewall_policy; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - networkfirewall_3 - plugin: - - aws - service: - - AWS/NetworkFirewall + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - networkfirewall_3 + plugin: + - aws + service: + - AWS/NetworkFirewall diff --git a/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml b/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml index d887793e3..98aa6334d 100644 --- a/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml 
+++ b/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml 
@@ -1,41 +1,42 @@ id: aws_networkfirewall_stateless_rule_group_not_empty title: Stateless network firewall rule group should not be empty +type: control description: A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_networkfirewall_rule_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'STATEFUL' THEN 'skip' - WHEN jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'STATEFUL' THEN title || ' is a stateful rule group.' - ELSE title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' - END AS reason, - region, - account_id - FROM - aws_networkfirewall_rule_group; + language: sql + primary_resource: aws_networkfirewall_rule_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'STATEFUL' THEN 'skip' + WHEN jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'STATEFUL' THEN title || ' is a stateful rule group.' + ELSE title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' 
+ END AS reason, + region, + account_id + FROM + aws_networkfirewall_rule_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - networkfirewall_1 - plugin: - - aws - service: - - AWS/NetworkFirewall + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - networkfirewall_1 + plugin: + - aws + service: + - AWS/NetworkFirewall diff --git a/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml index a37127de7..d811fb5f6 100644 --- a/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml 
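Review bot: For a STATELESS rule group whose `rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'` key is absent, `jsonb_array_length(NULL)` is NULL; the status CASE then correctly falls to 'alarm', but the reason expression concatenates that NULL and the whole reason string becomes NULL, so the finding is raised without a message. Wrap the count in both expressions, `COALESCE(jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'), 0)`, so an empty or missing rule list reports '... has 0 rule(s).' Whether the collector ever omits that key is not visible from the hunk.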
@@ -1,40 +1,41 @@ id: aws_opensearch_domain_audit_logging_enabled title: OpenSearch domains should have audit logging enabled. +type: control description: This control checks whether OpenSearch service domains have audit logging enabled. The rule is non-compliant if an OpenSearch service domain does not have audit logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'ok' - END AS status, - CASE - WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'ok' + END AS status, + CASE + WHEN log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - opensearch_5 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - opensearch_5 + plugin: + - aws + service: + - AWS/OpenSearch 
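Review bot: The status CASE returns 'ok' in both branches (`WHEN ... = 'true' THEN 'ok' ELSE 'ok'`), so this control can never raise a finding even though the reason text says 'audit logging disabled.' and the description says the rule is non-compliant without audit logging; the reformat carried the defect over unchanged. The ELSE branch should be `ELSE 'alarm'`, matching the reason CASE. With that fix a missing AUDIT_LOGS key or a NULL `log_publishing_options` also lands on 'alarm', which is the safe default for a logging control.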
diff --git a/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml b/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml index 316551770..0d84e8d54 100644 --- a/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml @@ -1,26 +1,27 @@ id: aws_opensearch_domain_cognito_authentication_enabled_for_kibana title: OpenSearch domains cognito authentication should be enabled for kibana +type: control description: This control checks whether AWS OpenSearch domain has AWS Cognito authentication for Kibana enabled. AWS Cognito lets you easily add user sign-up and authentication to your mobile and web apps. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cognito_options ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cognito_options ->> 'Enabled' = 'true' THEN title || ' cognito authentication enabled for kibana.' - ELSE title || ' cognito authentication disabled for kibana.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cognito_options ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cognito_options ->> 'Enabled' = 'true' THEN title || ' cognito authentication enabled for kibana.' + ELSE title || ' cognito authentication disabled for kibana.' + END AS reason + FROM + aws_opensearch_domain; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml b/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml index a09f5d201..8b540c4e9 100644 --- a/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml 
@@ -1,48 +1,49 @@ id: aws_opensearch_domain_data_node_fault_tolerance title: OpenSearch domains should have at least three data nodes +type: control description: This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' AND cluster_config ->> 'InstanceCount' > '2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' AND cluster_config ->> 'InstanceCount' > '2' THEN title || ' zone awareness is ' || CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' AND cluster_config ->> 'InstanceCount' > '2' THEN 'ok' - ELSE 'alarm' - END AS status, + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' THEN 'enabled' + ELSE 'disabled' + END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' + ELSE title || ' zone awareness is ' || CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' AND cluster_config ->> 'InstanceCount' > '2' THEN title || ' zone awareness is ' || - CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' THEN 'enabled' - ELSE 'disabled' - END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' 
- ELSE title || ' zone awareness is ' || - CASE - WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' THEN 'enabled' - ELSE 'disabled' - END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + WHEN cluster_config ->> 'ZoneAwarenessEnabled' = 'true' THEN 'enabled' + ELSE 'disabled' + END || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configured.' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - opensearch_6 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - opensearch_6 + plugin: + - aws + service: + - AWS/OpenSearch diff --git a/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml index 0b004a033..0d5f7f50e 100644 --- a/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml 
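Review bot: `cluster_config ->> 'InstanceCount' > '2'` compares text, not numbers, so a domain with 10 or more data nodes evaluates `'10' > '2'` as false and is reported 'alarm', while only single-digit counts of 3 to 9 pass. Cast before comparing, `(cluster_config ->> 'InstanceCount')::int >= 3`, in both the status and the reason CASE. If `InstanceCount` can be absent the cast yields NULL, the WHEN condition is NULL and the CASE falls to 'alarm', which is the safe direction for a fault-tolerance control.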
@@ -1,40 +1,41 @@ id: aws_opensearch_domain_encryption_at_rest_enabled title: OpenSearch domains should have encryption at rest enabled +type: control description: This control checks whether AWS OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest disabled.' - ELSE title || ' encryption at rest enabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_at_rest_options ->> 'Enabled' = 'false' THEN title || ' encryption at rest disabled.' + ELSE title || ' encryption at rest enabled.' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_at_rest - foundational_security_item_id: - - opensearch_1 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_at_rest + foundational_security_item_id: + - opensearch_1 + plugin: + - aws + service: + - AWS/OpenSearch 
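Review bot: The status only alarms when `encryption_at_rest_options ->> 'Enabled' = 'false'`, so a NULL `encryption_at_rest_options` or an object without the `Enabled` key is reported as 'encryption at rest enabled.' — the control fails open. Invert the test so the positive condition must hold, `WHEN encryption_at_rest_options ->> 'Enabled' = 'true' THEN 'ok' ELSE 'alarm'`, and mirror it in the reason CASE. Whether the collector can actually return NULL for domains that do not support encryption at rest is not visible here, but the fail-closed form is correct either way.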
diff --git a/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml index b31a56e96..19d1fe2d0 100644 --- a/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_opensearch_domain_fine_grained_access_enabled title: OpenSearch domains should have fine-grained access control enabled +type: control description: This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-options in the OpenSearch parameter update-domain-config to be enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN advanced_security_options IS NULL OR NOT (advanced_security_options -> 'Enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN advanced_security_options IS NULL OR NOT (advanced_security_options -> 'Enabled')::boolean THEN title || ' has fine-grained access control disabled.' - ELSE title || ' has fine-grained access control enabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN advanced_security_options IS NULL OR NOT (advanced_security_options -> 'Enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN advanced_security_options IS NULL OR NOT (advanced_security_options -> 'Enabled')::boolean THEN title || ' has fine-grained access control disabled.' + ELSE title || ' has fine-grained access control enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - opensearch_7 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - opensearch_7 + plugin: + - aws + service: + - AWS/OpenSearch diff --git a/compliance/controls/aws/aws_opensearch_domain_https_required.yaml b/compliance/controls/aws/aws_opensearch_domain_https_required.yaml index c1d7afb55..5fdf41de4 100644 --- a/compliance/controls/aws/aws_opensearch_domain_https_required.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_https_required.yaml 
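Review bot: `advanced_security_options IS NULL OR NOT (advanced_security_options -> 'Enabled')::boolean` evaluates to NULL when the object exists but lacks the `Enabled` key, and a NULL WHEN condition falls to the ELSE branch, so such a domain is reported as having fine-grained access control enabled. Use `WHEN NOT COALESCE((advanced_security_options ->> 'Enabled')::boolean, false) THEN 'alarm'` in both CASE expressions; it covers the NULL-object case too, so the `IS NULL` test can go. Whether the collector omits the key for domains without advanced security is not visible from the hunk, but the control is rated high severity and should not pass on missing data.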
@@ -1,46 +1,47 @@ id: aws_opensearch_domain_https_required title: OpenSearch domains should use HTTPS +type: control description: This control checks whether connections to OpenSearch domains are using HTTPS. The rule is non-compliant if the OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in 'tlsPolicies'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') - OR (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' - AND domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) - THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') - OR (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' - AND domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) - THEN title || ' does not use HTTPS.' - ELSE title || ' uses HTTPS.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') + OR (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' + AND domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) + THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') + OR (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' + AND domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')) + THEN title || ' does not use HTTPS.' + ELSE title || ' uses HTTPS.' 
+ END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - opensearch_8 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - opensearch_8 + plugin: + - aws + service: + - AWS/OpenSearch diff --git a/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml b/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml index ea939feac..30db3b46f 100644 --- a/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml 
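Review bot: `domain_endpoint_options ->> 'TLSSecurityPolicy' NOT IN ('tlsPolicies')` compares against the literal string 'tlsPolicies', which looks like an unsubstituted parameter placeholder from the upstream rule; as written every domain with EnforceHTTPS = 'true' and a real policy name is flagged 'alarm', and the description's reference to 'tlsPolicies' documents the placeholder rather than a policy list. Replace the literal with the set of accepted policy names (the TLS 1.2 minimum policies, e.g. `Policy-Min-TLS-1-2-2019-07` — confirm the exact names against the OpenSearch Service documentation) or expose the list through `parameters:`, which is currently empty. Note also that a NULL `TLSSecurityPolicy` makes the NOT IN test NULL and the domain passes; adding `OR domain_endpoint_options ->> 'TLSSecurityPolicy' IS NULL` to the alarm branch keeps that case fail-closed.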
@@ -1,55 +1,56 @@ id: aws_opensearch_domain_in_vpc title: OpenSearch domains should be in a VPC +type: control description: This control checks whether AWS OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - WITH public_subnets AS ( - SELECT DISTINCT a -> 'SubnetId' AS SubnetId - FROM aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND r ->> 'GatewayId' LIKE 'igw-%' - ), opensearch_domain_with_public_subnet AS ( - SELECT arn - FROM aws_opensearch_domain, - jsonb_array_elements(vpc_options -> 'SubnetIds') AS s - WHERE s IN (SELECT SubnetId FROM public_subnets) - ) - SELECT d.arn AS resource, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - CASE - WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' - ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' 
- END reason, - d.region, d.account_id - FROM aws_opensearch_domain AS d - LEFT JOIN opensearch_domain_with_public_subnet AS p ON d.arn = p.arn; + language: sql + primary_resource: aws_opensearch_domain + definition: | + WITH public_subnets AS ( + SELECT DISTINCT a -> 'SubnetId' AS SubnetId + FROM aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND r ->> 'GatewayId' LIKE 'igw-%' + ), opensearch_domain_with_public_subnet AS ( + SELECT arn + FROM aws_opensearch_domain, + jsonb_array_elements(vpc_options -> 'SubnetIds') AS s + WHERE s IN (SELECT SubnetId FROM public_subnets) + ) + SELECT d.arn AS resource, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + CASE + WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' + ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' + END reason, + d.region, d.account_id + FROM aws_opensearch_domain AS d + LEFT JOIN opensearch_domain_with_public_subnet AS p ON d.arn = p.arn; severity: critical tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_within_vpc - foundational_security_item_id: - - opensearch_2 - plugin: - - aws - score_tags: - - Exposed Endpoints - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_within_vpc + foundational_security_item_id: + - opensearch_2 + plugin: + - aws + score_tags: + - Exposed Endpoints + service: + - AWS/OpenSearch 
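Review bot: The `public_subnets` CTE only collects `a -> 'SubnetId'` from explicit route-table associations, so a subnet that is implicitly associated with the VPC's main route table (an association with no SubnetId) is never identified as public even when that main table carries the `0.0.0.0/0` → `igw-` route; it also ignores an IPv6 default route. The IPv6 case is a one-line addition next to the existing CIDR test, `OR r ->> 'DestinationIpv6CidrBlock' = '::/0'`, while the main-table case needs the subnet's VPC and the association's `Main` flag and is more than a line. At minimum the description's sentence "It does not evaluate the VPC subnet routing configuration to determine public access" contradicts the query, which does exactly that for explicitly associated tables, and should say that only explicit associations with an IPv4 internet-gateway default route are considered.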
diff --git a/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml b/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml index 390e1418f..7187304ca 100644 --- a/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml @@ -1,26 +1,27 @@ id: aws_opensearch_domain_internal_user_database_disabled title: OpenSearch domains internal user database should be disabled +type: control description: Ensure that AWS OpenSearch domain has internal user database disabled. This control is non-compliant if the OpenSearch domain internal user database is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN title || ' internal user database enabled.' - ELSE title || ' internal user database disabled.' - END AS reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' THEN title || ' internal user database enabled.' + ELSE title || ' internal user database disabled.' + END AS reason + FROM + aws_opensearch_domain; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml index 318c6289e..9f1fbd98b 100644 --- a/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml 
@@ -1,87 +1,88 @@ id: aws_opensearch_domain_logs_to_cloudwatch title: OpenSearch domains logs to AWS CloudWatch Logs +type: control description: This control checks whether AWS OpenSearch Service domains are configured to send logs to CloudWatch logs. The rule is non-compliant if logging is not configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN log_publishing_options IS NULL THEN 'alarm' - WHEN - (log_publishing_options -> 'AUDIT_LOGS' IS NULL - OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL - OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_publishing_options IS NULL THEN title || ' logging not enabled.' 
- WHEN - (log_publishing_options -> 'AUDIT_LOGS' IS NULL - OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL - OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) - AND - (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL - OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) - ) THEN title || ' send logs to Amazon CloudWatch.' - ELSE title || ' does not send logs to Amazon CloudWatch.' 
- END AS reason, - region, account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN log_publishing_options IS NULL THEN 'alarm' + WHEN + (log_publishing_options -> 'AUDIT_LOGS' IS NULL + OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL + OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_publishing_options IS NULL THEN title || ' logging not enabled.' 
+ WHEN + (log_publishing_options -> 'AUDIT_LOGS' IS NULL + OR log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'INDEX_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'SEARCH_SLOW_LOGS' IS NULL + OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) + AND + (log_publishing_options -> 'ES_APPLICATION_LOGS' IS NULL + OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' + OR (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' + AND log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' IS NOT NULL) + ) THEN title || ' send logs to Amazon CloudWatch.' + ELSE title || ' does not send logs to Amazon CloudWatch.' + END AS reason, + region, account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - opensearch_4 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - opensearch_4 + plugin: + - aws + service: + - AWS/OpenSearch 
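Review bot: The 'ok' branch of the status CASE never requires any log type to actually be enabled: a domain whose log_publishing_options is `{}` or has all four types with `Enabled = false` satisfies every AND-ed group (each is either `IS NULL` or `= 'false'`) and is reported as sending logs to CloudWatch, which contradicts the description's "non-compliant if logging is not configured". The predicate should additionally require at least one type to be enabled (the existing groups already force an ARN on an enabled type), and since the same 40-line predicate is repeated verbatim in the reason CASE, computing it once as a boolean column in a CTE would keep the two from drifting apart. The `-> 'Enabled' = 'false'` comparisons presume log_publishing_options is jsonb (json has no equality operator); worth confirming against the table definition.
```sql
-- … unchanged: the four per-log-type groups (absent, disabled, or enabled with a log group ARN) …
AND (
  log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'
  OR log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true'
  OR log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true'
  OR log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'
) THEN 'ok'
-- … unchanged: ELSE 'alarm'; the reason CASE needs the same extra group …
```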
diff --git a/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml index 4f6a12f07..23cc28ef0 100644 --- a/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml 
@@ -1,45 +1,46 @@ id: aws_opensearch_domain_node_to_node_encryption_enabled title: OpenSearch domains node-to-node encryption should be enabled +type: control description: This control checks if AWS OpenSearch Service nodes are encrypted end to end. The rule is non-compliant if the node-to-node encryption is not enabled on the domain. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' - WHEN node_to_node_encryption_options_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN - title || ' node-to-node encryption not supported in ' || region || '.' - WHEN node_to_node_encryption_options_enabled THEN - title || ' node-to-node encryption enabled.' - ELSE - title || ' node-to-node encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN 'skip' + WHEN node_to_node_encryption_options_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) THEN + title || ' node-to-node encryption not supported in ' || region || '.' + WHEN node_to_node_encryption_options_enabled THEN + title || ' node-to-node encryption enabled.' + ELSE + title || ' node-to-node encryption disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - encryption_of_data_in_transit - foundational_security_item_id: - - opensearch_3 - plugin: - - aws - service: - - AWS/OpenSearch + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - encryption_of_data_in_transit + foundational_security_item_id: + - opensearch_3 + plugin: + - aws + service: + - AWS/OpenSearch diff --git a/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml b/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml index 64617f068..0a1a73b63 100644 --- a/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml 
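Review bot: The region array `ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']` silently exempts every domain in those regions from the check, and nothing in the file says why those four or when the list was last verified. A comment above the first WHEN such as `-- regions where node-to-node encryption is not offered; re-verify against the OpenSearch feature matrix before changing` would make the coverage gap deliberate and reviewable. Keeping the array in one place (a CTE or VALUES list) instead of duplicating it in the status and reason CASEs would avoid the two copies diverging.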
@@ -1,26 +1,27 @@ id: aws_opensearch_domain_updated_with_latest_service_software_version title: OpenSearch domains should be updated to the latest service software version +type: control description: This control checks whether AWS OpenSearch domain has any updates available. This control is non-compliant if the OpenSearch domain has any updates available. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN title || ' updated with latest service software version.' - ELSE title || ' not updated with latest service software version.' - END reason - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN service_software_options ->> 'UpdateAvailable' = 'false' THEN title || ' updated with latest service software version.' + ELSE title || ' not updated with latest service software version.' + END reason + FROM + aws_opensearch_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml b/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml index 2dfc1c67a..5165b6feb 100644 --- a/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml +++ b/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml 
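Review bot: `END status` and `END reason` omit the `AS` keyword that every sibling control in this change uses (`END AS status`, `END AS reason`); write them the same way so the alias is explicit. The `ELSE 'alarm'` branch also fires when service_software_options is NULL or lacks the `UpdateAvailable` key, which is the safe default but deserves a one-line comment so it is not mistaken for an oversight.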
@@ -1,44 +1,45 @@ id: aws_organizational_tag_policies_enabled title: Ensure Tag Policies are enabled +type: control description: Tag policies help you standardize tags on all tagged resources across your organization integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_organizations_policy - definition: | - WITH tag_policy_enabled AS ( - SELECT - _ctx, - account_id, - region, - COUNT(*) AS count, - platform_integration_id, - platform_resource_id - FROM - aws_organizations_policy - WHERE - type = 'TAG_POLICY' - GROUP BY - _ctx, - region, - account_id, - platform_integration_id, - platform_resource_id - ) - SELECT - platform_integration_id, - platform_resource_id, - CASE - WHEN count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count > 0 THEN 'Organizational tag policies are enabled.' - ELSE 'Organizational tag policies are disabled.' - END AS reason - FROM - tag_policy_enabled; + language: sql + primary_resource: aws_organizations_policy + definition: | + WITH tag_policy_enabled AS ( + SELECT + _ctx, + account_id, + region, + COUNT(*) AS count, + platform_integration_id, + platform_resource_id + FROM + aws_organizations_policy + WHERE + type = 'TAG_POLICY' + GROUP BY + _ctx, + region, + account_id, + platform_integration_id, + platform_resource_id + ) + SELECT + platform_integration_id, + platform_resource_id, + CASE + WHEN count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count > 0 THEN 'Organizational tag policies are enabled.' + ELSE 'Organizational tag policies are disabled.' + END AS reason + FROM + tag_policy_enabled; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml index 4821d8c76..8ffa08d3d 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml 
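Review bot: The `ELSE 'alarm'` branch is unreachable: tag_policy_enabled only contains rows from aws_organizations_policy WHERE `type = 'TAG_POLICY'`, and it groups by platform_resource_id, so `count` is never 0 — when no tag policy exists the query simply returns no rows and the control reports nothing instead of alarming. The SELECT also has no `resource` column, unlike every sibling control in this change. Driving the query from the account row and left-joining the per-account policy count restores the alarm path; the sketch below assumes aws_account exposes the same arn/platform_*/account_id columns that other controls in this repository read from it.
```sql
WITH tag_policy_count AS (
  -- one row per account that owns at least one tag policy
  SELECT
    account_id,
    COUNT(*) AS policy_count
  FROM
    aws_organizations_policy
  WHERE
    type = 'TAG_POLICY'
  GROUP BY
    account_id
)
SELECT
  a.arn AS resource,
  a.platform_integration_id AS platform_integration_id,
  a.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COALESCE(p.policy_count, 0) > 0 THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN COALESCE(p.policy_count, 0) > 0 THEN 'Organizational tag policies are enabled.'
    ELSE 'Organizational tag policies are disabled.'
  END AS reason,
  a.account_id
FROM
  aws_account AS a
  LEFT JOIN tag_policy_count AS p ON p.account_id = a.account_id;
```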
+++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml 
@@ -1,42 +1,43 @@ id: aws_rds_db_cluster_aurora_backtracking_enabled title: RDS Aurora clusters should have backtracking enabled +type: control description: This control checks whether AWS Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to so. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' - WHEN backtrack_window IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' not Aurora MySQL-compatible edition.' - WHEN backtrack_window IS NOT NULL THEN title || ' backtracking enabled.' - ELSE title || ' backtracking not enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' + WHEN backtrack_window IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' not Aurora MySQL-compatible edition.' + WHEN backtrack_window IS NOT NULL THEN title || ' backtracking enabled.' + ELSE title || ' backtracking not enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - backups_enabled - foundational_security_item_id: - - rds_14 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - backups_enabled + foundational_security_item_id: + - rds_14 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml index a52c0791b..caf9f5abb 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml 
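Review bot: `backtrack_window IS NOT NULL` treats a window of 0 as enabled, but the RDS API documents a BacktrackWindow of 0 as backtracking disabled, so Aurora MySQL clusters with backtracking switched off may be reported 'ok' if the collector stores the 0 rather than NULL. `WHEN COALESCE(backtrack_window, 0) > 0 THEN 'ok'` handles both representations; the same change belongs in the reason CASE.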
@@ -1,28 +1,29 @@ id: aws_rds_db_cluster_aurora_mysql_audit_logging_enabled title: Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs +type: control description: This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' is not Aurora MySQL-compatible edition.' - WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' - ELSE title || ' audit logging disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN 'skip' + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine NOT ILIKE '%aurora-mysql%' THEN title || ' is not Aurora MySQL-compatible edition.' + WHEN enabled_cloudwatch_logs_exports @> '["audit"]' THEN title || ' audit logging enabled.' + ELSE title || ' audit logging disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml index 18bcd4682..f22730721 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml 
@@ -1,28 +1,29 @@ id: aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability title: RDS Aurora PostgreSQL clusters should not be exposed to local file read vulnerability +type: control description: This control checks whether AWS Aurora PostgreSQL clusters are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT engine ILIKE '%aurora-postgres%' THEN 'skip' - WHEN engine ILIKE '%aurora-postgres%' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT engine ILIKE '%aurora-postgres%' THEN title || ' not Aurora PostgreSQL edition.' - WHEN engine ILIKE '%aurora-postgres%' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN title || ' exposed to local file read vulnerability.' - ELSE title || ' not exposed to local file read vulnerability.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT engine ILIKE '%aurora-postgres%' THEN 'skip' + WHEN engine ILIKE '%aurora-postgres%' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT engine ILIKE '%aurora-postgres%' THEN title || ' not Aurora PostgreSQL edition.' 
+ WHEN engine ILIKE '%aurora-postgres%' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN title || ' exposed to local file read vulnerability.' + ELSE title || ' not exposed to local file read vulnerability.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml index 0ba55f5d9..ac61bd2d8 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml 
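Review bot: `engine_version LIKE ANY (ARRAY [...])` contains no wildcards, so it is an exact-match `= ANY` in disguise and will miss a version string such as `10.11.1` or one carrying a suffix; either write `= ANY (...)` to state the intent or compare the major.minor prefix deliberately. The second WHEN's `engine ILIKE '%aurora-postgres%'` is redundant after the first WHEN's negation, and a NULL engine falls through both branches to 'ok' (fail-open). The hard-coded version list is the whole substance of the control, so a comment naming the advisory it was taken from and the date it was last checked would let a reviewer verify it. The control id and title say clusters while primary_resource and the FROM clause are aws_rds_db_instance; one of them should change.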
@@ -1,69 +1,70 @@ id: aws_rds_db_cluster_aurora_protected_by_backup_plan title: RDS Aurora clusters should be protected by backup plan +type: control description: Checks if AWS Aurora DB clusters are protected by a backup plan. The rule is non-compliant if the AWS Relational Database Service (AWS RDS) Database Cluster is not protected by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - WITH backup_protected_cluster AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'Aurora' - ) - SELECT - c.arn AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.engine NOT LIKE '%aurora%' THEN 'skip' - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.engine NOT LIKE '%aurora%' THEN c.title || ' not Aurora resources.' - WHEN b.arn IS NOT NULL THEN c.title || ' is protected by backup plan.' - ELSE c.title || ' is not protected by backup plan.' - END AS reason, - c.region, - c.account_id - FROM - aws_rds_db_cluster AS c - LEFT JOIN backup_protected_cluster AS b ON c.arn = b.arn + language: sql + primary_resource: aws_rds_db_cluster + definition: | + WITH backup_protected_cluster AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'Aurora' + ) + SELECT + c.arn AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.engine NOT LIKE '%aurora%' THEN 'skip' + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.engine NOT LIKE '%aurora%' THEN c.title || ' not Aurora resources.' + WHEN b.arn IS NOT NULL THEN c.title || ' is protected by backup plan.' + ELSE c.title || ' is not protected by backup plan.' 
+ END AS reason, + c.region, + c.account_id + FROM + aws_rds_db_cluster AS c + LEFT JOIN backup_protected_cluster AS b ON c.arn = b.arn severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/RDS - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml index 5d4e73a09..698cf9264 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml 
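Review bot: The LEFT JOIN on backup_protected_cluster multiplies a cluster row once per matching aws_backup_protected_resource row, so a cluster covered by more than one entry is reported twice; an existence test avoids that: `WHEN EXISTS (SELECT 1 FROM aws_backup_protected_resource AS b WHERE b.resource_type = 'Aurora' AND b.resource_arn = c.arn) THEN 'ok'`. The alias `b` is declared both inside the CTE (where it is unused) and for the outer join; drop the inner one. This is also the only statement in the change with no terminating semicolon, and `NOT LIKE '%aurora%'` is case-sensitive where the sibling RDS controls use ILIKE.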
@@ -1,26 +1,27 @@ id: aws_rds_db_cluster_automatic_minor_version_upgrade_enabled title: RDS DB clusters should have automatic minor version upgrade enabled +type: control description: This control checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster. The control fails if automatic minor version upgrade isn't enabled for an RDS cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades disabled.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades disabled.' + END AS reason + FROM + aws_rds_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml index 179dc9d1b..dbc497b7e 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_rds_db_cluster_copy_tags_to_snapshot_enabled title: RDS DB clusters should be configured to copy tags to snapshots +type: control description: This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN copy_tags_to_snapshot THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' - ELSE title || ' copy tags to snapshot disabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN copy_tags_to_snapshot THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.' + ELSE title || ' copy tags to snapshot disabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - inventory - foundational_security_item_id: - - rds_16 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - inventory + foundational_security_item_id: + - rds_16 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml index 86d0ec638..40f81a8a2 100644 
--- a/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_rds_db_cluster_deletion_protection_enabled title: RDS clusters should have deletion protection enabled +type: control description: This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and AWS DocumentDB clusters. If these findings are not useful, then you can suppress them. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - db_cluster_identifier AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN deletion_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN deletion_protection THEN title || ' deletion protection enabled.' - ELSE title || ' deletion protection not enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + db_cluster_identifier AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN deletion_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN deletion_protection THEN title || ' deletion protection enabled.' + ELSE title || ' deletion protection not enabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - data_deletion_protection - foundational_security_item_id: - - rds_7 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - data_deletion_protection + foundational_security_item_id: + - rds_7 + plugin: + - aws + service: + - AWS/RDS 
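Review bot: `db_cluster_identifier AS resource` keys this control on a name that is only unique within one account and region, while every other control in this change uses `arn AS resource`; two accounts with a cluster of the same name would collide in the findings. Use `arn AS resource` here as well.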
diff --git a/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml index 64e8ea9a7..28e57cac9 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml @@ -1,26 +1,27 @@ id: aws_rds_db_cluster_encryption_at_rest_enabled title: RDS DB clusters should be encrypted at rest +type: control description: This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason + FROM + aws_rds_db_cluster; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml index b90416266..612dbb9c9 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml 
@@ -1,42 +1,43 @@ id: aws_rds_db_cluster_events_subscription title: An RDS event notifications subscription should be configured for critical cluster events +type: control description: This control checks whether an AWS RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-cluster' THEN 'skip' - WHEN source_type = 'db-cluster' AND enabled AND event_categories_list @> '["failure", "maintenance"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-cluster' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-cluster' AND enabled AND event_categories_list @> '["failure", "maintenance"]' THEN cust_subscription_id || ' event subscription enabled for critical db cluster events.' - ELSE cust_subscription_id || ' event subscription missing critical db cluster events.' - END AS reason, - region, - account_id - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-cluster' THEN 'skip' + WHEN source_type = 'db-cluster' AND enabled AND event_categories_list @> '["failure", "maintenance"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-cluster' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type = 'db-cluster' AND enabled AND event_categories_list @> '["failure", "maintenance"]' THEN cust_subscription_id || ' event subscription enabled for critical db cluster events.' + ELSE cust_subscription_id || ' event subscription missing critical db cluster events.' + END AS reason, + region, + account_id + FROM + aws_rds_db_event_subscription; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - application_monitoring - foundational_security_item_id: - - rds_19 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - application_monitoring + foundational_security_item_id: + - rds_19 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml index 0a1c75f5a..899741787 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml 
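Review bot: The query is evaluated per existing event subscription, so an account with no RDS event subscriptions at all produces zero rows and never alarms, which is the opposite of what the title asks for; the control cannot express "no subscription exists". Additionally, a subscription whose `event_categories_list` is NULL makes `event_categories_list @> '["failure", "maintenance"]'` evaluate to NULL and falls through to `'alarm'`; if a NULL or empty list means "all categories" in the collected data (I cannot tell from this file), that is a false alarm worth handling explicitly. At minimum the description should state that accounts with no subscription are not covered, e.g. append `Accounts with no RDS event subscription produce no finding and must be checked separately.`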
@@ -1,40 +1,41 @@ id: aws_rds_db_cluster_iam_authentication_enabled title: IAM authentication should be configured for RDS clusters +type: control description: Checks if an AWS RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is non-compliant if an RDS Cluster does not have IAM authentication enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN iam_database_authentication_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' - ELSE title || ' IAM authentication not enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN iam_database_authentication_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.' + ELSE title || ' IAM authentication not enabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - passwordless_aauthentication - foundational_security_item_id: - - rds_12 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - passwordless_aauthentication + foundational_security_item_id: + - rds_12 + plugin: + - aws + service: + - AWS/RDS 
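Review bot: The tag value `passwordless_aauthentication` under `foundational_security_category` is misspelled and is carried over unchanged into the new side. If this tag is used to group or filter controls by category, the typo silently isolates this control from the others in that category. It should read `- passwordless_authentication`.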
diff --git a/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml index 6bbb7eb6d..c2fb73a8f 100644 --- a/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_rds_db_cluster_multiple_az_enabled title: RDS DB clusters should be configured for multiple Availability Zones +type: control description: This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN multi_az THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN multi_az THEN title || ' Multi-AZ enabled.' - ELSE title || ' Multi-AZ disabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN multi_az THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN multi_az THEN title || ' Multi-AZ enabled.' + ELSE title || ' Multi-AZ disabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - high_availability - foundational_security_item_id: - - rds_15 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - high_availability + foundational_security_item_id: + - rds_15 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml b/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml index e81cf479e..6a82946f6 100644 
--- a/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml 
@@ -1,40 +1,41 @@ id: aws_rds_db_cluster_no_default_admin_name title: RDS database clusters should use a custom administrator username +type: control description: This control checks whether an AWS RDS database cluster has changed the admin username from its default value. This rule will fail if the admin username is set to the default value. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' - ELSE title || ' not using default master user name.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster; + language: sql + primary_resource: aws_rds_db_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.' + ELSE title || ' not using default master user name.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - rds_24 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - rds_24 + plugin: + - aws + service: + - AWS/RDS 
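Review bot: A NULL `master_user_name` makes `master_user_name IN ('admin', 'postgres')` evaluate to NULL, so the CASE falls through to `ELSE 'ok'` and the cluster passes with the reason "not using default master user name" even though nothing was verified. A missing value should be surfaced rather than passed, e.g. a leading branch `WHEN master_user_name IS NULL THEN 'skip'` with a reason such as `title || ' master user name not available.'`. The comparison is also case-sensitive, so whether `Admin` should count as a default is a question the control should answer deliberately rather than by accident.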
diff --git a/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml index e786cd7ef..80966d74d 100644 --- a/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml 
@@ -1,77 +1,78 @@ id: aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled title: RDS DB instance and cluster enhanced monitoring should be enabled +type: control description: Enable AWS Relational Database Service (AWS RDS) to help monitor AWS RDS availability. This provides detailed visibility into the health of your AWS RDS database instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_cluster' AS platform_table_name, - CASE - WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN title || ' enhanced monitoring enabled.' - ELSE title || ' enhanced monitoring not enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster - ) - UNION - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_instance' AS platform_table_name, - CASE - WHEN class = 'db.m1.small' THEN 'skip' - WHEN enhanced_monitoring_resource_arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN class = 'db.m1.small' THEN title || ' enhanced monitoring not supported.' - WHEN enhanced_monitoring_resource_arn IS NOT NULL THEN title || ' enhanced monitoring enabled.' - ELSE title || ' enhanced monitoring not enabled.' 
- END AS reason, - region, - account_id - FROM - aws_rds_db_instance - ); + language: sql + primary_resource: "" + definition: | + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_cluster' AS platform_table_name, + CASE + WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN title || ' enhanced monitoring enabled.' + ELSE title || ' enhanced monitoring not enabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster + ) + UNION + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_instance' AS platform_table_name, + CASE + WHEN class = 'db.m1.small' THEN 'skip' + WHEN enhanced_monitoring_resource_arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN class = 'db.m1.small' THEN title || ' enhanced monitoring not supported.' + WHEN enhanced_monitoring_resource_arn IS NOT NULL THEN title || ' enhanced monitoring enabled.' + ELSE title || ' enhanced monitoring not enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_instance + ); severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/RDS + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml b/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml index d44208b20..6bbf1e7f0 100644 --- a/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml 
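Review bot: The cluster branch reports "enhanced monitoring enabled" but actually tests `enabled_cloudwatch_logs_exports IS NOT NULL`, which is the CloudWatch log-export setting, not Enhanced Monitoring; the instance branch correctly uses `enhanced_monitoring_resource_arn`. A cluster with log exports but no Enhanced Monitoring therefore passes, and the reason text is misleading. If `aws_rds_db_cluster` exposes an Enhanced Monitoring attribute it should be used here; if it does not, the cluster branch should either be dropped or its reason strings changed to say what is actually checked. Separately, the two branches carry distinct `platform_table_name` literals so there is nothing to deduplicate, and `UNION` should be `UNION ALL` to avoid a needless sort.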
@@ -1,73 +1,74 @@ id: aws_rds_db_instance_and_cluster_no_default_port title: RDS databases and clusters should not use a database engine default port +type: control description: This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_cluster' AS platform_table_name, - CASE - WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN 'alarm' - WHEN engine LIKE '%postgres%' AND port = '5432' THEN 'alarm' - WHEN engine LIKE 'oracle%' AND port = '1521' THEN 'alarm' - WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE '%postgres%' AND port = '5432' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE 'oracle%' AND port = '1521' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN title || ' ' || engine || ' uses a default port.' - ELSE title || ' doesnt use a default port.' 
- END AS reason, - region, account_id - FROM - aws_rds_db_cluster - ) - UNION - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_instance' AS platform_table_name, - CASE - WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN 'alarm' - WHEN engine LIKE '%postgres%' AND port = '5432' THEN 'alarm' - WHEN engine LIKE 'oracle%' AND port = '1521' THEN 'alarm' - WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE '%postgres%' AND port = '5432' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE 'oracle%' AND port = '1521' THEN title || ' ' || engine || ' uses a default port.' - WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN title || ' ' || engine || ' uses a default port.' - ELSE title || ' doesnt use a default port.' - END AS reason, - region, account_id - FROM - aws_rds_db_instance - ); + language: sql + primary_resource: "" + definition: | + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_cluster' AS platform_table_name, + CASE + WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN 'alarm' + WHEN engine LIKE '%postgres%' AND port = '5432' THEN 'alarm' + WHEN engine LIKE 'oracle%' AND port = '1521' THEN 'alarm' + WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN title || ' ' || engine || ' uses a default port.' + WHEN engine LIKE '%postgres%' AND port = '5432' THEN title || ' ' || engine || ' uses a default port.' 
+ WHEN engine LIKE 'oracle%' AND port = '1521' THEN title || ' ' || engine || ' uses a default port.' + WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN title || ' ' || engine || ' uses a default port.' + ELSE title || ' doesnt use a default port.' + END AS reason, + region, account_id + FROM + aws_rds_db_cluster + ) + UNION + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_instance' AS platform_table_name, + CASE + WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN 'alarm' + WHEN engine LIKE '%postgres%' AND port = '5432' THEN 'alarm' + WHEN engine LIKE 'oracle%' AND port = '1521' THEN 'alarm' + WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN engine SIMILAR TO '%(aurora|mysql|mariadb)%' AND port = '3306' THEN title || ' ' || engine || ' uses a default port.' + WHEN engine LIKE '%postgres%' AND port = '5432' THEN title || ' ' || engine || ' uses a default port.' + WHEN engine LIKE 'oracle%' AND port = '1521' THEN title || ' ' || engine || ' uses a default port.' + WHEN engine LIKE 'sqlserver%' AND port = '1433' THEN title || ' ' || engine || ' uses a default port.' + ELSE title || ' doesnt use a default port.' + END AS reason, + region, account_id + FROM + aws_rds_db_instance + ); severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - rds_23 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - rds_23 + plugin: + - aws + service: + - AWS/RDS 
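Review bot: Every engine that does not match the four patterns, and any row with a NULL `port`, falls through to `ELSE 'ok'` with the reason "doesnt use a default port", so an unrecognised or unpopulated engine is reported as passing rather than as not evaluated. A `'skip'` result with a reason like `title || ' ' || engine || ' port not evaluated.'` for engines outside the checked set would make the coverage honest. The reason string `' doesnt use a default port.'` is also missing its apostrophe. As in the enhanced-monitoring control, the two halves are disjoint by `platform_table_name`, so `UNION ALL` is the correct operator.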
diff --git a/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml index 5a9e28f7c..7b18c3ea8 100644 --- a/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml 
@@ -1,46 +1,47 @@ id: aws_rds_db_instance_automatic_minor_version_upgrade_enabled title: RDS DB instance automatic minor version upgrade should be enabled +type: control description: Ensure that AWS Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is non-compliant if the value of 'autoMinorVersionUpgrade' is false. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_minor_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' - ELSE title || ' automatic minor version upgrades not enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_minor_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_minor_version_upgrade THEN title || ' automatic minor version upgrades enabled.' + ELSE title || ' automatic minor version upgrades not enabled.' + END AS reason, + region, + account_id + FROM + aws_rds_db_instance; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.3.2 - cis_level: - - '1' - cis_section_id: - - '2.3' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/RDS + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.3.2 + cis_level: + - "1" + cis_section_id: + - "2.3" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/RDS 
diff --git a/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml index 37fc36b87..1dc93dca5 100644 --- a/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml 
@@ -1,66 +1,67 @@ id: aws_rds_db_instance_backup_enabled title: RDS DB instance backup should be enabled +type: control description: The backup feature of AWS RDS creates backups of your databases and transaction logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period < 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN backup_retention_period < 1 THEN title || ' backups not enabled.' - ELSE title || ' backups enabled.' - END AS reason, - region, - account_id - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period < 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN backup_retention_period < 1 THEN title || ' backups not enabled.' + ELSE title || ' backups enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_instance; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/RDS - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml b/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml index 3f21c7912..a352ee134 100644 --- a/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml 
@@ -1,23 +1,24 @@ id: aws_rds_db_instance_backup_retention_period_less_than_7 title: RDS DB instances backup retention period should be greater than or equal to 7 +type: control description: Ensure RDS DB instance backup retention period is greater than or equal to 7. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN backup_retention_period < 7 THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' backup retention period set to ' || backup_retention_period || '.' AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN backup_retention_period < 7 THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' backup retention period set to ' || backup_retention_period || '.' AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml b/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml index 8a0d5a2ba..cdf3e4e82 100644 --- a/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml 
@@ -1,26 +1,27 @@ id: aws_rds_db_instance_ca_certificate_expires_7_days title: RDS DB instances CA certificates should not expire within next 7 days +type: control description: Ensure RDS DB instances CA certificates are not getting expired within the next 7 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN EXTRACT(DAY FROM (TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS') - CURRENT_TIMESTAMP)) <= 7 - THEN 'alarm' - ELSE 'ok' - END AS status, - title || ' expires ' || TO_CHAR(TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS'), 'DD-Mon-YYYY') || - ' (' || EXTRACT(DAY FROM (TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS') - CURRENT_TIMESTAMP)) || ' days).' - AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN EXTRACT(DAY FROM (TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS') - CURRENT_TIMESTAMP)) <= 7 + THEN 'alarm' + ELSE 'ok' + END AS status, + title || ' expires ' || TO_CHAR(TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS'), 'DD-Mon-YYYY') || + ' (' || EXTRACT(DAY FROM (TO_TIMESTAMP(certificate ->> 'ValidTill', 'YYYY-MM-DDTHH:MI:SS') - CURRENT_TIMESTAMP)) || ' days).' + AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml index 6ba1c66ca..49bb1d4e5 100644 --- a/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml 
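Review bot: The format `'YYYY-MM-DDTHH:MI:SS'` uses `HH`, which in PostgreSQL is the 12-hour field; `TO_TIMESTAMP` rejects any `ValidTill` whose hour is 13–23 with an error, so the whole control fails at runtime on those rows. The three occurrences should use `'YYYY-MM-DD"T"HH24:MI:SS'` (quoting the literal T and switching to the 24-hour field). A NULL or missing `certificate ->> 'ValidTill'` also makes the CASE fall to `'ok'` and the concatenated reason becomes NULL, which should be handled as a `'skip'` rather than a pass. Computing the parsed timestamp once in a CTE would remove the triplication.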
+++ b/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml @@ -1,26 +1,27 @@ id: aws_rds_db_instance_cloudwatch_logs_enabled title: RDS DB instances should be integrated with CloudWatch logs +type: control description: Use AWS CloudWatch to centrally collect and manage RDS DB instance activity. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN title || ' integrated with CloudWatch logs.' - ELSE title || ' not integrated with CloudWatch logs.' - END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled_cloudwatch_logs_exports IS NOT NULL THEN title || ' integrated with CloudWatch logs.' + ELSE title || ' not integrated with CloudWatch logs.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml index 87e1c656c..461f3e71b 100644 --- a/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml 
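Review bot: `enabled_cloudwatch_logs_exports IS NOT NULL` passes an instance whose export list is present but empty, since an empty list is not NULL; whether the collector stores "no exports" as NULL or as an empty list is not visible here and determines whether this check does anything. If the column is a JSON array, `jsonb_array_length(enabled_cloudwatch_logs_exports) > 0` would be robust to both representations. This query also omits the `region` and `account_id` output columns that the neighbouring instance controls return.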
@@ -1,59 +1,60 @@ id: aws_rds_db_instance_connections_encryption_enabled title: RDS DB instances connections should be encrypted +type: control description: This control checks if RDS DB instance connections are encrypted. Secure Sockets Layer (SSL) is used to encrypt between client applications and AWS RDS DB instances running Microsoft SQL Server or PostgreSQL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - WITH instance_pg AS ( - SELECT - g ->> 'DBParameterGroupName' AS pg_name, - i.engine, - i.title, - i.arn, - i.tags, - i.region, - i.account_id, - i._ctx, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id - FROM - aws_rds_db_instance AS i, - jsonb_array_elements(db_parameter_groups) AS g - ), pg_with_ssl_enabled AS ( - SELECT - g.name - FROM - instance_pg AS i, - aws_rds_db_parameter_group AS g, - jsonb_array_elements(parameters) AS p - WHERE - i.pg_name = g.name - AND g.account_id = i.account_id - AND g.region = i.region - AND p ->> 'ParameterName' = 'rds.force_ssl' - AND p ->> 'ParameterValue' = '1' - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - i.engine, - CASE - WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN 'skip' - WHEN p.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN title || ' has ' || engine || ' engine type.' - WHEN p.name IS NOT NULL THEN title || ' connections are SSL encrypted.' - ELSE title || ' connections are not SSL encrypted.' 
- END AS reason - FROM - instance_pg AS i - LEFT JOIN pg_with_ssl_enabled AS p ON p.name = i.pg_name + language: sql + primary_resource: aws_rds_db_instance + definition: | + WITH instance_pg AS ( + SELECT + g ->> 'DBParameterGroupName' AS pg_name, + i.engine, + i.title, + i.arn, + i.tags, + i.region, + i.account_id, + i._ctx, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id + FROM + aws_rds_db_instance AS i, + jsonb_array_elements(db_parameter_groups) AS g + ), pg_with_ssl_enabled AS ( + SELECT + g.name + FROM + instance_pg AS i, + aws_rds_db_parameter_group AS g, + jsonb_array_elements(parameters) AS p + WHERE + i.pg_name = g.name + AND g.account_id = i.account_id + AND g.region = i.region + AND p ->> 'ParameterName' = 'rds.force_ssl' + AND p ->> 'ParameterValue' = '1' + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + i.engine, + CASE + WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN 'skip' + WHEN p.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN title || ' has ' || engine || ' engine type.' + WHEN p.name IS NOT NULL THEN title || ' connections are SSL encrypted.' + ELSE title || ' connections are not SSL encrypted.' + END AS reason + FROM + instance_pg AS i + LEFT JOIN pg_with_ssl_enabled AS p ON p.name = i.pg_name severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml index 64a94b8ec..b8b297c04 100644 --- a/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml 
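Review bot: Two issues in the new query cause wrong results. First, `i.engine NOT IN ('sqlserver', 'postgres')` skips every SQL Server instance, because RDS engine values are prefixed (the sibling no-default-port control in this same patch matches them with `engine LIKE 'sqlserver%'`), so the control only ever evaluates PostgreSQL. Second, `pg_with_ssl_enabled` is keyed by account and region but the final `LEFT JOIN ... ON p.name = i.pg_name` matches by name alone; parameter group names such as `default.postgres13` exist in every account and region, so one account with `rds.force_ssl = 1` marks every instance using that group name in every other account as encrypted. The CTE should carry account and region and the join should use all three columns; the unused `i.tags` and `i._ctx` columns can go too.

```sql
), pg_with_ssl_enabled AS (
  SELECT
    g.name,
    g.account_id,
    g.region
  -- … unchanged: FROM / WHERE on rds.force_ssl = '1' …
)
SELECT
  -- … unchanged: resource / platform columns …
  CASE
    WHEN i.engine NOT LIKE 'sqlserver%' AND i.engine <> 'postgres' THEN 'skip'
    WHEN p.name IS NOT NULL THEN 'ok'
    ELSE 'alarm'
  END AS status,
  -- … unchanged: reason …
FROM
  instance_pg AS i
  LEFT JOIN pg_with_ssl_enabled AS p
    ON p.name = i.pg_name
   AND p.account_id = i.account_id
   AND p.region = i.region
```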
@@ -1,40 +1,41 @@
 id: aws_rds_db_instance_copy_tags_to_snapshot_enabled
 title: RDS DB instances should be configured to copy tags to snapshots
+type: control
 description: This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN copy_tags_to_snapshot THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.'
- ELSE title || ' copy tags to snapshot disabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN copy_tags_to_snapshot THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN copy_tags_to_snapshot THEN title || ' copy tags to snapshot enabled.'
+ ELSE title || ' copy tags to snapshot disabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: low
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - inventory
- foundational_security_item_id:
- - rds_17
- plugin:
- - aws
- service:
- - AWS/RDS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - inventory
+ foundational_security_item_id:
+ - rds_17
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
diff --git a/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml
index 22d2118d0..21c77b783 100644
--- a/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml
@@ -1,61 +1,62 @@
 id: aws_rds_db_instance_deletion_protection_enabled
 title: RDS DB instances should have deletion protection enabled
+type: control
 description: Ensure AWS Relational Database Service (AWS RDS) instances have deletion protection enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune']) THEN 'skip'
- WHEN deletion_protection THEN 'ok'
- ELSE 'alarm'
- END status,
- CASE
- WHEN engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune']) THEN
- title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
- WHEN deletion_protection THEN
- title || ' deletion protection enabled.'
- ELSE
- title || ' deletion protection not enabled.'
- END reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune']) THEN 'skip'
+ WHEN deletion_protection THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ CASE
+ WHEN engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune']) THEN
+ title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
+ WHEN deletion_protection THEN
+ title || ' deletion protection enabled.'
+ ELSE
+ title || ' deletion protection not enabled.'
+ END reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: high
 tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/RDS
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml
index 91fae2d1a..0e442aedc 100644
--- a/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml
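Review bot: The two CASE expressions alias their results as `END status` and `END reason`, while every other control in this diff writes `END AS status` and `END AS reason`; using the explicit `AS` here keeps the controls uniform and is the conventional form for column aliases. The cluster-engine predicate `engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune'])` is repeated verbatim in both CASEs, so a comment above the first one, `-- deletion protection for these engines is a cluster-level setting, so instance rows are skipped`, would record the reason the exclusion exists in one place.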
@@ -1,66 +1,67 @@
 id: aws_rds_db_instance_encryption_at_rest_enabled
 title: RDS DB instance encryption at rest should be enabled
+type: control
 description: To help protect data at rest, ensure that encryption is enabled for your AWS Relational Database Service (AWS RDS) instances.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN storage_encrypted THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN storage_encrypted THEN title || ' encrypted at rest.'
- ELSE title || ' not encrypted at rest.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN storage_encrypted THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN storage_encrypted THEN title || ' encrypted at rest.'
+ ELSE title || ' not encrypted at rest.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: high
 tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- cisa_cyber_essentials:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gdpr:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- gxp_eu_annex_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/RDS
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gdpr:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ gxp_eu_annex_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/RDS
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml
index bbe6909e1..536473fcf 100644
--- a/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml
@@ -1,51 +1,52 @@
 id: aws_rds_db_instance_events_subscription
 title: An RDS event notifications subscription should be configured for critical database instance events
+type: control
 description: This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_event_subscription
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN source_type <> 'db-instance' THEN 'skip'
- WHEN source_type = 'db-instance'
- AND enabled
- AND event_categories_list @> '["failure", "maintenance", "configuration change"]'
- THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN source_type <> 'db-instance' THEN
- cust_subscription_id || ' event subscription of ' || source_type || ' type.'
- WHEN source_type LIKE 'db-instance'
- AND enabled
- AND event_categories_list @> '["failure", "maintenance", "configuration change"]'
- THEN
- cust_subscription_id || ' event subscription enabled for critical instance events.'
- ELSE
- cust_subscription_id || ' event subscription missing critical instance events.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_event_subscription;
+ language: sql
+ primary_resource: aws_rds_db_event_subscription
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN source_type <> 'db-instance' THEN 'skip'
+ WHEN source_type = 'db-instance'
+ AND enabled
+ AND event_categories_list @> '["failure", "maintenance", "configuration change"]'
+ THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN source_type <> 'db-instance' THEN
+ cust_subscription_id || ' event subscription of ' || source_type || ' type.'
+ WHEN source_type LIKE 'db-instance'
+ AND enabled
+ AND event_categories_list @> '["failure", "maintenance", "configuration change"]'
+ THEN
+ cust_subscription_id || ' event subscription enabled for critical instance events.'
+ ELSE
+ cust_subscription_id || ' event subscription missing critical instance events.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_event_subscription;
 severity: low
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - application_monitoring
- foundational_security_item_id:
- - rds_20
- plugin:
- - aws
- service:
- - AWS/RDS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - application_monitoring
+ foundational_security_item_id:
+ - rds_20
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
diff --git a/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml
index fea2526f8..98b6d10ef 100644
--- a/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml
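Review bot: The status CASE tests `source_type = 'db-instance'` while the reason CASE tests `source_type LIKE 'db-instance'` for the same branch; without a wildcard the two are equivalent today, but the mismatch invites drift and the reason branch should use `=` as well. Neither CASE handles a NULL `source_type`: both `source_type <> 'db-instance'` and `source_type = 'db-instance'` evaluate to UNKNOWN, so such a subscription lands in `ELSE 'alarm'` even when `enabled` and the category containment hold; if a NULL source type means the subscription covers every source type (to be confirmed against what the collector stores), an explicit `WHEN source_type IS NULL AND enabled AND event_categories_list @> '["failure", "maintenance", "configuration change"]' THEN 'ok'` branch is needed. Because the query selects only from `aws_rds_db_event_subscription`, an account with no subscriptions produces no rows and therefore no alarm, which is worth stating in a comment above the SELECT so an empty result is not read as compliant.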
@@ -1,40 +1,41 @@
 id: aws_rds_db_instance_iam_authentication_enabled
 title: RDS DB instances should have IAM authentication enabled
+type: control
 description: Checks if an AWS Relational Database Service (AWS RDS) instance has AWS Identity and Access Management (IAM) authentication enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN iam_database_authentication_enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.'
- ELSE title || ' IAM authentication not enabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN iam_database_authentication_enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN iam_database_authentication_enabled THEN title || ' IAM authentication enabled.'
+ ELSE title || ' IAM authentication not enabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: medium
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - passwordless_authentication
- foundational_security_item_id:
- - rds_10
- plugin:
- - aws
- service:
- - AWS/RDS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - passwordless_authentication
+ foundational_security_item_id:
+ - rds_10
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
diff --git a/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml
index 2dfb90510..6ba4df756 100644
--- a/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml
@@ -1,96 +1,97 @@
 id: aws_rds_db_instance_in_backup_plan
 title: RDS DB instances should be in a backup plan
+type: control
 description: To help with data back-up processes, ensure your AWS Relational Database Service (AWS RDS) instances are a part of an AWS Backup plan.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- WITH mapped_with_id AS (
- SELECT
- jsonb_agg(elems) AS mapped_ids
- FROM
- aws_backup_selection,
- jsonb_array_elements(resources) AS elems
- GROUP BY
- backup_plan_id
- ),
- mapped_with_tags AS (
- SELECT
- jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags
- FROM
- aws_backup_selection,
- jsonb_array_elements(list_of_tags) AS elems
- GROUP BY
- backup_plan_id
- ),
- backed_up_instance AS (
- SELECT
- i.db_instance_identifier
- FROM
- aws_rds_db_instance AS i
- JOIN mapped_with_id AS t ON t.mapped_ids ?| ARRAY[i.arn]
- UNION
- SELECT
- i.db_instance_identifier
- FROM
- aws_rds_db_instance AS i
- JOIN mapped_with_tags AS t ON t.mapped_tags ?| ARRAY(SELECT jsonb_object_keys(tags))
- )
- SELECT
- i.arn AS resource,
- i.platform_integration_id AS platform_integration_id,
- i.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.db_instance_identifier IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN b.db_instance_identifier IS NULL THEN i.title || ' not in backup plan.'
- ELSE i.title || ' in backup plan.'
- END AS reason,
- i.region,
- i.account_id
- FROM
- aws_rds_db_instance AS i
- LEFT JOIN backed_up_instance AS b ON i.db_instance_identifier = b.db_instance_identifier
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ WITH mapped_with_id AS (
+ SELECT
+ jsonb_agg(elems) AS mapped_ids
+ FROM
+ aws_backup_selection,
+ jsonb_array_elements(resources) AS elems
+ GROUP BY
+ backup_plan_id
+ ),
+ mapped_with_tags AS (
+ SELECT
+ jsonb_agg(elems ->> 'ConditionKey') AS mapped_tags
+ FROM
+ aws_backup_selection,
+ jsonb_array_elements(list_of_tags) AS elems
+ GROUP BY
+ backup_plan_id
+ ),
+ backed_up_instance AS (
+ SELECT
+ i.db_instance_identifier
+ FROM
+ aws_rds_db_instance AS i
+ JOIN mapped_with_id AS t ON t.mapped_ids ?| ARRAY[i.arn]
+ UNION
+ SELECT
+ i.db_instance_identifier
+ FROM
+ aws_rds_db_instance AS i
+ JOIN mapped_with_tags AS t ON t.mapped_tags ?| ARRAY(SELECT jsonb_object_keys(tags))
+ )
+ SELECT
+ i.arn AS resource,
+ i.platform_integration_id AS platform_integration_id,
+ i.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.db_instance_identifier IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN b.db_instance_identifier IS NULL THEN i.title || ' not in backup plan.'
+ ELSE i.title || ' in backup plan.'
+ END AS reason,
+ i.region,
+ i.account_id
+ FROM
+ aws_rds_db_instance AS i
+ LEFT JOIN backed_up_instance AS b ON i.db_instance_identifier = b.db_instance_identifier
 severity: high
 tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- cisa_cyber_essentials:
- - 'true'
- ffiec:
- - 'true'
- gdpr:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- gxp_eu_annex_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/RDS
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ cisa_cyber_essentials:
+ - "true"
+ ffiec:
+ - "true"
+ gdpr:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ gxp_eu_annex_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/RDS
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml b/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml
index bdb78dfc5..382e2e385 100644
--- a/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml
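Review bot: `backed_up_instance` exposes only `db_instance_identifier` and the final `LEFT JOIN` matches on it, but that identifier is unique only within one account and region, so an instance with the same name that is in a backup plan in another account or region makes this one report `'ok'`; selecting `i.arn` in both branches of the UNION and joining with `LEFT JOIN backed_up_instance AS b ON i.arn = b.arn` keys the match on the ARN, which is what `mapped_with_id` already matches against. The tag branch compares the selection's `ConditionKey` values against the instance's tag keys (`jsonb_object_keys(tags)`) and ignores the condition value, so an instance that carries the key with a different value is also counted as backed up; matching key and value together would require reshaping `mapped_with_tags` into key/value pairs. `mapped_with_tags` is also not scoped by `account_id`, so a tag-based selection in one account marks instances in every account that share the same tag key as protected.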
@@ -1,40 +1,41 @@
 id: aws_rds_db_instance_in_vpc
 title: RDS instances should be deployed in a VPC
+type: control
 description: This control checks whether an RDS instance is deployed in a VPC (EC2-VPC).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN vpc_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN vpc_id IS NULL THEN title || ' is not in VPC.'
- ELSE title || ' is in VPC ' || vpc_id || '.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN vpc_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN vpc_id IS NULL THEN title || ' is not in VPC.'
+ ELSE title || ' is in VPC ' || vpc_id || '.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: high
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - resources_within_vpc
- foundational_security_item_id:
- - rds_18
- plugin:
- - aws
- service:
- - AWS/RDS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - resources_within_vpc
+ foundational_security_item_id:
+ - rds_18
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
diff --git a/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml
index 9095549e7..068bef809 100644
--- a/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml
@@ -1,91 +1,92 @@
 id: aws_rds_db_instance_logging_enabled
 title: Database logging should be enabled
+type: control
 description: To help with logging and monitoring within your environment, ensure AWS Relational Database Service (AWS RDS) logging is enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine = 'docdb' THEN 'skip'
- WHEN engine LIKE ANY (ARRAY['mariadb', '%mysql'])
- AND enabled_cloudwatch_logs_exports ?& ARRAY['audit', 'error', 'general', 'slowquery'] THEN 'ok'
- WHEN engine LIKE ANY (ARRAY['%postgres%'])
- AND enabled_cloudwatch_logs_exports ?& ARRAY['postgresql', 'upgrade'] THEN 'ok'
- WHEN engine LIKE 'oracle%'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['alert', 'audit', 'trace', 'listener'] THEN 'ok'
- WHEN engine = 'sqlserver-ex'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['error'] THEN 'ok'
- WHEN engine LIKE 'sqlserver%'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'agent'] THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN engine = 'docdb' THEN title || ' is docdb instance.'
- WHEN engine LIKE ANY (ARRAY['mariadb', '%mysql'])
- AND enabled_cloudwatch_logs_exports ?& ARRAY['audit', 'error', 'general', 'slowquery']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE ANY (ARRAY['%postgres%'])
- AND enabled_cloudwatch_logs_exports ?& ARRAY['postgresql', 'upgrade']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE 'oracle%'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['alert', 'audit', 'trace', 'listener']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine = 'sqlserver-ex'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['error']
- THEN title || ' ' || engine || ' logging enabled.'
- WHEN engine LIKE 'sqlserver%'
- AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'agent']
- THEN title || ' ' || engine || ' logging enabled.'
- ELSE title || ' logging not enabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine = 'docdb' THEN 'skip'
+ WHEN engine LIKE ANY (ARRAY['mariadb', '%mysql'])
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['audit', 'error', 'general', 'slowquery'] THEN 'ok'
+ WHEN engine LIKE ANY (ARRAY['%postgres%'])
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['postgresql', 'upgrade'] THEN 'ok'
+ WHEN engine LIKE 'oracle%'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['alert', 'audit', 'trace', 'listener'] THEN 'ok'
+ WHEN engine = 'sqlserver-ex'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['error'] THEN 'ok'
+ WHEN engine LIKE 'sqlserver%'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'agent'] THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN engine = 'docdb' THEN title || ' is docdb instance.'
+ WHEN engine LIKE ANY (ARRAY['mariadb', '%mysql'])
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['audit', 'error', 'general', 'slowquery']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE ANY (ARRAY['%postgres%'])
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['postgresql', 'upgrade']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE 'oracle%'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['alert', 'audit', 'trace', 'listener']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine = 'sqlserver-ex'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['error']
+ THEN title || ' ' || engine || ' logging enabled.'
+ WHEN engine LIKE 'sqlserver%'
+ AND enabled_cloudwatch_logs_exports ?& ARRAY['error', 'agent']
+ THEN title || ' ' || engine || ' logging enabled.'
+ ELSE title || ' logging not enabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: high
 tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gdpr:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/RDS
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gdpr:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/RDS
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml
index 2309cc7f7..74c2b08cd 100644
--- a/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml
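Review bot: Every engine/exports predicate is written twice, once in the status CASE and once in the reason CASE, so a change to one required-export list (for example extending the `oracle%` set) that is not mirrored in the other produces a status and reason that disagree; evaluating the check once in a CTE that yields a boolean, and deriving both columns from it, would make the control read as a single rule. The branch order also carries meaning: `engine = 'sqlserver-ex'` must stay ahead of `engine LIKE 'sqlserver%'` because the Express branch is held to the smaller export set `ARRAY['error']`, and a comment on that line, `-- sqlserver-ex is matched before the sqlserver% catch-all on purpose`, would keep a future reorder from silently tightening the check.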
@@ -1,58 +1,59 @@
 id: aws_rds_db_instance_multiple_az_enabled
 title: RDS DB instance multiple az should be enabled
+type: control
 description: Multi-AZ support in AWS Relational Database Service (AWS RDS) provides enhanced availability and durability for database instances.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN 'skip'
- WHEN multi_az THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN title || ' cluster instance.'
- WHEN multi_az THEN title || ' Multi-AZ enabled.'
- ELSE title || ' Multi-AZ disabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN 'skip'
+ WHEN multi_az THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%']) THEN title || ' cluster instance.'
+ WHEN multi_az THEN title || ' Multi-AZ enabled.'
+ ELSE title || ' Multi-AZ disabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: low
 tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/RDS
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
diff --git a/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml b/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml
index fb4bd13af..9c8c10f76 100644
--- a/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml
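Review bot: The skip predicate `engine ILIKE ANY (ARRAY ['%aurora-mysql%', '%aurora-postgres%'])` does not cover the plain `aurora` engine value, nor `docdb` and `neptune`, whereas the deletion-protection control earlier in this diff treats all of them as cluster-level with `engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune'])`; instances with those engines therefore alarm here as `Multi-AZ disabled` although this control's own reason text classifies Aurora members as a `cluster instance` rather than something the instance row decides. Aligning the predicate with the sibling control, `WHEN engine LIKE ANY(ARRAY['aurora%', 'docdb', 'neptune']) THEN 'skip'`, in both CASEs keeps the two controls consistent; if DocumentDB and Neptune are meant to be assessed here, a comment saying so would stop the next reader from "fixing" the discrepancy.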
@@ -1,40 +1,41 @@
 id: aws_rds_db_instance_no_default_admin_name
 title: RDS database instances should use a custom administrator username
+type: control
 description: This control checks whether you've changed the administrative username for AWS Relational Database Service (AWS RDS) database instances from the default value. The control fails if the administrative username is set to the default value.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.'
- ELSE title || ' not using default master user name.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN master_user_name IN ('admin', 'postgres') THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN master_user_name IN ('admin', 'postgres') THEN title || ' using default master user name.'
+ ELSE title || ' not using default master user name.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
 severity: medium
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - resource_configuration
- foundational_security_item_id:
- - rds_25
- plugin:
- - aws
- service:
- - AWS/RDS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - resource_configuration
+ foundational_security_item_id:
+ - rds_25
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
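Review bot: `master_user_name IN ('admin', 'postgres')` evaluates to UNKNOWN when `master_user_name` is NULL, so an instance whose master username was not collected falls through to `ELSE 'ok'` and is reported as not using a default name; an explicit first branch, `WHEN master_user_name IS NULL THEN 'info'` with a matching reason such as `title || ' master user name not available.'`, keeps a missing value from reading as compliant. A comment recording why exactly those two literals are checked, e.g. `-- 'admin' is the RDS default master username for the MySQL, MariaDB, Oracle and SQL Server engines, 'postgres' for PostgreSQL (verify against current RDS defaults)`, would make the list maintainable when engines are added.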
diff --git a/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml b/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml
index 94fd958cc..385ded9ba 100644
--- a/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml
+++ b/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml
@@ -1,36 +1,37 @@ id: aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability title: RDS PostgreSQL DB instances should not be exposed to local file read vulnerability +type: control description: This control checks whether AWS PostgreSQL DB instance are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT engine = 'postgres' THEN 'skip' - WHEN engine = 'postgres' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT engine = 'postgres' THEN title || ' not PostgreSQL edition.' - WHEN engine = 'postgres' AND engine_version LIKE ANY (ARRAY - [ - '13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9', - '11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15', - '10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5', - '10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17', - '9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8', - '9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3' - ]) THEN title || ' exposed to local file read vulnerability.' - ELSE title || ' not exposed to local file read vulnerability.' 
- END AS reason - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT engine = 'postgres' THEN 'skip' + WHEN engine = 'postgres' AND engine_version LIKE ANY (ARRAY ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT engine = 'postgres' THEN title || ' not PostgreSQL edition.' + WHEN engine = 'postgres' AND engine_version LIKE ANY (ARRAY + [ + '13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9', + '11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15', + '10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5', + '10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17', + '9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8', + '9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3' + ]) THEN title || ' exposed to local file read vulnerability.' + ELSE title || ' not exposed to local file read vulnerability.' + END AS reason + FROM + aws_rds_db_instance; severity: low tags: {} diff --git a/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml b/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml index 3933c91cf..6cc79ae66 100644 --- a/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml 
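Review bot: The status CASE alarms only on six versions (`'10.11', '10.12', '10.13', '11.6', '11.7', '11.8'`) while the reason CASE uses a much longer list (13.2 down to 9.3), so an instance on e.g. `12.2` is reported `ok` with the reason text "exposed to local file read vulnerability", and the two columns contradict each other. The version list should live in one place and drive both branches; the longer list looks like the intended coverage, but which one is authoritative is not shown in the hunk and should be confirmed against the advisory. `LIKE ANY` with no wildcards is just equality, so `IN` against a CTE is clearer, and this control also omits the `region, account_id` columns every sibling control emits.
```sql
WITH vulnerable_versions AS (
  -- single source of truth for the affected log_fdw releases; confirm against the AWS advisory
  SELECT unnest(ARRAY[
    '13.2','13.1','12.6','12.5','12.4','12.3','12.2','11.11','11.10','11.9',
    '11.8','11.7','11.6','11.5','11.4','11.3','11.2','11.1','10.16','10.15',
    '10.14','10.13','10.12','10.11','10.10','10.9','10.7','10.6','10.5',
    '10.4','10.3','10.1','9.6.21','9.6.20','9.6.19','9.6.18','9.6.17',
    '9.6.16','9.6.15','9.6.14','9.6.12','9.6.11','9.6.10','9.6.9','9.6.8',
    '9.6.6','9.6.5','9.6.3','9.6.2','9.6.1','9.5','9.4','9.3'
  ]) AS version
)
SELECT
  -- … unchanged: resource / platform_* columns …
  CASE
    WHEN engine <> 'postgres' THEN 'skip'
    WHEN engine_version IN (SELECT version FROM vulnerable_versions) THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN engine <> 'postgres' THEN title || ' not PostgreSQL edition.'
    WHEN engine_version IN (SELECT version FROM vulnerable_versions) THEN title || ' exposed to local file read vulnerability.'
    ELSE title || ' not exposed to local file read vulnerability.'
  END AS reason,
  region,
  account_id
FROM
  aws_rds_db_instance;
```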
@@ -1,66 +1,67 @@ id: aws_rds_db_instance_prohibit_public_access title: RDS DB instances should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS Relational Database Service (AWS RDS) instances are not public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_rds_db_instance; + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_instance; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/RDS - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml index be0986370..98fbbbd3f 100644 --- a/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml 
@@ -1,67 +1,68 @@ id: aws_rds_db_instance_protected_by_backup_plan title: RDS DB instance should be protected by backup plan +type: control description: Ensure that AWS Relational Database Service (AWS RDS) instances are protected by a backup plan. The rule is non-compliant if the AWS RDS Database instance is not covered by a backup plan. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - WITH backup_protected_rds_instance AS ( - SELECT - resource_arn AS arn - FROM - aws_backup_protected_resource AS b - WHERE - resource_type = 'RDS' - ) - SELECT - r.arn AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NOT NULL THEN r.title || ' is protected by backup plan.' - ELSE r.title || ' is not protected by backup plan.' - END AS reason, - r.region, - r.account_id - FROM - aws_rds_db_instance AS r - LEFT JOIN backup_protected_rds_instance AS b ON r.arn = b.arn; + language: sql + primary_resource: aws_rds_db_instance + definition: | + WITH backup_protected_rds_instance AS ( + SELECT + resource_arn AS arn + FROM + aws_backup_protected_resource AS b + WHERE + resource_type = 'RDS' + ) + SELECT + r.arn AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NOT NULL THEN r.title || ' is protected by backup plan.' + ELSE r.title || ' is not protected by backup plan.' 
+ END AS reason, + r.region, + r.account_id + FROM + aws_rds_db_instance AS r + LEFT JOIN backup_protected_rds_instance AS b ON r.arn = b.arn; severity: high tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/RDS - soc_2: - - 'true' + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml index 533ca7502..f78afa86d 100644 --- a/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml 
@@ -1,46 +1,47 @@ id: aws_rds_db_parameter_group_events_subscription title: An RDS event notifications subscription should be configured for critical database parameter group events +type: control description: This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-parameter-group' THEN 'skip' - WHEN source_type = 'db-parameter-group' - AND enabled - AND event_categories_list @> '["maintenance", "failure"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-parameter-group' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-parameter-group' - AND enabled - AND event_categories_list @> '["configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical database parameter group events.' - ELSE cust_subscription_id || ' event subscription missing critical database parameter group events.' - END AS reason, - region, - account_id - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-parameter-group' THEN 'skip' + WHEN source_type = 'db-parameter-group' + AND enabled + AND event_categories_list @> '["maintenance", "failure"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-parameter-group' THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' 
+ WHEN source_type = 'db-parameter-group' + AND enabled + AND event_categories_list @> '["configuration change"]' THEN cust_subscription_id || ' event subscription enabled for critical database parameter group events.' + ELSE cust_subscription_id || ' event subscription missing critical database parameter group events.' + END AS reason, + region, + account_id + FROM + aws_rds_db_event_subscription; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - application_monitoring - foundational_security_item_id: - - rds_21 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - application_monitoring + foundational_security_item_id: + - rds_21 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml index 8e7b8f119..96fb95ea5 100644 --- a/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml 
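Review bot: The status CASE requires `event_categories_list @> '["maintenance", "failure"]'` while the reason CASE requires `@> '["configuration change"]'`, so a subscription covering only configuration changes is marked `alarm` with the text "enabled for critical database parameter group events", and one covering maintenance/failure is marked `ok` with "missing critical ... events". The title and the reason branch point at configuration-change events as the intended category for parameter groups, so the status line should read `AND event_categories_list @> '["configuration change"]' THEN 'ok'`; confirm against the Security Hub RDS.21 definition the tags reference. Separately, the query is per subscription, so an account with no `db-parameter-group` subscription at all yields no rows and therefore no alarm — the description's "checks whether a subscription exists" is not actually evaluated.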
@@ -1,49 +1,50 @@ id: aws_rds_db_security_group_events_subscription title: An RDS event notifications subscription should be configured for critical database security group events +type: control description: This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_event_subscription - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN source_type <> 'db-security-group' THEN 'skip' - WHEN source_type = 'db-security-group' - AND enabled - AND event_categories_list @> '["failure", "configuration change"]' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source_type <> 'db-security-group' - THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' - WHEN source_type = 'db-security-group' - AND enabled - AND event_categories_list @> '["failure", "configuration change"]' - THEN cust_subscription_id || ' event subscription enabled for critical database security group events.' - ELSE cust_subscription_id || ' event subscription missing critical database security group events.' 
- END AS reason, - region, - account_id - FROM - aws_rds_db_event_subscription; + language: sql + primary_resource: aws_rds_db_event_subscription + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN source_type <> 'db-security-group' THEN 'skip' + WHEN source_type = 'db-security-group' + AND enabled + AND event_categories_list @> '["failure", "configuration change"]' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source_type <> 'db-security-group' + THEN cust_subscription_id || ' event subscription of ' || source_type || ' type.' + WHEN source_type = 'db-security-group' + AND enabled + AND event_categories_list @> '["failure", "configuration change"]' + THEN cust_subscription_id || ' event subscription enabled for critical database security group events.' + ELSE cust_subscription_id || ' event subscription missing critical database security group events.' + END AS reason, + region, + account_id + FROM + aws_rds_db_event_subscription; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - application_monitoring - foundational_security_item_id: - - rds_22 - plugin: - - aws - service: - - AWS/RDS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - application_monitoring + foundational_security_item_id: + - rds_22 + plugin: + - aws + service: + - AWS/RDS diff --git a/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml b/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml index b3b8b7963..077ea49f0 100644 --- a/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml +++ b/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml 
@@ -1,87 +1,88 @@ id: aws_rds_db_snapshot_encrypted_at_rest title: RDS DB snapshots should be encrypted at rest +type: control description: Ensure that encryption is enabled for your AWS Relational Database Service (AWS RDS) snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_cluster_snapshot' AS platform_table_name, - CASE - WHEN storage_encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN storage_encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster_snapshot - ) - UNION - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_snapshot' AS platform_table_name, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encrypted at rest.' - ELSE title || ' not encrypted at rest.' - END AS reason, - region, - account_id - FROM - aws_rds_db_snapshot - ); + language: sql + primary_resource: "" + definition: | + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_cluster_snapshot' AS platform_table_name, + CASE + WHEN storage_encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN storage_encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_cluster_snapshot + ) + UNION + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_snapshot' AS platform_table_name, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encrypted at rest.' + ELSE title || ' not encrypted at rest.' + END AS reason, + region, + account_id + FROM + aws_rds_db_snapshot + ); severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/RDS - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml b/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml index be92a403a..46c0d81a8 100644 --- a/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml 
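Review bot: The two halves are joined with `UNION`, which forces a sort-and-dedup pass over every snapshot even though the `platform_table_name` column already makes the halves disjoint; `UNION ALL` is the correct and cheaper operator here and in the other two-table controls in this change. Also note `WHEN storage_encrypted THEN 'ok' ELSE 'alarm'` (and `encrypted` in the second half) treats a NULL flag as not encrypted, which fails closed — worth a one-line comment so a later edit does not "fix" it into a silent pass.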
@@ -1,91 +1,92 @@ id: aws_rds_db_snapshot_prohibit_public_access title: RDS snapshots should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS Relational Database Service (AWS RDS) instances are not public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_cluster_snapshot' AS platform_table_name, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly restorable.' - ELSE title || ' not publicly restorable.' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot - ) - UNION - ( - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'aws_rds_db_snapshot' AS platform_table_name, - CASE - WHEN database_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN database_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly restorable.' - ELSE title || ' not publicly restorable.' 
- END AS reason, - region, - account_id - FROM - aws_rds_db_snapshot, - jsonb_array_elements(db_snapshot_attributes) AS database_snapshot - ); + language: sql + primary_resource: "" + definition: | + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_cluster_snapshot' AS platform_table_name, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN cluster_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly restorable.' + ELSE title || ' not publicly restorable.' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster_snapshot, + jsonb_array_elements(db_cluster_snapshot_attributes) AS cluster_snapshot + ) + UNION + ( + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'aws_rds_db_snapshot' AS platform_table_name, + CASE + WHEN database_snapshot -> 'AttributeValues' = '["all"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN database_snapshot -> 'AttributeValues' = '["all"]' THEN title || ' publicly restorable.' + ELSE title || ' not publicly restorable.' 
+ END AS reason, + region, + account_id + FROM + aws_rds_db_snapshot, + jsonb_array_elements(db_snapshot_attributes) AS database_snapshot + ); severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/RDS - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/RDS + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml index c29f969e1..11d284ede 100644 --- a/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml 
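Review bot: `database_snapshot -> 'AttributeValues' = '["all"]'` is an exact JSON-equality test, so a snapshot shared with `["123456789012", "all"]` (specific accounts plus public) is reported `ok`, and the `jsonb_array_elements(...)` cross join both drops snapshots whose attribute array is empty (no row, no verdict) and emits one row per attribute entry for the rest. The check should ask whether the `restore` attribute's value list contains `all` (per the RDS snapshot-attribute API, `restore` is the attribute that carries account IDs or `all`) and evaluate it once per snapshot via `EXISTS`; the same rewrite applies to the cluster-snapshot half, and `UNION` can become `UNION ALL` since the halves are disjoint.
```sql
-- … unchanged: cluster snapshot half, same EXISTS rewrite against db_cluster_snapshot_attributes …
UNION ALL
(
  SELECT
    arn AS resource,
    platform_integration_id AS platform_integration_id,
    platform_resource_id AS platform_resource_id,
    'aws_rds_db_snapshot' AS platform_table_name,
    CASE
      WHEN EXISTS (
        SELECT 1
        FROM jsonb_array_elements(db_snapshot_attributes) AS attr
        WHERE attr ->> 'AttributeName' = 'restore'
          AND attr -> 'AttributeValues' ? 'all'   -- 'all' anywhere in the list means publicly restorable
      ) THEN 'alarm'
      ELSE 'ok'
    END AS status,
    CASE
      WHEN EXISTS (
        SELECT 1
        FROM jsonb_array_elements(db_snapshot_attributes) AS attr
        WHERE attr ->> 'AttributeName' = 'restore'
          AND attr -> 'AttributeValues' ? 'all'
      ) THEN title || ' publicly restorable.'
      ELSE title || ' not publicly restorable.'
    END AS reason,
    region,
    account_id
  FROM
    aws_rds_db_snapshot
);
```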
@@ -1,42 +1,43 @@ id: aws_redshift_cluster_audit_logging_enabled title: AWS Redshift audit logging should be enabled +type: control description: This control ensures if redshift clusters are logging audits to a specific bucket. The rule is non-compliant if audit logging is not enabled for a redshift cluster or if the 'bucketNames' parameter is provided but the audit logging destination does not match. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN logging_status ->> 'LoggingEnabled' = 'true' THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: high tags: - category: - - Compliance - gxp_21_cfr_part_11: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/Redshift - soc_2: - - 'true' + category: + - Compliance + gxp_21_cfr_part_11: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/Redshift + soc_2: + - "true" 
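Review bot: The description says the rule fails "if the 'bucketNames' parameter is provided but the audit logging destination does not match", yet `parameters: []` declares no such parameter and the query only tests `logging_status ->> 'LoggingEnabled' = 'true'` — nothing reads a bucket name. Either drop that sentence from the description or add the parameter and a branch comparing `logging_status ->> 'BucketName'` against it; as written, a reader will assume destination pinning is enforced when it is not. Note also that Redshift can send audit logs to CloudWatch rather than S3, so any bucket comparison needs to account for a non-S3 destination, which is not visible in this hunk.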
diff --git a/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml b/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml index b03ccb889..9cf77b871 100644 --- a/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml 
@@ -1,66 +1,67 @@ id: aws_redshift_cluster_automatic_snapshots_min_7_days title: AWS Redshift clusters should have automatic snapshots enabled +type: control description: This control checks whether AWS Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN automated_snapshot_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than equals 7 days.' - ELSE title || ' automatic snapshots enabled with retention period less than 7 days.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN automated_snapshot_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN automated_snapshot_retention_period >= 7 THEN title || ' automatic snapshots enabled with retention period greater than equals 7 days.' + ELSE title || ' automatic snapshots enabled with retention period less than 7 days.' 
+ END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml index 3b7b7269a..93cc39b44 100644 --- a/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml 
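Review bot: The failure reason always says "automatic snapshots enabled with retention period less than 7 days", but a retention period of 0 means automated snapshots are disabled, so the message misreports the most important failing state; the title itself is "should have automatic snapshots enabled". Add a leading branch to the reason CASE, `WHEN COALESCE(automated_snapshot_retention_period, 0) = 0 THEN title || ' automatic snapshots disabled.'`, keeping the existing `>= 7` branch for the retention case. The status CASE already fails closed on NULL (`NULL >= 7` falls to `ELSE 'alarm'`), which is the right direction and deserves a one-line comment so it is not "fixed" later.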
@@ -1,40 +1,41 @@ id: aws_redshift_cluster_automatic_upgrade_major_versions_enabled title: AWS Redshift should have automatic upgrades to major versions enabled +type: control description: This control checks whether automatic major version upgrades are enabled for the AWS Redshift cluster. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN allow_version_upgrade THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN allow_version_upgrade THEN title || ' automatic upgrades to major versions enabled.' - ELSE title || ' automatic upgrades to major versions disabled.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN allow_version_upgrade THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN allow_version_upgrade THEN title || ' automatic upgrades to major versions enabled.' + ELSE title || ' automatic upgrades to major versions disabled.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - vulnerability_and_patch_management - foundational_security_item_id: - - redshift_6 - plugin: - - aws - service: - - AWS/Redshift + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - vulnerability_and_patch_management + foundational_security_item_id: + - redshift_6 + plugin: + - aws + service: + - AWS/Redshift 
diff --git a/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml index 04df43382..aabc96b2d 100644 --- a/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml 
@@ -1,77 +1,78 @@ id: aws_redshift_cluster_encryption_in_transit_enabled title: Redshift cluster encryption in transit should be enabled +type: control description: Ensure that your AWS Redshift clusters require TLS/SSL encryption to connect to SQL clients. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - WITH pg_with_ssl AS ( - SELECT - name AS pg_name, - p ->> 'ParameterName' AS parameter_name, - p ->> 'ParameterValue' AS parameter_value - FROM - aws_redshift_parameter_group, - jsonb_array_elements(parameters) AS p - WHERE - p ->> 'ParameterName' = 'require_ssl' - AND p ->> 'ParameterValue' = 'true' - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN title || ' encryption in transit enabled.' - ELSE title || ' encryption in transit disabled.' 
- END AS reason, - region, - account_id - FROM - aws_redshift_cluster, - jsonb_array_elements(cluster_parameter_groups) AS cpg; + language: sql + primary_resource: aws_redshift_cluster + definition: | + WITH pg_with_ssl AS ( + SELECT + name AS pg_name, + p ->> 'ParameterName' AS parameter_name, + p ->> 'ParameterValue' AS parameter_value + FROM + aws_redshift_parameter_group, + jsonb_array_elements(parameters) AS p + WHERE + p ->> 'ParameterName' = 'require_ssl' + AND p ->> 'ParameterValue' = 'true' + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cpg ->> 'ParameterGroupName' IN (SELECT pg_name FROM pg_with_ssl) THEN title || ' encryption in transit enabled.' + ELSE title || ' encryption in transit disabled.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster, + jsonb_array_elements(cluster_parameter_groups) AS cpg; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + 
nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml index 0352b0e18..d8339b86b 100644 --- a/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml 
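Review bot: The `pg_with_ssl` CTE and the two `IN (SELECT pg_name FROM pg_with_ssl)` predicates in this definition match parameter groups by name alone, with no `account_id`/`region`, so a `require_ssl=true` group in one account or region makes a same-named group anywhere else in the scan pass, and a cluster attached to a group with `require_ssl=false` can be reported `ok`. Parameter-group names are only unique within an account and region, so the match should be on the (name, account, region) tuple; the same predicate is repeated in the `status` and `reason` CASEs and both need the change. The `parameter_name`/`parameter_value` columns selected in the CTE are unused and can be dropped at the same time.

```sql
WITH pg_with_ssl AS (
  SELECT
    name AS pg_name,
    account_id,
    region
  FROM
    aws_redshift_parameter_group,
    jsonb_array_elements(parameters) AS p
  WHERE
    p ->> 'ParameterName' = 'require_ssl'
    AND p ->> 'ParameterValue' = 'true'
)
SELECT
  c.arn AS resource,
  -- … unchanged: platform_integration_id, platform_resource_id …
  CASE
    WHEN (cpg ->> 'ParameterGroupName', c.account_id, c.region) IN (SELECT pg_name, account_id, region FROM pg_with_ssl) THEN 'ok'
    ELSE 'alarm'
  END AS status,
  -- … unchanged: reason CASE, using the same tuple predicate …
  c.region,
  c.account_id
FROM
  aws_redshift_cluster AS c,
  jsonb_array_elements(c.cluster_parameter_groups) AS cpg;
```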
@@ -1,70 +1,71 @@ id: aws_redshift_cluster_encryption_logging_enabled title: Redshift cluster audit logging and encryption should be enabled +type: control description: To protect data at rest, ensure that encryption is enabled for your AWS Redshift clusters. You must also ensure that required configurations are deployed on AWS Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT encrypted THEN 'alarm' - WHEN NOT (logging_status ->> 'LoggingEnabled')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT encrypted THEN title || ' not encrypted.' - WHEN NOT (logging_status ->> 'LoggingEnabled')::BOOLEAN THEN title || ' audit logging not enabled.' - ELSE title || ' audit logging and encryption enabled.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT encrypted THEN 'alarm' + WHEN NOT (logging_status ->> 'LoggingEnabled')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT encrypted THEN title || ' not encrypted.' + WHEN NOT (logging_status ->> 'LoggingEnabled')::BOOLEAN THEN title || ' audit logging not enabled.' + ELSE title || ' audit logging and encryption enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml index 7f9f5c48f..0b43c1ed2 100644 --- a/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml 
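Review bot: The status CASE in this definition falls through to `ok` when either flag is NULL: `NOT encrypted` and `NOT (logging_status ->> 'LoggingEnabled')::BOOLEAN` both evaluate to NULL when `encrypted` is NULL or `logging_status` is NULL or lacks the key, so neither `alarm` branch fires and a cluster with no logging status at all is reported as compliant. Coalesce the flags to false so an absent value is treated as disabled, e.g. `WHEN NOT COALESCE((logging_status ->> 'LoggingEnabled')::BOOLEAN, false) THEN 'alarm'` and `WHEN NOT COALESCE(encrypted, false) THEN 'alarm'`. The same two predicates are repeated in the `reason` CASE and need the identical change so status and message stay in step.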
@@ -1,46 +1,47 @@ id: aws_redshift_cluster_enhanced_vpc_routing_enabled title: AWS Redshift enhanced VPC routing should be enabled +type: control description: Ensure that AWS Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non-compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enhanced_vpc_routing THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enhanced_vpc_routing THEN title || ' enhanced VPC routing enabled.' - ELSE title || ' enhanced VPC routing disabled.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enhanced_vpc_routing THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enhanced_vpc_routing THEN title || ' enhanced VPC routing enabled.' + ELSE title || ' enhanced VPC routing disabled.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: medium tags: - category: - - Compliance - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/Redshift + category: + - Compliance + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/Redshift 
diff --git a/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml index 560744c11..16a8ebd92 100644 --- a/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml 
@@ -1,54 +1,55 @@ id: aws_redshift_cluster_kms_enabled title: AWS Redshift clusters should be encrypted with KMS +type: control description: Ensure that AWS Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is compliant if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non-compliant if the cluster is not encrypted or encrypted with another key. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN encrypted AND kms_key_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted AND kms_key_id IS NOT NULL THEN title || ' encrypted with KMS.' - ELSE title || ' not encrypted with KMS.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN encrypted AND kms_key_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted AND kms_key_id IS NOT NULL THEN title || ' encrypted with KMS.' + ELSE title || ' not encrypted with KMS.' 
+ END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift diff --git a/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml b/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml index 259f675f4..a8488a670 100644 --- a/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml 
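Review bot: The description promises a check against "the key provided in the kmsKeyArn parameter" and says a cluster "encrypted with another key" is non-compliant, but the control declares `parameters: []` and the SQL only tests `encrypted AND kms_key_id IS NOT NULL`, so no specific key is ever verified. Either add a key parameter and compare `kms_key_id` against it, or reword the description to match what is actually evaluated, e.g. `description: Ensure that AWS Redshift clusters are encrypted using an AWS KMS key. The control is non-compliant if the cluster is not encrypted or has no KMS key associated with it; it does not verify which key is used.` Leaving the current text invites auditors to assume a key-pinning control that this query does not implement.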
@@ -1,50 +1,51 @@ id: aws_redshift_cluster_maintenance_settings_check title: AWS Redshift should have required maintenance settings +type: control description: Ensure whether AWS Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN allow_version_upgrade AND automated_snapshot_retention_period >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN allow_version_upgrade AND automated_snapshot_retention_period >= 7 THEN title || ' has the required maintenance settings.' - ELSE title || ' does not have required maintenance settings.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN allow_version_upgrade AND automated_snapshot_retention_period >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN allow_version_upgrade AND automated_snapshot_retention_period >= 7 THEN title || ' has the required maintenance settings.' + ELSE title || ' does not have required maintenance settings.' 
+ END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift diff --git a/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml b/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml index fa67a555a..5c1d33faf 100644 --- a/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml 
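Review bot: The description says `automatedSnapshotRetentionPeriod` "should be greater than 7" while the SQL uses `automated_snapshot_retention_period >= 7`, so a 7-day retention passes the query but fails the stated requirement; the wording should read "at least 7 days" (or the predicate should become `> 7`, whichever is intended). The single `does not have required maintenance settings.` reason also hides which of the two conditions failed, which makes remediation needlessly slow. Splitting the reason CASE, e.g. `WHEN NOT allow_version_upgrade THEN title || ' automatic version upgrade disabled.'` followed by `WHEN automated_snapshot_retention_period < 7 THEN title || ' automated snapshot retention below 7 days.'`, would name the offending setting.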
@@ -1,40 +1,41 @@ id: aws_redshift_cluster_no_default_admin_name title: AWS Redshift clusters should not use the default Admin username +type: control description: This control checks whether a AWS Redshift cluster has changed the admin username from its default value. This control will fail if the admin username for a Redshift cluster is set to awsuser. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN master_username = 'awsuser' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN master_username = 'awsuser' THEN title || ' using default master user name.' - ELSE title || ' not using default master user name.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN master_username = 'awsuser' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN master_username = 'awsuser' THEN title || ' using default master user name.' + ELSE title || ' not using default master user name.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - redshift_8 - plugin: - - aws - service: - - AWS/Redshift + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - redshift_8 + plugin: + - aws + service: + - AWS/Redshift 
diff --git a/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml b/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml index 33174ea18..d2091dae2 100644 --- a/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml 
@@ -1,40 +1,41 @@ id: aws_redshift_cluster_no_default_database_name title: Redshift clusters should not use the default database name +type: control description: This control checks whether an AWS Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN db_name = 'dev' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN db_name = 'dev' THEN title || ' using default database name.' - ELSE title || ' not using default database name.' - END AS reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN db_name = 'dev' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN db_name = 'dev' THEN title || ' using default database name.' + ELSE title || ' not using default database name.' + END AS reason, + region, + account_id + FROM + aws_redshift_cluster; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - redshift_9 - plugin: - - aws - service: - - AWS/Redshift + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - redshift_9 + plugin: + - aws + service: + - AWS/Redshift 
diff --git a/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml b/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml index 19a6f70fa..e975c5e66 100644 --- a/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml 
@@ -1,64 +1,65 @@ id: aws_redshift_cluster_prohibit_public_access title: Redshift clusters should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS Redshift clusters are not public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_redshift_cluster - definition: | - SELECT - cluster_namespace_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN publicly_accessible THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN publicly_accessible THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END reason, - region, - account_id - FROM - aws_redshift_cluster; + language: sql + primary_resource: aws_redshift_cluster + definition: | + SELECT + cluster_namespace_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN publicly_accessible THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN publicly_accessible THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' 
+ END reason, + region, + account_id + FROM + aws_redshift_cluster; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/Redshift - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/Redshift + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml b/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml index ec2afc4ce..e0e3f7459 100644 --- a/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml +++ b/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml 
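Review bot: This definition emits `cluster_namespace_arn AS resource` while every sibling Redshift control in this change (encryption, KMS, VPC routing, admin/database name) emits `arn AS resource`, so findings for the same cluster will not correlate across controls by resource identifier. Unless the namespace ARN is deliberately chosen here, change the first projected column to `arn AS resource,` to match the rest of the set. The `END status` and `END reason` lines also omit the `AS` keyword that the other controls use; adding it keeps the style consistent.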
@@ -1,34 +1,35 @@ id: aws_root_accounts_needs_to_have_mfa title: AWS Root Accounts needs to have MFA +type: control description: AWS Root Account cannot have API Keys integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN NOT mfa_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT mfa_active THEN 'root account MFA is not activated' - ELSE 'root account MFA is activated' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report - WHERE - user_name = ''; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN NOT mfa_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT mfa_active THEN 'root account MFA is not activated' + ELSE 'root account MFA is activated' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report + WHERE + user_name = ''; severity: medium tags: - category: - - Compliance - score_service_name: - - AWS Identity and Access Management (IAM) + category: + - Compliance + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml b/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml index c4e7d1e9c..a80bd68ae 100644 --- a/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml +++ b/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml 
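Review bot: The filter `WHERE user_name = ''` is unlikely to select the root row: in the IAM credential report the root entry carries `<root_account>` in its user column, and if the `aws_iam_credential_report` table preserves that value the query returns no rows and the control can never alarm. Confirm the value against the table and use it explicitly, e.g. `user_name = '<root_account>'`. Separately, the description `AWS Root Account cannot have API Keys` describes a different control than the MFA check this SQL performs; it should read along the lines of `description: Ensure the AWS account root user has multi-factor authentication enabled.`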
@@ -1,26 +1,27 @@ id: aws_route53_domain_auto_renew_enabled title: Route 53 domains auto renew should be enabled +type: control description: This control ensures that AWS Route 53 Auto Renew feature is enabled to automatically renew your domain names as the expiration date approaches. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN auto_renew THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_renew THEN title || ' auto renew enabled.' - ELSE title || ' auto renew disabled.' - END AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN auto_renew THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_renew THEN title || ' auto renew enabled.' + ELSE title || ' auto renew disabled.' + END AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml b/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml index c7f112771..8c1f0b2af 100644 --- a/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml +++ b/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml 
@@ -1,23 +1,24 @@ id: aws_route53_domain_expires_30_days title: Route 53 domains should not expire within next 30 days +type: control description: This control ensures that all the domain names registered with AWS Route 53 or transferred to AWS Route 53 are renewed 30 days before their validity period ends. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN DATE(expiration_date) - DATE(current_date) >= 30 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - current_date) || ' days.' AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN DATE(expiration_date) - DATE(current_date) >= 30 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - current_date) || ' days.' AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml b/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml index c6ccd88cb..dab720c66 100644 --- a/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml +++ b/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml 
@@ -1,23 +1,24 @@ id: aws_route53_domain_expires_7_days title: Route 53 domains should not expire within next 7 days +type: control description: This controls ensures that all the domain names registered with AWS Route 53 or transferred to AWS Route 53 are renewed 7 days before their validity period ends. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN DATE(expiration_date) - DATE(current_date) >= 7 THEN 'ok' - ELSE 'alarm' - END AS status, - title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - current_date) || ' days.' AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN DATE(expiration_date) - DATE(current_date) >= 7 THEN 'ok' + ELSE 'alarm' + END AS status, + title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - current_date) || ' days.' AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_domain_not_expired.yaml b/compliance/controls/aws/aws_route53_domain_not_expired.yaml index ed6c9cc6c..e52104493 100644 --- a/compliance/controls/aws/aws_route53_domain_not_expired.yaml +++ b/compliance/controls/aws/aws_route53_domain_not_expired.yaml 
@@ -1,26 +1,27 @@ id: aws_route53_domain_not_expired title: Route 53 domains should not be expired +type: control description: This control identifies any expired domain names registered with AWS Route 53. When the expired domain names are not restored promptly, they will become available for others to register. Restoring on time your Route 53 expired domains will allow you to reestablish full control over their registration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN expiration_date < (CURRENT_DATE - INTERVAL '1' MINUTE) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration_date < (CURRENT_DATE - INTERVAL '1' MINUTE) THEN title || ' expired on ' || TO_CHAR(expiration_date, 'DD-Mon-YYYY') || '.' - ELSE title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - CURRENT_DATE) || ' days.' - END AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN expiration_date < (CURRENT_DATE - INTERVAL '1' MINUTE) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration_date < (CURRENT_DATE - INTERVAL '1' MINUTE) THEN title || ' expired on ' || TO_CHAR(expiration_date, 'DD-Mon-YYYY') || '.' + ELSE title || ' set to expire in ' || EXTRACT(DAY FROM expiration_date - CURRENT_DATE) || ' days.' + END AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml b/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml index c50cb7e0c..9fb6269cd 100644 
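Review bot: The alarm predicate `expiration_date < (CURRENT_DATE - INTERVAL '1' MINUTE)` compares against 23:59 of the previous day, so a domain that expired earlier today is still reported `ok` (with "set to expire in 0 days") until the next calendar day, a lag of up to 24 hours for a control whose description stresses prompt restoration. Comparing against the current instant, `WHEN expiration_date < CURRENT_TIMESTAMP THEN 'alarm'`, removes the gap; the same expression appears in the `reason` CASE and should change with it. If the one-minute offset is intentional (for example to absorb clock skew), a short comment above the CASE explaining it would help the next reader.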
--- a/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml +++ b/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml @@ -1,26 +1,27 @@ id: aws_route53_domain_privacy_protection_enabled title: Route53 domains privacy protection should be enabled +type: control description: Ensure that your AWS Route 53 domains have Privacy Protection feature enabled in order to hide all their contact information from WHOIS queries and reduce the amount of spam received. The feature allows you to conceal your personal phone number, email and physical address for the domain names registered and/or transferred to AWS Route 53 service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN admin_privacy THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_privacy THEN title || ' privacy protection enabled.' - ELSE title || ' privacy protection disabled.' - END AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN admin_privacy THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_privacy THEN title || ' privacy protection enabled.' + ELSE title || ' privacy protection disabled.' + END AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml b/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml index 621aed04f..ad293bcab 100644 --- a/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml +++ b/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml 
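Review bot: The check tests only `admin_privacy`, yet the description says privacy protection hides "all their contact information" from WHOIS; Route 53 domains carry separate privacy flags for the admin, registrant and technical contacts, so a domain with only the admin contact protected would pass while its registrant and tech details remain exposed. If the `aws_route53_domain` table exposes the other flags (the plugin's columns are not visible here), the predicate should be `WHEN admin_privacy AND registrant_privacy AND tech_privacy THEN 'ok'` in both the `status` and `reason` CASEs. If only the admin flag is available, the description and title should say so rather than claim full coverage.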
@@ -1,26 +1,27 @@ id: aws_route53_domain_transfer_lock_enabled title: Route 53 domains should have transfer lock enabled +type: control description: Ensure Route 53 registered domains are locked to prevent any unauthorized transfers to another domain name registrar. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_domain - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN transfer_lock THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transfer_lock THEN title || ' transfer lock enabled.' - ELSE title || ' transfer lock disabled.' - END AS reason - FROM - aws_route53_domain; + language: sql + primary_resource: aws_route53_domain + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN transfer_lock THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transfer_lock THEN title || ' transfer lock enabled.' + ELSE title || ' transfer lock disabled.' + END AS reason + FROM + aws_route53_domain; severity: low tags: {} diff --git a/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml b/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml index 35b89fed2..6a13a6759 100644 --- a/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml +++ b/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml 
@@ -1,28 +1,29 @@ id: aws_route53_zone_query_logging_enabled title: Route 53 zones should have query logging enabled +type: control description: Ensure Route 53 zones have query logging enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_route53_zone - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN private_zone THEN 'skip' - WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN private_zone THEN title || ' is private hosted zone.' - WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN title || ' query logging to CloudWatch enabled.' - ELSE title || ' query logging to CloudWatch disabled.' - END AS reason - FROM - aws_route53_zone; + language: sql + primary_resource: aws_route53_zone + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN private_zone THEN 'skip' + WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN private_zone THEN title || ' is private hosted zone.' + WHEN query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0 THEN title || ' query logging to CloudWatch enabled.' + ELSE title || ' query logging to CloudWatch disabled.' + END AS reason + FROM + aws_route53_zone; severity: low tags: {} diff --git a/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml b/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml index 472b463ce..c6a705981 100644 --- a/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml 
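Review bot: The `OR` in `query_logging_configs IS NOT NULL OR jsonb_array_length(query_logging_configs) > 0` makes the length test dead: when the column is NULL the whole predicate is UNKNOWN and falls to 'alarm', and when it is non-NULL the first operand already wins, so a zone with an empty `[]` configuration array is reported as 'ok'. The operator should be `AND` in both the status and the reason CASE: `WHEN query_logging_configs IS NOT NULL AND jsonb_array_length(query_logging_configs) > 0 THEN 'ok'`. This is a false negative on a logging control, so the zone silently passes while emitting no query logs at all.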
+++ b/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml 
@@ -1,40 +1,41 @@ id: aws_s3_access_point_restrict_public_access title: S3 access points should have block public access settings enabled +type: control description: This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_access_point - definition: | - SELECT - access_point_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN name || ' all public access blocks enabled.' - ELSE name || ' not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, - CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, - CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, - CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END - ) || '.' - END AS reason - FROM - aws_s3_access_point; + language: sql + primary_resource: aws_s3_access_point + definition: | + SELECT + access_point_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, + CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, + CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, + CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END + ) || '.' + END AS reason + FROM + aws_s3_access_point; severity: low tags: {} diff --git a/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml b/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml index a60551c7e..fd57fc911 100644 --- a/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml 
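Review bot: When any of the four block-public-access flags is NULL (settings never fetched or never set), the status CASE correctly falls to 'alarm', but the reason branch yields `name || ' not enabled for: .'` with an empty list, because `NOT NULL` is UNKNOWN and CONCAT_WS drops it. Using `CASE WHEN block_public_acls IS NOT TRUE THEN 'block_public_acls' END` (and the same `IS NOT TRUE` form for the other three) names the unset flag in the reason as well as in the status.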
@@ -1,85 +1,86 @@ id: aws_s3_bucket_acls_should_prohibit_user_access title: S3 buckets access control lists (ACLs) should not be used to manage user access to buckets +type: control description: This control checks whether AWS S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_acl_details AS ( - SELECT - arn, - title, - ARRAY[acl -> 'Owner' ->> 'ID'] AS bucket_owner, - ARRAY_AGG(grantee_id) AS bucket_acl_permissions, - object_ownership_controls, - region, - account_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - tags - FROM - aws_s3_bucket, - JSONB_PATH_QUERY(acl, '$.Grants.Grantee.ID') AS grantee_id - GROUP BY - arn, - title, - acl, - region, - account_id, - object_ownership_controls, - platform_integration_id, - platform_resource_id, - _ctx, - tags - ), - bucket_acl_checks AS ( - SELECT - arn, - title, - TO_JSONB(bucket_acl_permissions) - bucket_owner AS additional_permissions, - object_ownership_controls, - region, - account_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - tags - FROM - bucket_acl_details - ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN 'ok' - WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN title || ' ACLs are disabled.' - WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN title || ' does not have ACLs for user access.' 
- ELSE title || ' has ACLs for user access.' - END AS reason, - region, - account_id - FROM - bucket_acl_checks; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_acl_details AS ( + SELECT + arn, + title, + ARRAY[acl -> 'Owner' ->> 'ID'] AS bucket_owner, + ARRAY_AGG(grantee_id) AS bucket_acl_permissions, + object_ownership_controls, + region, + account_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + tags + FROM + aws_s3_bucket, + JSONB_PATH_QUERY(acl, '$.Grants.Grantee.ID') AS grantee_id + GROUP BY + arn, + title, + acl, + region, + account_id, + object_ownership_controls, + platform_integration_id, + platform_resource_id, + _ctx, + tags + ), + bucket_acl_checks AS ( + SELECT + arn, + title, + TO_JSONB(bucket_acl_permissions) - bucket_owner AS additional_permissions, + object_ownership_controls, + region, + account_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + tags + FROM + bucket_acl_details + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN 'ok' + WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"}]' THEN title || ' ACLs are disabled.' + WHEN JSONB_ARRAY_LENGTH(additional_permissions) = 0 THEN title || ' does not have ACLs for user access.' + ELSE title || ' has ACLs for user access.' 
+ END AS reason, + region, + account_id + FROM + bucket_acl_checks; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - access_control - foundational_security_item_id: - - s3_12 - plugin: - - aws - service: - - AWS/S3 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - access_control + foundational_security_item_id: + - s3_12 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml index 4eaf06673..0a3c6b3b1 100644 --- a/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml 
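Review bot: The comma join with `JSONB_PATH_QUERY(acl, '$.Grants.Grantee.ID')` in bucket_acl_details is an inner join, so a bucket whose acl is NULL, or whose grants carry no `ID` at all (group grantees are identified by URI), produces zero rows and disappears from the control's output instead of being evaluated. For a control whose purpose is to surface ACL usage, a silently missing row is the wrong failure mode; a `LEFT JOIN LATERAL JSONB_PATH_QUERY(acl, '$.Grants.Grantee.ID') AS grantee_id ON TRUE` keeps every bucket, with `ARRAY_REMOVE(ARRAY_AGG(grantee_id), NULL)` so the later `TO_JSONB(...) - bucket_owner` sees an empty array rather than `{NULL}`. The owner subtraction also presumes the bucket owner always appears as a grantee, which nothing on the page establishes — worth a comment above the CTE.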
@@ -1,75 +1,76 @@ id: aws_s3_bucket_cross_region_replication_enabled title: S3 bucket cross-region replication should be enabled +type: control description: AWS Simple Storage Service (AWS S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_with_replication AS ( - SELECT - name, - r ->> 'Status' AS rep_status - FROM - aws_s3_bucket, - jsonb_array_elements(replication -> 'Rules') AS r - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.name = r.name AND r.rep_status = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.name = r.name AND r.rep_status = 'Enabled' THEN b.title || ' enabled with cross-region replication.' - ELSE b.title || ' not enabled with cross-region replication.' - END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket b - LEFT JOIN bucket_with_replication r ON b.name = r.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_with_replication AS ( + SELECT + name, + r ->> 'Status' AS rep_status + FROM + aws_s3_bucket, + jsonb_array_elements(replication -> 'Rules') AS r + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.name = r.name AND r.rep_status = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.name = r.name AND r.rep_status = 'Enabled' THEN b.title || ' enabled with cross-region replication.' + ELSE b.title || ' not enabled with cross-region replication.' 
+ END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket b + LEFT JOIN bucket_with_replication r ON b.name = r.name; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml index 4ae0e54d0..07142d169 100644 --- a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml 
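Review bot: bucket_with_replication emits one row per replication rule and is LEFT JOINed on name without deduplication, so a bucket with several rules is reported several times — a 'Disabled' rule next to an 'Enabled' one yields both an 'ok' and an 'alarm' row for the same ARN. Filter and collapse inside the CTE (`SELECT DISTINCT name ... WHERE r ->> 'Status' = 'Enabled'`) and test `r.name IS NOT NULL` in both CASEs; the `b.name = r.name` term in the CASE is then redundant with the join condition. The same per-rule duplication exists in the lifecycle_rules_enabled CTE of aws_s3_bucket_lifecycle_policy_enabled later in this diff, where `SELECT DISTINCT arn` is the corresponding fix. Note also that a Rules entry does not by itself show the destination is in another region; if cross-region is the actual requirement, the rule's destination region would need to be compared, and the page does not show whether that field is available.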
@@ -1,64 +1,65 @@ id: aws_s3_bucket_default_encryption_enabled title: S3 bucket default encryption should be enabled +type: control description: To help protect data at rest, ensure encryption is enabled for your AWS Simple Storage Service (AWS S3) buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.' - ELSE name || ' default encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN server_side_encryption_configuration IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN server_side_encryption_configuration IS NOT NULL THEN name || ' default encryption enabled.' + ELSE name || ' default encryption disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml index 3adc6fb8b..156198fdf 100644 --- a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml +++ b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml 
@@ -1,73 +1,74 @@ id: aws_s3_bucket_default_encryption_enabled_kms title: S3 bucket default encryption should be enabled with KMS +type: control description: To help protect data at rest, ensure encryption is enabled for your AWS Simple Storage Service (AWS S3) buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH data AS ( - SELECT - DISTINCT name - FROM - aws_s3_bucket, - jsonb_array_elements(server_side_encryption_configuration -> 'Rules') AS rules - WHERE - rules -> 'ApplyServerSideEncryptionByDefault' ->> 'KMSMasterKeyID' IS NOT NULL - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN d.name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.name IS NOT NULL THEN b.name || ' default encryption with KMS enabled.' - ELSE b.name || ' default encryption with KMS disabled.' - END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN - data AS d ON b.name = d.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH data AS ( + SELECT + DISTINCT name + FROM + aws_s3_bucket, + jsonb_array_elements(server_side_encryption_configuration -> 'Rules') AS rules + WHERE + rules -> 'ApplyServerSideEncryptionByDefault' ->> 'KMSMasterKeyID' IS NOT NULL + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN d.name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.name IS NOT NULL THEN b.name || ' default encryption with KMS enabled.' + ELSE b.name || ' default encryption with KMS disabled.' 
+ END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN + data AS d ON b.name = d.name; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml b/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml index 2f4741346..3a7b64235 100644 --- a/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml +++ b/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml 
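Review bot: The `data` CTE requires `KMSMasterKeyID IS NOT NULL`, but a default rule that sets `SSEAlgorithm` to `aws:kms` with the AWS-managed key can omit the key ID, so such a bucket is flagged 'alarm' while it is in fact using KMS. Testing the algorithm is the more reliable signal: `rules -> 'ApplyServerSideEncryptionByDefault' ->> 'SSEAlgorithm' IN ('aws:kms', 'aws:kms:dsse')`; keep the key-ID test only if the control means to require a customer-managed key, and if so say that in the description. Renaming the CTE from `data` to something like `kms_default_buckets` would also help — `data` is reserved in some dialects and says nothing about its contents.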
@@ -1,84 +1,85 @@ id: aws_s3_bucket_enforces_ssl title: S3 buckets should enforce SSL +type: control description: To help protect data in transit, ensure that your AWS Simple Storage Service (AWS S3) buckets require requests to use Secure Socket Layer (SSL). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH ssl_ok AS ( - SELECT - DISTINCT name, - arn, - 'ok' AS status - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - jsonb_array_elements_text(s -> 'Action') AS a, - jsonb_array_elements_text(s -> 'Resource') AS r, - jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') AS ssl - WHERE - p = '*' - AND s ->> 'Effect' = 'Deny' - AND ssl::bool = FALSE - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN ok.status = 'ok' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' - ELSE b.name || ' bucket policy does not enforce HTTPS.' 
- END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN ssl_ok AS ok ON ok.name = b.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH ssl_ok AS ( + SELECT + DISTINCT name, + arn, + 'ok' AS status + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + jsonb_array_elements_text(s -> 'Action') AS a, + jsonb_array_elements_text(s -> 'Resource') AS r, + jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') AS ssl + WHERE + p = '*' + AND s ->> 'Effect' = 'Deny' + AND ssl::bool = FALSE + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN ok.status = 'ok' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ok.status = 'ok' THEN b.name || ' bucket policy enforces HTTPS.' + ELSE b.name || ' bucket policy does not enforce HTTPS.' 
+ END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN ssl_ok AS ok ON ok.name = b.name; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml index b3171ac05..cd1f2d6ee 100644 --- a/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml 
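Review bot: ssl_ok expands `Action` (`a`) and `Resource` (`r`) but never filters on them, so any Deny for principal `*` with `aws:securetransport = false` qualifies — even one scoped to a single action or only to object keys — and the bucket is then reported as enforcing HTTPS for all requests. If the intent is a blanket deny, add `AND a IN ('*', 's3:*')` and check that `r` covers both the bucket ARN and its `/*` object form; if any such deny is acceptable, drop the two unused lateral expansions, which otherwise only multiply the rows DISTINCT has to collapse. The `ssl::bool = FALSE` cast assumes the condition value is a boolean-like string, which policy_std presumably normalises — a comment above the CTE stating that assumption would help the next reader.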
@@ -1,46 +1,47 @@ id: aws_s3_bucket_event_notifications_enabled title: S3 buckets should have event notifications enabled +type: control description: This control checks whether S3 Event Notifications are enabled on an AWS S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL - AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL - AND event_notification_configuration ->> 'QueueConfigurations' IS NULL - AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL - AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL - AND event_notification_configuration ->> 'QueueConfigurations' IS NULL - AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN title || ' event notifications disabled.' - ELSE title || ' event notifications enabled.' 
- END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL + AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL + AND event_notification_configuration ->> 'QueueConfigurations' IS NULL + AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN event_notification_configuration ->> 'EventBridgeConfiguration' IS NULL + AND event_notification_configuration ->> 'LambdaFunctionConfigurations' IS NULL + AND event_notification_configuration ->> 'QueueConfigurations' IS NULL + AND event_notification_configuration ->> 'TopicConfigurations' IS NULL THEN title || ' event notifications disabled.' + ELSE title || ' event notifications enabled.' + END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - s3_11 - plugin: - - aws - service: - - AWS/S3 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - s3_11 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml index 15426e9bd..6e633b449 100644 --- a/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml 
@@ -1,50 +1,51 @@ id: aws_s3_bucket_lifecycle_policy_enabled title: S3 buckets should have lifecycle policies configured +type: control description: This control checks if AWS Simple Storage Service (AWS S3) buckets have lifecycle policy configured. This rule fails if AWS S3 lifecycle policy is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH lifecycle_rules_enabled AS ( - SELECT - arn - FROM - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) AS r - WHERE - r ->> 'Status' = 'Enabled' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN r.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.arn IS NOT NULL THEN name || ' lifecycle policy or rules configured.' - ELSE name || ' lifecycle policy or rules not configured.' - END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH lifecycle_rules_enabled AS ( + SELECT + arn + FROM + aws_s3_bucket, + jsonb_array_elements(lifecycle_rules) AS r + WHERE + r ->> 'Status' = 'Enabled' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN r.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.arn IS NOT NULL THEN name || ' lifecycle policy or rules configured.' + ELSE name || ' lifecycle policy or rules not configured.' 
+ END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; severity: low tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - data_protection - foundational_security_item_id: - - s3_13 - plugin: - - aws - service: - - AWS/S3 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - data_protection + foundational_security_item_id: + - s3_13 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml index 1de3ef30f..5cbfccd47 100644 --- a/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml 
@@ -1,64 +1,65 @@ id: aws_s3_bucket_logging_enabled title: S3 bucket logging should be enabled +type: control description: AWS Simple Storage Service (AWS S3) server access logging provides a method to monitor the network for potential cybersecurity events. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging -> 'TargetBucket' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN logging -> 'TargetBucket' IS NULL THEN title || ' logging disabled.' - ELSE title || ' logging enabled.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging -> 'TargetBucket' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN logging -> 'TargetBucket' IS NULL THEN title || ' logging disabled.' + ELSE title || ' logging enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml index f65dc8564..91304011c 100644 --- a/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml 
@@ -1,46 +1,47 @@ id: aws_s3_bucket_mfa_delete_enabled title: Ensure MFA Delete is enabled on S3 buckets +type: control description: Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_mfa_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' - ELSE name || ' MFA delete disabled.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_mfa_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_mfa_delete THEN name || ' MFA delete enabled.' + ELSE name || ' MFA delete disabled.' + END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.1.3 - cis_level: - - '1' - cis_section_id: - - '2.1' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.1.3 + cis_level: + - "1" + cis_section_id: + - "2.1" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml b/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml index 614e89ce8..17f163c41 100644 --- a/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml 
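Review bot: The status CASE collapses every non-true `versioning_mfa_delete` (false or NULL) into 'alarm' with the reason "MFA delete disabled", so a bucket that merely has versioning switched off is reported identically to one that has versioning on but MFA delete off, even though MFA delete cannot be enabled until versioning is. The lifecycle control later in this patch reads a `versioning_enabled` column from the same table, so an extra branch would make the finding actionable: `WHEN NOT versioning_enabled THEN name || ' versioning disabled, MFA delete requires versioning.'` ahead of the existing ELSE in the reason CASE (status stays 'alarm'). Failing closed on NULL is the right default and should be kept.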
+++ b/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml @@ -1,36 +1,37 @@ id: aws_s3_bucket_not_accessible_to_all_authenticated_user title: S3 bucket ACLs should not be accessible to all authenticated user +type: control description: This control checks whether AWS S3 bucket ACL allow access to all authenticated users. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_acl AS ( - SELECT - DISTINCT name - FROM - aws_s3_bucket, - jsonb_array_elements(acl -> 'Grants') AS grants - WHERE - grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN p.name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.name IS NULL THEN b.title || ' not accessible to all authenticated user.' - ELSE b.title || ' accessible to all authenticated user.' - END AS reason - FROM - aws_s3_bucket AS b - LEFT JOIN public_acl AS p ON b.name = p.name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_acl AS ( + SELECT + DISTINCT name + FROM + aws_s3_bucket, + jsonb_array_elements(acl -> 'Grants') AS grants + WHERE + grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN p.name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.name IS NULL THEN b.title || ' not accessible to all authenticated user.' + ELSE b.title || ' accessible to all authenticated user.' + END AS reason + FROM + aws_s3_bucket AS b + LEFT JOIN public_acl AS p ON b.name = p.name; severity: low tags: {} 
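Review bot: The `public_acl` CTE calls `jsonb_array_elements(acl -> 'Grants')` directly, whereas the public-read and public-write controls in this same patch wrap the identical expression in a `jsonb_typeof(...) = 'array'` guard before expanding it; a non-array value raises here and aborts the whole control instead of marking one bucket. The check also ignores `block_public_acls` (which the sibling controls consult) and the grant's `Permission`, so a bucket whose AuthenticatedUsers grant is already neutralised by Block Public Access is still reported as accessible. The final SELECT omits `region` and `account_id`, which every other S3 control in this patch emits; adding `b.region, b.account_id` after the reason column keeps the result shape consistent.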
diff --git a/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml index 26850747f..1b40f80ba 100644 --- a/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml 
@@ -1,52 +1,53 @@ id: aws_s3_bucket_object_lock_enabled title: S3 bucket object lock should be enabled +type: control description: Ensure that your AWS Simple Storage Service (AWS S3) bucket has lock enabled, by default. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN object_lock_configuration IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN object_lock_configuration IS NULL THEN title || ' object lock not enabled.' - ELSE title || ' object lock enabled.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN object_lock_configuration IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN object_lock_configuration IS NULL THEN title || ' object lock not enabled.' + ELSE title || ' object lock enabled.' + END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: high tags: - category: - - Compliance - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/S3 + soc_2: + - "true" 
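Review bot: The status CASE only tests `object_lock_configuration IS NULL`, so any non-null configuration object passes, while the description promises that lock is enabled "by default". If the column mirrors the GetObjectLockConfiguration payload (ObjectLockEnabled plus an optional Rule with DefaultRetention) — worth confirming against the table schema — the check should be `WHEN object_lock_configuration ->> 'ObjectLockEnabled' = 'Enabled' THEN 'ok'` and, for the "by default" claim, additionally require `object_lock_configuration -> 'Rule' -> 'DefaultRetention' IS NOT NULL`. As written, a bucket with object lock enabled but no default retention is indistinguishable from a fully protected one.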
diff --git a/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml b/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml index 0482c2fa7..93a1a9e81 100644 --- a/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml 
@@ -1,62 +1,63 @@ id: aws_s3_bucket_policy_restrict_public_access title: S3 bucket policy should prohibit public access +type: control description: This control checks that the access granted by the S3 bucket is restricted by any of the principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is compliant if a bucket policy is not present. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_buckets AS ( - SELECT DISTINCT arn AS arn - FROM aws_s3_bucket - WHERE NOT block_public_acls - UNION ALL - SELECT arn AS arn - FROM aws_s3_bucket, - jsonb_array_elements(policy_std->'Statement') AS s, - jsonb_array_elements_text(s->'Principal'->'AWS') AS p - WHERE ( - p = '*' - AND s->>'Effect' = 'Allow' - ) - ) - - SELECT b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.policy_std IS NULL THEN 'info' - WHEN p.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.policy_std IS NULL THEN title || ' does not have defined policy or insufficient access to the policy.' - WHEN p.arn IS NOT NULL THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' 
- END AS reason, - region, - account_id - FROM aws_s3_bucket AS b - LEFT JOIN public_buckets AS p ON p.arn = b.arn; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_buckets AS ( + SELECT DISTINCT arn AS arn + FROM aws_s3_bucket + WHERE NOT block_public_acls + UNION ALL + SELECT arn AS arn + FROM aws_s3_bucket, + jsonb_array_elements(policy_std->'Statement') AS s, + jsonb_array_elements_text(s->'Principal'->'AWS') AS p + WHERE ( + p = '*' + AND s->>'Effect' = 'Allow' + ) + ) + + SELECT b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.policy_std IS NULL THEN 'info' + WHEN p.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.policy_std IS NULL THEN title || ' does not have defined policy or insufficient access to the policy.' + WHEN p.arn IS NOT NULL THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' + END AS reason, + region, + account_id + FROM aws_s3_bucket AS b + LEFT JOIN public_buckets AS p ON p.arn = b.arn; severity: high tags: - category: - - Compliance - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml b/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml index 3051454d5..4a1653e08 100644 --- a/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml 
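Review bot: The second branch of the `public_buckets` UNION ALL has no DISTINCT, so a bucket whose policy has several `Allow` statements with principal `*` yields one row per match and the outer LEFT JOIN then emits duplicate result rows for the same `resource`; the cross-account control in this patch uses `SELECT DISTINCT arn` for the same shape and this branch should too. Separately, the first branch flags any bucket with `NOT block_public_acls`, which is an ACL setting, while the title scopes this control to the bucket policy and the description says a policy that restricts by IP or VPC is compliant — the CTE ignores `Condition` entirely, so a `Principal: "*"` statement scoped by aws:SourceVpc is still reported as publicly accessible. The `bucket_policy_is_public` column that the read/write controls gate on already encodes AWS's own evaluation of such conditions and would be a cheaper first-pass gate here.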
+++ b/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml 
@@ -1,62 +1,63 @@ id: aws_s3_bucket_policy_restricts_cross_account_permission_changes title: AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted +type: control description: This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH cross_account_buckets AS ( - SELECT - DISTINCT arn - FROM - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, - string_to_array(p, ':') AS pa, - jsonb_array_elements_text(s -> 'Action') AS a - WHERE - s ->> 'Effect' = 'Allow' - AND ( - pa [5] != account_id - OR p = '*' - ) - AND a IN ( - 's3:deletebucketpolicy', - 's3:putbucketacl', - 's3:putbucketpolicy', - 's3:putencryptionconfiguration', - 's3:putobjectacl' - ) + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH cross_account_buckets AS ( + SELECT + DISTINCT arn + FROM + aws_s3_bucket, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p, + string_to_array(p, ':') AS pa, + jsonb_array_elements_text(s -> 'Action') AS a + WHERE + s ->> 'Effect' = 'Allow' + AND ( + pa [5] != account_id + OR p = '*' ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.arn IS NULL THEN title || ' restricts cross-account bucket access.' - ELSE title || ' allows cross-account bucket access.' 
- END AS reason, - a.region, - a.account_id - FROM - aws_s3_bucket a - LEFT JOIN cross_account_buckets b ON a.arn = b.arn; + AND a IN ( + 's3:deletebucketpolicy', + 's3:putbucketacl', + 's3:putbucketpolicy', + 's3:putencryptionconfiguration', + 's3:putobjectacl' + ) + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.arn IS NULL THEN title || ' restricts cross-account bucket access.' + ELSE title || ' allows cross-account bucket access.' + END AS reason, + a.region, + a.account_id + FROM + aws_s3_bucket a + LEFT JOIN cross_account_buckets b ON a.arn = b.arn; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis_controls_v8_ig1: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml b/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml index 9f20260b9..34de41d88 100644 --- a/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml +++ b/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml 
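Review bot: The action filter `a IN ('s3:deletebucketpolicy', ...)` matches exact names only, so a cross-account `Allow` of `s3:*`, `*`, or a prefix wildcard such as `s3:put*` — which grants every listed action — is not flagged and the bucket reports "restricts cross-account bucket access". The public-read control in this patch handles the same shape with `action IN ('*', '*:*', 's3:*') OR action ILIKE 's3:put%'`; this CTE should at least add `OR a IN ('*', 's3:*')` and consider the prefix-wildcard forms, assuming `policy_std` lower-cases action names as the existing literals imply. The `pa[5] != account_id` test also yields NULL (not true) for a bare account-id principal such as `123456789012`, so such principals are only caught if `policy_std` normalises them to ARN form — worth confirming.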
@@ -1,57 +1,58 @@ id: aws_s3_bucket_protected_by_macie title: Ensure all data in AWS S3 has been discovered, classified and secured when required +type: control description: AWS S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of AWS S3 buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH bucket_list AS ( - SELECT - TRIM(b::text, '"') AS bucket_name - FROM - aws_macie2_classification_job, - jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, - jsonb_array_elements(d -> 'Buckets') AS b - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' - WHEN l.bucket_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' - ELSE b.title || ' not protected by Macie.' 
- END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH bucket_list AS ( + SELECT + TRIM(b::text, '"') AS bucket_name + FROM + aws_macie2_classification_job, + jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') AS d, + jsonb_array_elements(d -> 'Buckets') AS b + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN 'skip' + WHEN l.bucket_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region = ANY(ARRAY['us-gov-east-1', 'us-gov-west-1']) THEN b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' + WHEN l.bucket_name IS NOT NULL THEN b.title || ' protected by Macie.' + ELSE b.title || ' not protected by Macie.' + END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN bucket_list AS l ON b.name = l.bucket_name; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.1.4 - cis_level: - - '2' - cis_section_id: - - '2.1' - cis_type: - - manual - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.1.4 + cis_level: + - "2" + cis_section_id: + - "2.1" + cis_type: + - manual + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml b/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml index b6c675385..d03d22cbb 100644 --- a/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml 
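Review bot: The `bucket_list` CTE treats any classification job that names the bucket as protection, with no filter on the job's state, so a job that was cancelled or ran once and completed long ago still yields "protected by Macie"; if `aws_macie2_classification_job` exposes a job status column (not visible in this hunk) the CTE should be restricted to running or scheduled jobs. The name extraction `TRIM(b::text, '"')` round-trips through text to strip quotes where `jsonb_array_elements_text(d -> 'Buckets') AS b` returns the bare string directly, which is the idiom this same patch uses for principals and actions. Joining on bucket name alone is acceptable given S3 names are globally unique, but note the CTE will also match jobs discovered in other accounts of a multi-account integration, which may or may not be intended.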
@@ -1,123 +1,123 @@ id: aws_s3_bucket_restrict_public_read_access title: S3 buckets should prohibit public read access +type: control description: Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to AWS Simple Storage Service (AWS S3) buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_acl AS ( - SELECT DISTINCT b.name - FROM aws_s3_bucket AS b - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(b.acl -> 'Grants') = 'array' THEN b.acl -> 'Grants' - ELSE '[]'::jsonb - END AS grants_json - ) AS grants_array - CROSS JOIN LATERAL jsonb_array_elements(grants_array.grants_json) AS grants - WHERE - (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - OR grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - AND ( - grants ->> 'Permission' IN ('FULL_CONTROL', 'READ_ACP', 'READ') - ) - ), - read_access_policy AS ( - SELECT DISTINCT b.name - FROM aws_s3_bucket AS b - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' - ELSE '[]'::jsonb - END AS statements_json - ) AS statements_array - CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(s -> 'Action') = 'array' THEN s -> 'Action' - WHEN jsonb_typeof(s -> 'Action') = 'string' THEN jsonb_build_array(s -> 'Action') - ELSE '[]'::jsonb - END AS actions_json - ) AS actions_array - CROSS JOIN LATERAL jsonb_array_elements_text(actions_array.actions_json) AS action - WHERE - s ->> 'Effect' = 'Allow' - AND ( - -- Check if Principal AWS is a JSON array containing "*" - (s -> 'Principal' -> 'AWS') @> '["*"]'::jsonb - OR s ->> 'Principal' = '*' - ) - AND ( - action IN ('*', '*:*', 's3:*') - OR action ILIKE 's3:get%' - OR 
action ILIKE 's3:list%' - ) + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_acl AS ( + SELECT DISTINCT b.name + FROM aws_s3_bucket AS b + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(b.acl -> 'Grants') = 'array' THEN b.acl -> 'Grants' + ELSE '[]'::jsonb + END AS grants_json + ) AS grants_array + CROSS JOIN LATERAL jsonb_array_elements(grants_array.grants_json) AS grants + WHERE + (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' + OR grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') + AND ( + grants ->> 'Permission' IN ('FULL_CONTROL', 'READ_ACP', 'READ') ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN 'ok' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN 'ok' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND p.name IS NULL) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN b.title || ' not publicly readable.' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN b.title || ' not publicly readable.' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND p.name IS NULL) THEN b.title || ' not publicly readable.' - ELSE b.title || ' publicly readable.' 
- END AS reason, - b.region, - b.account_id + ), + read_access_policy AS ( + SELECT DISTINCT b.name FROM aws_s3_bucket AS b - LEFT JOIN public_acl AS a ON b.name = a.name - LEFT JOIN read_access_policy AS p ON b.name = p.name; + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' + ELSE '[]'::jsonb + END AS statements_json + ) AS statements_array + CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(s -> 'Action') = 'array' THEN s -> 'Action' + WHEN jsonb_typeof(s -> 'Action') = 'string' THEN jsonb_build_array(s -> 'Action') + ELSE '[]'::jsonb + END AS actions_json + ) AS actions_array + CROSS JOIN LATERAL jsonb_array_elements_text(actions_array.actions_json) AS action + WHERE + s ->> 'Effect' = 'Allow' + AND ( + -- Check if Principal AWS is a JSON array containing "*" + (s -> 'Principal' -> 'AWS') @> '["*"]'::jsonb + OR s ->> 'Principal' = '*' + ) + AND ( + action IN ('*', '*:*', 's3:*') + OR action ILIKE 's3:get%' + OR action ILIKE 's3:list%' + ) + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN 'ok' + WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN 'ok' + WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND p.name IS NULL) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN b.title || ' not publicly readable.' + WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN b.title || ' not publicly readable.' 
+ WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND p.name IS NULL) THEN b.title || ' not publicly readable.' + ELSE b.title || ' publicly readable.' + END AS reason, + b.region, + b.account_id + FROM aws_s3_bucket AS b + LEFT JOIN public_acl AS a ON b.name = a.name + LEFT JOIN read_access_policy AS p ON b.name = p.name; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' - + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml b/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml index 2e7463a85..c9332c375 100644 --- a/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml 
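Review bot: The `public_acl` result is only neutralised by `b.block_public_acls` in the status CASE, so a bucket with an AllUsers READ grant, `block_public_acls` off but `ignore_public_acls` on is reported "publicly readable" even though AWS ignores that grant at request time; if the table exposes `ignore_public_acls` (the other Block Public Access flags are already used here) the guard should read `(b.block_public_acls OR b.ignore_public_acls OR a.name IS NULL)`. The policy side of the `ok` branches is gated on `bucket_policy_is_public` first, which correctly defers Condition evaluation to AWS, so `read_access_policy` only refines an already-public policy — a one-line comment above that CTE saying so would stop the next reader from "fixing" it. The `Principal` test here uses `@>` containment while the write control in the same patch uses strict equality `= '["*"]'::jsonb`; the two should agree.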
@@ -1,121 +1,122 @@ id: aws_s3_bucket_restrict_public_write_access title: S3 buckets should prohibit public write access +type: control description: Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to AWS Simple Storage Service (AWS S3) buckets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH public_acl AS ( - SELECT DISTINCT b.name - FROM aws_s3_bucket AS b - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(b.acl -> 'Grants') = 'array' THEN b.acl -> 'Grants' - ELSE '[]'::jsonb - END AS grants_json - ) AS grants_array - CROSS JOIN LATERAL jsonb_array_elements(grants_array.grants_json) AS grants - WHERE (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - OR grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - AND (grants ->> 'Permission' IN ('FULL_CONTROL', 'WRITE_ACP', 'WRITE')) - ), - write_access_policy AS ( - SELECT DISTINCT b.name - FROM aws_s3_bucket AS b - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' - ELSE '[]'::jsonb - END AS statements_json - ) AS statements_array - CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s - CROSS JOIN LATERAL ( - SELECT - CASE - WHEN jsonb_typeof(s -> 'Action') = 'array' THEN s -> 'Action' - WHEN jsonb_typeof(s -> 'Action') = 'string' THEN jsonb_build_array(s -> 'Action') - ELSE '[]'::jsonb - END AS actions_json - ) AS actions_array - CROSS JOIN LATERAL jsonb_array_elements_text(actions_array.actions_json) AS action - WHERE s ->> 'Effect' = 'Allow' - AND ( - (jsonb_typeof(s -> 'Principal') = 'object' AND (s -> 'Principal' -> 'AWS') = '["*"]'::jsonb) - OR s ->> 'Principal' = '*' - ) - AND ( - action IN ('*', '*:*', 's3:*') - OR action ILIKE 's3:put%' - OR action ILIKE 
's3:delete%' - OR action ILIKE 's3:create%' - OR action ILIKE 's3:update%' - OR action ILIKE 's3:replicate%' - OR action ILIKE 's3:restore%' - ) - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN 'ok' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN 'ok' - WHEN b.bucket_policy_is_public AND p.name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN b.title || ' not publicly writable.' - WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN b.title || ' not publicly writable.' - WHEN b.bucket_policy_is_public AND p.name IS NULL THEN b.title || ' not publicly writable.' - ELSE b.title || ' publicly writable.' 
- END AS reason, - b.region, - b.account_id + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH public_acl AS ( + SELECT DISTINCT b.name FROM aws_s3_bucket AS b - LEFT JOIN public_acl AS a ON b.name = a.name - LEFT JOIN write_access_policy AS p ON b.name = p.name; + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(b.acl -> 'Grants') = 'array' THEN b.acl -> 'Grants' + ELSE '[]'::jsonb + END AS grants_json + ) AS grants_array + CROSS JOIN LATERAL jsonb_array_elements(grants_array.grants_json) AS grants + WHERE (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' + OR grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') + AND (grants ->> 'Permission' IN ('FULL_CONTROL', 'WRITE_ACP', 'WRITE')) + ), + write_access_policy AS ( + SELECT DISTINCT b.name + FROM aws_s3_bucket AS b + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(b.policy_std -> 'Statement') = 'array' THEN b.policy_std -> 'Statement' + ELSE '[]'::jsonb + END AS statements_json + ) AS statements_array + CROSS JOIN LATERAL jsonb_array_elements(statements_array.statements_json) AS s + CROSS JOIN LATERAL ( + SELECT + CASE + WHEN jsonb_typeof(s -> 'Action') = 'array' THEN s -> 'Action' + WHEN jsonb_typeof(s -> 'Action') = 'string' THEN jsonb_build_array(s -> 'Action') + ELSE '[]'::jsonb + END AS actions_json + ) AS actions_array + CROSS JOIN LATERAL jsonb_array_elements_text(actions_array.actions_json) AS action + WHERE s ->> 'Effect' = 'Allow' + AND ( + (jsonb_typeof(s -> 'Principal') = 'object' AND (s -> 'Principal' -> 'AWS') = '["*"]'::jsonb) + OR s ->> 'Principal' = '*' + ) + AND ( + action IN ('*', '*:*', 's3:*') + OR action ILIKE 's3:put%' + OR action ILIKE 's3:delete%' + OR action ILIKE 's3:create%' + OR action ILIKE 's3:update%' + OR action ILIKE 's3:replicate%' + OR action ILIKE 's3:restore%' + ) + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + 
b.platform_resource_id AS platform_resource_id, + CASE + WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN 'ok' + WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN 'ok' + WHEN b.bucket_policy_is_public AND p.name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (b.block_public_acls OR a.name IS NULL) AND NOT b.bucket_policy_is_public THEN b.title || ' not publicly writable.' + WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND b.block_public_policy) THEN b.title || ' not publicly writable.' + WHEN b.bucket_policy_is_public AND p.name IS NULL THEN b.title || ' not publicly writable.' + ELSE b.title || ' publicly writable.' + END AS reason, + b.region, + b.account_id + FROM aws_s3_bucket AS b + LEFT JOIN public_acl AS a ON b.name = a.name + LEFT JOIN write_access_policy AS p ON b.name = p.name; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - 
"true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml b/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml index 0124047fc..da3df6eef 100644 --- a/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml 
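Review bot: The third `ok` branch, `WHEN b.bucket_policy_is_public AND p.name IS NULL THEN 'ok'`, drops the `(b.block_public_acls OR a.name IS NULL)` guard that the first two branches and the public-read control in this patch carry, so a bucket with an AllUsers WRITE or FULL_CONTROL ACL grant and Block Public ACLs off is reported "not publicly writable" whenever its public policy happens to contain no write actions. It should be `WHEN (b.block_public_acls OR a.name IS NULL) AND (b.bucket_policy_is_public AND p.name IS NULL) THEN 'ok'` in both the status and reason CASEs. Separately, the principal test `(s -> 'Principal' -> 'AWS') = '["*"]'::jsonb` is strict equality, so a statement whose AWS principal list is `["*", "arn:..."]` is missed; the read control uses `@> '["*"]'::jsonb` for the same purpose and this one should match it.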
@@ -1,26 +1,27 @@ id: aws_s3_bucket_static_website_hosting_disabled title: S3 buckets static website hosting should be disabled +type: control description: Enabling static website on a S3 bucket requires to grant public read access to the bucket. There is a potential risk of exposure when you turn off block public access settings to make your bucket public. This is recommend to not configure static website on S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN website_configuration -> 'IndexDocument' ->> 'Suffix' IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN website_configuration -> 'IndexDocument' ->> 'Suffix' IS NOT NULL THEN name || ' static website hosting enabled.' - ELSE name || ' static website hosting disabled.' - END AS reason - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN website_configuration -> 'IndexDocument' ->> 'Suffix' IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN website_configuration -> 'IndexDocument' ->> 'Suffix' IS NOT NULL THEN name || ' static website hosting enabled.' + ELSE name || ' static website hosting disabled.' + END AS reason + FROM + aws_s3_bucket; severity: low tags: {} diff --git a/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml index 4c20bdbad..0a71df302 100644 --- a/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml 
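Review bot: The definition detects website hosting only through `website_configuration -> 'IndexDocument' ->> 'Suffix'`, but an S3 website configuration can instead consist of `RedirectAllRequestsTo` with no index document, and such a bucket is equally exposed through the website endpoint; testing `website_configuration IS NOT NULL` (assuming the column is null when no website configuration exists — confirm against the table) covers both forms. The description sentence "This is recommend to not configure static website on S3 bucket" should read "It is recommended not to configure a static website on an S3 bucket". The SELECT also omits `region` and `account_id`, which the other S3 controls in this patch emit after the reason column.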
@@ -1,52 +1,53 @@ id: aws_s3_bucket_versioning_and_lifecycle_policy_enabled title: S3 buckets with versioning enabled should have lifecycle policies configured +type: control description: This control checks if AWS Simple Storage Service (AWS S3) version enabled buckets have lifecycle policy configured. This rule fails if AWS S3 lifecycle policy is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - WITH lifecycle_rules_enabled AS ( - SELECT - arn - FROM - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) AS r - WHERE - r ->> 'Status' = 'Enabled' - ) - SELECT - b.arn AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT versioning_enabled THEN 'alarm' - WHEN versioning_enabled AND r.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT versioning_enabled THEN name || ' versioning disabled.' - WHEN versioning_enabled AND r.arn IS NOT NULL THEN name || ' lifecycle policy configured.' - ELSE name || ' lifecycle policy not configured.' - END AS reason, - b.region, - b.account_id - FROM - aws_s3_bucket AS b - LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; + language: sql + primary_resource: aws_s3_bucket + definition: | + WITH lifecycle_rules_enabled AS ( + SELECT + arn + FROM + aws_s3_bucket, + jsonb_array_elements(lifecycle_rules) AS r + WHERE + r ->> 'Status' = 'Enabled' + ) + SELECT + b.arn AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT versioning_enabled THEN 'alarm' + WHEN versioning_enabled AND r.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT versioning_enabled THEN name || ' versioning disabled.' + WHEN versioning_enabled AND r.arn IS NOT NULL THEN name || ' lifecycle policy configured.' 
+ ELSE name || ' lifecycle policy not configured.' + END AS reason, + b.region, + b.account_id + FROM + aws_s3_bucket AS b + LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - s3_10 - plugin: - - aws - service: - - AWS/S3 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - s3_10 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml index b3b404161..0e7fe7481 100644 --- a/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml 
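Review bot: The `lifecycle_rules_enabled` CTE emits one row per enabled rule, so a bucket with several enabled lifecycle rules matches `LEFT JOIN lifecycle_rules_enabled AS r ON r.arn = b.arn` more than once and is reported as duplicate findings. Deduplicate in the CTE with `SELECT DISTINCT arn`, or replace the join with an `EXISTS` test over the bucket's own `lifecycle_rules`. A NULL `versioning_enabled` also fails both `WHEN` tests and lands in the `ELSE`, producing the reason `lifecycle policy not configured.` for a bucket whose versioning state is actually unknown; `COALESCE(versioning_enabled, false)` in both `CASE` expressions keeps the reason truthful if that column can be NULL.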
@@ -1,68 +1,69 @@ id: aws_s3_bucket_versioning_enabled title: S3 bucket versioning should be enabled +type: control description: AWS Simple Storage Service (AWS S3) bucket versioning helps keep multiple variants of an object in the same AWS S3 bucket. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN versioning_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN versioning_enabled THEN name || ' versioning enabled.' - ELSE name || ' versioning disabled.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN versioning_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN versioning_enabled THEN name || ' versioning enabled.' + ELSE name || ' versioning disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: low tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/S3 - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_public_access_block_account.yaml b/compliance/controls/aws/aws_s3_public_access_block_account.yaml index 660362158..b21f7369a 100644 --- a/compliance/controls/aws/aws_s3_public_access_block_account.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_account.yaml 
@@ -1,75 +1,76 @@ id: aws_s3_public_access_block_account title: S3 public access should be blocked at account level +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS Simple Storage Service (AWS S3) buckets cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_account_settings - definition: | - SELECT - 'arn' || ':' || 'aws' || ':::' || account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'Account level public access blocks enabled.' - ELSE 'Account level public access blocks not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT (block_public_acls) THEN 'block_public_acls' END, - CASE WHEN NOT (block_public_policy) THEN 'block_public_policy' END, - CASE WHEN NOT (ignore_public_acls) THEN 'ignore_public_acls' END, - CASE WHEN NOT (restrict_public_buckets) THEN 'restrict_public_buckets' END - ) || '.' - END AS reason, - account_id - FROM - aws_s3_account_settings; + language: sql + primary_resource: aws_s3_account_settings + definition: | + SELECT + 'arn' || ':' || 'aws' || ':::' || account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'Account level public access blocks enabled.' 
+ ELSE 'Account level public access blocks not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT (block_public_acls) THEN 'block_public_acls' END, + CASE WHEN NOT (block_public_policy) THEN 'block_public_policy' END, + CASE WHEN NOT (ignore_public_acls) THEN 'ignore_public_acls' END, + CASE WHEN NOT (restrict_public_buckets) THEN 'restrict_public_buckets' END + ) || '.' + END AS reason, + account_id + FROM + aws_s3_account_settings; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/S3 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/S3 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml b/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml index e55b5ba7d..7f0492083 100644 --- a/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml 
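Review bot: The resource identifier is built as `'arn' || ':' || 'aws' || ':::' || account_id`, which hard-codes the `aws` partition and yields a wrong ARN for GovCloud and China accounts; if `aws_s3_account_settings` exposes the usual `partition` common column, `'arn:' || partition || ':::' || account_id` avoids that. A second point: when any of the four flags is NULL the status `CASE` falls through to `'alarm'`, but the matching `CASE WHEN NOT (flag) THEN ... END` term is also NULL and `CONCAT_WS` silently drops it, so the reason can degrade to `not enabled for: .` with nothing listed; wrapping each flag in `COALESCE(..., false)` in both `CASE` expressions keeps the listing accurate if the collector can leave these columns unset. The same listing behaviour applies to the bucket-level and bucket-and-account variants in the next two hunks.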
@@ -1,64 +1,65 @@ id: aws_s3_public_access_block_bucket title: S3 public access should be blocked at bucket levels +type: control description: Ensure that AWS Simple Storage Service (AWS S3) buckets are publicly accessible. This rule is non-compliant if an AWS S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN block_public_acls - AND block_public_policy - AND ignore_public_acls - AND restrict_public_buckets - THEN name || ' all public access blocks enabled.' - ELSE name || ' not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, - CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, - CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, - CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END - ) || '.' - END AS reason, - region, - account_id - FROM - aws_s3_bucket; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN block_public_acls + AND block_public_policy + AND ignore_public_acls + AND restrict_public_buckets + THEN name || ' all public access blocks enabled.' 
+ ELSE name || ' not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT block_public_acls THEN 'block_public_acls' END, + CASE WHEN NOT block_public_policy THEN 'block_public_policy' END, + CASE WHEN NOT ignore_public_acls THEN 'ignore_public_acls' END, + CASE WHEN NOT restrict_public_buckets THEN 'restrict_public_buckets' END + ) || '.' + END AS reason, + region, + account_id + FROM + aws_s3_bucket; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml b/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml index 23e9421eb..39c7b3e50 100644 --- a/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml 
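Review bot: The description states the inverse of what the control checks: `Ensure that AWS Simple Storage Service (AWS S3) buckets are publicly accessible.` should read `... buckets are not publicly accessible.`, and the sentence about an `excludedPublicBuckets` parameter has no counterpart in this policy (`parameters: []`), so either add the parameter or drop the sentence. On style, this hunk writes lowercase `concat_ws` while the account-level and bucket-and-account controls write `CONCAT_WS`; pick one spelling across the set.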
@@ -1,63 +1,64 @@ id: aws_s3_public_access_block_bucket_account title: S3 public access should be blocked at account and bucket levels +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS Simple Storage Service (AWS S3) buckets cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_s3_bucket - definition: | - SELECT - bucket.arn AS resource, - bucket.platform_integration_id AS platform_integration_id, - bucket.platform_resource_id AS platform_resource_id, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (bucket.block_public_acls OR s3account.block_public_acls) - AND (bucket.block_public_policy OR s3account.block_public_policy) - AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) - AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) - THEN name || ' all public access blocks enabled.' - ELSE name || ' not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, - CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, - CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, - CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END - ) || '.' 
- END AS reason, - bucket.region, - bucket.account_id - FROM - aws_s3_bucket AS bucket, - aws_s3_account_settings AS s3account - WHERE - s3account.account_id = bucket.account_id; + language: sql + primary_resource: aws_s3_bucket + definition: | + SELECT + bucket.arn AS resource, + bucket.platform_integration_id AS platform_integration_id, + bucket.platform_resource_id AS platform_resource_id, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (bucket.block_public_acls OR s3account.block_public_acls) + AND (bucket.block_public_policy OR s3account.block_public_policy) + AND (bucket.ignore_public_acls OR s3account.ignore_public_acls) + AND (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) + THEN name || ' all public access blocks enabled.' + ELSE name || ' not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT (bucket.block_public_acls OR s3account.block_public_acls) THEN 'block_public_acls' END, + CASE WHEN NOT (bucket.block_public_policy OR s3account.block_public_policy) THEN 'block_public_policy' END, + CASE WHEN NOT (bucket.ignore_public_acls OR s3account.ignore_public_acls) THEN 'ignore_public_acls' END, + CASE WHEN NOT (bucket.restrict_public_buckets OR s3account.restrict_public_buckets) THEN 'restrict_public_buckets' END + ) || '.' 
+ END AS reason, + bucket.region, + bucket.account_id + FROM + aws_s3_bucket AS bucket, + aws_s3_account_settings AS s3account + WHERE + s3account.account_id = bucket.account_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.20' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/S3 + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.20" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/S3 diff --git a/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml index 062d286dd..3685cf00a 100644 --- a/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml 
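Review bot: The comma join `FROM aws_s3_bucket AS bucket, aws_s3_account_settings AS s3account WHERE s3account.account_id = bucket.account_id` is an inner join, so a bucket whose account has no row in `aws_s3_account_settings` disappears from the results instead of being judged on its bucket-level flags — the least-protected case is the one that goes unreported. Write it as `FROM aws_s3_bucket AS bucket LEFT JOIN aws_s3_account_settings AS s3account ON s3account.account_id = bucket.account_id`, and wrap each `s3account.*` reference inside the `OR` terms in `COALESCE(..., false)` so a missing account row reads as "not blocked at account level" rather than NULL; whether the collector can omit an account row is worth confirming, but the rewrite is safe either way and also replaces the implicit join with an explicit one. `name` in the two reason branches is the only unqualified column in the query; `bucket.name` would make its origin explicit.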
@@ -1,64 +1,65 @@ id: aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled title: SageMaker endpoint configuration encryption should be enabled +type: control description: To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_endpoint_configuration - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' encryption at rest disabled.' - ELSE title || ' encryption at rest enabled.' - END AS reason, - region, - account_id - FROM - aws_sagemaker_endpoint_configuration; + language: sql + primary_resource: aws_sagemaker_endpoint_configuration + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' encryption at rest disabled.' + ELSE title || ' encryption at rest enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_sagemaker_endpoint_configuration; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SageMaker - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SageMaker + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml index b187eff07..725398ee8 100644 --- a/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml +++ b/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml 
@@ -1,26 +1,27 @@ id: aws_sagemaker_model_in_vpc title: SageMaker models should be in a VPC +type: control description: Manage access to the AWS Cloud by ensuring SageMaker models are within an AWS Virtual Private Cloud (AWS VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_model - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_config IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN vpc_config IS NOT NULL THEN title || ' in VPC.' - ELSE title || ' not in VPC.' - END AS reason - FROM - aws_sagemaker_model; + language: sql + primary_resource: aws_sagemaker_model + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_config IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN vpc_config IS NOT NULL THEN title || ' in VPC.' + ELSE title || ' not in VPC.' + END AS reason + FROM + aws_sagemaker_model; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml b/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml index 04f3d2b7f..3cc7afdfe 100644 --- a/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_sagemaker_model_network_isolation_enabled title: SageMaker models should have network isolation enabled +type: control description: SageMaker models are internet-enabled by default. Network isolation should be enabled to avoid external network access to your inference containers. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_model - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enable_network_isolation THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_network_isolation THEN title || ' network isolation enabled.' - ELSE title || ' network isolation disabled.' - END AS reason - FROM - aws_sagemaker_model; + language: sql + primary_resource: aws_sagemaker_model + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enable_network_isolation THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_network_isolation THEN title || ' network isolation enabled.' + ELSE title || ' network isolation disabled.' + END AS reason + FROM + aws_sagemaker_model; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml index 468691d77..f829e6623 100644 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml 
@@ -1,64 +1,65 @@ id: aws_sagemaker_notebook_instance_direct_internet_access_disabled title: SageMaker notebook instances should not have direct internet access +type: control description: Manage access to resources in the AWS Cloud by ensuring that AWS SageMaker notebooks do not allow direct internet access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN direct_internet_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN direct_internet_access = 'Enabled' THEN title || ' direct internet access enabled.' - ELSE title || ' direct internet access disabled.' - END reason, - region, - account_id - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN direct_internet_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN direct_internet_access = 'Enabled' THEN title || ' direct internet access enabled.' + ELSE title || ' direct internet access disabled.' 
+ END reason, + region, + account_id + FROM + aws_sagemaker_notebook_instance; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SageMaker - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SageMaker + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml index 03e8f669d..47abcc6ae 100644 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml 
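Review bot: `END status` and `END reason` drop the `AS` keyword that every other control in this set uses (`END AS status`, `END AS reason`); the bare alias is accepted by PostgreSQL, but the inconsistency is worth fixing while the file is being rewritten anyway. Also, `direct_internet_access = 'Enabled'` evaluates to NULL when the column is NULL, which sends the row to `ELSE 'ok'` — a fail-open default for an unknown state; `WHEN direct_internet_access IS DISTINCT FROM 'Disabled' THEN 'alarm'` fails closed, should that column ever be unset.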
@@ -1,50 +1,51 @@ id: aws_sagemaker_notebook_instance_encrypted_with_kms_cmk title: SageMaker notebook instances should be encrypted using CMK +type: control description: This control checks if SageMaker notebook instance storage volumes are encrypted with AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - WITH sagemaker_notebook_instances AS ( - SELECT - arn, - region, - account_id, - kms_key_id, - title, - tags, - _ctx, - platform_integration_id, - platform_resource_id - FROM - aws_sagemaker_notebook_instance - ), kms_keys AS ( - SELECT - arn, - key_manager, - enabled - FROM - aws_kms_key - ) - SELECT - i.arn AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - WHEN k.key_manager = 'CUSTOMER' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN i.title || ' encryption disabled.' - WHEN k.key_manager = 'CUSTOMER' THEN i.title || ' encryption at rest with CMK enabled.' - ELSE i.title || ' encryption at rest with CMK disabled.' 
- END AS reason - FROM - sagemaker_notebook_instances AS i - LEFT JOIN kms_keys AS k ON i.kms_key_id = k.arn; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + WITH sagemaker_notebook_instances AS ( + SELECT + arn, + region, + account_id, + kms_key_id, + title, + tags, + _ctx, + platform_integration_id, + platform_resource_id + FROM + aws_sagemaker_notebook_instance + ), kms_keys AS ( + SELECT + arn, + key_manager, + enabled + FROM + aws_kms_key + ) + SELECT + i.arn AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + WHEN k.key_manager = 'CUSTOMER' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN i.title || ' encryption disabled.' + WHEN k.key_manager = 'CUSTOMER' THEN i.title || ' encryption at rest with CMK enabled.' + ELSE i.title || ' encryption at rest with CMK disabled.' + END AS reason + FROM + sagemaker_notebook_instances AS i + LEFT JOIN kms_keys AS k ON i.kms_key_id = k.arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml index e8b7108e9..285568e61 100644 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml 
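Review bot: The `sagemaker_notebook_instances` CTE selects `region`, `account_id`, `tags` and `_ctx`, and `kms_keys` selects `enabled`, but the final SELECT uses none of them; trimming the CTEs to the columns the join and output actually need (`arn, kms_key_id, title, platform_integration_id, platform_resource_id` and `arn, key_manager`) makes the intent readable. The join `ON i.kms_key_id = k.arn` only matches when the instance stores the key as a full ARN; if `kms_key_id` can hold a bare key ID or an alias, the lookup misses and the `ELSE` branch reports `encryption at rest with CMK disabled.` for an instance that is in fact CMK-encrypted — worth confirming against the collector and widening the match if so. Unlike the sibling SageMaker controls, the output also omits `region` and `account_id` even though the first CTE already carries them.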
@@ -1,64 +1,65 @@ id: aws_sagemaker_notebook_instance_encryption_at_rest_enabled title: SageMaker notebook instance encryption should be enabled +type: control description: To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN title || ' encryption at rest enabled' - ELSE title || ' encryption at rest not enabled' - END AS reason, - region, - account_id - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN title || ' encryption at rest enabled' + ELSE title || ' encryption at rest not enabled' + END AS reason, + region, + account_id + FROM + aws_sagemaker_notebook_instance; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SageMaker - soc_2: - - 'true' + category: + - Compliance + 
cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SageMaker + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml index eecf0ce9b..4092523d5 100644 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml 
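Review bot: The reason strings are inverted relative to the status: `WHEN kms_key_id IS NULL THEN title || ' encryption at rest enabled'` sits next to the `'alarm'` branch, so every failing instance is described as encrypted and every passing one as not encrypted. Swap them to `WHEN kms_key_id IS NULL THEN title || ' encryption at rest disabled.'` and `ELSE title || ' encryption at rest enabled.'`; the trailing period also brings the wording in line with the endpoint-configuration control earlier in this diff.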
@@ -1,40 +1,41 @@ id: aws_sagemaker_notebook_instance_in_vpc title: SageMaker notebook instances should be in a VPC +type: control description: Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an AWS Virtual Private Cloud (AWS VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN subnet_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN subnet_id IS NOT NULL THEN title || ' in VPC.' - ELSE title || ' not in VPC.' - END AS reason, - region, - account_id - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN subnet_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN subnet_id IS NOT NULL THEN title || ' in VPC.' + ELSE title || ' not in VPC.' + END AS reason, + region, + account_id + FROM + aws_sagemaker_notebook_instance; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_within_vpc - foundational_security_item_id: - - sagemaker_2 - plugin: - - aws - service: - - AWS/SageMaker + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_within_vpc + foundational_security_item_id: + - sagemaker_2 + plugin: + - aws + service: + - AWS/SageMaker diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml index bbb10c2db..0452452c8 100644 
--- a/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml 
@@ -1,40 +1,41 @@ id: aws_sagemaker_notebook_instance_root_access_disabled title: SageMaker notebook instances root access should be disabled +type: control description: Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommended to disable root access to restrict users from accessing and editing all the files. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_notebook_instance - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN root_access = 'Disabled' THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN root_access = 'Disabled' THEN title || ' root access disabled.' - ELSE title || ' root access enabled.' - END AS reason, - region, - account_id - FROM - aws_sagemaker_notebook_instance; + language: sql + primary_resource: aws_sagemaker_notebook_instance + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN root_access = 'Disabled' THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN root_access = 'Disabled' THEN title || ' root access disabled.' + ELSE title || ' root access enabled.' + END AS reason, + region, + account_id + FROM + aws_sagemaker_notebook_instance; severity: high tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - root_user_access_restrictions - foundational_security_item_id: - - sagemaker_3 - plugin: - - aws - service: - - AWS/SageMaker + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - root_user_access_restrictions + foundational_security_item_id: + - sagemaker_3 + plugin: + - aws + service: + - AWS/SageMaker 
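Review bot: The status values in this control are `'OK'` and `'ALARM'` in upper case, while every other control in this diff emits `'ok'` and `'alarm'`; if the evaluator matches status case-sensitively, findings from this control would be dropped or shown as an unknown state. Change the two lines to `WHEN root_access = 'Disabled' THEN 'ok'` and `ELSE 'alarm'`. A NULL `root_access` also lands in the alarm branch, which is the safe default here and worth a one-line comment stating that it is intentional.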
diff --git a/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml index acd7b1d28..ef23e08bf 100644 --- a/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml @@ -1,26 +1,27 @@ id: aws_sagemaker_training_job_in_vpc title: SageMaker training jobs should be in VPC +type: control description: Manage access to the AWS Cloud by ensuring SageMaker training jobs are within an AWS Virtual Private Cloud (AWS VPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_training_job - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_config IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN vpc_config IS NOT NULL THEN title || ' in VPC.' - ELSE title || ' not in VPC.' - END AS reason - FROM - aws_sagemaker_training_job; + language: sql + primary_resource: aws_sagemaker_training_job + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_config IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN vpc_config IS NOT NULL THEN title || ' in VPC.' + ELSE title || ' not in VPC.' + END AS reason + FROM + aws_sagemaker_training_job; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml index f200f3dd5..98798da43 100644 --- a/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml 
@@ -1,28 +1,29 @@ id: aws_sagemaker_training_job_inter_container_traffic_encryption_enabled title: SageMaker training jobs should be enabled with inter-container traffic encryption +type: control description: Inter-container traffic encryption should be used to protect data that is transmitted between instances while performing distributed training. This control is compliant when inter-container traffic encryption is enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_training_job - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enable_inter_container_traffic_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_inter_container_traffic_encryption THEN - title || ' inter-container traffic encryption enabled.' - ELSE - title || ' inter-container traffic encryption disabled.' - END AS reason - FROM - aws_sagemaker_training_job; + language: sql + primary_resource: aws_sagemaker_training_job + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enable_inter_container_traffic_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_inter_container_traffic_encryption THEN + title || ' inter-container traffic encryption enabled.' + ELSE + title || ' inter-container traffic encryption disabled.' + END AS reason + FROM + aws_sagemaker_training_job; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml index 2872639cd..85568b4f2 100644 --- a/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml 
+++ b/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml @@ -1,26 +1,27 @@ id: aws_sagemaker_training_job_network_isolation_enabled title: SageMaker training jobs should have network isolation enabled +type: control description: SageMaker training jobs are internet-enabled by default. Network isolation should be enabled to avoid external network access to your training. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_training_job - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN enable_network_isolation THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_network_isolation THEN title || ' network isolation enabled.' - ELSE title || ' network isolation disabled.' - END AS reason - FROM - aws_sagemaker_training_job; + language: sql + primary_resource: aws_sagemaker_training_job + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN enable_network_isolation THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_network_isolation THEN title || ' network isolation enabled.' + ELSE title || ' network isolation disabled.' + END AS reason + FROM + aws_sagemaker_training_job; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml index 49dfbc8a3..7359214f2 100644 --- a/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_sagemaker_training_job_volume_and_data_encryption_enabled title: SageMaker training jobs volumes and outputs should have KMS encryption enabled +type: control description: Ensure that SageMaker training jobs have volumes and outputs with KMS encryption enabled in order to have a more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sagemaker_training_job - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN output_data_config ->> 'KmsKeyId' IS NULL OR output_data_config ->> 'KmsKeyId' = '' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN output_data_config ->> 'KmsKeyId' IS NULL OR output_data_config ->> 'KmsKeyId' = '' THEN title || ' volume and output data encryption disabled.' - ELSE title || ' volume and output data encryption enabled.' - END AS reason - FROM - aws_sagemaker_training_job; + language: sql + primary_resource: aws_sagemaker_training_job + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN output_data_config ->> 'KmsKeyId' IS NULL OR output_data_config ->> 'KmsKeyId' = '' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN output_data_config ->> 'KmsKeyId' IS NULL OR output_data_config ->> 'KmsKeyId' = '' THEN title || ' volume and output data encryption disabled.' + ELSE title || ' volume and output data encryption enabled.' + END AS reason + FROM + aws_sagemaker_training_job; severity: low tags: {} diff --git a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml index f80c8a286..f718a8104 100644 
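Review bot: The title and reason text promise a check on both volumes and outputs, but the query only inspects `output_data_config ->> 'KmsKeyId'`; a job whose output is KMS-encrypted but whose training volume uses no customer key is still reported as ' volume and output data encryption enabled.'. If the table exposes the job's resource configuration (the DescribeTrainingJob API carries the volume key under ResourceConfig.VolumeKmsKeyId), add the equivalent null-or-empty test on that field to both CASE expressions; otherwise narrow the reason strings to output data so the result is not overstated. A short comment above the CASE naming which of the two keys is evaluated would make the scope clear either way.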
--- a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml 
@@ -1,48 +1,49 @@ id: aws_secretsmanager_secret_automatic_rotation_enabled title: Secrets Manager secrets should have automatic rotation enabled +type: control description: This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN rotation_rules IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN rotation_rules IS NULL THEN title || ' automatic rotation not enabled.' - ELSE title || ' automatic rotation enabled.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN rotation_rules IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN rotation_rules IS NULL THEN title || ' automatic rotation not enabled.' + ELSE title || ' automatic rotation enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/SecretsManager - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/SecretsManager + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml index 6d5060931..ef290dc12 100644 --- a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml 
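Review bot: `rotation_rules IS NULL` is used as the proxy for rotation being enabled, but the Secrets Manager API reports the enabled state separately (DescribeSecret's RotationEnabled); if rotation was configured once and later cancelled, the rules may remain on the secret while rotation is off, and this check would grade it 'ok'. If the table exposes that boolean, prefer it in both CASE expressions alongside the rules test, e.g. `WHEN rotation_rules IS NULL OR <rotation-enabled column> IS NOT TRUE THEN 'alarm'` (placeholder for the column name). If it does not, a comment above the CASE stating that presence of rules is taken as enabled would document the assumption.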
@@ -1,40 +1,41 @@ id: aws_secretsmanager_secret_automatic_rotation_lambda_enabled title: Secrets Manager secrets should be rotated within a specified number of days +type: control description: This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN title || ' scheduled for rotation using Lambda function.' - ELSE title || ' automatic rotation using Lambda function disabled.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN rotation_rules IS NOT NULL AND rotation_lambda_arn IS NOT NULL THEN title || ' scheduled for rotation using Lambda function.' + ELSE title || ' automatic rotation using Lambda function disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - secretsmanager_4 - plugin: - - aws - service: - - AWS/SecretsManager + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - secretsmanager_4 + plugin: + - aws + service: + - AWS/SecretsManager diff --git a/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml index 75ed1d2d4..16f613004 100644 --- a/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml 
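Review bot: The description says the control checks that secrets were rotated at least once within 90 days, but the query only checks that `rotation_rules` and `rotation_lambda_arn` are set, i.e. that rotation is configured; a secret whose rotation Lambda has been failing for a year is still 'ok'. Either fold in the date test that aws_secretsmanager_secret_rotated_as_scheduled in this same diff performs on `last_rotated_date`, or reword the description and the ' scheduled for rotation using Lambda function.' reason so they claim only what is verified. The description line is context in this hunk, so that wording change would be a follow-up edit.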
@@ -1,66 +1,67 @@ id: aws_secretsmanager_secret_encrypted_with_kms_cmk title: Secrets Manager secrets should be encrypted using CMK +type: control description: Ensure that all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is compliant if a secret is encrypted using a customer managed key. This rule is non-compliant if a secret is encrypted using aws/secretsmanager. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - WITH encryption_keys AS ( - SELECT - DISTINCT s.arn, - k.aliases AS alias - FROM - aws_secretsmanager_secret AS s - LEFT JOIN aws_kms_key AS k - ON k.arn = s.kms_key_id - WHERE - jsonb_array_length(k.aliases) > 0 - ) - SELECT - s.arn AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN kms_key_id IS NULL - OR kms_key_id = 'alias/aws/secretsmanager' - OR k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms_key_id IS NULL - THEN title || ' not encrypted with KMS.' - WHEN kms_key_id = 'alias/aws/secretsmanager' - OR k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' - THEN title || ' encrypted with AWS managed key.' - ELSE title || ' encrypted with CMK.' 
- END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret AS s - LEFT JOIN encryption_keys AS k - ON s.arn = k.arn; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + WITH encryption_keys AS ( + SELECT + DISTINCT s.arn, + k.aliases AS alias + FROM + aws_secretsmanager_secret AS s + LEFT JOIN aws_kms_key AS k + ON k.arn = s.kms_key_id + WHERE + jsonb_array_length(k.aliases) > 0 + ) + SELECT + s.arn AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN kms_key_id IS NULL + OR kms_key_id = 'alias/aws/secretsmanager' + OR k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms_key_id IS NULL + THEN title || ' not encrypted with KMS.' + WHEN kms_key_id = 'alias/aws/secretsmanager' + OR k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' + THEN title || ' encrypted with AWS managed key.' + ELSE title || ' encrypted with CMK.' + END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret AS s + LEFT JOIN encryption_keys AS k + ON s.arn = k.arn; severity: high tags: - category: - - Compliance - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/SecretsManager + category: + - Compliance + gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/SecretsManager diff --git a/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml index 4bc37f03e..e092979c9 100644 
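Review bot: The `kms_key_id IS NULL` branch of the reason CASE reports ' not encrypted with KMS.', which is not what a missing key id means for this service: every Secrets Manager secret is KMS-encrypted, and DescribeSecret omits KmsKeyId precisely when the AWS managed key aws/secretsmanager is in use. The status is 'alarm' in both cases, so only the explanation is wrong; merge the NULL test into the second branch, `WHEN kms_key_id IS NULL OR kms_key_id = 'alias/aws/secretsmanager' OR k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'`, so the reason reads ' encrypted with AWS managed key.' The `WHERE jsonb_array_length(k.aliases) > 0` in the CTE turns that LEFT JOIN into an inner one, which is harmless only because the outer query LEFT JOINs the CTE again; a comment saying so would save the next reader a double-take.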
--- a/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml 
@@ -1,44 +1,45 @@ id: aws_secretsmanager_secret_last_changed_90_day title: Secrets Manager secrets should be rotated within specific number of days +type: control description: Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is non-compliant if a secret has not been rotated for more than 'maxDaysSinceRotation' number of days. The default value is 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN last_changed_date IS NULL THEN 'alarm' - WHEN DATE(current_date) - DATE(last_changed_date) <= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN last_changed_date IS NULL THEN title || ' never rotated.' - ELSE - title || ' last rotated ' || EXTRACT(DAY FROM current_timestamp - last_changed_date) || ' day(s) ago.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN last_changed_date IS NULL THEN 'alarm' + WHEN DATE(current_date) - DATE(last_changed_date) <= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN last_changed_date IS NULL THEN title || ' never rotated.' + ELSE + title || ' last rotated ' || EXTRACT(DAY FROM current_timestamp - last_changed_date) || ' day(s) ago.' 
+ END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/SecretsManager + category: + - Compliance + cisa_cyber_essentials: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/SecretsManager diff --git a/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml index ac199dbaf..e4545f735 100644 --- a/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml 
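Review bot: The 90-day threshold is hard-coded in `DATE(current_date) - DATE(last_changed_date) <= 90` although the description advertises a 'maxDaysSinceRotation' parameter and `parameters: []` declares none, so the documented tunable does not exist; the same applies to the 90 in aws_secretsmanager_secret_unused_90_day and its 'unusedForDays'. Also, `last_changed_date` advances on any modification of the secret (description, tags, policy), not only on rotation, so a metadata edit resets the clock; the `last_rotated_date` column that aws_secretsmanager_secret_rotated_as_scheduled already uses matches the control's "rotated" wording better, with `created_date` as the fallback for never-rotated secrets. Either declare the parameter and reference it, or add a comment above the CASE stating that the window is fixed at 90 days.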
@@ -1,40 +1,41 @@ id: aws_secretsmanager_secret_last_used_1_day title: Remove unused Secrets Manager secrets +type: control description: This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was accessed even once within the defined number of days, this control fails. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN DATE(last_accessed_date) - DATE(created_date) >= 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN DATE(last_accessed_date) - DATE(created_date) >= 1 THEN title || ' recently used.' - ELSE title || ' not used recently.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN DATE(last_accessed_date) - DATE(created_date) >= 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN DATE(last_accessed_date) - DATE(created_date) >= 1 THEN title || ' recently used.' + ELSE title || ' not used recently.' + END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_access_management - foundational_security_item_id: - - secretsmanager_3 - plugin: - - aws - service: - - AWS/SecretsManager + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_access_management + foundational_security_item_id: + - secretsmanager_3 + plugin: + - aws + service: + - AWS/SecretsManager 
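Review bot: The 'ok' condition `DATE(last_accessed_date) - DATE(created_date) >= 1` never consults the current date, so it measures the gap between creation and last access rather than recency: a secret touched once the day after creation and never again stays ' recently used.' indefinitely, while a secret created and used today scores 0 and is reported ' not used recently.'. Compare the last access with today instead, e.g. `WHEN last_accessed_date IS NOT NULL AND current_date - DATE(last_accessed_date) <= 1 THEN 'ok'` in both CASE expressions, keeping the window at the 1 day the control id names (the description's 90-day default is a separate inconsistency). A NULL `last_accessed_date` already falls to 'alarm' because the subtraction yields NULL; a comment noting that is worth adding so nobody "fixes" it.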
diff --git a/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml index 99a5b1cf0..05dec1114 100644 --- a/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml 
@@ -1,52 +1,53 @@ id: aws_secretsmanager_secret_rotated_as_scheduled title: Secrets Manager secrets should be rotated as per the rotation schedule +type: control description: This rule ensures that AWS Secrets Manager secrets have rotated successfully according to the rotation schedule. Rotating secrets on a regular schedule can shorten the period that a secret is active, and potentially reduce the business impact if it is compromised. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN primary_region IS NOT NULL AND region != primary_region THEN 'skip' - WHEN rotation_rules IS NULL THEN 'alarm' - WHEN last_rotated_date IS NULL - AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'ok' - WHEN last_rotated_date IS NULL - AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm' - WHEN last_rotated_date IS NOT NULL - AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm' - END AS status, - CASE - WHEN primary_region IS NOT NULL AND region != primary_region THEN title || ' is a replica.' - WHEN rotation_rules IS NULL THEN title || ' rotation not enabled.' - WHEN last_rotated_date IS NULL - AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' scheduled for rotation.' - WHEN last_rotated_date IS NULL - AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.' 
- WHEN last_rotated_date IS NOT NULL - AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN primary_region IS NOT NULL AND region != primary_region THEN 'skip' + WHEN rotation_rules IS NULL THEN 'alarm' + WHEN last_rotated_date IS NULL + AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'ok' + WHEN last_rotated_date IS NULL + AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm' + WHEN last_rotated_date IS NOT NULL + AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN 'alarm' + END AS status, + CASE + WHEN primary_region IS NOT NULL AND region != primary_region THEN title || ' is a replica.' + WHEN rotation_rules IS NULL THEN title || ' rotation not enabled.' + WHEN last_rotated_date IS NULL + AND (DATE(current_date) - DATE(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' scheduled for rotation.' + WHEN last_rotated_date IS NULL + AND (DATE(current_date) - DATE(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.' + WHEN last_rotated_date IS NOT NULL + AND (DATE(current_date) - DATE(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer THEN title || ' not rotated as per schedule.' 
+ END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_development - foundational_security_item_id: - - secretsmanager_2 - plugin: - - aws - service: - - AWS/SecretsManager + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_development + foundational_security_item_id: + - secretsmanager_2 + plugin: + - aws + service: + - AWS/SecretsManager diff --git a/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml index b7dac1ce7..7449cca0b 100644 --- a/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml 
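Review bot: Both CASE expressions lack an ELSE, so the compliant case — `last_rotated_date IS NOT NULL` and within `AutomaticallyAfterDays` — matches no WHEN and produces a NULL status and reason, which is exactly the outcome the control should report as 'ok'. Add `ELSE 'ok'` to the status CASE and `ELSE title || ' rotated as per schedule.'` to the reason CASE. Separately, rotation rules written in the newer ScheduleExpression/Duration form carry no AutomaticallyAfterDays key, so `(rotation_rules -> 'AutomaticallyAfterDays')::integer` is NULL and every comparison is UNKNOWN; with the new ELSE those secrets would be graded 'ok' unverified, so consider a dedicated branch such as `WHEN rotation_rules -> 'AutomaticallyAfterDays' IS NULL THEN 'info'` with a reason saying the schedule could not be evaluated.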
@@ -1,43 +1,44 @@ id: aws_secretsmanager_secret_unused_90_day title: Secrets Manager secrets that have not been used in 90 days should be removed +type: control description: Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is non-compliant if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_secretsmanager_secret - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN last_accessed_date IS NULL THEN 'alarm' - WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN last_accessed_date IS NULL THEN title || ' never accessed.' - ELSE title || ' last used ' || EXTRACT(day FROM current_timestamp - last_accessed_date) || ' day(s) ago.' - END AS reason, - region, - account_id - FROM - aws_secretsmanager_secret; + language: sql + primary_resource: aws_secretsmanager_secret + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN last_accessed_date IS NULL THEN 'alarm' + WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN last_accessed_date IS NULL THEN title || ' never accessed.' + ELSE title || ' last used ' || EXTRACT(day FROM current_timestamp - last_accessed_date) || ' day(s) ago.' 
+ END AS reason, + region, + account_id + FROM + aws_secretsmanager_secret; severity: low tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/SecretsManager + category: + - Compliance + cisa_cyber_essentials: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/SecretsManager diff --git a/compliance/controls/aws/aws_securityhub_enabled.yaml b/compliance/controls/aws/aws_securityhub_enabled.yaml index b17875eae..b54f95618 100644 --- a/compliance/controls/aws/aws_securityhub_enabled.yaml +++ b/compliance/controls/aws/aws_securityhub_enabled.yaml 
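Review bot: The 90-day threshold in `WHEN DATE(current_date) - DATE(last_accessed_date) <= 90 THEN 'ok'` is hard-coded while the description promises an `unusedForDays` parameter and `parameters: []` declares none, so either the parameter should be declared or the description should say the window is fixed at 90 days. The status arm measures age as a date difference but the reason arm uses `EXTRACT(day FROM current_timestamp - last_accessed_date)`, so near the boundary the reported day count can disagree with the verdict by one; computing the age once and reusing it in both CASE arms would keep them consistent. A secret whose `last_accessed_date` is NULL also alarms immediately regardless of how recently it was created; if that is not intended, the NULL case could fall back to `created_date` the way the rotation control above does, e.g. `WHEN last_accessed_date IS NULL AND DATE(current_date) - DATE(created_date) <= 90 THEN 'ok'`.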
@@ -1,97 +1,98 @@ id: aws_securityhub_enabled title: AWS Security Hub should be enabled for an AWS Account +type: control description: AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH regions AS ( - SELECT - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, - r.platform_integration_id AS platform_integration_id, - r.platform_resource_id AS platform_resource_id, - CASE - WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN 1 - WHEN r.opt_in_status = 'not-opted-in' THEN 1 - WHEN h.hub_arn IS NOT NULL THEN 0 - ELSE 2 - END AS status, - CASE - WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN r.region || ' region not supported.' - WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' - WHEN h.hub_arn IS NOT NULL THEN 'Security Hub enabled in ' || r.region || '.' - ELSE 'Security Hub disabled in ' || r.region || '.' 
- END AS reason, - r.region, - r.account_id - FROM - aws_region AS r - LEFT JOIN aws_securityhub_hub AS h ON r.account_id = h.account_id AND r.name = h.region - ), - results AS ( - SELECT - account_id AS resource, - platform_integration_id AS platform_integration_id, - platform_integration_id AS platform_resource_id, - CASE - WHEN MAX(status) = 2 THEN 'alarm' - WHEN MAX(status) = 1 THEN 'skip' - WHEN MAX(status) = 0 THEN 'ok' - END AS status, - CASE - WHEN MAX(status) = 2 THEN 'SecurityHub is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' - WHEN MAX(status) = 0 THEN 'SecurityHub is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' - END AS reason - FROM regions - GROUP BY account_id, platform_integration_id - ) - SELECT - r.resource AS resource, - r.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - r.status AS status, - r.reason AS reason - FROM results AS r - JOIN aws_account AS a ON r.platform_integration_id = a.platform_integration_id + language: sql + primary_resource: aws_account + definition: | + WITH regions AS ( + SELECT + 'arn:' || r.partition || '::' || r.region || ':' || r.account_id AS resource, + r.platform_integration_id AS platform_integration_id, + r.platform_resource_id AS platform_resource_id, + CASE + WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN 1 + WHEN r.opt_in_status = 'not-opted-in' THEN 1 + WHEN h.hub_arn IS NOT NULL THEN 0 + ELSE 2 + END AS status, + CASE + WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN r.region || ' region not supported.' + WHEN r.opt_in_status = 'not-opted-in' THEN r.region || ' region is disabled.' + WHEN h.hub_arn IS NOT NULL THEN 'Security Hub enabled in ' || r.region || '.' 
+ ELSE 'Security Hub disabled in ' || r.region || '.' + END AS reason, + r.region, + r.account_id + FROM + aws_region AS r + LEFT JOIN aws_securityhub_hub AS h ON r.account_id = h.account_id AND r.name = h.region + ), + results AS ( + SELECT + account_id AS resource, + platform_integration_id AS platform_integration_id, + platform_integration_id AS platform_resource_id, + CASE + WHEN MAX(status) = 2 THEN 'alarm' + WHEN MAX(status) = 1 THEN 'skip' + WHEN MAX(status) = 0 THEN 'ok' + END AS status, + CASE + WHEN MAX(status) = 2 THEN 'SecurityHub is not enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 1 THEN 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']' + WHEN MAX(status) = 0 THEN 'SecurityHub is enabled for this account on regions: [' || STRING_AGG(region, ',') || ']' + END AS reason + FROM regions + GROUP BY account_id, platform_integration_id + ) + SELECT + r.resource AS resource, + r.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + r.status AS status, + r.reason AS reason + FROM results AS r + JOIN aws_account AS a ON r.platform_integration_id = a.platform_integration_id severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - gxp_eu_annex_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SecurityHub - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + 
gxp_21_cfr_part_11: + - "true" + gxp_eu_annex_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SecurityHub + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml b/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml index 7587eb0ac..01adc3204 100644 --- a/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml +++ b/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml 
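Review bot: In the `results` CTE, `MAX(status)` ranks the per-region 'skip' value (1) above 'ok' (0), so an account with Security Hub enabled in every usable region but with any region in the hard-coded unsupported array or left `not-opted-in` collapses to 'skip', and 'ok' is only reachable when every region is both enabled and opted in — which the unsupported list makes effectively unreachable. The reason text has the same problem: `STRING_AGG(region, ',')` lists every region, not the ones in the reported state. Swapping the priority (skip=0, ok=1, alarm=2) and filtering the aggregate with `FILTER (WHERE status = …)` — available on PostgreSQL, which the `jsonb` and `STRING_AGG` usage elsewhere in this diff suggests is the engine — gives the intended precedence; the join condition `r.name = h.region`, while every other reference uses `r.region`, also looks worth confirming.
```sql
-- … unchanged: regions CTE resource / platform id columns …
CASE
    WHEN r.region = ANY(ARRAY['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) THEN 0
    WHEN r.opt_in_status = 'not-opted-in' THEN 0
    WHEN h.hub_arn IS NOT NULL THEN 1
    ELSE 2
END AS status,
-- … unchanged: per-region reason, FROM aws_region / LEFT JOIN aws_securityhub_hub …
CASE
    WHEN MAX(status) = 2 THEN 'alarm'
    WHEN MAX(status) = 1 THEN 'ok'
    ELSE 'skip'
END AS status,
CASE
    WHEN MAX(status) = 2 THEN 'SecurityHub is not enabled for this account on regions: [' || STRING_AGG(region, ',') FILTER (WHERE status = 2) || ']'
    WHEN MAX(status) = 1 THEN 'SecurityHub is enabled for this account on regions: [' || STRING_AGG(region, ',') FILTER (WHERE status = 1) || ']'
    ELSE 'Account is not opted in regions: [' || STRING_AGG(region, ',') || ']'
END AS reason
-- … unchanged: FROM regions GROUP BY …, final SELECT joining aws_account …
```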
@@ -1,26 +1,27 @@
id: aws_sfn_state_machine_logging_enabled
title: Step Functions state machines should have logging turned on
+type: control
description: This controls checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_sfn_state_machine
- definition: |
- SELECT
- arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN logging_configuration ->> 'Level' = 'OFF' THEN title || ' logging disabled.'
- ELSE title || ' logging enabled.'
- END AS reason
- FROM
- aws_sfn_state_machine;
+ language: sql
+ primary_resource: aws_sfn_state_machine
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN logging_configuration ->> 'Level' = 'OFF' THEN title || ' logging disabled.'
+ ELSE title || ' logging enabled.'
+ END AS reason
+ FROM
+ aws_sfn_state_machine;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml b/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml
index 5cd3271b2..14e000b69 100644
--- a/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml
+++ b/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml
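Review bot: `WHEN logging_configuration ->> 'Level' = 'OFF' THEN 'alarm'` only fires when the key is present and equal to 'OFF'; if `logging_configuration` is NULL or carries no `Level` key the comparison yields NULL and the ELSE branch reports the state machine as 'logging enabled', so an unconfigured state machine passes (assuming the column can be NULL in this table). Both CASE arms should treat a missing level as off, e.g. `WHEN COALESCE(logging_configuration ->> 'Level', 'OFF') = 'OFF' THEN 'alarm'` and the matching reason arm. The description also refers to a `logLevel` parameter that `parameters: []` does not declare; either add it or drop that sentence.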
@@ -1,62 +1,63 @@
id: aws_sns_topic_encrypted_at_rest
title: SNS topics should be encrypted at rest
+type: control
description: To help protect data at rest, ensure that your AWS Simple Notification Service (AWS SNS) topics require encryption using AWS Key Management Service (AWS KMS).
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_sns_topic
- definition: |
- SELECT
- topic_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_master_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
- ELSE title || ' encryption at rest enabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_sns_topic;
+ language: sql
+ primary_resource: aws_sns_topic
+ definition: |
+ SELECT
+ topic_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
+ ELSE title || ' encryption at rest enabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_sns_topic;
severity: high
tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- gdpr:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- gxp_eu_annex_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/SNS
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ gdpr:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ gxp_eu_annex_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/SNS
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml b/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml
index ba13458ae..7a972fba8 100644
--- a/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml
+++ b/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml
@@ -1,49 +1,50 @@ id: aws_sns_topic_notification_delivery_status_enabled title: Logging of delivery status should be enabled for notification messages sent to a topic +type: control description: This control checks whether logging is enabled for the delivery status of notification messages sent to an AWS SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sns_topic - definition: | - SELECT - topic_arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN application_failure_feedback_role_arn IS NULL - AND firehose_failure_feedback_role_arn IS NULL - AND http_failure_feedback_role_arn IS NULL - AND lambda_failure_feedback_role_arn IS NULL - AND sqs_failure_feedback_role_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN application_failure_feedback_role_arn IS NULL - AND firehose_failure_feedback_role_arn IS NULL - AND http_failure_feedback_role_arn IS NULL - AND lambda_failure_feedback_role_arn IS NULL - AND sqs_failure_feedback_role_arn IS NULL THEN title - || ' has delivery status logging for notification messages disabled.' - ELSE title || ' has delivery status logging for notification messages enabled.' 
- END AS reason, - region, - account_id - FROM - aws_sns_topic; + language: sql + primary_resource: aws_sns_topic + definition: | + SELECT + topic_arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN application_failure_feedback_role_arn IS NULL + AND firehose_failure_feedback_role_arn IS NULL + AND http_failure_feedback_role_arn IS NULL + AND lambda_failure_feedback_role_arn IS NULL + AND sqs_failure_feedback_role_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN application_failure_feedback_role_arn IS NULL + AND firehose_failure_feedback_role_arn IS NULL + AND http_failure_feedback_role_arn IS NULL + AND lambda_failure_feedback_role_arn IS NULL + AND sqs_failure_feedback_role_arn IS NULL THEN title + || ' has delivery status logging for notification messages disabled.' + ELSE title || ' has delivery status logging for notification messages enabled.' + END AS reason, + region, + account_id + FROM + aws_sns_topic; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - sns_2 - plugin: - - aws - service: - - AWS/SNS + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - sns_2 + plugin: + - aws + service: + - AWS/SNS diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml index 62f1deaa2..c7da91903 100644 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml 
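Review bot: The status CASE treats delivery-status logging as disabled only when all five `*_failure_feedback_role_arn` columns are NULL, so a topic whose delivery logging is configured solely through the success feedback roles (the API's `HTTPSuccessFeedbackRoleArn` family) is reported as 'alarm' even though delivery status is being logged. If the table exposes those columns too, the condition should require both the failure and the success role for each protocol to be NULL before alarming; if only failure roles are intended to count, say so in the description, e.g. `description: … fails if no failure-feedback IAM role is configured for any protocol.` The five-way `AND` chain is also duplicated verbatim between the status and reason arms; a CTE computing one boolean would keep the two from drifting apart.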
@@ -1,46 +1,47 @@ id: aws_sns_topic_policy_prohibit_cross_account_access title: SNS topic policies should prohibit cross account access +type: control description: Manage access to resources in the AWS Cloud by ensuring SNS topics does not have cross account access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sns_topic - definition: | - WITH cross_account_policies AS ( - SELECT - topic_arn, - COUNT(*) AS statements_num - FROM - aws_sns_topic, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - OR split_part(p, ':', 5) <> account_id - ) - GROUP BY - topic_arn + language: sql + primary_resource: aws_sns_topic + definition: | + WITH cross_account_policies AS ( + SELECT + topic_arn, + COUNT(*) AS statements_num + FROM + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Principal' -> 'AWS') AS p + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' + OR split_part(p, ':', 5) <> account_id ) - SELECT - t.topic_arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN p.topic_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.topic_arn IS NULL THEN title || ' does not allow cross account access.' - ELSE title || ' contains ' || COALESCE(p.statements_num,0) || ' statements that allows cross account access.' 
- END AS reason - FROM - aws_sns_topic AS t - LEFT JOIN cross_account_policies AS p - ON p.topic_arn = t.topic_arn; + GROUP BY + topic_arn + ) + SELECT + t.topic_arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN p.topic_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.topic_arn IS NULL THEN title || ' does not allow cross account access.' + ELSE title || ' contains ' || COALESCE(p.statements_num,0) || ' statements that allows cross account access.' + END AS reason + FROM + aws_sns_topic AS t + LEFT JOIN cross_account_policies AS p + ON p.topic_arn = t.topic_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml index b745eed5f..7dedf603b 100644 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml 
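Review bot: Expanding `jsonb_array_elements_text(s -> 'Principal' -> 'AWS')` in the FROM list drops every statement whose Principal has no `AWS` member, so the `OR s ->> 'Principal' = '*'` branch can never match here (a bare `"Principal": "*"` yields no `p` rows) unless `policy_std` already normalizes that form into `{"AWS": ["*"]}` — worth confirming, and if it does the branch is dead code. `split_part(p, ':', 5) <> account_id` likewise counts a bare 12-digit account-ID principal (no ARN) as cross-account, including the topic's own account, unless normalization expands those to ARNs. A comment above the CTE recording what `policy_std` guarantees would make the intent checkable, e.g. `-- policy_std is normalized: principals are ARNs and a bare "*" principal is {"AWS": ["*"]}`. The same expansion pattern is not used by the public/publish/subscribe controls that follow, so only this hunk is affected.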
@@ -1,44 +1,45 @@ id: aws_sns_topic_policy_prohibit_public_access title: SNS topic policies should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sns_topic - definition: | - WITH wildcard_action_policies AS ( - SELECT - topic_arn, - COUNT(*) AS statements_num - FROM - aws_sns_topic, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - topic_arn + language: sql + primary_resource: aws_sns_topic + definition: | + WITH wildcard_action_policies AS ( + SELECT + topic_arn, + COUNT(*) AS statements_num + FROM + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - t.topic_arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN p.topic_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.topic_arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows public access.' - END AS reason - FROM - aws_sns_topic AS t - LEFT JOIN wildcard_action_policies AS p - ON p.topic_arn = t.topic_arn; + GROUP BY + topic_arn + ) + SELECT + t.topic_arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN p.topic_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.topic_arn IS NULL THEN title || ' does not allow public access.' 
+ ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows public access.' + END AS reason + FROM + aws_sns_topic AS t + LEFT JOIN wildcard_action_policies AS p + ON p.topic_arn = t.topic_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml index 1e59fa666..72b75ef4b 100644 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml 
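Review bot: Unlike the publish and subscribe controls in the next two hunks, this CTE does not exclude statements that carry a `Condition`, so a `*` principal scoped by a condition such as `aws:SourceAccount` is counted as public access. Flagging conditioned wildcard principals is a defensible conservative choice, but it should be stated in the description rather than left implicit, e.g. `description: … Statements granting a wildcard principal are reported even when a Condition restricts them.`; if that is not intended, add `AND s -> 'Condition' IS NULL` as the sibling controls do. The SQS public-access hunk at the end of this chunk has the same omission.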
@@ -1,46 +1,47 @@ id: aws_sns_topic_policy_prohibit_publishing_access title: SNS topic policies should prohibit publishing access +type: control description: Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for publishing. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sns_topic - definition: | - WITH wildcard_action_policies AS ( - SELECT - topic_arn, - COUNT(*) AS statements_num - FROM - aws_sns_topic, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS a - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - AND a = 'sns:publish' - AND s -> 'Condition' IS NULL - GROUP BY - topic_arn + language: sql + primary_resource: aws_sns_topic + definition: | + WITH wildcard_action_policies AS ( + SELECT + topic_arn, + COUNT(*) AS statements_num + FROM + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS a + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - t.topic_arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN p.topic_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.topic_arn IS NULL THEN title || ' does not allow publish access without condition.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows publish access without condition.' 
- END AS reason - FROM - aws_sns_topic AS t - LEFT JOIN wildcard_action_policies AS p ON p.topic_arn = t.topic_arn; + AND a = 'sns:publish' + AND s -> 'Condition' IS NULL + GROUP BY + topic_arn + ) + SELECT + t.topic_arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN p.topic_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.topic_arn IS NULL THEN title || ' does not allow publish access without condition.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows publish access without condition.' + END AS reason + FROM + aws_sns_topic AS t + LEFT JOIN wildcard_action_policies AS p ON p.topic_arn = t.topic_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml index 1b887d23c..887d74ac5 100644 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml 
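Review bot: `AND a = 'sns:publish'` matches only the literal action, so a statement granting `sns:*` or `*` to a wildcard principal without a condition is not counted and the topic reports 'does not allow publish access without condition'. Unless `policy_std` expands wildcard actions (worth confirming, along with whether it lowercases them, since the comparison is case-sensitive), the predicate should be `AND a IN ('sns:publish', 'sns:*', '*')`. The subscription control in the next hunk has the same gap in `AND a IN ('sns:subscribe', 'sns:receive')` and should add the two wildcard forms as well.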
@@ -1,46 +1,47 @@ id: aws_sns_topic_policy_prohibit_subscription_access title: SNS topic policies should prohibit subscription public access +type: control description: Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for subscription. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sns_topic - definition: | - WITH wildcard_action_policies AS ( - SELECT - topic_arn, - COUNT(*) AS statements_num - FROM - aws_sns_topic, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS a - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - AND a IN ('sns:subscribe', 'sns:receive') - AND s -> 'Condition' IS NULL - GROUP BY - topic_arn + language: sql + primary_resource: aws_sns_topic + definition: | + WITH wildcard_action_policies AS ( + SELECT + topic_arn, + COUNT(*) AS statements_num + FROM + aws_sns_topic, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS a + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - t.topic_arn AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN p.topic_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.topic_arn IS NULL THEN title || ' does not allow subscribe access without condition.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows subscribe access without condition.' 
- END AS reason - FROM - aws_sns_topic AS t - LEFT JOIN wildcard_action_policies AS p ON p.topic_arn = t.topic_arn; + AND a IN ('sns:subscribe', 'sns:receive') + AND s -> 'Condition' IS NULL + GROUP BY + topic_arn + ) + SELECT + t.topic_arn AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN p.topic_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.topic_arn IS NULL THEN title || ' does not allow subscribe access without condition.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allows subscribe access without condition.' + END AS reason + FROM + aws_sns_topic AS t + LEFT JOIN wildcard_action_policies AS p ON p.topic_arn = t.topic_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml b/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml index 34815dbbd..419b4ed0c 100644 --- a/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml +++ b/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml 
@@ -1,26 +1,27 @@
id: aws_sqs_queue_dead_letter_queue_configured
title: SQS queues should be configured with a dead-letter queue.
+type: control
description: Ensure SQS queue is configured with a dead-letter queue. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing didn't succeed.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_sqs_queue
- definition: |
- SELECT
- queue_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN redrive_policy IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN redrive_policy IS NOT NULL THEN title || ' configured with dead-letter queue.'
- ELSE title || ' not configured with dead-letter queue.'
- END AS reason
- FROM
- aws_sqs_queue;
+ language: sql
+ primary_resource: aws_sqs_queue
+ definition: |
+ SELECT
+ queue_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN redrive_policy IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN redrive_policy IS NOT NULL THEN title || ' configured with dead-letter queue.'
+ ELSE title || ' not configured with dead-letter queue.'
+ END AS reason
+ FROM
+ aws_sqs_queue;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml b/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml
index fac3dc591..6ab4498be 100644
--- a/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml
+++ b/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml
@@ -1,40 +1,41 @@
id: aws_sqs_queue_encrypted_at_rest
title: AWS SQS queues should be encrypted at rest
+type: control
description: This control checks whether AWS SQS queues are encrypted at rest.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_sqs_queue
- definition: |
- SELECT
- queue_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_master_key_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
- ELSE title || ' encryption at rest enabled.'
- END AS reason,
- region,
- account_id
- FROM
- aws_sqs_queue;
+ language: sql
+ primary_resource: aws_sqs_queue
+ definition: |
+ SELECT
+ queue_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
+ ELSE title || ' encryption at rest enabled.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_sqs_queue;
severity: medium
tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - encryption_of_data_at_rest
- foundational_security_item_id:
- - sqs_1
- plugin:
- - aws
- service:
- - AWS/SQS
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - encryption_of_data_at_rest
+ foundational_security_item_id:
+ - sqs_1
+ plugin:
+ - aws
+ service:
+ - AWS/SQS
diff --git a/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml
index aa50e5b3a..38994704f 100644
--- a/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml
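Review bot: `WHEN kms_master_key_id IS NULL THEN 'alarm'` equates "encrypted at rest" with "has a KMS key", but SQS also offers SQS-managed server-side encryption (the API's `SqsManagedSseEnabled` attribute), under which `KmsMasterKeyId` is absent; such queues are encrypted yet reported here as 'encryption at rest disabled'. If the table exposes that flag, the status and reason arms should alarm only when the KMS key is NULL and the SQS-managed flag is not true, e.g. `WHEN kms_master_key_id IS NULL AND NOT COALESCE(<sse_sqs_flag_column>, false) THEN 'alarm'` (placeholder: the column name must be confirmed against the table schema). If the control is deliberately limited to KMS encryption, the title and description should say so, since the sibling `aws_sqs_queue_encrypted_with_kms_cmk` control already covers the KMS-specific case.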
+++ b/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml
@@ -1,28 +1,29 @@
id: aws_sqs_queue_encrypted_with_kms_cmk
title: SQS queues should be encrypted with KMS CMK
+type: control
description: To help protect sensitive data at rest, ensure encryption is enabled for your AWS SQS queues with KMS CMK.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_sqs_queue
- definition: |
- SELECT
- queue_arn AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN kms_master_key_id IS NULL THEN 'alarm'
- WHEN kms_master_key_id IS NOT NULL AND kms_master_key_id = 'alias/aws/sqs' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
- WHEN kms_master_key_id IS NOT NULL AND kms_master_key_id = 'alias/aws/sqs' THEN title || ' not encrypted with CMK.'
- ELSE title || ' encrypted with CMK.'
- END AS reason
- FROM
- aws_sqs_queue;
+ language: sql
+ primary_resource: aws_sqs_queue
+ definition: |
+ SELECT
+ queue_arn AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN 'alarm'
+ WHEN kms_master_key_id IS NOT NULL AND kms_master_key_id = 'alias/aws/sqs' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN kms_master_key_id IS NULL THEN title || ' encryption at rest disabled.'
+ WHEN kms_master_key_id IS NOT NULL AND kms_master_key_id = 'alias/aws/sqs' THEN title || ' not encrypted with CMK.'
+ ELSE title || ' encrypted with CMK.'
+ END AS reason
+ FROM
+ aws_sqs_queue;
severity: low
tags: {}
diff --git a/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml
index 949c0cc15..56b2f5913 100644
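Review bot: `WHEN kms_master_key_id IS NOT NULL AND kms_master_key_id = 'alias/aws/sqs' THEN 'alarm'` carries a redundant `IS NOT NULL` — the preceding arm already returned for NULL, and the equality is false for NULL anyway — so both the status and reason arms read more clearly as `WHEN kms_master_key_id = 'alias/aws/sqs' THEN …`. Separately, the AWS-managed key is detected only by its alias string; if a queue references that same key by key ID or ARN instead of `alias/aws/sqs` (worth confirming how the attribute is returned), it would be reported as 'encrypted with CMK', and a comment such as `-- AWS-managed SQS key is assumed to be referenced only by its alias` would record that assumption for the next reader.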
--- a/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml
+++ b/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml
@@ -1,45 +1,46 @@ id: aws_sqs_queue_policy_prohibit_public_access title: SQS queue policies should prohibit public access +type: control description: Manage access to resources in the AWS Cloud by ensuring AWS SQS queues cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_sqs_queue - definition: | - WITH wildcard_action_policies AS ( - SELECT - queue_arn, - COUNT(*) AS statements_num - FROM - aws_sqs_queue, - JSONB_ARRAY_ELEMENTS(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND ( - (s -> 'Principal' -> 'AWS') = '["*"]' - OR s ->> 'Principal' = '*' - ) - GROUP BY - queue_arn + language: sql + primary_resource: aws_sqs_queue + definition: | + WITH wildcard_action_policies AS ( + SELECT + queue_arn, + COUNT(*) AS statements_num + FROM + aws_sqs_queue, + JSONB_ARRAY_ELEMENTS(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND ( + (s -> 'Principal' -> 'AWS') = '["*"]' + OR s ->> 'Principal' = '*' ) - SELECT - q.queue_arn AS resource, - q.platform_integration_id AS platform_integration_id, - q.platform_resource_id AS platform_resource_id, - CASE - WHEN p.queue_arn IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.queue_arn IS NULL THEN title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || - ' statements that allow public access.' - END AS reason - FROM - aws_sqs_queue AS q - LEFT JOIN wildcard_action_policies AS p - ON q.queue_arn = p.queue_arn; + GROUP BY + queue_arn + ) + SELECT + q.queue_arn AS resource, + q.platform_integration_id AS platform_integration_id, + q.platform_resource_id AS platform_resource_id, + CASE + WHEN p.queue_arn IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.queue_arn IS NULL THEN title || ' does not allow public access.' 
+ ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || + ' statements that allow public access.' + END AS reason + FROM + aws_sqs_queue AS q + LEFT JOIN wildcard_action_policies AS p + ON q.queue_arn = p.queue_arn; severity: low tags: {} diff --git a/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml b/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml index 79a8ad377..0b2cd04dd 100644 --- a/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml 
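Review bot: The principal test `(s -> 'Principal' -> 'AWS') = '["*"]'` only matches when `*` is the sole entry in the array, so a statement whose principal list is `["*", "arn:aws:iam::123456789012:root"]` is not counted as public; use containment, `(s -> 'Principal' -> 'AWS') ? '*'`, instead. Conversely the statement's `Condition` is never examined, so the standard service-integration pattern of a wildcard principal scoped by `aws:SourceArn`/`aws:SourceAccount` (SNS, S3 notifications, EventBridge delivering to the queue) gets the same "allow public access" wording as a truly open queue; the sibling control aws_vpc_gateway_endpoint_restrict_public_access later in this diff adds `AND s -> 'Condition' IS NULL`, and this one should at least distinguish the conditioned case in the reason text so the alarm is not dismissed as noise. A one-line comment above the CTE stating which principal forms `policy_std` normalizes to would also make the two branches of the OR easier to trust.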
@@ -1,42 +1,43 @@ id: aws_ssm_document_prohibit_public_access title: SSM documents should not be public +type: control description: This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ssm_document - definition: | - SELECT - 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN account_ids :: jsonb ? 'all' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN account_ids :: jsonb ? 'all' THEN title || ' publicly accessible.' - ELSE title || ' not publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_ssm_document - WHERE - owner_type = 'Self'; + language: sql + primary_resource: aws_ssm_document + definition: | + SELECT + 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN account_ids :: jsonb ? 'all' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN account_ids :: jsonb ? 'all' THEN title || ' publicly accessible.' + ELSE title || ' not publicly accessible.' 
+ END AS reason, + region, + account_id + FROM + aws_ssm_document + WHERE + owner_type = 'Self'; severity: critical tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resources_not_publicly_accessible - foundational_security_item_id: - - ssm_4 - plugin: - - aws - service: - - AWS/SSM + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resources_not_publicly_accessible + foundational_security_item_id: + - ssm_4 + plugin: + - aws + service: + - AWS/SSM diff --git a/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml b/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml index cbae2fa5d..dbd572504 100644 --- a/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml +++ b/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml 
@@ -1,68 +1,69 @@ id: aws_ssm_managed_instance_compliance_association_compliant title: SSM managed instance associations should be compliant +type: control description: Use AWS Systems Manager Associations to help with inventory of software platforms and applications within an organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ssm_managed_instance_compliance - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.status = 'COMPLIANT' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' association ' || c.title || ' is compliant.' - ELSE c.resource_id || ' association ' || c.title || ' is non-compliant.' - END AS reason, - c.region, - c.account_id - FROM - aws_ssm_managed_instance AS i, - aws_ssm_managed_instance_compliance AS c - WHERE - c.resource_id = i.instance_id - AND c.compliance_type = 'Association'; + language: sql + primary_resource: aws_ssm_managed_instance_compliance + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.status = 'COMPLIANT' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' association ' || c.title || ' is compliant.' + ELSE c.resource_id || ' association ' || c.title || ' is non-compliant.' 
+ END AS reason, + c.region, + c.account_id + FROM + aws_ssm_managed_instance AS i, + aws_ssm_managed_instance_compliance AS c + WHERE + c.resource_id = i.instance_id + AND c.compliance_type = 'Association'; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SSM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SSM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml b/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml index bc9409a49..2af59f41a 100644 --- a/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml +++ b/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml 
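Review bot: A managed instance with no `Association` compliance record produces no row at all, because the comma join `FROM aws_ssm_managed_instance AS i, aws_ssm_managed_instance_compliance AS c WHERE c.resource_id = i.instance_id` is an inner join, so an instance that has never reported association compliance is neither 'ok' nor 'alarm' — it simply vanishes from the control. At minimum write the join explicitly, `FROM aws_ssm_managed_instance AS i INNER JOIN aws_ssm_managed_instance_compliance AS c ON c.resource_id = i.instance_id AND c.compliance_type = 'Association'`, and add a comment that instances without a compliance summary are intentionally not evaluated here; if they should be reported, that needs a LEFT JOIN keyed on the instance with its own status branch, which would also change `primary_resource`. Since `i` contributes nothing to the select list, the comment should say the join exists only to restrict results to currently managed instances.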
@@ -1,68 +1,69 @@ id: aws_ssm_managed_instance_compliance_patch_compliant title: SSM managed instance patching should be compliant +type: control description: Enable this rule to help with identification and documentation of AWS Elastic Compute Cloud (AWS EC2) vulnerabilities. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ssm_managed_instance_compliance - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.status = 'COMPLIANT' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' patch ' || c.title || ' is compliant.' - ELSE c.resource_id || ' patch ' || c.title || ' is non-compliant.' - END AS reason, - c.region, - c.account_id - FROM - aws_ssm_managed_instance AS i, - aws_ssm_managed_instance_compliance AS c - WHERE - c.resource_id = i.instance_id - AND c.compliance_type = 'Patch'; + language: sql + primary_resource: aws_ssm_managed_instance_compliance + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.status = 'COMPLIANT' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.status = 'COMPLIANT' THEN c.resource_id || ' patch ' || c.title || ' is compliant.' + ELSE c.resource_id || ' patch ' || c.title || ' is non-compliant.' 
+ END AS reason, + c.region, + c.account_id + FROM + aws_ssm_managed_instance AS i, + aws_ssm_managed_instance_compliance AS c + WHERE + c.resource_id = i.instance_id + AND c.compliance_type = 'Patch'; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/SSM - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/SSM + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml b/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml index 176d5d751..253795150 100644 --- a/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml 
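Review bot: The worst case for patch compliance — a managed instance that has never produced a `Patch` compliance summary — is invisible to this control, because the comma join `FROM aws_ssm_managed_instance AS i, aws_ssm_managed_instance_compliance AS c` only yields rows where a compliance record exists, so such an instance is never alarmed. The same gap exists in the association control, but here it matters more because the description frames this as vulnerability identification. Please make the join explicit, `INNER JOIN aws_ssm_managed_instance_compliance AS c ON c.resource_id = i.instance_id AND c.compliance_type = 'Patch'`, and either document that unscanned instances are out of scope or add a LEFT JOIN variant keyed on the instance that reports them as 'alarm'. Only the `COMPLIANT` literal is matched; a comment noting that every other status value (including NULL) is treated as non-compliant would make that choice deliberate.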
@@ -1,26 +1,27 @@ id: aws_ssm_parameter_encryption_enabled title: SSM parameters encryption should be enabled +type: control description: This control checks if SSM parameter has encryption enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ssm_parameter - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'SecureString' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'SecureString' THEN title || ' encryption enabled.' - ELSE title || ' encryption disabled.' - END AS reason - FROM - aws_ssm_parameter; + language: sql + primary_resource: aws_ssm_parameter + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'SecureString' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'SecureString' THEN title || ' encryption enabled.' + ELSE title || ' encryption disabled.' + END AS reason + FROM + aws_ssm_parameter; severity: low tags: {} diff --git a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml index 64b63017c..e7c1ed2e7 100644 --- a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml +++ b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml 
@@ -1,43 +1,44 @@ id: aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD title: AWS SSO Users with Permissions Require MFA +type: control description: AWS SSO Users with Permission Assignments are required to have MFA configured in IdP (EntraID) integration_type: - - aws_cloud_account - - azure_subscription +- aws_cloud_account +- azure_subscription parameters: [] policy: - language: sql - primary_resource: aws_identitystore_user - definition: | - SELECT - iden.id AS resource, - iden.platform_integration_id, - iden.platform_resource_id, - CASE - WHEN is_mfa_registered::BOOL THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN is_mfa_registered::BOOL THEN iden.name || ' has MFA registered' - ELSE iden.name || ' doesnt have MFA' - END reason - FROM - (aws_identitystore_user - CROSS JOIN jsonb_array_elements(external_ids) AS external_id) iden - INNER JOIN entraid_user_registration_details az - ON az.id = value ->> 'Id' - WHERE - EXISTS ( - SELECT * - FROM aws_ssoadmin_account_assignment - WHERE principal_type = 'USER' - AND principal_id = iden.id - ) + language: sql + primary_resource: aws_identitystore_user + definition: | + SELECT + iden.id AS resource, + iden.platform_integration_id, + iden.platform_resource_id, + CASE + WHEN is_mfa_registered::BOOL THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN is_mfa_registered::BOOL THEN iden.name || ' has MFA registered' + ELSE iden.name || ' doesnt have MFA' + END reason + FROM + (aws_identitystore_user + CROSS JOIN jsonb_array_elements(external_ids) AS external_id) iden + INNER JOIN entraid_user_registration_details az + ON az.id = value ->> 'Id' + WHERE + EXISTS ( + SELECT * + FROM aws_ssoadmin_account_assignment + WHERE principal_type = 'USER' + AND principal_id = iden.id + ) severity: high tags: - category: - - Compliance - plugin: - - aws - score_service_name: - - AWS Single Sign-On (SSO) + category: + - Compliance + plugin: + - aws + score_service_name: + - AWS Single Sign-On (SSO) 
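Review bot: The `INNER JOIN entraid_user_registration_details az` silently drops any SSO user with permission assignments whose external ID has no matching Entra registration row, so a user with no MFA record at all is never reported rather than alarmed. Make it `LEFT JOIN entraid_user_registration_details az ON az.id = value ->> 'Id'` and add a reason branch `WHEN az.id IS NULL THEN iden.name || ' has no Entra ID registration record'` (the status already falls through to `'alarm'` when `is_mfa_registered` is NULL). Note also that `is_mfa_registered` indicates a method has been registered, not that MFA is enforced at sign-in, so the title's "Require MFA" overstates what is checked; a comment above the query saying so would help. The unqualified `value` in the join condition is worth confirming as well, since the set-returning function is aliased `AS external_id`, and the reason string carries a typo, `' doesnt have MFA'`.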
diff --git a/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml b/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml index f09c06814..f6f20a407 100644 --- a/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml +++ b/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml 
@@ -1,54 +1,55 @@ id: aws_vpc_configured_to_use_vpc_endpoints title: VPC should be configured to use VPC endpoints +type: control description: Checks if Service Endpoint for the service provided in rule parameter is created for each AWS Virtual Private Cloud (AWS VPC). The rule is non-compliant if an AWS VPC doesn't have an AWS VPC endpoint created for the service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN vpc_id NOT IN ( - SELECT - vpc_id - FROM - aws_vpc_endpoint - WHERE - service_name LIKE 'com.amazonaws.' || region || '.ec2' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id NOT IN ( - SELECT - vpc_id - FROM - aws_vpc_endpoint - WHERE - service_name LIKE 'com.amazonaws.' || region || '.ec2' - ) THEN title || ' not configured to use VPC endpoints.' - ELSE title || ' configured to use VPC endpoints.' - END AS reason, - region, - account_id - FROM - aws_vpc; + language: sql + primary_resource: aws_vpc + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN vpc_id NOT IN ( + SELECT + vpc_id + FROM + aws_vpc_endpoint + WHERE + service_name LIKE 'com.amazonaws.' || region || '.ec2' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id NOT IN ( + SELECT + vpc_id + FROM + aws_vpc_endpoint + WHERE + service_name LIKE 'com.amazonaws.' || region || '.ec2' + ) THEN title || ' not configured to use VPC endpoints.' + ELSE title || ' configured to use VPC endpoints.' 
+ END AS reason, + region, + account_id + FROM + aws_vpc; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - api_private_access - foundational_security_item_id: - - ec2_10 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - api_private_access + foundational_security_item_id: + - ec2_10 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml b/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml index 983fd9089..2ca8126aa 100644 --- a/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml +++ b/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml 
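Review bot: `vpc_id NOT IN (SELECT vpc_id FROM aws_vpc_endpoint WHERE ...)` is subject to the NOT IN/NULL trap: if any matching endpoint row has a NULL `vpc_id`, the predicate is UNKNOWN for every VPC and the CASE falls through to 'ok', turning the whole control into a silent pass. Rewrite the test as a correlated `NOT EXISTS`, e.g. `WHEN NOT EXISTS (SELECT 1 FROM aws_vpc_endpoint AS e WHERE e.vpc_id = v.vpc_id AND e.service_name = 'com.amazonaws.' || e.region || '.ec2') THEN 'alarm'` with `FROM aws_vpc AS v`, and drop the `LIKE`, which has no wildcard and is only a slower `=`. The description also says the service comes from a rule parameter, but `parameters: []` and the service is hard-coded to `ec2`, so either parameterize it or fix the description and reason text to say "EC2 VPC endpoint". The `com.amazonaws.` prefix deserves a comment too, since it is the service-name form used in the standard partition and may not match endpoints in other partitions.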
@@ -1,70 +1,71 @@ id: aws_vpc_default_security_group_restricts_all_traffic title: VPC default security group should not allow inbound and outbound traffic +type: control description: AWS Elastic Compute Cloud (AWS EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(ip_permissions) = 0 - AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' - ELSE 'alarm' - END status, - CASE - WHEN jsonb_array_length(ip_permissions) > 0 - AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' - WHEN jsonb_array_length(ip_permissions) > 0 - AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'Default security group ' || group_id || ' has inbound rules.' - WHEN jsonb_array_length(ip_permissions) = 0 - AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has outbound rules.' - ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- END reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - group_name = 'default'; + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(ip_permissions) = 0 + AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'ok' + ELSE 'alarm' + END status, + CASE + WHEN jsonb_array_length(ip_permissions) > 0 + AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has inbound and outbound rules.' + WHEN jsonb_array_length(ip_permissions) > 0 + AND jsonb_array_length(ip_permissions_egress) = 0 THEN 'Default security group ' || group_id || ' has inbound rules.' + WHEN jsonb_array_length(ip_permissions) = 0 + AND jsonb_array_length(ip_permissions_egress) > 0 THEN 'Default security group ' || group_id || ' has outbound rules.' + ELSE 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
+ END reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + group_name = 'default'; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/VPC - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/VPC + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_vpc_eip_associated.yaml b/compliance/controls/aws/aws_vpc_eip_associated.yaml index 70e4bdb77..4cb8924e6 100644 --- a/compliance/controls/aws/aws_vpc_eip_associated.yaml +++ b/compliance/controls/aws/aws_vpc_eip_associated.yaml 
@@ -1,48 +1,49 @@ id: aws_vpc_eip_associated title: VPC EIPs should be associated with an EC2 instance or ENI +type: control description: This rule ensures Elastic IPs allocated to a AWS Virtual Private Cloud (AWS VPC) are attached to AWS Elastic Compute Cloud (AWS EC2) instances or in-use Elastic Network Interfaces. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_eip - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN association_id IS NULL THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN association_id IS NULL THEN title || ' is not associated with any resource.' - ELSE title || ' is associated with a resource.' - END reason, - region, - account_id - FROM - aws_vpc_eip; + language: sql + primary_resource: aws_vpc_eip + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN association_id IS NULL THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN association_id IS NULL THEN title || ' is not associated with any resource.' + ELSE title || ' is associated with a resource.' 
+ END reason, + region, + account_id + FROM + aws_vpc_eip; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - ffiec: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/VPC - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + ffiec: + - "true" + nist_800_171_rev_2: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/VPC + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml b/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml index 956156f4a..7b394d537 100644 --- a/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml +++ b/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml 
@@ -1,26 +1,27 @@ id: aws_vpc_endpoint_service_acceptance_required_enabled title: VPC endpoint services should have acceptance required enabled +type: control description: Ensure VPC endpoints connection requests to the service are accepted by the service owner. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_endpoint_service - definition: | - SELECT - service_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN acceptance_required THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN acceptance_required THEN title || ' acceptance_required enabled.' - ELSE title || ' acceptance_required disabled.' - END AS reason - FROM - aws_vpc_endpoint_service; + language: sql + primary_resource: aws_vpc_endpoint_service + definition: | + SELECT + service_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN acceptance_required THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN acceptance_required THEN title || ' acceptance_required enabled.' + ELSE title || ' acceptance_required disabled.' + END AS reason + FROM + aws_vpc_endpoint_service; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml b/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml index b6ae9076c..be1f3d483 100644 --- a/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml +++ b/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml 
@@ -1,72 +1,73 @@ id: aws_vpc_flow_logs_enabled title: VPC flow logs should be enabled +type: control description: The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your AWS Virtual Private Cloud (AWS VPC. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - SELECT DISTINCT - v.arn AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.account_id <> v.owner_id THEN 'skip' - WHEN f.resource_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.account_id <> v.owner_id THEN vpc_id || ' is a shared VPC.' - WHEN f.resource_id IS NOT NULL THEN vpc_id || ' flow logging enabled.' - ELSE vpc_id || ' flow logging disabled.' - END AS reason, - v.region, - v.account_id - FROM - aws_vpc AS v - LEFT JOIN aws_vpc_flow_log AS f - ON v.vpc_id = f.resource_id; + language: sql + primary_resource: aws_vpc + definition: | + SELECT DISTINCT + v.arn AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.account_id <> v.owner_id THEN 'skip' + WHEN f.resource_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.account_id <> v.owner_id THEN vpc_id || ' is a shared VPC.' + WHEN f.resource_id IS NOT NULL THEN vpc_id || ' flow logging enabled.' + ELSE vpc_id || ' flow logging disabled.' 
+ END AS reason, + v.region, + v.account_id + FROM + aws_vpc AS v + LEFT JOIN aws_vpc_flow_log AS f + ON v.vpc_id = f.resource_id; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - score_tags: - - Unencrypted Traffic - service: - - AWS/VPC - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + score_tags: + - Unencrypted Traffic + service: + - AWS/VPC + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml index 9d9cd9c08..0fef8c147 100644 --- a/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml 
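Review bot: The join `LEFT JOIN aws_vpc_flow_log AS f ON v.vpc_id = f.resource_id` marks a VPC 'ok' as soon as any flow log row references it, regardless of whether that flow log is actually delivering or what traffic it captures, so a flow log with a failing destination, or one capturing ACCEPT traffic only, satisfies the control while the REJECT records most useful for detection are never written. If `aws_vpc_flow_log` exposes the flow log's status and traffic type (column names to confirm against the plugin schema), filter them in the join condition and surface the values in the reason, e.g. `ON v.vpc_id = f.resource_id AND f.flow_log_status = 'ACTIVE' AND f.traffic_type = 'ALL'`. The `DISTINCT` is there only because a VPC with several flow logs would otherwise produce several rows; a comment saying so would stop a later reader from removing it.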
@@ -1,47 +1,48 @@ id: aws_vpc_gateway_endpoint_restrict_public_access title: VPC gateway endpoints should restrict public access +type: control description: Manage access to resources in the AWS Cloud by ensuring VPC gateway endpoints cannot be publicly accessed. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_endpoint - definition: | - WITH wildcard_action_policies AS ( - SELECT - vpc_endpoint_id, - COUNT(*) AS statements_num - FROM - aws_vpc_endpoint, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - s ->> 'Effect' = 'Allow' - AND s -> 'Condition' IS NULL - AND ( - (s -> 'Principal' -> 'AWS') = '[\"*\"]' - OR s ->> 'Principal' = '*' - ) - AND s ->> 'Action' = '[\"*\"]' - GROUP BY - vpc_endpoint_id + language: sql + primary_resource: aws_vpc_endpoint + definition: | + WITH wildcard_action_policies AS ( + SELECT + vpc_endpoint_id, + COUNT(*) AS statements_num + FROM + aws_vpc_endpoint, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + s ->> 'Effect' = 'Allow' + AND s -> 'Condition' IS NULL + AND ( + (s -> 'Principal' -> 'AWS') = '[\"*\"]' + OR s ->> 'Principal' = '*' ) - SELECT - e.vpc_endpoint_id AS resource, - e.platform_integration_id AS platform_integration_id, - e.platform_resource_id AS platform_resource_id, - CASE - WHEN e.vpc_endpoint_type <> 'Gateway' THEN 'skip' - WHEN p.vpc_endpoint_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN vpc_endpoint_type <> 'Gateway' THEN e.title || ' is of ' || e.vpc_endpoint_type || ' endpoint type.' - WHEN p.vpc_endpoint_id IS NULL THEN e.title || ' does not allow public access.' - ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allow public access.' 
- END AS reason - FROM - aws_vpc_endpoint AS e - LEFT JOIN wildcard_action_policies AS p ON p.vpc_endpoint_id = e.vpc_endpoint_id + AND s ->> 'Action' = '[\"*\"]' + GROUP BY + vpc_endpoint_id + ) + SELECT + e.vpc_endpoint_id AS resource, + e.platform_integration_id AS platform_integration_id, + e.platform_resource_id AS platform_resource_id, + CASE + WHEN e.vpc_endpoint_type <> 'Gateway' THEN 'skip' + WHEN p.vpc_endpoint_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN vpc_endpoint_type <> 'Gateway' THEN e.title || ' is of ' || e.vpc_endpoint_type || ' endpoint type.' + WHEN p.vpc_endpoint_id IS NULL THEN e.title || ' does not allow public access.' + ELSE title || ' contains ' || COALESCE(p.statements_num, 0) || ' statements that allow public access.' + END AS reason + FROM + aws_vpc_endpoint AS e + LEFT JOIN wildcard_action_policies AS p ON p.vpc_endpoint_id = e.vpc_endpoint_id severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml b/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml index 58e20488e..cd9323ef5 100644 --- a/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml +++ b/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml 
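Review bot: The principal and action literals in this hunk are written `'[\"*\"]'`, whereas the otherwise identical check in aws_sqs_queue_policy_prohibit_public_access earlier in this diff uses `'["*"]'`; inside a YAML `|` block scalar a backslash is literal, so if the stored file really contains the backslashes, the jsonb comparison `(s -> 'Principal' -> 'AWS') = '[\"*\"]'` would fail to parse its literal and the text comparison `s ->> 'Action' = '[\"*\"]'` could never be true — the control would either error or never alarm. Please confirm the file contents and align both literals with the SQS control, `'["*"]'`. Independently of that, exact equality on the whole array means `"Action": ["*", "s3:GetObject"]` is not treated as a wildcard action; containment, `s -> 'Action' ? '*'`, covers that case. The `AND s -> 'Condition' IS NULL` guard is a sensible choice here and deserves a one-line comment stating that conditioned wildcard statements are deliberately excluded.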
@@ -1,56 +1,57 @@
 id: aws_vpc_igw_attached_to_authorized_vpc
 title: VPC internet gateways should be attached to authorized vpc
+type: control
 description: Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized AWS Virtual Private Cloud (AWS VPC).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_internet_gateway
- definition: |
- SELECT
- 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':internet-gateway/' || title AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN jsonb_array_length(attachments) = 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN jsonb_array_length(attachments) = 0 THEN title || ' not attached to VPC.'
- ELSE title || ' attached to ' || split_part(
- SUBSTRING(attachments::text, 3, LENGTH(attachments::text) - 6),
- '"VpcId": "',
- 2
- ) || '.'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_internet_gateway;
+ language: sql
+ primary_resource: aws_vpc_internet_gateway
+ definition: |
+ SELECT
+ 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':internet-gateway/' || title AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN jsonb_array_length(attachments) = 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN jsonb_array_length(attachments) = 0 THEN title || ' not attached to VPC.'
+ ELSE title || ' attached to ' || split_part(
+ SUBSTRING(attachments::text, 3, LENGTH(attachments::text) - 6),
+ '"VpcId": "',
+ 2
+ ) || '.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_internet_gateway;
 severity: high
 tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- hipaa_security_rule_2003:
- - 'true'
- nist_800_53_rev_4:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/VPC
- soc_2:
- - 'true'
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_security_rule_2003:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_4:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/VPC
+ soc_2:
+ - "true"
diff --git a/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml b/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml
index 72b3e2e12..1ed52f051 100644
--- a/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml
+++ b/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml
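Review bot: The status CASE returns `ok` for any internet gateway with a non-empty `attachments` array and alarms only on a detached one, and with `parameters: []` there is no list of approved VPCs to compare against, so the control cannot produce the "attached to an unauthorized VPC" finding its title and description promise. A parameter holding the authorized VPC IDs, with `alarm` when the attached `VpcId` is outside it, would match the stated intent; failing that, the title should describe what is actually checked. The VPC ID in the reason is recovered with `SUBSTRING(attachments::text, 3, LENGTH(attachments::text) - 6)` plus `split_part`, which depends on the exact text serialisation of the JSON array; `attachments -> 0 ->> 'VpcId'` reads the same value directly and survives a change in key order or element count.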
@@ -1,46 +1,47 @@
 id: aws_vpc_in_more_than_one_region
 title: VPCs should exist in multiple regions
+type: control
 description: This control checks whether there are VPCs present in multiple regions.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- WITH vpc_region_list AS (
- SELECT
- DISTINCT region,
- account_id
- FROM
- aws_vpc
- ),
- vpc_count_in_account AS (
- SELECT
- COUNT(*) AS num,
- account_id
- FROM
- vpc_region_list
- GROUP BY
- account_id
- )
- SELECT
- arn AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN v.num > 1 THEN 'ok'
- WHEN v.num = 1 THEN 'alarm'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN v.num > 1 THEN 'VPCs exist in ' || v.num || ' regions.'
- WHEN v.num = 1 THEN 'VPCs exist only in one region.'
- ELSE 'VPC does not exist.'
- END AS reason
- FROM
- aws_account AS a
- LEFT JOIN
- vpc_count_in_account AS v ON v.account_id = a.account_id
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ WITH vpc_region_list AS (
+ SELECT
+ DISTINCT region,
+ account_id
+ FROM
+ aws_vpc
+ ),
+ vpc_count_in_account AS (
+ SELECT
+ COUNT(*) AS num,
+ account_id
+ FROM
+ vpc_region_list
+ GROUP BY
+ account_id
+ )
+ SELECT
+ arn AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN v.num > 1 THEN 'ok'
+ WHEN v.num = 1 THEN 'alarm'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN v.num > 1 THEN 'VPCs exist in ' || v.num || ' regions.'
+ WHEN v.num = 1 THEN 'VPCs exist only in one region.'
+ ELSE 'VPC does not exist.'
+ END AS reason
+ FROM
+ aws_account AS a
+ LEFT JOIN
+ vpc_count_in_account AS v ON v.account_id = a.account_id
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml b/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml
index 0de220413..e387c3cfc 100644
--- a/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml
+++ b/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml
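Review bot: `WHEN v.num = 1 THEN 'alarm' ELSE 'alarm'` in the status CASE has two identical outcomes; `WHEN v.num > 1 THEN 'ok' ELSE 'alarm'` is equivalent and leaves the one-region versus no-VPC distinction to the reason CASE, where it is actually used. `arn AS resource` is the only unqualified column in a query that aliases `aws_account AS a` and the CTE as `v`; `a.arn` reads consistently with the `a.platform_*` columns beside it.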
@@ -1,80 +1,81 @@
 id: aws_vpc_network_acl_remote_administration
 title: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
+type: control
 description: This control checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for ports 22 or 3389.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_network_acl
- definition: |
- WITH bad_rules AS (
- SELECT
- network_acl_id,
- COUNT(*) AS num_bad_rules
- FROM
- aws_vpc_network_acl,
- jsonb_array_elements(entries) AS att
- WHERE
- att ->> 'Egress' = 'false'
- AND (
- att ->> 'CidrBlock' = '0.0.0.0/0'
- OR att ->> 'Ipv6CidrBlock' = '::/0'
- )
- AND att ->> 'RuleAction' = 'allow'
- AND (
- (
- att ->> 'Protocol' = '-1'
- AND att ->> 'PortRange' IS NULL
- )
- OR (
- (att -> 'PortRange' ->> 'From')::int <= 22
- AND (att -> 'PortRange' ->> 'To')::int >= 22
- AND att ->> 'Protocol' IN('6', '17')
- )
- OR (
- (att -> 'PortRange' ->> 'From')::int <= 3389
- AND (att -> 'PortRange' ->> 'To')::int >= 3389
- AND att ->> 'Protocol' IN('6', '17')
- )
- )
- GROUP BY
- network_acl_id
+ language: sql
+ primary_resource: aws_vpc_network_acl
+ definition: |
+ WITH bad_rules AS (
+ SELECT
+ network_acl_id,
+ COUNT(*) AS num_bad_rules
+ FROM
+ aws_vpc_network_acl,
+ jsonb_array_elements(entries) AS att
+ WHERE
+ att ->> 'Egress' = 'false'
+ AND (
+ att ->> 'CidrBlock' = '0.0.0.0/0'
+ OR att ->> 'Ipv6CidrBlock' = '::/0'
 )
- SELECT
- 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource,
- acl.platform_integration_id AS platform_integration_id,
- acl.platform_resource_id AS platform_resource_id,
- CASE
- WHEN bad_rules.network_acl_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'
- ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'
- END AS reason,
- acl.region,
- acl.account_id
- FROM
- aws_vpc_network_acl AS acl
- LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id;
+ AND att ->> 'RuleAction' = 'allow'
+ AND (
+ (
+ att ->> 'Protocol' = '-1'
+ AND att ->> 'PortRange' IS NULL
+ )
+ OR (
+ (att -> 'PortRange' ->> 'From')::int <= 22
+ AND (att -> 'PortRange' ->> 'To')::int >= 22
+ AND att ->> 'Protocol' IN('6', '17')
+ )
+ OR (
+ (att -> 'PortRange' ->> 'From')::int <= 3389
+ AND (att -> 'PortRange' ->> 'To')::int >= 3389
+ AND att ->> 'Protocol' IN('6', '17')
+ )
+ )
+ GROUP BY
+ network_acl_id
+ )
+ SELECT
+ 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource,
+ acl.platform_integration_id AS platform_integration_id,
+ acl.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN bad_rules.network_acl_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'
+ ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'
+ END AS reason,
+ acl.region,
+ acl.account_id
+ FROM
+ aws_vpc_network_acl AS acl
+ LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id;
 severity: high
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '5.1'
- cis_level:
- - '1'
- cis_section_id:
- - '5'
- cis_type:
- - automated
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS/VPC
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "5.1"
+ cis_level:
+ - "1"
+ cis_section_id:
+ - "5"
+ cis_type:
+ - automated
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
diff --git a/compliance/controls/aws/aws_vpc_network_acl_unused.yaml b/compliance/controls/aws/aws_vpc_network_acl_unused.yaml
index 61e499588..b873cefd0 100644
--- a/compliance/controls/aws/aws_vpc_network_acl_unused.yaml
+++ b/compliance/controls/aws/aws_vpc_network_acl_unused.yaml
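Review bot: `bad_rules` counts every matching allow entry without looking at `RuleNumber`, yet a network ACL evaluates entries in ascending rule number and stops at the first match, so a lower-numbered deny for 22/3389 followed by a broad allow is still reported and `num_bad_rules` in the reason can overstate what is actually reachable. That is acceptable for a CIS 5.1 style check, but it deserves a `--` comment above the CTE, e.g. `-- counts allow entries regardless of RuleNumber; an earlier deny entry is not honoured`, so the over-reporting is understood rather than rediscovered. Protocol `'17'` (UDP) is also counted for port 22, where SSH is TCP-only; if that is deliberate because RDP does use UDP 3389, a one-line comment saying so would stop the next reader from "fixing" it.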
@@ -1,40 +1,41 @@
 id: aws_vpc_network_acl_unused
 title: VPC network access control lists (network ACLs) should be associated with a subnet.
+type: control
 description: Ensure there are no unused network access control lists (network ACLs). The rule is compliant if each network ACL is associated with a subnet. The rule is non-compliant if a network ACL is not associated with a subnet.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_network_acl
- definition: |
- SELECT
- network_acl_id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN jsonb_array_length(associations) >= 1 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN jsonb_array_length(associations) >= 1 THEN title || ' associated with subnet.'
- ELSE title || ' not associated with subnet.'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_network_acl;
+ language: sql
+ primary_resource: aws_vpc_network_acl
+ definition: |
+ SELECT
+ network_acl_id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN jsonb_array_length(associations) >= 1 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN jsonb_array_length(associations) >= 1 THEN title || ' associated with subnet.'
+ ELSE title || ' not associated with subnet.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_network_acl;
 severity: medium
 tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - 'true'
- cisa_cyber_essentials:
- - 'true'
- nist_csf:
- - 'true'
- plugin:
- - aws
- service:
- - AWS/VPC
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ cisa_cyber_essentials:
+ - "true"
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
diff --git a/compliance/controls/aws/aws_vpc_not_in_use.yaml b/compliance/controls/aws/aws_vpc_not_in_use.yaml
index 38f8f9ae5..593eab707 100644
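Review bot: `resource` here is the bare `network_acl_id`, while the sibling `aws_vpc_network_acl_remote_administration` control in this same change builds `'arn:' || partition || ':ec2:' || region || ':' || account_id || ':network-acl/' || network_acl_id`, so findings for one NACL are keyed differently across the two controls; using the same ARN expression here keeps them joinable. `jsonb_array_length(associations)` is NULL when `associations` is NULL, and `NULL >= 1` falls through to `alarm` without saying so; `COALESCE(jsonb_array_length(associations), 0) >= 1` makes that intent explicit. The trailing period in the title is the only one among the VPC controls in this change.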
--- a/compliance/controls/aws/aws_vpc_not_in_use.yaml
+++ b/compliance/controls/aws/aws_vpc_not_in_use.yaml
@@ -1,35 +1,36 @@
 id: aws_vpc_not_in_use
 title: VPCs should be in use
+type: control
 description: This control checks whether there are any unused VPCs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc
- definition: |
- WITH vpc_without_subnet AS (
- SELECT
- DISTINCT vpc_id
- FROM
- aws_vpc
- WHERE
- vpc_id NOT IN (SELECT vpc_id FROM aws_vpc_subnet)
- )
- SELECT
- arn AS resource,
- v.platform_integration_id AS platform_integration_id,
- v.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s.vpc_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN s.vpc_id IS NULL THEN title || ' in use.'
- ELSE title || ' not in use.'
- END AS reason
- FROM
- aws_vpc AS v
- LEFT JOIN vpc_without_subnet AS s ON s.vpc_id = v.vpc_id;
+ language: sql
+ primary_resource: aws_vpc
+ definition: |
+ WITH vpc_without_subnet AS (
+ SELECT
+ DISTINCT vpc_id
+ FROM
+ aws_vpc
+ WHERE
+ vpc_id NOT IN (SELECT vpc_id FROM aws_vpc_subnet)
+ )
+ SELECT
+ arn AS resource,
+ v.platform_integration_id AS platform_integration_id,
+ v.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s.vpc_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN s.vpc_id IS NULL THEN title || ' in use.'
+ ELSE title || ' not in use.'
+ END AS reason
+ FROM
+ aws_vpc AS v
+ LEFT JOIN vpc_without_subnet AS s ON s.vpc_id = v.vpc_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml b/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml
index a79148a6e..ae3e56852 100644
--- a/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml
+++ b/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml
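Review bot: `vpc_id NOT IN (SELECT vpc_id FROM aws_vpc_subnet)` in `vpc_without_subnet` has the NOT IN / NULL trap: if any subnet row carries a NULL `vpc_id`, the subquery contains NULL, `NOT IN` yields no rows, and every VPC in the account silently reports `in use`. `WHERE NOT EXISTS (SELECT 1 FROM aws_vpc_subnet AS s WHERE s.vpc_id = aws_vpc.vpc_id)` has the intended semantics; with that form the CTE plus self LEFT JOIN can collapse into the CASE on `aws_vpc` directly. Whether "has at least one subnet" is a sufficient definition of "in use" is a judgement call the description could state explicitly.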
@@ -1,28 +1,29 @@
 id: aws_vpc_peering_connection_no_cross_account_access
 title: VPCs peering connection should not be allowed in cross account
+type: control
 description: Ensure that all VPCs peering connection are not having cross account access.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_peering_connection
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN status_code <> 'active' THEN 'alarm'
- WHEN requester_owner_id <> accepter_owner_id THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN status_code <> 'active' THEN title || ' is not in active state.'
- WHEN requester_owner_id <> accepter_owner_id THEN title || ' have cross account access.'
- ELSE title || ' does not have cross account access.'
- END AS reason
- FROM
- aws_vpc_peering_connection;
+ language: sql
+ primary_resource: aws_vpc_peering_connection
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN status_code <> 'active' THEN 'alarm'
+ WHEN requester_owner_id <> accepter_owner_id THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN status_code <> 'active' THEN title || ' is not in active state.'
+ WHEN requester_owner_id <> accepter_owner_id THEN title || ' have cross account access.'
+ ELSE title || ' does not have cross account access.'
+ END AS reason
+ FROM
+ aws_vpc_peering_connection;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml b/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml
index 471bd2638..3853f31d5 100644
--- a/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml
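Review bot: `WHEN status_code <> 'active' THEN 'alarm'` is evaluated first, so a rejected, expired, failed or deleted peering connection alarms with reason `is not in active state` under a control that is about cross-account access, while a `pending-acceptance` connection between two different accounts never reaches the owner comparison. Inactive connections carry no traffic; returning `skip` or `info` for them, and applying `requester_owner_id <> accepter_owner_id` to pending ones as well, keeps the alarm meaningful. If either owner id is NULL the `<>` comparison is NULL and the row falls through to `ok`; `requester_owner_id IS DISTINCT FROM accepter_owner_id` avoids that. Minor wording: `' have cross account access.'` should read `' has cross account access.'`.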
+++ b/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml 
@@ -1,44 +1,45 @@
 id: aws_vpc_peering_connection_route_table_least_privilege
 title: VPCs peering connection route tables should have least privilege
+type: control
 description: Ensure that all VPCs peering connection route tables have least privilege.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_peering_connection
- definition: |
- WITH vpc_peering_routing_tables AS (
- SELECT
- r ->> 'VpcPeeringConnectionId' AS peering_connection_id
- FROM
- aws_vpc_route_table,
- JSONB_ARRAY_ELEMENTS(routes) AS r
- INNER JOIN aws_vpc_peering_connection AS c
- ON r ->> 'VpcPeeringConnectionId' = c.id
- WHERE
- (r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
- OR r ->> 'DestinationCidrBlock' = '::/0'
- OR (r ->> 'DestinationCidrBlock')::CIDR = c.accepter_cidr_block
- OR (r ->> 'DestinationCidrBlock')::CIDR = c.requester_cidr_block)
- GROUP BY
- r ->> 'VpcPeeringConnectionId'
- )
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN t.peering_connection_id IS NOT NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN t.peering_connection_id IS NOT NULL THEN c.title || ' does not have least privilege access.'
- ELSE c.title || ' have least privilege access.'
- END AS reason
- FROM
- aws_vpc_peering_connection AS c
- LEFT JOIN vpc_peering_routing_tables AS t
- ON t.peering_connection_id = c.id;
+ language: sql
+ primary_resource: aws_vpc_peering_connection
+ definition: |
+ WITH vpc_peering_routing_tables AS (
+ SELECT
+ r ->> 'VpcPeeringConnectionId' AS peering_connection_id
+ FROM
+ aws_vpc_route_table,
+ JSONB_ARRAY_ELEMENTS(routes) AS r
+ INNER JOIN aws_vpc_peering_connection AS c
+ ON r ->> 'VpcPeeringConnectionId' = c.id
+ WHERE
+ (r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
+ OR r ->> 'DestinationCidrBlock' = '::/0'
+ OR (r ->> 'DestinationCidrBlock')::CIDR = c.accepter_cidr_block
+ OR (r ->> 'DestinationCidrBlock')::CIDR = c.requester_cidr_block)
+ GROUP BY
+ r ->> 'VpcPeeringConnectionId'
+ )
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN t.peering_connection_id IS NOT NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN t.peering_connection_id IS NOT NULL THEN c.title || ' does not have least privilege access.'
+ ELSE c.title || ' have least privilege access.'
+ END AS reason
+ FROM
+ aws_vpc_peering_connection AS c
+ LEFT JOIN vpc_peering_routing_tables AS t
+ ON t.peering_connection_id = c.id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml b/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml
index b1e9b6c3c..72beca7f3 100644
--- a/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml
+++ b/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml
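Review bot: The IPv6 branch `r ->> 'DestinationCidrBlock' = '::/0'` can only match if IPv6 destinations are stored under `DestinationCidrBlock`; in the EC2 route representation IPv6 destinations are, as far as I know, carried in `DestinationIpv6CidrBlock`, so a `::/0` route over a peering connection would never be counted — worth checking against the stored `routes` document and adding `OR r ->> 'DestinationIpv6CidrBlock' = '::/0'`. Only the primary `c.accepter_cidr_block` / `c.requester_cidr_block` are compared, so a route covering a secondary CIDR of the peer VPC is not treated as whole-VPC access. A `--` comment above the CTE stating what "least privilege" means here (a route narrower than the peer's full CIDR and not a default route) would make the alarm reason verifiable.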
@@ -1,72 +1,73 @@
 id: aws_vpc_route_table_restrict_public_access_to_igw
 title: VPC route table should restrict public access to IGW
+type: control
 description: Ensure that there are public routes in the route table to an Internet Gateway (IGW). The rule is non-compliant if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_route_table
- definition: |
- WITH route_with_public_access AS (
- SELECT
- route_table_id,
- COUNT(*) AS num
- FROM
- aws_vpc_route_table,
- jsonb_array_elements(routes) AS r
- WHERE
- (r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
- OR r ->> 'DestinationCidrBlock' = '::/0')
- AND r ->> 'GatewayId' LIKE 'igw%'
- GROUP BY
- route_table_id
- )
- SELECT
- a.route_table_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.route_table_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.route_table_id IS NULL THEN a.title || ' does not have public routes to an Internet Gateway (IGW)'
- ELSE a.title || ' contains ' || b.num || ' rule(s) which have public routes to an Internet Gateway (IGW)'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_route_table AS a
- LEFT JOIN route_with_public_access AS b
- ON b.route_table_id = a.route_table_id;
+ language: sql
+ primary_resource: aws_vpc_route_table
+ definition: |
+ WITH route_with_public_access AS (
+ SELECT
+ route_table_id,
+ COUNT(*) AS num
+ FROM
+ aws_vpc_route_table,
+ jsonb_array_elements(routes) AS r
+ WHERE
+ (r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
+ OR r ->> 'DestinationCidrBlock' = '::/0')
+ AND r ->> 'GatewayId' LIKE 'igw%'
+ GROUP BY
+ route_table_id
+ )
+ SELECT
+ a.route_table_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.route_table_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.route_table_id IS NULL THEN a.title || ' does not have public routes to an Internet Gateway (IGW)'
+ ELSE a.title || ' contains ' || b.num || ' rule(s) which have public routes to an Internet Gateway (IGW)'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_route_table AS a
+ LEFT JOIN route_with_public_access AS b
+ ON b.route_table_id = a.route_table_id;
 severity: high
 tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - 'true'
- fedramp_low_rev_4:
- - 'true'
- fedramp_moderate_rev_4:
- - 'true'
- ffiec:
- - 'true'
- gxp_21_cfr_part_11:
- - 'true'
- hipaa_final_omnibus_security_rule_2013:
- - 'true'
- nist_800_53_rev_5:
- - 'true'
- nist_800_171_rev_2:
- - 'true'
- nist_csf:
- - 'true'
- pci_dss_v321:
- - 'true'
- plugin:
- - aws
- rbi_cyber_security:
- - 'true'
- service:
- - AWS/VPC
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ fedramp_low_rev_4:
+ - "true"
+ fedramp_moderate_rev_4:
+ - "true"
+ ffiec:
+ - "true"
+ gxp_21_cfr_part_11:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ nist_800_171_rev_2:
+ - "true"
+ nist_800_53_rev_5:
+ - "true"
+ nist_csf:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS/VPC
diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml
index be9f7965e..6b50102bd 100644
--- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml
+++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml
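Review bot: The description says `Ensure that there are public routes in the route table to an Internet Gateway (IGW)`, the opposite of what the title and the `alarm` branch check; it should read `there are no public routes`. The `::/0` branch compares `r ->> 'DestinationCidrBlock'`, and IPv6 route destinations are, as far as I know, reported under `DestinationIpv6CidrBlock`, so an IPv6 default route to an IGW would never be counted; `OR r ->> 'DestinationIpv6CidrBlock' = '::/0'` covers it, to be confirmed against the stored `routes` document. Both points sit on lines the commit only re-indents.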
@@ -1,57 +1,58 @@
 id: aws_vpc_security_group_allows_ingress_authorized_ports
 title: VPC Security groups should only allow unrestricted incoming traffic for authorized ports
+type: control
 description: This control checks whether the VPC security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- WITH ingress_unauthorized_ports AS (
- SELECT
- group_id,
- COUNT(*)
- FROM
- aws_vpc_security_group_rule
- WHERE
- type = 'ingress'
- AND cidr_ipv4 = '0.0.0.0/0'
- AND (
- from_port IS NULL
- OR from_port NOT IN (80, 443)
- )
- GROUP BY
- group_id
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ WITH ingress_unauthorized_ports AS (
+ SELECT
+ group_id,
+ COUNT(*)
+ FROM
+ aws_vpc_security_group_rule
+ WHERE
+ type = 'ingress'
+ AND cidr_ipv4 = '0.0.0.0/0'
+ AND (
+ from_port IS NULL
+ OR from_port NOT IN (80, 443)
 )
- SELECT
- sg.arn AS resource,
- sg.platform_integration_id AS platform_integration_id,
- sg.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ingress_unauthorized_ports.count > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ingress_unauthorized_ports.count > 0 THEN sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 '
- ELSE sg.title || ' allows unrestricted incoming traffic for authorized default ports (80, 443).'
- END AS reason,
- sg.region,
- sg.account_id
- FROM
- aws_vpc_security_group AS sg
- LEFT JOIN ingress_unauthorized_ports ON ingress_unauthorized_ports.group_id = sg.group_id
+ GROUP BY
+ group_id
+ )
+ SELECT
+ sg.arn AS resource,
+ sg.platform_integration_id AS platform_integration_id,
+ sg.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ingress_unauthorized_ports.count > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ingress_unauthorized_ports.count > 0 THEN sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 '
+ ELSE sg.title || ' allows unrestricted incoming traffic for authorized default ports (80, 443).'
+ END AS reason,
+ sg.region,
+ sg.account_id
+ FROM
+ aws_vpc_security_group AS sg
+ LEFT JOIN ingress_unauthorized_ports ON ingress_unauthorized_ports.group_id = sg.group_id
 severity: high
 tags:
- aws_foundational_security:
- - 'true'
- category:
- - Compliance
- foundational_security_category:
- - security_group_configuration
- foundational_security_item_id:
- - ec2_18
- plugin:
- - aws
- service:
- - AWS/EC2
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ foundational_security_category:
+ - security_group_configuration
+ foundational_security_item_id:
+ - ec2_18
+ plugin:
+ - aws
+ service:
+ - AWS/EC2
diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml
index 10c39af9f..c5f47a8dd 100644
--- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml
+++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml
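Review bot: `from_port NOT IN (80, 443)` never looks at `to_port`, so an ingress rule from `0.0.0.0/0` for the range 80–8080 or 443–65535 is treated as an authorized port; adding `OR to_port <> from_port` (a single authorized port has `from_port = to_port`) closes that gap. Only `cidr_ipv4 = '0.0.0.0/0'` is considered although the control is tagged FSBP `ec2_18`, which also covers `::/0`; `OR cidr_ipv6 = '::/0'` aligns it. The description mentions an `authorizedTcpPorts` parameter, but `parameters: []` is empty and the ports are hard-coded in the SQL; either wire the parameter or drop that sentence.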
@@ -1,50 +1,51 @@
 id: aws_vpc_security_group_allows_ingress_to_cassandra_ports
 title: VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888
+type: control
 description: This control checks whether the VPC security groups allow ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 7199 or 9160 or 8888.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- WITH ingress_ssh_rules AS (
- SELECT
- group_id,
- COUNT(*) AS num_ssh_rules
- FROM
- aws_vpc_security_group_rule
- WHERE
- type = 'ingress'
- AND cidr_ipv4 = '0.0.0.0/0'
- AND (
- (ip_protocol = '-1'
- AND from_port IS NULL)
- OR (from_port >= 7199
- AND to_port <= 7199)
- OR (from_port >= 9160
- AND to_port <= 9160)
- OR (from_port >= 8888
- AND to_port <= 8888)
- )
- GROUP BY
- group_id
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ WITH ingress_ssh_rules AS (
+ SELECT
+ group_id,
+ COUNT(*) AS num_ssh_rules
+ FROM
+ aws_vpc_security_group_rule
+ WHERE
+ type = 'ingress'
+ AND cidr_ipv4 = '0.0.0.0/0'
+ AND (
+ (ip_protocol = '-1'
+ AND from_port IS NULL)
+ OR (from_port >= 7199
+ AND to_port <= 7199)
+ OR (from_port >= 9160
+ AND to_port <= 9160)
+ OR (from_port >= 8888
+ AND to_port <= 8888)
 )
-
- SELECT
- arn AS resource,
- sg.platform_integration_id AS platform_integration_id,
- sg.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for cassandra ports from 0.0.0.0/0.'
- ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for cassandra ports from 0.0.0.0/0.'
- END AS reason
- FROM
- aws_vpc_security_group AS sg
- LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id
+ GROUP BY
+ group_id
+ )
+
+ SELECT
+ arn AS resource,
+ sg.platform_integration_id AS platform_integration_id,
+ sg.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for cassandra ports from 0.0.0.0/0.'
+ ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for cassandra ports from 0.0.0.0/0.'
+ END AS reason
+ FROM
+ aws_vpc_security_group AS sg
+ LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml
index 1baddc949..1655bb021 100644
--- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml
+++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml
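Review bot: The port test is inverted: `from_port >= 7199 AND to_port <= 7199` only matches a rule whose range is exactly 7199–7199, so a rule opening 0–65535 or 7000–9999 from `0.0.0.0/0` also exposes the port but is never counted; the condition should be `from_port <= 7199 AND to_port >= 7199`, and likewise `from_port <= 9160 AND to_port >= 9160` and `from_port <= 8888 AND to_port >= 8888` (the NACL control in this same change uses that orientation). The title and description promise `::/0` coverage but only `cidr_ipv4 = '0.0.0.0/0'` is tested; `OR cidr_ipv6 = '::/0'` is needed for that. The CTE and its count are still named `ingress_ssh_rules` / `num_ssh_rules` in a Cassandra control, which reads like a copy-paste leftover.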
@@ -1,46 +1,47 @@
 id: aws_vpc_security_group_allows_ingress_to_memcached_port
 title: VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to memcached port 11211
+type: control
 description: This control checks whether the VPC security groups that are in use allow allow ingress from 0.0.0.0/0 or ::/0 to memcached port 11211. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from port 11211.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- WITH ingress_ssh_rules AS (
- SELECT
- group_id,
- COUNT(*) AS num_ssh_rules
- FROM
- aws_vpc_security_group_rule
- WHERE
- type = 'ingress'
- AND cidr_ipv4 = '0.0.0.0/0'
- AND (
- (ip_protocol = '-1' AND from_port IS NULL)
- OR (
- from_port >= 11211
- AND to_port <= 11211
- )
- )
- GROUP BY
- group_id
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ WITH ingress_ssh_rules AS (
+ SELECT
+ group_id,
+ COUNT(*) AS num_ssh_rules
+ FROM
+ aws_vpc_security_group_rule
+ WHERE
+ type = 'ingress'
+ AND cidr_ipv4 = '0.0.0.0/0'
+ AND (
+ (ip_protocol = '-1' AND from_port IS NULL)
+ OR (
+ from_port >= 11211
+ AND to_port <= 11211
+ )
 )
- SELECT
- arn AS resource,
- sg.platform_integration_id AS platform_integration_id,
- sg.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for memcached port from 0.0.0.0/0.'
- ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for memcached port from 0.0.0.0/0.'
- END AS reason
- FROM
- aws_vpc_security_group AS sg
- LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id;
+ GROUP BY
+ group_id
+ )
+ SELECT
+ arn AS resource,
+ sg.platform_integration_id AS platform_integration_id,
+ sg.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for memcached port from 0.0.0.0/0.'
+ ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for memcached port from 0.0.0.0/0.'
+ END AS reason
+ FROM
+ aws_vpc_security_group AS sg
+ LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml
index 3931dedc9..f0c367e9a 100644
--- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml
+++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml
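Review bot: The range test `from_port >= 11211 AND to_port <= 11211` is inverted and only matches a rule scoped to exactly 11211–11211; a rule opening 0–65535 or 11000–12000 from `0.0.0.0/0` exposes memcached just as much and is not counted. It should read `from_port <= 11211 AND to_port >= 11211`, the orientation the NACL control in this same change uses. `::/0` is named in the title and description but only `cidr_ipv4 = '0.0.0.0/0'` is tested, so `OR cidr_ipv6 = '::/0'` is missing, and the description's mention of an `authorizedTcpPorts` parameter does not match `parameters: []`. The CTE is still called `ingress_ssh_rules` in a memcached control.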
@@ -1,45 +1,46 @@ id: aws_vpc_security_group_allows_ingress_to_mongodb_ports title: VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018 +type: control description: This control checks whether the VPC security groups that are in use allow ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 27017 and 27018. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 27017 AND to_port <= 27017) - OR (from_port >= 27018 AND to_port <= 27018) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 27017 AND to_port <= 27017) + OR (from_port >= 27018 AND to_port <= 27018) ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for mongodb ports from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for mongodb ports from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules - ON ingress_ssh_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for mongodb ports from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for mongodb ports from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules + ON ingress_ssh_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml index f2ba2726e..293f266d6 100644 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml 
@@ -1,50 +1,51 @@ id: aws_vpc_security_group_allows_ingress_to_oracle_ports title: VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483 +type: control description: This control checks whether the VPC security groups that are in use allow ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 1521 or 2483. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR ( - from_port >= 1521 - AND to_port <= 1521 - ) - OR ( - from_port >= 2483 - AND to_port <= 2483 - ) + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR ( + from_port >= 1521 + AND to_port <= 1521 + ) + OR ( + from_port >= 2483 + AND to_port <= 2483 ) - GROUP BY - group_id ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for oracle ports from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for oracle ports from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for oracle ports from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for oracle ports from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml b/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml index f1cfa2873..47a7f4850 100644 --- a/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml 
@@ -1,52 +1,53 @@ id: aws_vpc_security_group_associated_to_eni title: VPC security groups should be associated with at least one ENI +type: control description: This rule ensures the security groups are attached to an AWS Elastic Compute Cloud (AWS EC2) instance or to an ENI. This rule helps monitoring unused security groups in the inventory and the management of your environment. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH associated_sg AS ( - SELECT - COUNT(sg ->> 'GroupId'), - sg ->> 'GroupId' AS secgrp_id - FROM - aws_ec2_network_interface, - JSONB_ARRAY_ELEMENTS(groups) AS sg - GROUP BY - sg ->> 'GroupId' - ) - SELECT - DISTINCT s.arn AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.secgrp_id = s.group_id THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.secgrp_id = s.group_id THEN s.title || ' is associated with ' || a.count || ' ENI(s).' - ELSE s.title || ' not associated to any ENI.' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group AS s - LEFT JOIN - associated_sg AS a ON s.group_id = a.secgrp_id; + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH associated_sg AS ( + SELECT + COUNT(sg ->> 'GroupId'), + sg ->> 'GroupId' AS secgrp_id + FROM + aws_ec2_network_interface, + JSONB_ARRAY_ELEMENTS(groups) AS sg + GROUP BY + sg ->> 'GroupId' + ) + SELECT + DISTINCT s.arn AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.secgrp_id = s.group_id THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.secgrp_id = s.group_id THEN s.title || ' is associated with ' || a.count || ' ENI(s).' + ELSE s.title || ' not associated to any ENI.' 
+ END AS reason, + region, + account_id + FROM + aws_vpc_security_group AS s + LEFT JOIN + associated_sg AS a ON s.group_id = a.secgrp_id; severity: low tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - nist_800_171_rev_2: - - 'true' - plugin: - - aws - service: - - AWS/VPC - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS/VPC + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml b/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml index 55c99a168..be8a4c112 100644 --- a/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml 
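Review bot: The associated_sg CTE leaves `COUNT(sg ->> 'GroupId')` unnamed and the outer query then relies on the engine's default column name through `a.count`, which is fragile and easy to misread next to the keyword. Alias it explicitly, `COUNT(sg ->> 'GroupId') AS eni_count,` and read it back as `a.eni_count` in the reason branch. The `DISTINCT` on the outer SELECT also appears unnecessary once the CTE is grouped by secgrp_id, since the LEFT JOIN then yields at most one row per security group; dropping it makes the one-row-per-resource intent visible rather than masking it.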
@@ -1,39 +1,40 @@ id: aws_vpc_security_group_not_uses_launch_wizard_sg title: VPC security groups should restrict uses of 'launch-wizard' security groups. +type: control description: Ensure the launch-wizard security group in your AWS account is not being used. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH associated_sg AS ( - SELECT - DISTINCT (sg ->> 'GroupName') AS sg_name - FROM - aws_ec2_network_interface, - JSONB_ARRAY_ELEMENTS(groups) AS sg - WHERE - (sg ->> 'GroupName') LIKE 'launch-wizard%' - ) - SELECT - arn AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.sg_name IS NULL THEN title || ' not in use.' - ELSE title || ' in use.' - END AS reason - FROM - aws_vpc_security_group AS s - LEFT JOIN associated_sg AS a - ON a.sg_name = s.group_name - WHERE - group_name LIKE 'launch-wizard%'; + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH associated_sg AS ( + SELECT + DISTINCT (sg ->> 'GroupName') AS sg_name + FROM + aws_ec2_network_interface, + JSONB_ARRAY_ELEMENTS(groups) AS sg + WHERE + (sg ->> 'GroupName') LIKE 'launch-wizard%' + ) + SELECT + arn AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.sg_name IS NULL THEN title || ' not in use.' + ELSE title || ' in use.' + END AS reason + FROM + aws_vpc_security_group AS s + LEFT JOIN associated_sg AS a + ON a.sg_name = s.group_name + WHERE + group_name LIKE 'launch-wizard%'; severity: low tags: {} 
diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml index bf41f450a..548c6ec0c 100644 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml 
@@ -1,74 +1,75 @@ id: aws_vpc_security_group_remote_administration title: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' -- all traffic - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- END AS reason, - sg.region, - sg.account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id + AND ( + (ip_protocol = '-1' -- all traffic + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 + ) + OR ( + from_port >= 3389 + AND to_port <= 3389 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + END AS reason, + sg.region, + sg.account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '5.2' - cis_level: - - '1' - cis_section_id: - - '5' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/VPC + category: + - Compliance + cis: + - "true" + cis_item_id: + - "5.2" + cis_level: + - "1" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml index 711dc6dfd..21c8b2a92 100644 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml 
@@ -1,69 +1,70 @@ id: aws_vpc_security_group_remote_administration_ipv4 title: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - ) - AND ( - (ip_protocol = '-1' - AND from_port IS NULL) - OR (from_port >= 22 - AND to_port <= 22) - OR (from_port >= 3389 - AND to_port <= 3389) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0.' 
- END AS reason, - sg.region, - sg.account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' + AND from_port IS NULL) + OR (from_port >= 22 + AND to_port <= 22) + OR (from_port >= 3389 + AND to_port <= 3389) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0.' + END AS reason, + sg.region, + sg.account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: critical tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '5.2' - cis_level: - - '1' - cis_section_id: - - '5' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/VPC + category: + - Compliance + cis: + - "true" + cis_item_id: + - "5.2" + cis_level: + - "1" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml index e2483291a..ac54253cc 100644 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml 
@@ -1,73 +1,74 @@ id: aws_vpc_security_group_remote_administration_ipv6 title: Ensure no security groups allow ingress from ::/0 to remote server administration ports +type: control description: Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' -- all traffic - AND from_port IS NULL) - OR ( - from_port >= 22 - AND to_port <= 22 - ) - OR ( - from_port >= 3389 - AND to_port <= 3389 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' 
- END AS reason, - sg.region, - sg.account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id + AND ( + (ip_protocol = '-1' -- all traffic + AND from_port IS NULL) + OR ( + from_port >= 22 + AND to_port <= 22 + ) + OR ( + from_port >= 3389 + AND to_port <= 3389 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' + END AS reason, + sg.region, + sg.account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id severity: critical tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '5.3' - cis_level: - - '1' - cis_section_id: - - '5' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/VPC + category: + - Compliance + cis: + - "true" + cis_item_id: + - "5.3" + cis_level: + - "1" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml index 8a27cf9b2..45cc1a3c4 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml 
@@ -1,84 +1,85 @@ id: aws_vpc_security_group_restrict_ingress_common_ports_all title: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 +type: control description: Manage access to resources in the AWS Cloud by ensuring common ports are restricted on AWS Elastic Compute Cloud (AWS EC2) security groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - OR (from_port >= 3389 AND to_port <= 3389) - OR (from_port >= 21 AND to_port <= 21) - OR (from_port >= 20 AND to_port <= 20) - OR (from_port >= 3306 AND to_port <= 3306) - OR (from_port >= 4333 AND to_port <= 4333) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 22 AND to_port <= 22) + OR (from_port >= 3389 AND to_port <= 3389) + OR (from_port >= 21 AND to_port <= 21) + OR (from_port >= 20 AND to_port <= 20) + OR (from_port >= 3306 AND to_port <= 3306) + OR (from_port >= 4333 AND to_port <= 4333) ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' 
- ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id; severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/VPC - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + 
nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/VPC + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml index 387480b6a..b358bfc52 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml 
@@ -1,50 +1,51 @@ id: aws_vpc_security_group_restrict_ingress_kafka_port title: VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0 +type: control description: AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_kafka_port AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR ( - from_port >= 9092 - AND to_port <= 9092 - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_kafka_port AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN k.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN k.group_id IS NULL THEN sg.group_id || ' ingress restricted for kafka port from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || k.num_ssh_rules || ' ingress rule(s) allowing kafka port from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_kafka_port AS k - ON k.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR ( + from_port >= 9092 + AND to_port <= 9092 + ) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN k.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN k.group_id IS NULL THEN sg.group_id || ' ingress restricted for kafka port from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || k.num_ssh_rules || ' ingress rule(s) allowing kafka port from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_kafka_port AS k + ON k.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml index 2d37a4bd0..d27089cda 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml 
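Review bot: The reason strings in the outer CASE say `from 0.0.0.0/0` while the CTE matches `cidr_ipv4 = '0.0.0.0/0' OR cidr_ipv6 = '::/0'`, so a group exposed only via IPv6 is reported with IPv4 wording and an operator triaging the alarm looks for the wrong rule. Use `from 0.0.0.0/0 or ::/0` in both branches, as the remote_administration control already does. The kibana hunk below has the same mismatch. In both hunks the count column is still named `num_ssh_rules` although it counts Kafka (or Kibana) rules; `num_kafka_rules` / `num_kibana_rules` would read correctly.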
@@ -1,48 +1,49 @@ id: aws_vpc_security_group_restrict_ingress_kibana_port title: VPC security groups should restrict ingress kibana port access from 0.0.0.0/0 +type: control description: AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_kibana_port AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 9200 AND to_port <= 9200) - OR (from_port >= 5601 AND to_port <= 5601) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_kibana_port AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN k.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN k.group_id IS NULL THEN sg.group_id || ' ingress restricted for kibana port from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || k.num_ssh_rules || ' ingress rule(s) allowing kibana port from 0.0.0.0/0.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_kibana_port AS k - ON k.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 9200 AND to_port <= 9200) + OR (from_port >= 5601 AND to_port <= 5601) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN k.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN k.group_id IS NULL THEN sg.group_id || ' ingress restricted for kibana port from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || k.num_ssh_rules || ' ingress rule(s) allowing kibana port from 0.0.0.0/0.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_kibana_port AS k + ON k.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml index 26a22d420..c577c0f33 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml 
@@ -1,64 +1,65 @@ id: aws_vpc_security_group_restrict_ingress_rdp_all title: Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 +type: control description: Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_rdp_rules AS ( - SELECT - group_id, - COUNT(*) AS num_rdp_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 3389 AND to_port <= 3389) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_rdp_rules AS ( + SELECT + group_id, + COUNT(*) AS num_rdp_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 3389 AND to_port <= 3389) ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_rdp_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_rdp_rules.group_id IS NULL THEN CONCAT(sg.group_id, ' ingress restricted for RDP from 0.0.0.0/0.') - ELSE CONCAT(sg.group_id, ' contains ', ingress_rdp_rules.num_rdp_rules, ' ingress rule(s) allowing RDP from 0.0.0.0/0.') - END AS reason, - sg.region, - sg.account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN - ingress_rdp_rules ON ingress_rdp_rules.group_id = sg.group_id + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_rdp_rules.group_id IS NULL THEN 
'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_rdp_rules.group_id IS NULL THEN CONCAT(sg.group_id, ' ingress restricted for RDP from 0.0.0.0/0.') + ELSE CONCAT(sg.group_id, ' contains ', ingress_rdp_rules.num_rdp_rules, ' ingress rule(s) allowing RDP from 0.0.0.0/0.') + END AS reason, + sg.region, + sg.account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN + ingress_rdp_rules ON ingress_rdp_rules.group_id = sg.group_id severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '4.2' - cis_level: - - '1' - cis_section_id: - - '4' - cis_type: - - scored - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/VPC + category: + - Compliance + cis: + - "true" + cis_item_id: + - "4.2" + cis_level: + - "1" + cis_section_id: + - "4" + cis_type: + - scored + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml index 3f784660a..41717c30c 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml 
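Review bot: The ingress_rdp_rules CTE filters on `cidr_ipv4 = '0.0.0.0/0'` only, so an ingress rule opened to `::/0` on 3389 is never counted, whereas the kibana and redis hunks in this same diff check both address families. If the omission is deliberate for the CIS v1.2.0 item 4.2 wording the tags reference, a one-line comment in the definition saying so would stop the next reader from "fixing" it; otherwise `AND (cidr_ipv4 = '0.0.0.0/0' OR cidr_ipv6 = '::/0')` brings it in line with the sibling controls. The same IPv4-only filter is in the ssh_all, tcp_udp_all and restricted_common_ports hunks. This hunk also builds the reason with CONCAT() while every sibling uses ||; both work in Postgres, but CONCAT() skips NULL arguments while || propagates them, so the two are not interchangeable on nullable columns.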
@@ -1,46 +1,47 @@ id: aws_vpc_security_group_restrict_ingress_redis_port title: VPC security groups should restrict ingress redis access from 0.0.0.0/0 +type: control description: AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_redis_port AS ( - SELECT - group_id, - COUNT(*) AS num_redis_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 6379 AND to_port <= 6379) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_redis_port AS ( + SELECT + group_id, + COUNT(*) AS num_redis_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - arn AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_redis_port.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_redis_port.group_id IS NULL THEN sg.group_id || ' restricted ingress from 0.0.0.0/0 or ::/0 to Redis port 6379.' - ELSE sg.group_id || ' contains ' || ingress_redis_port.num_redis_rules || ' ingress rule(s) from 0.0.0.0/0 or ::/0 to Redis port 6379.' 
- END AS reason - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_redis_port ON ingress_redis_port.group_id = sg.group_id; + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 6379 AND to_port <= 6379) + ) + GROUP BY + group_id + ) + SELECT + arn AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_redis_port.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_redis_port.group_id IS NULL THEN sg.group_id || ' restricted ingress from 0.0.0.0/0 or ::/0 to Redis port 6379.' + ELSE sg.group_id || ' contains ' || ingress_redis_port.num_redis_rules || ' ingress rule(s) from 0.0.0.0/0 or ::/0 to Redis port 6379.' + END AS reason + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_redis_port ON ingress_redis_port.group_id = sg.group_id; severity: low tags: {} diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml index 68130c4f3..7011ce272 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml 
@@ -1,85 +1,86 @@ id: aws_vpc_security_group_restrict_ingress_ssh_all title: VPC security groups should restrict ingress SSH access from 0.0.0.0/0 +type: control description: AWS Elastic Compute Cloud (AWS EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 22 AND to_port <= 22) ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL - THEN sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.' - ELSE - sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.' 
- END AS reason, - region, - account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL + THEN sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.' + ELSE + sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id severity: high tags: - audit_manager_control_tower: - - 'true' - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/VPC - soc_2: - - 'true' + audit_manager_control_tower: + - "true" + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/VPC + soc_2: + - "true" 
diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml index 7a4693102..2785f1683 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml 
@@ -1,82 +1,83 @@ id: aws_vpc_security_group_restrict_ingress_tcp_udp_all title: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0 +type: control description: Manage access to resources in the AWS Cloud by ensuring common ports are restricted on AWS Elastic Compute Cloud (AWS EC2) Security Groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH bad_rules AS ( - SELECT - group_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - ip_protocol IN ('tcp', 'udp') - OR ( - ip_protocol = '-1' - AND from_port IS NULL - ) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH bad_rules AS ( + SELECT + group_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + ip_protocol IN ('tcp', 'udp') + OR ( + ip_protocol = '-1' + AND from_port IS NULL + ) ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN bad_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to TCP or UDP ports from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to TCP or UDP ports from 0.0.0.0/0.' 
- END AS reason, - region, - account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN bad_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.group_id IS NULL THEN sg.group_id || ' does not allow ingress to TCP or UDP ports from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to TCP or UDP ports from 0.0.0.0/0.' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN bad_rules ON bad_rules.group_id = sg.group_id; severity: high tags: - category: - - Compliance - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/VPC - soc_2: - - 'true' + category: + - Compliance + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/VPC + soc_2: + - "true" 
diff --git a/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml index 20812ceb0..ee46360ed 100644 --- a/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml 
@@ -1,74 +1,75 @@ id: aws_vpc_security_group_restricted_common_ports title: Security groups should not allow unrestricted access to ports with high risk +type: control description: This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_ssh_rules AS ( - SELECT - group_id, - COUNT(*) AS num_ssh_rules - FROM - aws_vpc_security_group_rule - WHERE - type = 'ingress' - AND cidr_ipv4 = '0.0.0.0/0' - AND ( - (ip_protocol = '-1' AND from_port IS NULL) - OR (from_port >= 22 AND to_port <= 22) - OR (from_port >= 3389 AND to_port <= 3389) - OR (from_port >= 21 AND to_port <= 21) - OR (from_port >= 20 AND to_port <= 20) - OR (from_port >= 3306 AND to_port <= 3306) - OR (from_port >= 4333 AND to_port <= 4333) - OR (from_port >= 23 AND to_port <= 23) - OR (from_port >= 25 AND to_port <= 25) - OR (from_port >= 445 AND to_port <= 445) - OR (from_port >= 110 AND to_port <= 110) - OR (from_port >= 135 AND to_port <= 135) - OR (from_port >= 143 AND to_port <= 143) - OR (from_port >= 1433 AND to_port <= 1433) - OR (from_port >= 5432 AND to_port <= 5432) - OR (from_port >= 5500 AND to_port <= 5500) - OR (from_port >= 5601 AND to_port <= 5601) - OR (from_port >= 9200 AND to_port <= 9300) - OR (from_port >= 8080 AND to_port <= 8080) - ) - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_ssh_rules AS ( + SELECT + group_id, + COUNT(*) AS num_ssh_rules + FROM + aws_vpc_security_group_rule + WHERE + type = 'ingress' + AND cidr_ipv4 = '0.0.0.0/0' + AND ( + (ip_protocol = '-1' AND from_port IS NULL) + OR (from_port >= 22 AND to_port <= 22) + OR (from_port >= 
3389 AND to_port <= 3389) + OR (from_port >= 21 AND to_port <= 21) + OR (from_port >= 20 AND to_port <= 20) + OR (from_port >= 3306 AND to_port <= 3306) + OR (from_port >= 4333 AND to_port <= 4333) + OR (from_port >= 23 AND to_port <= 23) + OR (from_port >= 25 AND to_port <= 25) + OR (from_port >= 445 AND to_port <= 445) + OR (from_port >= 110 AND to_port <= 110) + OR (from_port >= 135 AND to_port <= 135) + OR (from_port >= 143 AND to_port <= 143) + OR (from_port >= 1433 AND to_port <= 1433) + OR (from_port >= 5432 AND to_port <= 5432) + OR (from_port >= 5500 AND to_port <= 5500) + OR (from_port >= 5601 AND to_port <= 5601) + OR (from_port >= 9200 AND to_port <= 9300) + OR (from_port >= 8080 AND to_port <= 8080) ) - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0.' - ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' - END AS reason, - sg.region, - sg.account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id + GROUP BY + group_id + ) + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ingress_ssh_rules.group_id IS NULL THEN sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0.' + ELSE sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' 
+ END AS reason, + sg.region, + sg.account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_ssh_rules ON ingress_ssh_rules.group_id = sg.group_id severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - security_group_configuration - foundational_security_item_id: - - ec2_19 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - security_group_configuration + foundational_security_item_id: + - ec2_19 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_vpc_security_group_unused.yaml b/compliance/controls/aws/aws_vpc_security_group_unused.yaml index 57d7c324e..fb13d34b7 100644 --- a/compliance/controls/aws/aws_vpc_security_group_unused.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_unused.yaml 
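Review bot: The CTE and its counter in this hunk are still named ingress_ssh_rules / num_ssh_rules although the predicate covers eighteen ports, so the names mislead anyone reading the status and reason logic. Renaming to `WITH ingress_high_risk_rules AS (` and `COUNT(*) AS num_high_risk_rules`, together with the two references in the outer SELECT and the LEFT JOIN, costs nothing and matches the control id. A one-line comment above the port list naming the standard it mirrors (the tags give foundational_security_item_id ec2_19) would also make the list auditable when the upstream set changes.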
@@ -1,59 +1,60 @@ id: aws_vpc_security_group_unused title: Unused EC2 security groups should be removed +type: control description: This AWS control checks that security groups are attached to AWS Elastic Compute Cloud (AWS EC2) instances or to an elastic network interface. The control will fail if the security group is not associated with an AWS EC2 instance or an elastic network interface. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH associated_sg AS ( - SELECT - sg ->> 'GroupId' AS secgrp_id - FROM - aws_ec2_network_interface, - jsonb_array_elements(groups) AS sg - GROUP BY - sg ->> 'GroupId' - UNION - SELECT - sg ->> 'GroupId' AS secgrp_id - FROM - aws_ec2_instance, - jsonb_array_elements(security_groups) AS sg - GROUP BY - sg ->> 'GroupId' - ) - SELECT - DISTINCT s.arn AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.secgrp_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.secgrp_id IS NOT NULL THEN s.title || ' is in use.' - ELSE s.title || ' not in use.' 
- END AS reason, - s.region, - s.account_id - FROM - aws_vpc_security_group AS s - LEFT JOIN associated_sg AS a - ON s.group_id = a.secgrp_id; + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH associated_sg AS ( + SELECT + sg ->> 'GroupId' AS secgrp_id + FROM + aws_ec2_network_interface, + jsonb_array_elements(groups) AS sg + GROUP BY + sg ->> 'GroupId' + UNION + SELECT + sg ->> 'GroupId' AS secgrp_id + FROM + aws_ec2_instance, + jsonb_array_elements(security_groups) AS sg + GROUP BY + sg ->> 'GroupId' + ) + SELECT + DISTINCT s.arn AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.secgrp_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.secgrp_id IS NOT NULL THEN s.title || ' is in use.' + ELSE s.title || ' not in use.' + END AS reason, + s.region, + s.account_id + FROM + aws_vpc_security_group AS s + LEFT JOIN associated_sg AS a + ON s.group_id = a.secgrp_id; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - inventory - foundational_security_item_id: - - ec2_22 - plugin: - - aws - service: - - AWS/EC2 + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - inventory + foundational_security_item_id: + - ec2_22 + plugin: + - aws + service: + - AWS/EC2 diff --git a/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml b/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml index c0b0288bb..e2705d7df 100644 --- a/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml +++ b/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml 
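Review bot: associated_sg only collects group ids from aws_ec2_network_interface and aws_ec2_instance, so a security group that is referenced solely from another group's rules is reported as 'not in use' and could be deleted on the strength of this alarm. A comment stating that scope above the CTE, or a third UNION branch over the rule table if it exposes the referenced group id, would prevent that misreading. The `DISTINCT` in the outer SELECT and the two `GROUP BY sg ->> 'GroupId'` clauses are redundant with the `UNION`, which already deduplicates secgrp_id, so the query can be written as a plain LEFT JOIN onto a unique set.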
@@ -1,56 +1,57 @@ id: aws_vpc_subnet_auto_assign_public_ip_disabled title: VPC subnet auto assign public IP should be disabled +type: control description: Ensure that AWS Virtual Private Cloud (AWS VPC) subnets are assigned a public IP address. The control is compliant if AWS VPC does not have subnets that are assigned a public IP address. The control is non-compliant if AWS VPC has subnets that are assigned a public IP address. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_subnet - definition: | - SELECT - subnet_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN map_public_ip_on_launch = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN map_public_ip_on_launch = 'false' THEN title || ' auto assign public IP disabled.' - ELSE title || ' auto assign public IP enabled.' - END AS reason, - region, - account_id - FROM - aws_vpc_subnet; + language: sql + primary_resource: aws_vpc_subnet + definition: | + SELECT + subnet_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN map_public_ip_on_launch = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN map_public_ip_on_launch = 'false' THEN title || ' auto assign public IP disabled.' + ELSE title || ' auto assign public IP enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_vpc_subnet; severity: high tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/VPC + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml b/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml index b30fb4143..595c56ad6 100644 --- a/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml +++ b/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml 
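Review bot: The description on the new side opens with "Ensure that AWS VPC subnets are assigned a public IP address", which is the opposite of the title and of the 'ok' branch (`map_public_ip_on_launch = 'false'`); it should read "Ensure that AWS VPC subnets do not auto-assign a public IP address" so the control's intent is not misread in reports. The comparison against the string literal 'false' also relies on Postgres casting the literal to the column's type; if map_public_ip_on_launch is boolean, `WHEN NOT map_public_ip_on_launch THEN 'ok'` states the intent directly. A NULL value falls through to 'alarm' in both forms, which is the safe default here and worth a short comment on the ELSE branch.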
@@ -1,67 +1,68 @@ id: aws_vpc_vpn_tunnel_up title: Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status +type: control description: Redundant Site-to-Site VPN tunnels can be implemented to achieve resilience requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_vpn_connection - definition: | - WITH filter_data AS ( - SELECT - arn, - COUNT(t ->> 'Status') - FROM - aws_vpc_vpn_connection, - jsonb_array_elements(vgw_telemetry) AS t - WHERE - t ->> 'Status' = 'UP' - GROUP BY - arn - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.count IS NULL OR b.count < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.count IS NULL THEN a.title || ' has both tunnels offline.' - WHEN b.count = 1 THEN a.title || ' has one tunnel offline.' - ELSE a.title || ' has both tunnels online.' - END AS reason, - region, - account_id - FROM - aws_vpc_vpn_connection AS a - LEFT JOIN - filter_data AS b ON a.arn = b.arn; + language: sql + primary_resource: aws_vpc_vpn_connection + definition: | + WITH filter_data AS ( + SELECT + arn, + COUNT(t ->> 'Status') + FROM + aws_vpc_vpn_connection, + jsonb_array_elements(vgw_telemetry) AS t + WHERE + t ->> 'Status' = 'UP' + GROUP BY + arn + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.count IS NULL OR b.count < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.count IS NULL THEN a.title || ' has both tunnels offline.' + WHEN b.count = 1 THEN a.title || ' has one tunnel offline.' + ELSE a.title || ' has both tunnels online.' 
+ END AS reason, + region, + account_id + FROM + aws_vpc_vpn_connection AS a + LEFT JOIN + filter_data AS b ON a.arn = b.arn; severity: medium tags: - category: - - Compliance - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_csf: - - 'true' - plugin: - - aws - service: - - AWS/VPC + category: + - Compliance + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/VPC diff --git a/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml b/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml index 3414a09ef..e2e98690a 100644 --- a/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml 
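Review bot: The filter_data CTE selects `COUNT(t ->> 'Status')` without an alias, and the outer query then depends on Postgres's implicit column name via `b.count`; an explicit `COUNT(t ->> 'Status') AS up_tunnel_count` with `b.up_tunnel_count` in the CASE branches removes that dependency and makes the threshold readable. The `b.count < 2` test hard-codes the two-tunnel model the title describes, so a one-line comment above the CASE saying a Site-to-Site connection carries exactly two tunnels would justify the literal for a reader unfamiliar with the service.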
@@ -1,40 +1,41 @@ id: aws_waf_regional_rule_condition_attached title: WAF regional rule should have at least one condition +type: control description: This control checks whether WAF regional rule contains any conditions. The control fails if no conditions are present within a rule. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafregional_rule - definition: | - SELECT - rule_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.' - ELSE title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.' - END AS reason, - region, - account_id - FROM - aws_wafregional_rule; + language: sql + primary_resource: aws_wafregional_rule + definition: | + SELECT + rule_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.' + ELSE title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.' 
+ END AS reason, + region, + account_id + FROM + aws_wafregional_rule; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - waf_2 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - waf_2 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml b/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml index 04037a6e0..f279a98e7 100644 --- a/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml 
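Review bot: `predicates IS NULL OR jsonb_array_length(predicates) = 0` guards only a SQL NULL; if the column ever holds a JSON null or an object rather than an array, jsonb_array_length raises and the whole control run fails instead of reporting 'alarm' for that rule. If the plugin cannot guarantee an array, a preceding branch `WHEN jsonb_typeof(predicates) <> 'array' THEN 'alarm'` in both CASE expressions keeps the evaluation total, since CASE stops at the first true WHEN. The rule_group and web_acl hunks that follow use the same pattern on activated_rules and rules.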
@@ -1,40 +1,41 @@ id: aws_waf_regional_rule_group_rule_attached title: WAF regional rule group should have at least one rule attached +type: control description: This control checks if WAF regional rule groups contain any rules. The rule is non-compliant if there are no rules present within a WAF regional rule group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafregional_rule_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.' - ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' - END AS reason, - region, - account_id - FROM - aws_wafregional_rule_group; + language: sql + primary_resource: aws_wafregional_rule_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.' + ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' 
+ END AS reason, + region, + account_id + FROM + aws_wafregional_rule_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - waf_3 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - waf_3 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml index bd33b8424..efdd76ea1 100644 --- a/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml 
@@ -1,40 +1,41 @@ id: aws_waf_regional_web_acl_rule_attached title: WAF regional web ACL should have at least one rule or rule group attached +type: control description: This control checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is non-compliant if there are no WAF rules or rule groups present within a Web ACL. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafregional_web_acl - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' - ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' - END AS reason, - region, - account_id - FROM - aws_wafregional_web_acl; + language: sql + primary_resource: aws_wafregional_web_acl + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' + ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' 
+ END AS reason, + region, + account_id + FROM + aws_wafregional_web_acl; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - waf_4 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - waf_4 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_rule_condition_attached.yaml b/compliance/controls/aws/aws_waf_rule_condition_attached.yaml index 5fa311dea..d5e0349ac 100644 --- a/compliance/controls/aws/aws_waf_rule_condition_attached.yaml +++ b/compliance/controls/aws/aws_waf_rule_condition_attached.yaml 
@@ -1,40 +1,41 @@ id: aws_waf_rule_condition_attached title: WAF global rule should have at least one condition +type: control description: This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_waf_rule - definition: | - SELECT - rule_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.' - ELSE title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.' - END AS reason, - region, - account_id - FROM - aws_waf_rule; + language: sql + primary_resource: aws_waf_rule + definition: | + SELECT + rule_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN predicates IS NULL OR jsonb_array_length(predicates) = 0 THEN title || ' has no attached conditions.' + ELSE title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.' + END AS reason, + region, + account_id + FROM + aws_waf_rule; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - waf_6 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - waf_6 + plugin: + - aws + service: + - AWS/WAF 
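Review bot: The new `definition` reports `rule_id AS resource` while every other WAF control in this change reports `arn AS resource`, so this control's findings key on a bare rule id rather than an ARN and will not line up with the ARN-based resource identity the sibling controls use. If `aws_waf_rule` exposes an `arn` column like the rule-group and web-ACL tables do, `arn AS resource,` keeps the resource key consistent across the WAF controls; otherwise a short comment on the `rule_id` line explaining why it differs would help the next maintainer. The check itself (`predicates IS NULL OR jsonb_array_length(predicates) = 0`) is sound.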
diff --git a/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml b/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml index d228dafd1..946c590af 100644 --- a/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml 
@@ -1,40 +1,41 @@ id: aws_waf_rule_group_rule_attached title: WAF global rule group should have at least one rule +type: control description: This control checks whether WAF global rule group has at least one rule. The control fails if no rules are present within a rule group. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_waf_rule_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.' - ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' - END AS reason, - region, - account_id - FROM - aws_waf_rule_group; + language: sql + primary_resource: aws_waf_rule_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN activated_rules IS NULL OR jsonb_array_length(activated_rules) = 0 THEN title || ' has no attached rules.' + ELSE title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' 
+ END AS reason, + region, + account_id + FROM + aws_waf_rule_group; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - waf_7 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - waf_7 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml b/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml index 8338c80b8..cdc046c24 100644 --- a/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml 
@@ -1,40 +1,41 @@ id: aws_waf_web_acl_logging_enabled title: WAF web ACL logging should be enabled +type: control description: To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_waf_web_acl - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging_configuration IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN logging_configuration IS NULL THEN title || ' logging disabled.' - ELSE title || ' logging enabled.' - END AS reason, - region, - account_id - FROM - aws_waf_web_acl; + language: sql + primary_resource: aws_waf_web_acl + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging_configuration IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN logging_configuration IS NULL THEN title || ' logging disabled.' + ELSE title || ' logging enabled.' + END AS reason, + region, + account_id + FROM + aws_waf_web_acl; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - logging - foundational_security_item_id: - - waf_1 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - logging + foundational_security_item_id: + - waf_1 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml b/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml index 8b762d781..961f4040b 100644 --- a/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml 
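Review bot: The description promises coverage of "regional and global web ACLs" but the SQL reads only `aws_waf_web_acl`, so a WAF Classic regional web ACL with no logging configuration — the `aws_wafregional_web_acl` table the neighbouring controls query — produces no finding from this control at all. Either narrow the description to global web ACLs or add a second SELECT over `aws_wafregional_web_acl` with the same `logging_configuration IS NULL` test, combined with `UNION ALL`. Presence of `logging_configuration` is also taken as proof that logging works; nothing checks the destination, so a comment above the CASE such as `-- only tests that a logging configuration exists; destination health is not verified` would set expectations for operators.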
@@ -1,38 +1,39 @@ id: aws_waf_web_acl_resource_associated title: WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions +type: control description: This control checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafregional_web_acl - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(resources) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(resources) > 0 THEN title || ' associated with ' || jsonb_array_length(resources) || ' AWS resource(s).' - ELSE title || ' not associated with AWS resource.' - END AS reason, - region, - account_id - FROM - aws_wafregional_web_acl; + language: sql + primary_resource: aws_wafregional_web_acl + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(resources) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(resources) > 0 THEN title || ' associated with ' || jsonb_array_length(resources) || ' AWS resource(s).' + ELSE title || ' not associated with AWS resource.' + END AS reason, + region, + account_id + FROM + aws_wafregional_web_acl; severity: medium tags: - category: - - Compliance - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - service: - - AWS/WAF + category: + - Compliance + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml index e49193eac..490134e93 100644 
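Review bot: The title and description say the web ACL should be associated with "an Application Load Balancer, API Gateway stage, or CloudFront distributions", but the query reads only `aws_wafregional_web_acl`; regional WAF Classic web ACLs are not the ones CloudFront uses, and the global `aws_waf_web_acl` table is not checked at all, so a global web ACL that protects nothing is never reported. Either drop CloudFront from the wording or add a `UNION ALL` over `aws_waf_web_acl`. Separately, `jsonb_array_length(resources) > 0` relies on a NULL `resources` column falling through to `ELSE 'alarm'`; the sibling controls spell this out with `resources IS NULL OR ...`, and `COALESCE(jsonb_array_length(resources), 0) > 0` would make the intent explicit here.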
--- a/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml 
@@ -1,40 +1,41 @@ id: aws_waf_web_acl_rule_attached title: WAF global web ACL should have at least one rule or rule group +type: control description: This control checks whether WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_waf_web_acl - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' - ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' - END AS reason, - region, - account_id - FROM - aws_waf_web_acl; + language: sql + primary_resource: aws_waf_web_acl + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' + ELSE title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' + END AS reason, + region, + account_id + FROM + aws_waf_web_acl; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - resource_configuration - foundational_security_item_id: - - waf_8 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - resource_configuration + foundational_security_item_id: + - waf_8 + plugin: + - aws + service: + - AWS/WAF 
diff --git a/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml b/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml index 0b7e21006..f057698d9 100644 --- a/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml +++ b/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml @@ -1,26 +1,27 @@ id: aws_wafv2_rule_group_logging_enabled title: AWS WAF rules should have CloudWatch metrics enabled +type: control description: This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafv2_rule_group - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN title || ' logging enabled.' - ELSE title || ' logging disabled.' - END AS reason - FROM - aws_wafv2_rule_group; + language: sql + primary_resource: aws_wafv2_rule_group + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (visibility_config ->> 'CloudWatchMetricsEnabled')::bool THEN title || ' logging enabled.' + ELSE title || ' logging disabled.' + END AS reason + FROM + aws_wafv2_rule_group; severity: low tags: {} diff --git a/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml b/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml index b72cffcbd..b89748b67 100644 
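Review bot: The reason strings say `' logging enabled.'` / `' logging disabled.'` but the CASE tests `visibility_config ->> 'CloudWatchMetricsEnabled'`, which is a metrics switch, not WAF logging (logging lives on the web ACL's logging configuration and is covered by the separate wafv2 web ACL control), so an operator reading "logging disabled" will look for the wrong remediation. Suggest `THEN title || ' CloudWatch metrics enabled.'` and `ELSE title || ' CloudWatch metrics disabled.'`; the control id `aws_wafv2_rule_group_logging_enabled` is misnamed for the same reason, though renaming it may break references. The description also claims to check "rule or rule group", yet only `aws_wafv2_rule_group` is queried; rules embedded in a web ACL carry their own visibility_config and are not inspected. This SELECT is additionally the only WAF control in the change that omits `region, account_id` from its output columns.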
--- a/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml +++ b/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml 
@@ -1,66 +1,67 @@ id: aws_wafv2_web_acl_logging_enabled title: Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs) +type: control description: To help with logging and monitoring within your environment, enable AWS WAF (V2) logging on regional and global web ACLs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafv2_web_acl - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN logging_configuration IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN logging_configuration IS NULL THEN title || ' logging disabled.' - ELSE title || ' logging enabled.' - END AS reason, - region, - account_id - FROM - aws_wafv2_web_acl; + language: sql + primary_resource: aws_wafv2_web_acl + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN logging_configuration IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN logging_configuration IS NULL THEN title || ' logging disabled.' + ELSE title || ' logging enabled.' 
+ END AS reason, + region, + account_id + FROM + aws_wafv2_web_acl; severity: medium tags: - category: - - Compliance - cis_controls_v8_ig1: - - 'true' - cisa_cyber_essentials: - - 'true' - fedramp_low_rev_4: - - 'true' - fedramp_moderate_rev_4: - - 'true' - ffiec: - - 'true' - gdpr: - - 'true' - gxp_21_cfr_part_11: - - 'true' - hipaa_final_omnibus_security_rule_2013: - - 'true' - hipaa_security_rule_2003: - - 'true' - nist_800_53_rev_4: - - 'true' - nist_800_53_rev_5: - - 'true' - nist_800_171_rev_2: - - 'true' - nist_csf: - - 'true' - pci_dss_v321: - - 'true' - plugin: - - aws - rbi_cyber_security: - - 'true' - service: - - AWS/WAFv2 - soc_2: - - 'true' + category: + - Compliance + cis_controls_v8_ig1: + - "true" + cisa_cyber_essentials: + - "true" + fedramp_low_rev_4: + - "true" + fedramp_moderate_rev_4: + - "true" + ffiec: + - "true" + gdpr: + - "true" + gxp_21_cfr_part_11: + - "true" + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_security_rule_2003: + - "true" + nist_800_171_rev_2: + - "true" + nist_800_53_rev_4: + - "true" + nist_800_53_rev_5: + - "true" + nist_csf: + - "true" + pci_dss_v321: + - "true" + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS/WAFv2 + soc_2: + - "true" diff --git a/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml index c7d3d48a6..20757043d 100644 --- a/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml 
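Review bot: `logging_configuration IS NULL` is the whole test, so any non-NULL configuration passes as `ok` regardless of content; in WAFv2 a logging configuration can carry a logging filter whose default behaviour is DROP with no KEEP filters, which logs effectively nothing while still satisfying this check. If the `logging_configuration` JSON carries `LoggingFilter`, a practitioner would want at least a comment on the CASE noting that filter contents are not evaluated, or an extra branch along the lines of `WHEN logging_configuration -> 'LoggingFilter' ->> 'DefaultBehavior' = 'DROP' AND jsonb_array_length(logging_configuration -> 'LoggingFilter' -> 'Filters') = 0 THEN 'alarm'` — I have not verified the column's key names, so treat that as a sketch to confirm against the table schema. The rest of the hunk (tag reordering and re-indentation) is cosmetic.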
@@ -1,55 +1,56 @@ id: aws_wafv2_web_acl_rule_attached title: A WAFV2 web ACL should have at least one rule or rule group +type: control description: This control checks whether a WAFV2 web access control list (web ACL) contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_wafv2_web_acl - definition: | - WITH rule_group_count AS ( - SELECT - arn, - COUNT(*) AS rule_group_count - FROM - aws_wafv2_web_acl, - jsonb_array_elements(rules) AS r - WHERE - r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' IS NOT NULL - GROUP BY - arn - ) - SELECT - a.arn AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' - ELSE title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.' 
- END AS reason, - region, - account_id - FROM - aws_wafv2_web_acl AS a - LEFT JOIN rule_group_count AS c - ON - c.arn = a.arn; + language: sql + primary_resource: aws_wafv2_web_acl + definition: | + WITH rule_group_count AS ( + SELECT + arn, + COUNT(*) AS rule_group_count + FROM + aws_wafv2_web_acl, + jsonb_array_elements(rules) AS r + WHERE + r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' IS NOT NULL + GROUP BY + arn + ) + SELECT + a.arn AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN rules IS NULL OR jsonb_array_length(rules) = 0 THEN title || ' has no attached rules.' + ELSE title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.' + END AS reason, + region, + account_id + FROM + aws_wafv2_web_acl AS a + LEFT JOIN rule_group_count AS c + ON + c.arn = a.arn; severity: medium tags: - aws_foundational_security: - - 'true' - category: - - Compliance - foundational_security_category: - - secure_network_configuration - foundational_security_item_id: - - waf_10 - plugin: - - aws - service: - - AWS/WAF + aws_foundational_security: + - "true" + category: + - Compliance + foundational_security_category: + - secure_network_configuration + foundational_security_item_id: + - waf_10 + plugin: + - aws + service: + - AWS/WAF diff --git a/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml b/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml index 7e9f8d7d9..41b07d2c6 100644 --- a/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml 
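Review bot: The `ok` branch of the reason CASE concatenates `c.rule_group_count`, which is NULL for every web ACL whose rules contain no `RuleGroupReferenceStatement` (the CTE only emits rows for ACLs with at least one rule-group reference and the join is a LEFT JOIN), so `||` with NULL in Postgres makes the whole `reason` NULL for the most common configuration — a web ACL of plain rules. Replace both uses with a COALESCE: `ELSE title || ' has ' || COALESCE(c.rule_group_count, 0) || ' rule group(s) and ' || (jsonb_array_length(rules) - COALESCE(c.rule_group_count, 0)) || ' rule(s) attached.'`. Note also that managed rule groups are referenced through `ManagedRuleGroupStatement`, not `RuleGroupReferenceStatement`, so the "rule group(s)" count undercounts any ACL that uses AWS managed rules; the status is unaffected because it only tests `jsonb_array_length(rules)`.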
@@ -1,31 +1,32 @@ id: aws_workspaces_workspace_volume_encryption_enabled title: WorkSpaces root and user volume encryption should be enabled +type: control description: To help protect data at rest, ensure encryption is enabled for your WorkSpaces root and user volumes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_workspaces_workspace - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, + language: sql + primary_resource: aws_workspaces_workspace + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN user_volume_encryption_enabled AND root_volume_encryption_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN user_volume_encryption_enabled AND root_volume_encryption_enabled THEN title || ' user and root volume encryption enabled.' + ELSE CASE - WHEN user_volume_encryption_enabled AND root_volume_encryption_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN user_volume_encryption_enabled AND root_volume_encryption_enabled THEN title || ' user and root volume encryption enabled.' - ELSE - CASE - WHEN NOT user_volume_encryption_enabled AND NOT root_volume_encryption_enabled THEN title || ' user and root volume encryption disabled.' - WHEN NOT root_volume_encryption_enabled THEN title || ' root volume encryption disabled.' - ELSE title || ' user volume encryption disabled.' - END - END AS reason - FROM - aws_workspaces_workspace; + WHEN NOT user_volume_encryption_enabled AND NOT root_volume_encryption_enabled THEN title || ' user and root volume encryption disabled.' + WHEN NOT root_volume_encryption_enabled THEN title || ' root volume encryption disabled.' + ELSE title || ' user volume encryption disabled.' 
+ END + END AS reason + FROM + aws_workspaces_workspace; severity: low tags: {} diff --git a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml index de05f6b7a..e0c35ed9a 100644 --- a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml +++ b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml 
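Review bot: Both boolean columns are used in `user_volume_encryption_enabled AND root_volume_encryption_enabled` without NULL handling, so a NULL in either lands in `alarm` (acceptable) but the reason CASE then mis-describes it: with `root_volume_encryption_enabled` NULL, `NOT root_volume_encryption_enabled` is NULL and the inner CASE falls through to `title || ' user volume encryption disabled.'`, blaming the wrong volume. Wrap the columns as `COALESCE(user_volume_encryption_enabled, false)` and `COALESCE(root_volume_encryption_enabled, false)` in both CASEs (or add an explicit `IS NULL` branch with its own reason) so the message matches the status. This control also omits the `region, account_id` output columns that the other AWS controls in this change emit, and ships with `tags: {}`, so it will not roll up into any framework view.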
@@ -1,50 +1,51 @@ id: azure_ad_guest_user_reviewed_monthly title: Ensure guest users are reviewed on a monthly basis +type: control description: Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::timestamp <= (current_date - interval '30' day) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(day FROM current_timestamp - u.created_date_time::timestamp) || ' days ago.' - END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN - azure_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::timestamp <= (current_date - interval '30' day) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' + ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(day FROM current_timestamp - u.created_date_time::timestamp) || ' days ago.' 
+ END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN + azure_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.3' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/ActiveDirectory + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.3" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml b/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml index 1be5ff8f6..a822dbadc 100644 --- a/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml +++ b/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml 
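Review bot: `u.display_name AS resource` uses a non-unique, guest-settable attribute as the finding's resource key, so two guests with the same display name collapse into one finding and a guest who renames themselves changes identity between runs; the directory object id (whatever unique identifier `entraid_user` exposes, e.g. `u.id AS resource`) should be the key, with display_name kept only in the reason. The status logic also makes every guest older than 30 days a permanent `alarm` because the query has no evidence that a review happened; that is a reasonable proxy for a CIS control but should be stated above the CASE, e.g. `-- no review evidence is available; account age > 30 days is used as a proxy and stays in alarm until the guest is removed`. Because display_name is controlled by the guest and concatenated into `reason`, downstream renderers should treat that text as untrusted.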
@@ -1,27 +1,28 @@ id: azure_apimanagement_service_client_certificate_enabled title: API Management client certificate should be enabled +type: control description: Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_api_management - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_client_certificate THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_client_certificate THEN a.name || ' client certificate enabled.' - ELSE a.name || ' client certificate disabled.' - END AS reason - FROM - azure_api_management a, - azure_subscription sub; + language: sql + primary_resource: azure_api_management + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_client_certificate THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_client_certificate THEN a.name || ' client certificate enabled.' + ELSE a.name || ' client certificate disabled.' + END AS reason + FROM + azure_api_management a, + azure_subscription sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml b/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml index ac0791603..550c03482 100644 --- a/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml +++ b/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml 
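Review bot: `FROM azure_api_management a, azure_subscription sub` is a comma join with no join condition and `sub` is never referenced in the SELECT, so the control returns one row per API Management service per subscription row — duplicated findings as soon as the integration yields more than one subscription. Either drop `azure_subscription sub` entirely (nothing uses it) or make the relationship explicit, e.g. `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id`, assuming both tables expose `subscription_id` as the Steampipe Azure tables do. The same pattern recurs in the neighbouring Azure controls in this change.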
@@ -1,30 +1,31 @@ id: azure_apimanagement_service_with_virtual_network title: API Management services should use a virtual network +type: control description: Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_api_management - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN virtual_network_type != 'None' THEN 'ok' - ELSE 'alarm' - END AS status, - a.name || ' Virtual network is set to ' || virtual_network_type AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_api_management a, - azure_subscription sub; + language: sql + primary_resource: azure_api_management + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN virtual_network_type != 'None' THEN 'ok' + ELSE 'alarm' + END AS status, + a.name || ' Virtual network is set to ' || virtual_network_type AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_api_management a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/APIManagement + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/APIManagement 
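Review bot: `virtual_network_type != 'None'` evaluates to NULL when the column is NULL, which routes the row to `ELSE 'alarm'` but then `a.name || ' Virtual network is set to ' || virtual_network_type` yields a NULL reason for that finding. Use `COALESCE(virtual_network_type, 'None')` in both the CASE and the reason so the message survives. The `FROM azure_api_management a, azure_subscription sub` comma join has no ON condition, so `sub.display_name AS subscription` is not tied to the service's own subscription and each service is reported once per subscription row; join on the subscription id instead (`INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id`, if both tables expose it).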
diff --git a/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml b/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml index e0c59b7c9..581b46a88 100644 --- a/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml @@ -1,27 +1,28 @@ id: azure_app_configuration_encryption_enabled title: App Configuration encryption should be enabled +type: control description: Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_configuration - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption -> 'keyVaultProperties' ->> 'keyIdentifier' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption -> 'keyVaultProperties' ->> 'keyIdentifier' IS NOT NULL THEN a.name || ' encryption enabled.' - ELSE a.name || ' encryption disabled.' - END AS reason - FROM - azure_app_configuration AS a, - azure_subscription AS sub; + language: sql + primary_resource: azure_app_configuration + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption -> 'keyVaultProperties' ->> 'keyIdentifier' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption -> 'keyVaultProperties' ->> 'keyIdentifier' IS NOT NULL THEN a.name || ' encryption enabled.' + ELSE a.name || ' encryption disabled.' + END AS reason + FROM + azure_app_configuration AS a, + azure_subscription AS sub; severity: low tags: {} 
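Review bot: The reason strings say `' encryption enabled.'` / `' encryption disabled.'`, but the test is `encryption -> 'keyVaultProperties' ->> 'keyIdentifier' IS NOT NULL`, i.e. whether a customer-managed key is configured; App Configuration data is encrypted at rest with platform-managed keys regardless, so "encryption disabled" overstates the finding and the title/description should talk about customer-managed keys. Suggest `THEN a.name || ' uses a customer-managed key.'` and `ELSE a.name || ' does not use a customer-managed key.'`. As the private-link control in this change does, the free tier likely cannot satisfy this check and may deserve a `WHEN sku_name = 'free' THEN 'skip'` branch — worth confirming against the SKU documentation. `azure_subscription AS sub` is cross-joined and unused here as well.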
diff --git a/compliance/controls/azure/azure_app_configuration_private_link_used.yaml b/compliance/controls/azure/azure_app_configuration_private_link_used.yaml index f800d3118..4dc86478e 100644 --- a/compliance/controls/azure/azure_app_configuration_private_link_used.yaml +++ b/compliance/controls/azure/azure_app_configuration_private_link_used.yaml 
@@ -1,37 +1,38 @@ id: azure_app_configuration_private_link_used title: App Configuration should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_configuration - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name = 'free' THEN 'skip' - WHEN public_network_access = 'Enabled' AND private_endpoint_connections IS NULL THEN 'alarm' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_name = 'free' THEN a.name || ' is of ' || sku_name || ' tier.' - WHEN public_network_access = 'Enabled' AND private_endpoint_connections IS NULL THEN ' using public networks.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_configuration AS a, - azure_subscription AS sub; + language: sql + primary_resource: azure_app_configuration + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name = 'free' THEN 'skip' + WHEN public_network_access = 'Enabled' AND private_endpoint_connections IS NULL THEN 'alarm' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_name = 'free' THEN a.name || ' is of ' || sku_name || ' tier.' + WHEN public_network_access = 'Enabled' AND private_endpoint_connections IS NULL THEN ' using public networks.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' + ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_configuration AS a, + azure_subscription AS sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppConfiguration + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppConfiguration diff --git a/compliance/controls/azure/azure_app_configuration_sku_standard.yaml b/compliance/controls/azure/azure_app_configuration_sku_standard.yaml index c290c515a..7c2b64103 100644 --- a/compliance/controls/azure/azure_app_configuration_sku_standard.yaml +++ b/compliance/controls/azure/azure_app_configuration_sku_standard.yaml 
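Review bot: The second reason branch, `WHEN public_network_access = 'Enabled' AND private_endpoint_connections IS NULL THEN ' using public networks.'`, drops the `a.name ||` prefix every other branch carries, so the alarm text starts with a bare space and does not identify the store; it should read `THEN a.name || ' using public networks.'`. Note also that the ok branch accepts a store with an approved private endpoint even while `public_network_access` is still `'Enabled'`; if the control's intent is private-link only, that combination probably deserves a distinct status and reason, but that is a question for the author rather than a defect in the re-indent.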
@@ -1,24 +1,25 @@ id: azure_app_configuration_sku_standard title: App Configuration should use standard SKU +type: control description: Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_configuration - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name = 'standard' THEN 'ok' - ELSE 'alarm' - END AS status, - a.name || ' has ' || sku_name || ' SKU tier.' AS reason - FROM - azure_app_configuration AS a, - azure_subscription AS sub; + language: sql + primary_resource: azure_app_configuration + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name = 'standard' THEN 'ok' + ELSE 'alarm' + END AS status, + a.name || ' has ' || sku_name || ' SKU tier.' AS reason + FROM + azure_app_configuration AS a, + azure_subscription AS sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml b/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml index a395f0e8f..e7a4ac96e 100644 --- a/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml 
@@ -1,46 +1,47 @@ id: azure_app_service_environment_internal_encryption_enabled title: App Service Environment should enable internal encryption +type: control description: Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_environment - definition: | - WITH app_service_environment AS ( - SELECT - DISTINCT id AS id - FROM - azure_app_service_environment, - jsonb_array_elements(cluster_settings) AS s - WHERE - s ->> 'name' = 'InternalEncryption' - AND s ->> 'value' = 'true' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NOT NULL THEN a.title || ' internal encryption enabled.' - ELSE a.name || ' internal encryption disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_environment AS a - LEFT JOIN app_service_environment AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_environment + definition: | + WITH app_service_environment AS ( + SELECT + DISTINCT id AS id + FROM + azure_app_service_environment, + jsonb_array_elements(cluster_settings) AS s + WHERE + s ->> 'name' = 'InternalEncryption' + AND s ->> 'value' = 'true' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NOT NULL THEN a.title || ' internal encryption enabled.' + ELSE a.name || ' internal encryption disabled.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_environment AS a + LEFT JOIN app_service_environment AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml b/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml index e2789fe9d..787ff8805 100644 --- a/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml +++ b/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml 
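Review bot: The two reason branches name the resource inconsistently: the ok branch uses `a.title || ' internal encryption enabled.'` while the alarm branch uses `a.name || ' internal encryption disabled.'`, so the same environment prints different identifiers depending on outcome. Pick one (the other Azure controls in this diff use `a.name`) so findings are greppable by a single field. The `LEFT JOIN app_service_environment AS b ON a.id = b.id, azure_subscription AS sub` mixes an explicit join with a comma join; `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` would make the subscription filter part of the join instead of a trailing `WHERE`.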
@@ -1,36 +1,37 @@ id: azure_application_gateway_waf_enabled title: Web Application Firewall (WAF) should be enabled for Application Gateway +type: control description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_application_gateway - definition: | - SELECT - ag.id AS resource, - ag.platform_integration_id AS platform_integration_id, - ag.platform_resource_id AS platform_resource_id, - CASE - WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.' - ELSE ag.name || ' WAF disabled.' - END AS reason, - ag.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_application_gateway AS ag - JOIN - azure_subscription AS sub - ON - sub.subscription_id = ag.subscription_id; + language: sql + primary_resource: azure_application_gateway + definition: | + SELECT + ag.id AS resource, + ag.platform_integration_id AS platform_integration_id, + ag.platform_resource_id AS platform_resource_id, + CASE + WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN web_application_firewall_configuration IS NOT NULL THEN ag.name || ' WAF enabled.' + ELSE ag.name || ' WAF disabled.' 
+ END AS reason, + ag.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_application_gateway AS ag + JOIN + azure_subscription AS sub + ON + sub.subscription_id = ag.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Network + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml b/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml index dbda4a374..5c426af4e 100644 --- a/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml +++ b/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml 
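Review bot: `WHEN web_application_firewall_configuration IS NOT NULL THEN 'ok'` treats the mere presence of the configuration object as the WAF being on, but that object carries its own enabled flag, so a gateway whose WAF was switched off while the config block remains would still report `' WAF enabled.'`; presumably the check should be something like `web_application_firewall_configuration ->> 'enabled' = 'true'` — verify the key name against a real row of the column. Conversely, gateways that attach a separate WAF policy resource instead of the inline configuration would, if the table exposes that reference as a different column, land in the alarm branch despite having a WAF; that path is worth covering before this control is relied on for the NIST tag it carries.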
@@ -1,29 +1,30 @@ id: azure_application_gateway_waf_uses_specified_mode title: Web Application Firewall (WAF) should use the specified mode for Application Gateway +type: control description: Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_application_gateway - definition: | - SELECT - ag.id AS resource, - ag.platform_integration_id AS platform_integration_id, - ag.platform_resource_id AS platform_resource_id, - CASE - WHEN (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') IN ('Prevention', 'Detection') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') IN ('Prevention', 'Detection') THEN ag.name || ' WAF mode is set to ' || (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') || '.' - ELSE ag.name || ' WAF mode is not set to Prevention or Detection mode.' - END AS reason - FROM - azure_application_gateway AS ag - JOIN - azure_subscription AS sub - ON sub.subscription_id = ag.subscription_id; + language: sql + primary_resource: azure_application_gateway + definition: | + SELECT + ag.id AS resource, + ag.platform_integration_id AS platform_integration_id, + ag.platform_resource_id AS platform_resource_id, + CASE + WHEN (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') IN ('Prevention', 'Detection') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') IN ('Prevention', 'Detection') THEN ag.name || ' WAF mode is set to ' || (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') || '.' + ELSE ag.name || ' WAF mode is not set to Prevention or Detection mode.' 
+ END AS reason + FROM + azure_application_gateway AS ag + JOIN + azure_subscription AS sub + ON sub.subscription_id = ag.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml b/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml index eaea8941b..d1204dc84 100644 --- a/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml +++ b/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml 
@@ -1,31 +1,32 @@ id: azure_application_insights_block_log_ingestion_and_querying_from_public title: Application Insights components should block log ingestion and querying from public networks -description: Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. +type: control +description: "Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_application_insight - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'microsoft.insights/components' - AND public_network_access_for_ingestion = 'Enabled' - AND public_network_access_for_query = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'microsoft.insights/components' - AND public_network_access_for_ingestion = 'Enabled' - AND public_network_access_for_query = 'Enabled' THEN a.name || ' allows log ingestion and querying from public network.' - ELSE a.name || ' does not allow log ingestion and querying from public network.' 
- END AS reason - FROM - azure_application_insight AS a - LEFT JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_application_insight + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'microsoft.insights/components' + AND public_network_access_for_ingestion = 'Enabled' + AND public_network_access_for_query = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'microsoft.insights/components' + AND public_network_access_for_ingestion = 'Enabled' + AND public_network_access_for_query = 'Enabled' THEN a.name || ' allows log ingestion and querying from public network.' + ELSE a.name || ' does not allow log ingestion and querying from public network.' + END AS reason + FROM + azure_application_insight AS a + LEFT JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml index 6adc8843e..257ecbc9a 100644 --- a/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml 
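Review bot: The status logic is inverted relative to the control's title: `public_network_access_for_ingestion = 'Enabled' AND public_network_access_for_query = 'Enabled' THEN 'ok'` marks components that accept public ingestion and queries as compliant, and the matching reason branch even says `' allows log ingestion and querying from public network.'` for the ok row. Since the reason strings already describe the condition correctly, the fix is to swap the two status outcomes: `... = 'Enabled' THEN 'alarm'` and `ELSE 'ok'`. A component with only one of the two flags `'Enabled'` currently also lands in the else branch, so consider whether partial exposure should alarm as well (`OR` instead of `AND`); as written every exposed component is reported as passing.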
@@ -1,54 +1,55 @@ id: azure_appservice_api_app_client_certificates_on title: App Service apps should have Client Certificates (Incoming client certificates) enabled +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN client_cert_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN client_cert_enabled THEN a.name || ' client certificate enabled.' - ELSE a.name || ' client certificate disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN client_cert_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' 
+ WHEN client_cert_enabled THEN a.name || ' client certificate enabled.' + ELSE a.name || ' client certificate disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml index 381fc267b..318b4b9d2 100644 --- a/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml 
@@ -1,54 +1,55 @@ id: azure_appservice_api_app_cors_no_star title: App Service apps should not have CORS configured to allow every resource to access your apps +type: control description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN a.name || ' CORS allow all domains to access the application.' - ELSE a.name || ' CORS does not allow all domains to access the application.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN a.name || ' CORS allow all domains to access the application.' + ELSE a.name || ' CORS does not allow all domains to access the application.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml index 171005018..a8d1bff78 100644 --- a/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml 
@@ -1,53 +1,54 @@ id: azure_appservice_api_app_ftps_enabled title: FTPS only should be required in your API App +type: control description: Enable FTPS enforcement for enhanced security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' - ELSE a.name || ' FTPS enabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b - ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' 
+ ELSE a.name || ' FTPS enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b + ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml index b99d6b98a..ddd507d68 100644 --- a/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml 
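Review bot: `WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' ELSE 'ok'` lets a missing `ftpsState` fall through to `' FTPS enabled.'` (a NULL comparison is UNKNOWN, so the first branch never matches), reporting a setting the query could not observe as compliant. The same fail-open shape is in azure_appservice_api_app_latest_tls_version (`->> 'minTlsVersion' < '1.2'`, which is also a text comparison — fine for the current `1.x` values but worth a comment) and azure_appservice_api_app_use_https (`WHEN NOT https_only`). Either add an explicit `WHEN configuration -> 'properties' ->> 'ftpsState' IS NULL THEN 'info'` branch with a reason such as `' FTPS state could not be determined.'`, or comment that a missing value is intentionally treated as enabled.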
@@ -1,54 +1,55 @@ id: azure_appservice_api_app_latest_tls_version title: App Service apps should use the latest TLS version +type: control description: Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN a.name || ' not using the latest version of TLS encryption.' - ELSE a.name || ' using the latest version of TLS encryption.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN a.name || ' not using the latest version of TLS encryption.' + ELSE a.name || ' using the latest version of TLS encryption.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml index abe416a3d..a9e278210 100644 --- a/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml 
@@ -1,39 +1,40 @@ id: azure_appservice_api_app_remote_debugging_disabled title: App Service apps should have remote debugging turned off +type: control description: Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN kind <> 'api' THEN 'skip' - WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN kind <> 'api' THEN name || ' is of ' || kind || ' type.' - WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.' - ELSE name || ' remote debugging enabled.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN kind <> 'api' THEN 'skip' + WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN kind <> 'api' THEN name || ' is of ' || kind || ' type.' + WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.' + ELSE name || ' remote debugging enabled.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_use_https.yaml b/compliance/controls/azure/azure_appservice_api_app_use_https.yaml index aa6101e8b..e974c4b41 100644 --- a/compliance/controls/azure/azure_appservice_api_app_use_https.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_use_https.yaml 
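Review bot: `WHEN kind <> 'api' THEN 'skip'` compares the whole `kind` string, whereas every other api-app control in this diff splits it with `UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ','))` and matches `elem LIKE '%api'`, so an app whose kind is a comma-separated list containing `api` is evaluated by those controls but skipped here with `' is of ' || kind || ' type.'`. Reusing the `all_api_app` CTE and `WHEN b.id IS NULL THEN 'skip'` from the sibling hunks would make the evaluated population consistent across the set. The `= 'false'` test on `remoteDebuggingEnabled` sends a missing value to the alarm branch, which is the safe direction, but it differs from the fail-open handling in the ftps/tls/https siblings and deserves a one-line comment either way.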
@@ -1,56 +1,57 @@ id: azure_appservice_api_app_use_https title: App Service API apps should only be accessible over HTTPS +type: control description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + unnest(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - unnest(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN NOT https_only THEN a.name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE a.name || ' redirects all HTTP traffic to HTTPS.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN NOT https_only THEN a.name || ' does not redirect all HTTP traffic to HTTPS.' 
+ ELSE a.name || ' redirects all HTTP traffic to HTTPS.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml index 049a1518c..94e779723 100644 --- a/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml 
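Review bot: `WHEN NOT https_only THEN 'alarm'` falls through to `'ok'` when `https_only` is NULL, because `NOT NULL` is UNKNOWN and the CASE then reports the app as redirecting all HTTP traffic to HTTPS. A transport-security control should fail closed on an unknown setting: `WHEN https_only IS NOT TRUE THEN 'alarm'` treats NULL like false in both the status and the reason CASE. Whether the collector can actually leave the column NULL is not visible here, so this is worth confirming against the table schema. The final statement also has no terminating semicolon, unlike the sibling definitions in this diff.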
@@ -1,58 +1,59 @@ id: azure_appservice_api_app_uses_managed_identity title: Managed identity should be used in your API App +type: control description: Use a managed identity for enhanced authentication security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_api_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_api_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE '%api' - ) + elem LIKE '%api' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN - configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL - OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN - configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL - OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN a.name || ' uses managed identity.' 
- ELSE a.name || ' not uses managed identity' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_api_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN + configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL + OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN + configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL + OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN a.name || ' uses managed identity.' + ELSE a.name || ' not uses managed identity' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_api_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_authentication_enabled.yaml b/compliance/controls/azure/azure_appservice_authentication_enabled.yaml index 74597ace3..00417e1fc 100644 --- a/compliance/controls/azure/azure_appservice_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_authentication_enabled.yaml 
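Review bot: the ELSE reason `a.name || ' not uses managed identity'` is ungrammatical and, unlike every other reason string in this file, lacks the trailing period; `ELSE a.name || ' does not use a managed identity.'` matches the convention used by the surrounding branches. The status logic itself is sound: an app whose configuration carries neither `xManagedServiceIdentityId` nor `managedServiceIdentityId` lands on `'alarm'`, so an absent `properties` object fails closed. The SQL is unchanged by this commit, so this is a pre-existing wording issue.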
@@ -1,49 +1,50 @@ id: azure_appservice_authentication_enabled title: Ensure App Service authentication is set up for apps in Azure App Service +type: control description: Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' + ELSE name || ' authentication set.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '9.1' - cis_level: - - '2' - cis_section_id: - - '9' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/AppService + category: + - Compliance + cis: + - "true" + cis_item_id: + - "9.1" + cis_level: + - "2" + cis_section_id: + - "9" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml b/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml index ba138ce65..6b0c3ddef 100644 --- a/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml +++ b/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml 
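Review bot: `WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm'` evaluates to UNKNOWN when `auth_settings` or its `enabled` property is absent, so the CASE falls to `'ok'` and reports `authentication set` for an app with no authentication configuration at all. The function-app variant later in this diff (azure_appservice_function_app_authentication_on) compares `= 'true'` and alarms otherwise, which fails closed; this definition should behave the same, e.g. `WHEN (auth_settings -> 'properties' ->> 'enabled')::boolean IS NOT TRUE THEN 'alarm'` in both CASE expressions. The `::boolean` cast will also raise an error if the property ever holds a string that is not a boolean literal, so the sibling's plain string comparison is the more robust of the two forms.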
@@ -1,73 +1,74 @@ id: azure_appservice_ftp_deployment_disabled title: Ensure FTP deployments are Disabled +type: control description: By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - fa.id AS resource, - fa.platform_integration_id AS platform_integration_id, - fa.platform_resource_id AS platform_resource_id, - 'azure_app_service_function_app' AS platform_table_name, - CASE - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' FTP deployments enabled.' - ELSE name || ' FTP deployments disabled.' - END AS reason, - fa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app fa, - azure_subscription sub - WHERE - sub.subscription_id = fa.subscription_id - - UNION - - SELECT - wa.id AS resource, - wa.platform_integration_id AS platform_integration_id, - wa.platform_resource_id AS platform_resource_id, - 'azure_app_service_web_app' AS platform_table_name, - CASE - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' FTP deployments enabled.' - ELSE name || ' FTP deployments disabled.' 
- END AS reason, - wa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS wa, - azure_subscription AS sub - WHERE - sub.subscription_id = wa.subscription_id; + language: sql + primary_resource: "" + definition: | + SELECT + fa.id AS resource, + fa.platform_integration_id AS platform_integration_id, + fa.platform_resource_id AS platform_resource_id, + 'azure_app_service_function_app' AS platform_table_name, + CASE + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' FTP deployments enabled.' + ELSE name || ' FTP deployments disabled.' + END AS reason, + fa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app fa, + azure_subscription sub + WHERE + sub.subscription_id = fa.subscription_id + + UNION + + SELECT + wa.id AS resource, + wa.platform_integration_id AS platform_integration_id, + wa.platform_resource_id AS platform_resource_id, + 'azure_app_service_web_app' AS platform_table_name, + CASE + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' FTP deployments enabled.' + ELSE name || ' FTP deployments disabled.' 
+ END AS reason, + wa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS wa, + azure_subscription AS sub + WHERE + sub.subscription_id = wa.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '9.10' - cis_level: - - '1' - cis_section_id: - - '9' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/AppService + category: + - Compliance + cis: + - "true" + cis_item_id: + - "9.10" + cis_level: + - "1" + cis_section_id: + - "9" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml b/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml index 32de767b5..3c9263014 100644 --- a/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml 
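Review bot: `WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' ELSE 'ok'` reports `FTP deployments disabled` when `ftpsState` is absent, because the comparison with NULL is UNKNOWN and the CASE falls to the ELSE branch; the same pattern appears in azure_appservice_function_app_ftps_enabled later in this diff. If the collector can return a configuration without that property, an explicit `WHEN configuration -> 'properties' ->> 'ftpsState' IS NULL THEN 'alarm'` branch ahead of the existing one (with a matching reason) keeps the unknown state from passing. The two halves are also combined with `UNION`, which sorts and deduplicates rows that cannot collide since each half carries a different `platform_table_name` literal; `UNION ALL` returns the same rows without the dedup pass.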
@@ -1,29 +1,30 @@ id: azure_appservice_function_app_authentication_on title: Ensure App Service authentication is set up for function apps in Azure App Service +type: control description: Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - fa.id AS resource, - fa.platform_integration_id AS platform_integration_id, - fa.platform_resource_id AS platform_resource_id, - CASE - WHEN auth_settings -> 'properties' ->> 'enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auth_settings -> 'properties' ->> 'enabled' = 'true' THEN name || ' authentication enabled.' - ELSE name || ' authentication disabled.' - END AS reason - FROM - azure_app_service_function_app fa, - azure_subscription sub - WHERE - sub.subscription_id = fa.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + fa.id AS resource, + fa.platform_integration_id AS platform_integration_id, + fa.platform_resource_id AS platform_resource_id, + CASE + WHEN auth_settings -> 'properties' ->> 'enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auth_settings -> 'properties' ->> 'enabled' = 'true' THEN name || ' authentication enabled.' + ELSE name || ' authentication disabled.' + END AS reason + FROM + azure_app_service_function_app fa, + azure_subscription sub + WHERE + sub.subscription_id = fa.subscription_id; severity: low tags: {} 
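Review bot: the SELECT list in this definition omits the `resource_group` and `subscription` columns that every other App Service control in this diff emits, so the control's output shape differs from its siblings even though `azure_subscription sub` is already joined and `sub.display_name` is available. Adding `fa.resource_group AS resource_group, sub.display_name AS subscription` after the reason column would align it. The `tags: {}` and `severity: low` also differ from the web-app variant of the same check (azure_appservice_authentication_enabled, `severity: medium` with CIS tags); if that difference is not deliberate it deserves a second look.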
diff --git a/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml index ba7a50276..fe76fe53e 100644 --- a/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml 
@@ -1,35 +1,36 @@ id: azure_appservice_function_app_client_certificates_on title: Function apps should have 'Client Certificates (Incoming client certificates)' enabled +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN client_cert_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN client_cert_enabled THEN app.name || ' client certificate enabled.' - ELSE app.name || ' client certificate disabled.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN client_cert_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN client_cert_enabled THEN app.name || ' client certificate enabled.' + ELSE app.name || ' client certificate disabled.' + END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService 
diff --git a/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml index 59f687e37..cfe0a45ec 100644 --- a/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml 
@@ -1,38 +1,39 @@ id: azure_appservice_function_app_cors_no_star title: Function apps should not have CORS configured to allow every resource to access your apps +type: control description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - b.id AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' - THEN b.name || ' CORS allow all domains to access the application.' - ELSE b.name || ' CORS does not allow all domains to access the application.' - END AS reason, - b.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS b, - azure_subscription AS sub - WHERE - sub.subscription_id = b.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + b.id AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' + THEN b.name || ' CORS allow all domains to access the application.' + ELSE b.name || ' CORS does not allow all domains to access the application.' 
+ END AS reason, + b.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS b, + azure_subscription AS sub + WHERE + sub.subscription_id = b.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml index 0b72d20e9..a4998e71d 100644 --- a/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml 
@@ -1,52 +1,53 @@ id: azure_appservice_function_app_ftps_enabled title: FTPS only should be required in your Function App +type: control description: Enable FTPS enforcement for enhanced security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH all_function_app AS ( + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH all_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_function_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'functionapp%' - ) + elem LIKE 'functionapp%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' - ELSE a.name || ' FTPS enabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS a - LEFT JOIN all_function_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' 
+ WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' + ELSE a.name || ' FTPS enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS a + LEFT JOIN all_function_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml index 374abc658..2bc9730fc 100644 --- a/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml 
@@ -1,60 +1,61 @@ id: azure_appservice_function_app_latest_http_version title: Ensure that 'HTTP Version' is the latest, if used to run the Function app +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH all_function_app AS ( + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH all_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_function_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'functionapp%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'functionapp%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'http20Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is not a linux function app.' - WHEN configuration -> 'properties' ->> 'http20Enabled' = 'true' THEN a.name || ' using the latest HTTP version.' - ELSE a.name || ' not using latest HTTP version.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS a - LEFT JOIN all_function_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(regexp_split_to_array(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'http20Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is not a linux function app.' + WHEN configuration -> 'properties' ->> 'http20Enabled' = 'true' THEN a.name || ' using the latest HTTP version.' + ELSE a.name || ' not using latest HTTP version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS a + LEFT JOIN all_function_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml index c1bc8cbe2..2fc3dc7f2 100644 --- a/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml 
@@ -1,63 +1,64 @@ id: azure_appservice_function_app_latest_java_version title: Ensure that 'Java version' is the latest, if used as a part of the Function app +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH all_function_app AS ( + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH all_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_function_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'functionapp%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'functionapp%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Java%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Java%' THEN a.name || ' not using JAVA version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' 
- ELSE a.name || ' not using latest JAVA version.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS a - LEFT JOIN all_function_app AS b - ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Java%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Java%' THEN a.name || ' not using JAVA version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' + ELSE a.name || ' not using latest JAVA version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS a + LEFT JOIN all_function_app AS b + ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml index f5ba7ecc9..6f042b037 100644 --- a/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml 
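Review bot: `WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok'` hard-codes Java 11 as the latest version, so any newer runtime is reported as `not using latest JAVA version`; the same magic-constant problem exists in azure_appservice_function_app_latest_python_version later in this diff, where `= 'Python|3.9'` is the only accepted value. If the framework's `parameters:` list (currently `[]`) can feed values into the definition, the accepted version belongs there so it can be bumped without editing SQL. The `NOT LIKE 'Java%'` and `NOT LIKE 'Python%'` tests are also case-sensitive; if the stored `linuxFxVersion` uses the upper-case `JAVA|...` / `PYTHON|...` spelling, every Java or Python app would match NOT LIKE and pass as `'ok'` with the reason `not using JAVA version`, so comparing on `UPPER(configuration -> 'properties' ->> 'linuxFxVersion')` would be safer. The SQL is unchanged by this commit, so these are pre-existing.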
@@ -1,62 +1,63 @@ id: azure_appservice_function_app_latest_python_version title: Ensure that 'Python version' is the latest, if used as a part of the Function app +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH all_function_app AS ( + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH all_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_function_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'functionapp%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'functionapp%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Python%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Python%' THEN a.name || ' not using python version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' THEN a.name || ' using the latest python version.' 
- ELSE a.name || ' not using latest python version.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS a - LEFT JOIN all_function_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(regexp_split_to_array(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Python%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'Python%' THEN a.name || ' not using python version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' THEN a.name || ' using the latest python version.' + ELSE a.name || ' not using latest python version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS a + LEFT JOIN all_function_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml index 9708337c5..51ce2ce08 100644 --- a/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml 
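Review bot: Both runtime tests in the new definition are case-sensitive (`NOT LIKE 'Python%'` and `= 'Python|3.9'`), so if the platform reports the runtime with different casing (for example `PYTHON|3.9`) the first branch is true and the app is reported `'ok'` as "not using python version" — a silent pass rather than an alarm. If that casing is possible for this collector, normalise before comparing: `WHEN UPPER(configuration -> 'properties' ->> 'linuxFxVersion') NOT LIKE 'PYTHON%' THEN 'ok'` and `WHEN UPPER(configuration -> 'properties' ->> 'linuxFxVersion') = 'PYTHON|3.9' THEN 'ok'`; the java_version hunk above has the same exposure with `LIKE 'Java%'`. The skip reason here (`a.title || ' is ' || a.kind || ' kind.'`) also differs from the sibling java control's "is not of linux kind." for the same condition; aligning the wording makes the two controls easier to triage together.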
@@ -1,37 +1,38 @@ id: azure_appservice_function_app_latest_tls_version title: Function apps should use the latest TLS version +type: control description: Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml b/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml index 6023ecbde..59269ca36 100644 --- a/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml 
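Review bot: A NULL `minTlsVersion` reaches `ELSE 'ok'` because `< '1.2'` against NULL is UNKNOWN, so an app whose site configuration was not collected is reported as using the latest TLS version. If the collector can return rows without that property, the alarm branch should name the case explicitly, e.g. `WHEN configuration -> 'properties' ->> 'minTlsVersion' IS NULL OR configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm'`, with a reason that distinguishes "not reported" from "below 1.2". The comparison is also a text comparison; it orders the current '1.0'/'1.1'/'1.2'/'1.3' values correctly but would misorder any future two-digit minor version, which is worth a one-line comment above the CASE. Note too that the title says "latest" while the threshold accepts 1.2; either the title or the threshold should say which is meant.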
@@ -1,39 +1,40 @@ id: azure_appservice_function_app_only_https_accessible title: Function apps should only be accessible over HTTPS +type: control description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN https_only THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN https_only THEN name || ' https-only accessible enabled.' - ELSE name || ' https-only accessible disabled.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN https_only THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN https_only THEN name || ' https-only accessible enabled.' + ELSE name || ' https-only accessible disabled.' + END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/AppService 
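Review bot: `name` in both reason branches is left unqualified while every other column in the new definition carries the `app.` prefix; with `azure_subscription AS sub` in the same FROM list this relies on only one of the two tables exposing a `name` column, and a future schema change on either side would turn the query into an ambiguous-column error. Qualifying it as `app.name` removes that dependency; the tls_version, remote_debugging and restrict_public_acces hunks have the same unqualified `name`. The implicit comma join on `azure_subscription` would also read more clearly as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = app.subscription_id`, which applies to every definition in this change that joins the subscription table.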
diff --git a/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml index c6044bca5..82317cab7 100644 --- a/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml 
@@ -1,37 +1,38 @@ id: azure_appservice_function_app_remote_debugging_disabled title: Function apps should have remote debugging turned off +type: control description: Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.' - ELSE name || ' remote debugging enabled.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.' + ELSE name || ' remote debugging enabled.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml b/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml index 4c81924ee..2fb8bfe9e 100644 --- a/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml 
@@ -1,40 +1,41 @@ id: azure_appservice_function_app_restrict_public_acces title: App Service function apps public access should be restricted +type: control description: Anonymous public read access to function app in Azure App Service is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a function app unless your scenario requires it. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH public_function_app AS ( - SELECT - id - FROM - azure_app_service_function_app, - jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') AS r - WHERE - r ->> 'ipAddress' = 'Any' - AND r ->> 'action' = 'Allow' - ) - SELECT - fa.id AS resource, - fa.platform_integration_id AS platform_integration_id, - fa.platform_resource_id AS platform_resource_id, - CASE - WHEN p.id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.id IS NULL THEN name || ' not publicly accessible.' - ELSE name || ' publicly accessible.' - END AS reason - FROM - azure_app_service_function_app fa - LEFT JOIN public_function_app AS p ON p.id = fa.id, - azure_subscription sub - WHERE - sub.subscription_id = fa.subscription_id; + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH public_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app, + jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') AS r + WHERE + r ->> 'ipAddress' = 'Any' + AND r ->> 'action' = 'Allow' + ) + SELECT + fa.id AS resource, + fa.platform_integration_id AS platform_integration_id, + fa.platform_resource_id AS platform_resource_id, + CASE + WHEN p.id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.id IS NULL THEN name || ' not publicly accessible.' 
+ ELSE name || ' publicly accessible.' + END AS reason + FROM + azure_app_service_function_app fa + LEFT JOIN public_function_app AS p ON p.id = fa.id, + azure_subscription sub + WHERE + sub.subscription_id = fa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml index f73a688dc..399508786 100644 --- a/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml 
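Review bot: The `public_function_app` CTE only recognises a rule whose `ipAddress` is the literal `'Any'`, so an Allow rule written as an all-addresses CIDR (`0.0.0.0/0` or `::/0`, if the platform accepts those here) is equally public but reported `'ok'`; consider `WHERE r ->> 'action' = 'Allow' AND r ->> 'ipAddress' IN ('Any', '0.0.0.0/0', '::/0')`. An app with no `ipSecurityRestrictions` array at all produces no CTE row and is likewise reported "not publicly accessible"; if the platform default for an app without restrictions is to accept all traffic, that is the opposite of the intended verdict and should be checked against the collector's output. Unlike the sibling controls, the output drops `resource_group` and `subscription` even though `azure_subscription sub` is joined, so that join currently serves only as a filter. `name` in the reason is unqualified while the other columns use `fa.`.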
@@ -1,59 +1,60 @@ id: azure_appservice_function_app_uses_managed_identity title: Function apps should use managed identity +type: control description: Use a managed identity for enhanced authentication security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH all_function_app AS ( + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH all_function_app AS ( + SELECT + id + FROM + azure_app_service_function_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_function_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'functionapp%' - ) + elem LIKE 'functionapp%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN - configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL - OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN - configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL - OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL - THEN a.name || ' uses managed identity.' 
- ELSE a.name || ' not uses managed identity' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_function_app AS a - LEFT JOIN all_function_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN + configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL + OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN + configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL + OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL + THEN a.name || ' uses managed identity.' + ELSE a.name || ' not uses managed identity' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_function_app AS a + LEFT JOIN all_function_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml b/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml index f16395bfb..4e3913f78 100644 --- a/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml +++ b/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml 
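Review bot: The alarm reason `' not uses managed identity'` is ungrammatical and, unlike every other reason in this file, has no terminating period; `ELSE a.name || ' does not use managed identity.'` matches the sibling controls. The verdict is derived from two identity-id keys under `configuration -> 'properties'`; if the table also exposes the app's identity object (with its type), that would be the more direct signal for "uses managed identity", since a stale id in site config is not evidence that an identity is currently assigned — worth confirming against the collector. `configuration` is again referenced unqualified alongside `a.`-prefixed columns.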
@@ -1,26 +1,27 @@ id: azure_appservice_plan_minimum_sku title: Appservice plan should not use free, shared or basic SKU +type: control description: The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_plan - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name IN ('F1', 'D1', 'B1', 'B2', 'B3') THEN 'alarm' - ELSE 'ok' - END AS status, - a.name || ' is of ' || sku_family || ' SKU family.' AS reason - FROM - azure_app_service_plan AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_plan + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name IN ('F1', 'D1', 'B1', 'B2', 'B3') THEN 'alarm' + ELSE 'ok' + END AS status, + a.name || ' is of ' || sku_family || ' SKU family.' AS reason + FROM + azure_app_service_plan AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_web_app_always_on.yaml b/compliance/controls/azure/azure_appservice_web_app_always_on.yaml index 3119ecedb..f0b589fd9 100644 --- a/compliance/controls/azure/azure_appservice_web_app_always_on.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_always_on.yaml 
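Review bot: The verdict is keyed on a hard-coded list `sku_name IN ('F1', 'D1', 'B1', 'B2', 'B3')`, so any new or renamed free/shared/basic SKU passes as `'ok'` until someone edits the literal; since the query already reads `sku_family`, a tier-level test such as `WHEN sku_tier IN ('Free', 'Shared', 'Basic') THEN 'alarm'` (if the table exposes `sku_tier`) would track the description's wording directly. The reason `a.name || ' is of ' || sku_family || ' SKU family.'` is identical for ok and alarm rows, so a reader of the findings cannot tell which condition fired without re-deriving it. The `azure_subscription AS sub` join contributes no output column and acts only as a filter.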
@@ -1,29 +1,30 @@ id: azure_appservice_web_app_always_on title: Web apps should be configured to always be on +type: control description: This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'alwaysOn' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'alwaysOn' = 'true' THEN a.name || ' alwaysOn is enabled.' - ELSE a.name || ' alwaysOn is disabled.' - END AS reason - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'alwaysOn' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'alwaysOn' = 'true' THEN a.name || ' alwaysOn is enabled.' + ELSE a.name || ' alwaysOn is disabled.' + END AS reason + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml index d3cb6c6e7..5580dacc5 100644 
--- a/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml 
@@ -1,54 +1,55 @@ id: azure_appservice_web_app_client_certificates_on title: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN client_cert_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN client_cert_enabled THEN a.name || ' client certificate enabled.' - ELSE a.name || ' client certificate disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN client_cert_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' 
+ WHEN client_cert_enabled THEN a.name || ' client certificate enabled.' + ELSE a.name || ' client certificate disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml index 21c30eae7..890332334 100644 --- a/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml 
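Review bot: The new definition ends at `sub.subscription_id = a.subscription_id` with no terminating semicolon, unlike every other definition in this change; adding `;` keeps the files uniform for whatever tooling splits or lints them. The verdict rests on `client_cert_enabled` alone, but the description's claim that "only clients that have a valid certificate will be able to reach the app" holds only when the certificate mode actually requires a certificate; if the table exposes the app's client certificate mode (required vs optional), the ok branch should check it as well, otherwise an app with certificates enabled but optional is reported as enforcing them. The `a.title || ' is ' || a.kind || ' kind.'` skip reason mirrors the function-app controls and is fine.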
@@ -1,37 +1,38 @@ id: azure_appservice_web_app_cors_no_star title: App Service apps should not have CORS configured to allow every resource to access your apps +type: control description: Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' - THEN a.name || ' CORS allow all domains to access the application.' - ELSE a.name || ' CORS does not allow all domains to access the application.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' + THEN a.name || ' CORS allow all domains to access the application.' + ELSE a.name || ' CORS does not allow all domains to access the application.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml index 320622a3e..d4d4f2883 100644 --- a/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml 
@@ -1,43 +1,44 @@ id: azure_appservice_web_app_diagnostic_logs_enabled title: App Service apps should have resource logs enabled +type: control description: Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool - AND (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool - AND (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool - AND (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool - AND (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool - THEN a.name || ' diagnostic logs enabled.' - ELSE a.title || ' diagnostic logs disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool + AND (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool + AND (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool + AND (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool + AND (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool + THEN a.name || ' diagnostic logs enabled.' + ELSE a.title || ' diagnostic logs disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml index f1fb35752..f1e657b2e 100644 --- a/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml 
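Review bot: The two reason branches name the resource differently — `a.name || ' diagnostic logs enabled.'` for ok but `a.title || ' diagnostic logs disabled.'` for alarm — so findings for the same app are labelled inconsistently depending on its state; `ELSE a.name || ' diagnostic logs disabled.'` aligns them with the rest of the file. Spacing around the JSON operators is also mixed (`a.configuration-> 'properties'` next to `a.configuration -> 'properties'`), which is the kind of drift sqlfluff would flag. A missing key makes the `::bool` cast NULL and the AND chain UNKNOWN, landing in `'alarm'`; that is the safe default, but a comment stating that NULL is intentionally treated as "disabled" would save the next reader from re-checking it.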
@@ -1,29 +1,30 @@ id: azure_appservice_web_app_failed_request_tracing_enabled title: Web app failed request tracing should be enabled +type: control description: Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' THEN a.name || ' failed requests tracing enabled.' - ELSE a.name || ' failed requests tracing disabled.' - END AS reason - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN diagnostic_logs_configuration -> 'properties' -> 'failedRequestsTracing' ->> 'enabled' = 'true' THEN a.name || ' failed requests tracing enabled.' + ELSE a.name || ' failed requests tracing disabled.' + END AS reason + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml index 0c5122fe9..5edf20928 100644 --- a/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml 
@@ -1,52 +1,53 @@ id: azure_appservice_web_app_ftps_enabled title: FTPS should be required in your Web App +type: control description: Enable FTPS enforcement for enhanced security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' - ELSE a.name || ' FTPS enabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN a.name || ' FTPS disabled.' 
+ ELSE a.name || ' FTPS enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml index 0cd645af3..c5419eef9 100644 --- a/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml 
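Review bot: A web app whose `configuration -> 'properties' ->> 'ftpsState'` is missing or NULL is reported `'ok'` by the new-side status CASE: the comparison with `'AllAllowed'` is UNKNOWN, no WHEN matches, and the ELSE branch is the compliant one, so an absent setting reads as FTPS enforced on a control tagged `severity: high`. The same fail-open shape, where a NULL falls through to an `'ok'` ELSE, appears in the client-certificate (`NOT client_cert_enabled`), HTTP-version (`NOT (...)::boolean`), TLS (`minTlsVersion < '1.2'`) and managed-identity (`identity = '{}'`) hunks of this commit. Routing the unknown case to alarm is a one-line change in each CASE here, `WHEN COALESCE(configuration -> 'properties' ->> 'ftpsState', 'AllAllowed') = 'AllAllowed' THEN 'alarm'`, with the reason branch updated the same way. Whether the collector ever stores a NULL for this key is not visible from the diff, so confirm against a sample row, but a compliance check should fail closed either way.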
@@ -1,29 +1,30 @@ id: azure_appservice_web_app_health_check_enabled title: Web apps should have health check enabled +type: control description: Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'healthCheckPath' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'healthCheckPath' IS NOT NULL THEN a.name || ' health check enabled.' - ELSE a.name || ' health check disabled.' - END AS reason - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'healthCheckPath' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'healthCheckPath' IS NOT NULL THEN a.name || ' health check enabled.' + ELSE a.name || ' health check disabled.' + END AS reason + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml index 9a318f5ec..0483f7267 100644 --- a/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml 
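Review bot: `healthCheckPath IS NOT NULL` treats an empty-string path as a configured health check, and the new side keeps that test in both the status and the reason CASE. If the collector stores `""` rather than omitting the key when the feature is off (not visible in this diff; worth checking a sample row), every such app is reported `'ok'`. `NULLIF(configuration -> 'properties' ->> 'healthCheckPath', '') IS NOT NULL` covers both representations in one expression.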
+++ b/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml @@ -1,29 +1,30 @@ id: azure_appservice_web_app_http_logs_enabled title: Web app HTTP logs should be enabled +type: control description: Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' THEN a.name || ' HTTP logs enabled.' - ELSE a.name || ' HTTP logs disabled.' - END AS reason - FROM - azure_app_service_web_app AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'httpLoggingEnabled' = 'true' THEN a.name || ' HTTP logs enabled.' + ELSE a.name || ' HTTP logs disabled.' + END AS reason + FROM + azure_app_service_web_app AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml b/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml index f640d2ed3..230fb42be 100644 --- a/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml 
+++ b/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml 
@@ -1,49 +1,50 @@ id: azure_appservice_web_app_incoming_client_cert_on title: Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT client_cert_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' - ELSE name || ' incoming client certificates set to on.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT client_cert_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' + ELSE name || ' incoming client certificates set to on.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '9.4' - cis_level: - - '2' - cis_section_id: - - '9' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/AppService + category: + - Compliance + cis: + - "true" + cis_item_id: + - "9.4" + cis_level: + - "2" + cis_section_id: + - "9" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml index ec7c4d319..daf6c28de 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml 
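Review bot: `NOT client_cert_enabled` is the only test, so the new side takes an enabled flag as proof that client certificates are required, whereas App Service can also accept them as optional; if the collector exposes the certificate mode next to `client_cert_enabled` (that column is not visible here), the CIS 9.4 intent of 'set to On' is better served by also requiring the mandatory mode. Independently, a NULL flag makes `NOT client_cert_enabled` UNKNOWN and lands in the `'ok'` ELSE; `WHEN client_cert_enabled IS NOT TRUE THEN 'alarm'` in both CASEs sends an unknown value to alarm instead.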
@@ -1,48 +1,49 @@ id: azure_appservice_web_app_latest_dotnet_framework_version title: Web app should use the latest 'Net Framework' version +type: control description: Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_linux_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_linux_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem = 'linux' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL AND configuration -> 'properties' ->> 'netFrameworkVersion' IN ('v6.0', 'v7.0') THEN 'ok' - WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'DOTNETCORE|%' THEN 'ok' - WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' IN ('DOTNETCORE|6.0', 'DOTNETCORE|7.0') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL AND configuration -> 'properties' ->> 'netFrameworkVersion' IN ('v6.0', 'v7.0') THEN a.name || ' using latest dotnet framework version.' - WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'DOTNETCORE|%' THEN a.name || ' not using dotnet framework.' 
- WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' IN ('DOTNETCORE|6.0', 'DOTNETCORE|7.0') THEN a.name || ' using latest dotnet framework version.' - ELSE a.name || ' not using latest dotnet framework version.' - END AS reason - FROM - azure_app_service_web_app AS a - LEFT JOIN all_linux_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL AND configuration -> 'properties' ->> 'netFrameworkVersion' IN ('v6.0', 'v7.0') THEN 'ok' + WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'DOTNETCORE|%' THEN 'ok' + WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' IN ('DOTNETCORE|6.0', 'DOTNETCORE|7.0') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL AND configuration -> 'properties' ->> 'netFrameworkVersion' IN ('v6.0', 'v7.0') THEN a.name || ' using latest dotnet framework version.' + WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'DOTNETCORE|%' THEN a.name || ' not using dotnet framework.' + WHEN b.id IS NOT NULL AND configuration -> 'properties' ->> 'linuxFxVersion' IN ('DOTNETCORE|6.0', 'DOTNETCORE|7.0') THEN a.name || ' using latest dotnet framework version.' + ELSE a.name || ' not using latest dotnet framework version.' + END AS reason + FROM + azure_app_service_web_app AS a + LEFT JOIN all_linux_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml index 75ccc014c..644c76e0f 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml 
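Review bot: The accepted versions are hard-coded in four places of the new-side query (`IN ('v6.0', 'v7.0')` and `IN ('DOTNETCORE|6.0', 'DOTNETCORE|7.0')`, each repeated in the status and reason CASEs), and the same pinning appears in the Java (`LIKE '%11'`), PHP (`= 'PHP|8.0'`) and Python (`= 'PYTHON|3.9'`) hunks of this commit. A control titled 'latest' that embeds release numbers goes stale silently, reporting `'ok'` for runtimes that are no longer current and `'alarm'` for newer ones. Each of these files carries an empty `parameters: []`, which makes the list of accepted versions the natural candidate for a parameter so that refreshing it does not mean editing four SQL branches. At minimum, a comment above the first CASE such as `-- accepted runtime versions last reviewed <date>; revisit on each .NET release` would make the staleness visible to whoever reads the control next.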
+++ b/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml 
@@ -1,49 +1,50 @@ id: azure_appservice_web_app_latest_http_version title: Ensure that 'HTTP Version' is the latest, if used to run the Web app +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' - ELSE name || ' HTTP version is latest.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' + ELSE name || ' HTTP version is latest.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '9.9' - cis_level: - - '1' - cis_section_id: - - '9' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/AppService + category: + - Compliance + cis: + - "true" + cis_item_id: + - "9.9" + cis_level: + - "1" + cis_section_id: + - "9" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml index ec39ff192..72af6ce6a 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml 
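Review bot: `(configuration -> 'properties' ->> 'http20Enabled')::boolean` casts a JSON text value in both CASEs, so a row whose value is not a boolean literal aborts the whole control query with a cast error instead of failing only that app, and a NULL value makes the `NOT` UNKNOWN and falls into the `'ok'` ELSE. Comparing the text directly avoids both, `WHEN configuration -> 'properties' ->> 'http20Enabled' IS DISTINCT FROM 'true' THEN 'alarm'`, and matches the style the sibling HTTP-logs and failed-request-tracing controls already use (`->> 'enabled' = 'true'`). The description states that the policy currently applies only to Linux web apps, but the query has no filter on `kind`; either the text or the query should be brought in line.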
@@ -1,62 +1,63 @@ id: azure_appservice_web_app_latest_java_version title: Ensure that 'Java version' is the latest, if used as a part of the Web app +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN a.name || ' not using JAVA version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' - ELSE a.name || ' not using latest JAVA version.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN a.name || ' not using JAVA version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' + ELSE a.name || ' not using latest JAVA version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml index 9995f9362..07fd61cfb 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml 
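Review bot: `NOT LIKE 'JAVA%'` reports `'ok'` with reason 'not using JAVA version' for any `linuxFxVersion` that does not start with `JAVA`, and on the new side that includes Java apps deployed on a servlet-container image, where App Service carries the Java version later in the string under a different runtime prefix; those apps are never evaluated. The skip test would need to consider the whole string, e.g. `WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT ILIKE '%java%' THEN 'ok'`, with the version test moved from a bare `LIKE '%11'` suffix match to wherever the Java version sits in those images; the exact image strings are not in this diff, so confirm against the collector's values first. The `LIKE '%11'` suffix test also matches any value ending in 11 regardless of runtime, which is worth a comment if it is intentional.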
@@ -1,61 +1,62 @@ id: azure_appservice_web_app_latest_php_version title: Ensure that 'PHP version' is the latest, if used as a part of the WEB app +type: control description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN a.name || ' not using php version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN a.name || ' using the latest php version.' - ELSE a.name || ' not using latest php version.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND EXISTS ( + SELECT + FROM + UNNEST(regexp_split_to_array(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN a.name || ' not using php version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN a.name || ' using the latest php version.' + ELSE a.name || ' not using latest php version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml index 7b6f96c36..66f9c8510 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml 
@@ -1,62 +1,63 @@ id: azure_appservice_web_app_latest_python_version title: Ensure that 'Python version' is the latest, if used as a part of the Web app +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN a.name || ' not using python version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN a.name || ' using the latest python version.' - ELSE a.name || ' not using latest python version.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN a.name || ' not using python version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN a.name || ' using the latest python version.' + ELSE a.name || ' not using latest python version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/AppService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml index de533cf05..9e62d1db6 100644 --- a/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml 
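Review bot: The skip reason `a.title || ' is not of linux kind.'` no longer describes the CTE it reports on: `all_web_app` requires both an `app%` element and a `linux` element in `kind`, so a Linux function app and a Windows web app both receive this message, and for the first it is wrong. The sibling Java and PHP controls in this commit use `a.title || ' is ' || a.kind || ' kind.'` for the same branch; using that here keeps the three consistent and shows the operator the actual kind string.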
@@ -1,49 +1,50 @@ id: azure_appservice_web_app_latest_tls_version title: Latest TLS version should be used in your Web App +type: control description: Upgrade to the latest TLS version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason, - app.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' 
+ END AS reason, + app.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '9.3' - cis_level: - - '1' - cis_section_id: - - '9' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/AppService + category: + - Compliance + cis: + - "true" + cis_item_id: + - "9.3" + cis_level: + - "1" + cis_section_id: + - "9" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/AppService diff --git a/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml index d85fc824a..7bb3cf943 100644 --- a/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml 
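Review bot: The reason string in the new-side CASE tells the operator that an app with `minTlsVersion` of `1.2` is 'using the latest version of TLS encryption', while the test is only a `< '1.2'` floor, so the message (and the control title) overstate what was checked. Wording the reason after the test, `ELSE name || ' minimum TLS version is 1.2 or higher.'`, keeps the 1.2 baseline that the CIS 9.3 tag calls for without claiming the app is on the newest protocol version. The `<` is a text comparison on the JSON value; it happens to order one-decimal version strings correctly, but a two-digit minor would not sort numerically, which deserves a short comment above the CASE.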
@@ -1,49 +1,50 @@
 id: azure_appservice_web_app_register_with_active_directory_enabled
 title: Ensure that Register with Azure Active Directory is enabled on App Service
+type: control
 description: Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- app.id AS resource,
- app.platform_integration_id AS platform_integration_id,
- app.platform_resource_id AS platform_resource_id,
- CASE
- WHEN identity = '{}' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN identity = '{}' THEN name || ' register with azure active directory disabled.'
- ELSE name || ' register with azure active directory enabled.'
- END AS reason,
- app.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS app,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = app.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ app.id AS resource,
+ app.platform_integration_id AS platform_integration_id,
+ app.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN identity = '{}' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN identity = '{}' THEN name || ' register with azure active directory disabled.'
+ ELSE name || ' register with azure active directory enabled.'
+ END AS reason,
+ app.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS app,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = app.subscription_id;
 severity: medium
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '9.5'
- cis_level:
- - '1'
- cis_section_id:
- - '9'
- cis_type:
- - automated
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/AppService
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "9.5"
+ cis_level:
+ - "1"
+ cis_section_id:
+ - "9"
+ cis_type:
+ - automated
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
diff --git a/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml
index 1ec7c2bba..cc7514b80 100644
--- a/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml
+++ b/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml
@@ -1,39 +1,40 @@
 id: azure_appservice_web_app_remote_debugging_disabled
 title: Remote debugging should be turned off for Web Applications
+type: control
 description: Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- app.id AS resource,
- app.platform_integration_id AS platform_integration_id,
- app.platform_resource_id AS platform_resource_id,
- CASE
- WHEN kind = 'api' THEN 'skip'
- WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN kind = 'api' THEN name || ' is of ' || kind || ' type.'
- WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.'
- ELSE name || ' remote debugging enabled.'
- END AS reason,
- app.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS app,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = app.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ app.id AS resource,
+ app.platform_integration_id AS platform_integration_id,
+ app.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN kind = 'api' THEN 'skip'
+ WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN kind = 'api' THEN name || ' is of ' || kind || ' type.'
+ WHEN configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' THEN name || ' remote debugging disabled.'
+ ELSE name || ' remote debugging enabled.'
+ END AS reason,
+ app.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS app,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = app.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/AppService
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/AppService
diff --git a/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml b/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml
index 37d4a1251..1d729924e 100644
--- a/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml
+++ b/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml
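Review bot: The new FROM clause, `azure_app_service_web_app AS app, azure_subscription AS sub` with the join condition down in `WHERE sub.subscription_id = app.subscription_id`, keeps the implicit comma-join form; the condition is easy to lose in a reflow like this one (the automation-variable control later in this commit has already lost it), and `FROM azure_app_service_web_app AS app INNER JOIN azure_subscription AS sub ON sub.subscription_id = app.subscription_id` keeps the relationship attached to the tables it relates. This is the convention across the whole directory, so it reads as a follow-up rather than something to fold into this reformat. The unqualified `name`, `kind` and `configuration` in the CASE expressions resolve only while exactly one of the two tables has those columns; writing `app.name`, `app.kind` and `app.configuration` would match the `app.id` and `app.resource_group` already on the new side.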
@@ -1,29 +1,30 @@
 id: azure_appservice_web_app_slot_use_https
 title: Web app slot should only be accessible over HTTPS
+type: control
 description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app_slot
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN https_only THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN https_only THEN name || ' https-only accessible enabled.'
- ELSE name || ' https-only accessible disabled.'
- END AS reason
- FROM
- azure_app_service_web_app_slot AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app_slot
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN https_only THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN https_only THEN name || ' https-only accessible enabled.'
+ ELSE name || ' https-only accessible disabled.'
+ END AS reason
+ FROM
+ azure_app_service_web_app_slot AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_appservice_web_app_use_https.yaml b/compliance/controls/azure/azure_appservice_web_app_use_https.yaml
index 32a885f84..4d793c312 100644
--- a/compliance/controls/azure/azure_appservice_web_app_use_https.yaml
+++ b/compliance/controls/azure/azure_appservice_web_app_use_https.yaml
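Review bot: The new `definition` joins `azure_subscription AS sub` but never reads a column from it, and unlike every other web-app control in this commit the result has no `resource_group` or `subscription` column, so slot findings cannot be attributed to a subscription in the report. Adding `s.resource_group AS resource_group,` and `sub.display_name AS subscription` after `END AS reason` (with the trailing comma on that line) brings it in line with the siblings, assuming the slot table exposes `resource_group` as the web-app table does; if the omission is deliberate, the join should go instead. The unqualified `name` in the reason text resolves only while exactly one of the two tables has a `name` column; `s.name` removes that dependency.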
@@ -1,49 +1,50 @@
 id: azure_appservice_web_app_use_https
 title: Web Application should only be accessible over HTTPS
+type: control
 description: Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- app.id AS resource,
- app.platform_integration_id AS platform_integration_id,
- app.platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT https_only THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.'
- ELSE name || ' redirects all HTTP traffic to HTTPS.'
- END AS reason,
- app.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS app,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = app.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ app.id AS resource,
+ app.platform_integration_id AS platform_integration_id,
+ app.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT https_only THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.'
+ ELSE name || ' redirects all HTTP traffic to HTTPS.'
+ END AS reason,
+ app.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS app,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = app.subscription_id;
 severity: medium
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '9.2'
- cis_level:
- - '1'
- cis_section_id:
- - '9'
- cis_type:
- - automated
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/AppService
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "9.2"
+ cis_level:
+ - "1"
+ cis_section_id:
+ - "9"
+ cis_type:
+ - automated
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
diff --git a/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml
index 797b1e248..144ff02e0 100644
--- a/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml
+++ b/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml
@@ -1,35 +1,36 @@
 id: azure_appservice_web_app_use_virtual_service_endpoint
 title: App Service apps should use a virtual network service endpoint
+type: control
 description: Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN vnet_connection -> 'properties' -> 'vnetResourceId' IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN vnet_connection -> 'properties' -> 'vnetResourceId' IS NOT NULL THEN a.name || ' configured with virtual network service endpoint.'
- ELSE a.name || ' not configured with virtual network service endpoint.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN vnet_connection -> 'properties' -> 'vnetResourceId' IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN vnet_connection -> 'properties' -> 'vnetResourceId' IS NOT NULL THEN a.name || ' configured with virtual network service endpoint.'
+ ELSE a.name || ' not configured with virtual network service endpoint.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- service:
- - Azure/AppService
+ hipaa_hitrust_v92:
+ - "true"
+ service:
+ - Azure/AppService
diff --git a/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml
index ebb013fd4..687f6bd74 100644
--- a/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml
+++ b/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml
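Review bot: `vnet_connection -> 'properties' -> 'vnetResourceId' IS NOT NULL` ends on the `->` operator, which yields a jsonb value; a JSON `null` stored under `vnetResourceId` is a non-NULL jsonb and satisfies `IS NOT NULL`, so an app whose connection was removed but whose key was left behind would be reported `ok`. Switching the last step to the text operator, `vnet_connection -> 'properties' ->> 'vnetResourceId' IS NOT NULL`, in both CASE expressions maps JSON null to SQL NULL and fails closed. Whether the collector ever emits an explicit null there is not visible from this diff, but the text form costs nothing and matches how the other controls in this commit read JSON properties.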
@@ -1,59 +1,60 @@
 id: azure_appservice_web_app_uses_managed_identity
 title: App Service apps should use managed identity
+type: control
 description: Use a managed identity for enhanced authentication security.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- WITH all_web_app AS (
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ WITH all_web_app AS (
+ SELECT
+ id
+ FROM
+ azure_app_service_web_app
+ WHERE
+ EXISTS (
 SELECT
- id
 FROM
- azure_app_service_web_app
+ UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem
 WHERE
- EXISTS (
- SELECT
- FROM
- UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem
- WHERE
- elem LIKE 'app%'
- )
+ elem LIKE 'app%'
 )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.id IS NULL THEN 'skip'
- WHEN
- configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL
- OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.'
- WHEN
- configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL
- OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL
- THEN a.name || ' uses managed identity.'
- ELSE a.name || ' not uses managed identity'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS a
- LEFT JOIN all_web_app AS b ON a.id = b.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.id IS NULL THEN 'skip'
+ WHEN
+ configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL
+ OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.'
+ WHEN
+ configuration -> 'properties' ->> 'xManagedServiceIdentityId' IS NOT NULL
+ OR configuration -> 'properties' ->> 'managedServiceIdentityId' IS NOT NULL
+ THEN a.name || ' uses managed identity.'
+ ELSE a.name || ' not uses managed identity'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS a
+ LEFT JOIN all_web_app AS b ON a.id = b.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/AppService
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/AppService
diff --git a/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml
index 31c76107b..11415dd94 100644
--- a/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml
+++ b/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml
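Review bot: The alarm reason carried over to the new side, `ELSE a.name || ' not uses managed identity'`, is ungrammatical and is the only reason string in this file without a trailing period; `ELSE a.name || ' does not use a managed identity.'` matches the other branches. The reason column also switches between `a.title` in the skip branch and `a.name` in the ok/alarm branches, so rows for the same control name the resource two different ways; picking one keeps reports consistent. Separately, this control detects a managed identity through `configuration -> 'properties' ->> 'xManagedServiceIdentityId'` / `'managedServiceIdentityId'`, while azure_appservice_web_app_register_with_active_directory_enabled in the same commit tests the `identity` column against `'{}'`; if both are meant to observe the same setting, a one-line comment in each `definition` naming why the signals differ would save the next reader a trip to the API docs.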
@@ -1,51 +1,52 @@
 id: azure_arc_compute_machine_linux_log_analytics_agent_installed
 title: Log Analytics extension should be installed on your Linux Azure Arc machines
+type: control
 description: This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_hybrid_compute_machine
- definition: |
- WITH compute_machine AS (
- SELECT
- id,
- name,
- subscription_id,
- resource_group
- FROM
- azure_hybrid_compute_machine,
- jsonb_array_elements(extensions) AS e
- WHERE
- e ->> 'name' = 'OMSAgentForLinux'
- AND e ->> 'provisioningState' = 'Succeeded'
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_name <> 'linux' THEN 'skip'
- WHEN m.id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_name <> 'linux' THEN a.name || ' is of ' || a.os_name || ' operating system.'
- WHEN m.id IS NOT NULL THEN a.name || ' log analytics extension installed.'
- ELSE a.name || ' log analytics extension not installed.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_hybrid_compute_machine AS a
- LEFT JOIN compute_machine AS m ON m.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id
+ language: sql
+ primary_resource: azure_hybrid_compute_machine
+ definition: |
+ WITH compute_machine AS (
+ SELECT
+ id,
+ name,
+ subscription_id,
+ resource_group
+ FROM
+ azure_hybrid_compute_machine,
+ jsonb_array_elements(extensions) AS e
+ WHERE
+ e ->> 'name' = 'OMSAgentForLinux'
+ AND e ->> 'provisioningState' = 'Succeeded'
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_name <> 'linux' THEN 'skip'
+ WHEN m.id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_name <> 'linux' THEN a.name || ' is of ' || a.os_name || ' operating system.'
+ WHEN m.id IS NOT NULL THEN a.name || ' log analytics extension installed.'
+ ELSE a.name || ' log analytics extension not installed.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_hybrid_compute_machine AS a
+ LEFT JOIN compute_machine AS m ON m.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id
 severity: medium
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml
index 4345013bc..f1009df4c 100644
--- a/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml
+++ b/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml
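Review bot: The `compute_machine` CTE on the new side returns one row per matching element of `extensions`, so if a machine's array can ever hold two succeeded `OMSAgentForLinux` entries, `LEFT JOIN compute_machine AS m ON m.id = a.id` emits that machine twice and inflates the finding count. `SELECT DISTINCT id` in the CTE, or an `EXISTS (...)` subquery inside the CASE, keeps it to one row per machine, and the `name`, `subscription_id` and `resource_group` columns the CTE selects are never read and can be dropped. The `WHEN a.os_name <> 'linux' THEN 'skip'` test is case-sensitive; if the collector can report the name with different casing, those machines would fall through to the extension check instead of being skipped — worth a comment if that has been confirmed. The final `sub.subscription_id = a.subscription_id` also lacks the terminating `;` every other `definition` in this commit ends with. All of this applies equally to the Windows twin, azure_arc_compute_machine_windows_log_analytics_agent_installed, in the next hunk.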
@@ -1,52 +1,53 @@
 id: azure_arc_compute_machine_windows_log_analytics_agent_installed
 title: Log Analytics extension should be installed on your Windows Azure Arc machines
+type: control
 description: This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_hybrid_compute_machine
- definition: |
- WITH compute_machine AS (
- SELECT
- id,
- name,
- subscription_id,
- resource_group
- FROM
- azure_hybrid_compute_machine,
- jsonb_array_elements(extensions) AS e
- WHERE
- e ->> 'name' = 'MicrosoftMonitoringAgent'
- AND e ->> 'provisioningState' = 'Succeeded'
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_name <> 'windows' THEN 'skip'
- WHEN m.id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_name <> 'windows' THEN a.name || ' is of ' || a.os_name || ' operating system.'
- WHEN m.id IS NOT NULL THEN a.name || ' log analytics extension installed.'
- ELSE a.name || ' log analytics extension not installed.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_hybrid_compute_machine AS a
- LEFT JOIN
- compute_machine AS m ON m.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id
+ language: sql
+ primary_resource: azure_hybrid_compute_machine
+ definition: |
+ WITH compute_machine AS (
+ SELECT
+ id,
+ name,
+ subscription_id,
+ resource_group
+ FROM
+ azure_hybrid_compute_machine,
+ jsonb_array_elements(extensions) AS e
+ WHERE
+ e ->> 'name' = 'MicrosoftMonitoringAgent'
+ AND e ->> 'provisioningState' = 'Succeeded'
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_name <> 'windows' THEN 'skip'
+ WHEN m.id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_name <> 'windows' THEN a.name || ' is of ' || a.os_name || ' operating system.'
+ WHEN m.id IS NOT NULL THEN a.name || ' log analytics extension installed.'
+ ELSE a.name || ' log analytics extension not installed.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_hybrid_compute_machine AS a
+ LEFT JOIN
+ compute_machine AS m ON m.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id
 severity: medium
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml b/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml
index 36be056d1..992e0e887 100644
--- a/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml
+++ b/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml
@@ -1,23 +1,24 @@
 id: azure_arc_kubernetes_cluster_azure_defender_extension_installed
 title: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
+type: control
 description: Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_audit_diagnostic_setting.yaml b/compliance/controls/azure/azure_audit_diagnostic_setting.yaml
index fbbd35e8d..db344cab2 100644
--- a/compliance/controls/azure/azure_audit_diagnostic_setting.yaml
+++ b/compliance/controls/azure/azure_audit_diagnostic_setting.yaml
@@ -1,23 +1,24 @@
 id: azure_audit_diagnostic_setting
 title: Audit diagnostic setting for selected resource types
+type: control
 description: Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml b/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml
index d9cf192e4..b0e252d72 100644
--- a/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml
+++ b/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml
@@ -1,23 +1,24 @@
 id: azure_authorize_access_to_security_functions_and_information
 title: Authorize access to security functions and information
+type: control
 description: CMA_0022 - Authorize access to security functions and information.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml
index c74804a5d..60e2d566f 100644
--- a/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml
@@ -1,23 +1,24 @@
 id: azure_automation_account_encrypted_with_cmk
 title: Azure Automation accounts should use customer-managed keys to encrypt data at rest
+type: control
 description: Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml b/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml
index a02289bbd..637509d7b 100644
--- a/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml
@@ -1,33 +1,34 @@
 id: azure_automation_account_variable_encryption_enabled
 title: Automation account variables should be encrypted
+type: control
 description: It is important to enable encryption of Automation account variable assets when storing sensitive data
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_automation_variable
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN is_encrypted THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN is_encrypted THEN a.title || ' encryption enabled.'
- ELSE a.title || ' encryption disabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_automation_variable AS a,
- azure_subscription AS sub;
+ language: sql
+ primary_resource: azure_automation_variable
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN is_encrypted THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN is_encrypted THEN a.title || ' encryption enabled.'
+ ELSE a.title || ' encryption disabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_automation_variable AS a,
+ azure_subscription AS sub;
 severity: high
 tags:
- pci_dss_v321:
- - 'true'
- service:
- - Azure/Automation
+ pci_dss_v321:
+ - "true"
+ service:
+ - Azure/Automation
diff --git a/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml
index 92a1b1049..5cb64d77a 100644
--- a/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml
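Review bot: The new `definition` ends with `FROM azure_automation_variable AS a, azure_subscription AS sub;` and no `WHERE`, which is a cross join: every variable is paired with every subscription in the inventory, so each finding is repeated once per subscription and carries an arbitrary `subscription` display name. Every other control in this commit constrains the pair with `WHERE sub.subscription_id = <alias>.subscription_id`; adding `WHERE sub.subscription_id = a.subscription_id;` restores that, assuming `azure_automation_variable` exposes `subscription_id` as the other resource tables do. Because `is_encrypted` comes only from `a`, the status and reason are identical on every duplicate, so the bug surfaces as inflated counts and mis-attributed subscriptions rather than conflicting verdicts.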
@@ -1,35 +1,36 @@ id: azure_batch_account_encrypted_with_cmk title: Azure Batch account should use customer-managed keys to encrypt data +type: control description: Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_batch_account - definition: | - SELECT - batch.id AS resource, - batch.platform_integration_id AS platform_integration_id, - batch.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN batch.name || ' encrypted with CMK.' - ELSE batch.name || ' not encrypted with CMK.' - END AS reason, - batch.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_batch_account AS batch, - azure_subscription AS sub - WHERE - sub.subscription_id = batch.subscription_id; + language: sql + primary_resource: azure_batch_account + definition: | + SELECT + batch.id AS resource, + batch.platform_integration_id AS platform_integration_id, + batch.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN batch.name || ' encrypted with CMK.' + ELSE batch.name || ' not encrypted with CMK.' 
+ END AS reason, + batch.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_batch_account AS batch, + azure_subscription AS sub + WHERE + sub.subscription_id = batch.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Batch + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Batch diff --git a/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml b/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml index 1a1c07386..f16c006d6 100644 --- a/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml +++ b/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml 
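Review bot: The join between `azure_batch_account AS batch` and `azure_subscription AS sub` is a comma join with the predicate pushed into `WHERE`; an explicit `INNER JOIN azure_subscription AS sub ON sub.subscription_id = batch.subscription_id` keeps the join condition with the join and matches the `LEFT JOIN ... ON` form the batch logging control in this diff already uses. The same comma-join shape appears in the identity-provider and logging hunks for the same table. Behaviour is identical either way, so this is a readability point only.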
@@ -1,29 +1,30 @@ id: azure_batch_account_identity_provider_enabled title: Batch accounts identity provider should be enabled +type: control description: Ensure that managed identity provider is enabled for the batch account. This control is non-compliant if batch account identity provider is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_batch_account - definition: | - SELECT - b.id AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN identity ->> 'type' = 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity ->> 'type' = 'None' THEN b.name || ' identity provider disabled.' - ELSE b.name || ' identity provider enabled.' - END AS reason - FROM - azure_batch_account AS b, - azure_subscription AS sub - WHERE - sub.subscription_id = b.subscription_id; + language: sql + primary_resource: azure_batch_account + definition: | + SELECT + b.id AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN identity ->> 'type' = 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity ->> 'type' = 'None' THEN b.name || ' identity provider disabled.' + ELSE b.name || ' identity provider enabled.' + END AS reason + FROM + azure_batch_account AS b, + azure_subscription AS sub + WHERE + sub.subscription_id = b.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_batch_account_logging_enabled.yaml b/compliance/controls/azure/azure_batch_account_logging_enabled.yaml index f47183691..e78da3857 100644 --- a/compliance/controls/azure/azure_batch_account_logging_enabled.yaml +++ b/compliance/controls/azure/azure_batch_account_logging_enabled.yaml 
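Review bot: `WHEN identity ->> 'type' = 'None' THEN 'alarm' ELSE 'ok'` reports `ok` when `identity` is NULL or lacks a `type` key, because the comparison evaluates to UNKNOWN and the CASE falls through to ELSE, so a batch account with no identity block at all is reported as having its identity provider enabled. Failing closed needs `WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN 'alarm'` in both the status and the reason CASE (or `COALESCE(identity ->> 'type', 'None') = 'None'`). Whether the inventory stores an absent identity as NULL or as an explicit `None` type is not visible here, so this is worth confirming against real rows. Unlike the CMK hunk for the same table, this query also omits the `resource_group` and `subscription` output columns.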
@@ -1,65 +1,66 @@ id: azure_batch_account_logging_enabled title: Resource logs in Batch accounts should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_batch_account - definition: | - WITH logging_details AS ( - SELECT - DISTINCT name AS account_name - FROM - azure_batch_account, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_batch_account + definition: | + WITH logging_details AS ( + SELECT + DISTINCT name AS account_name + FROM + azure_batch_account, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::boolean + AND (log -> 'retentionPolicy' ->> 'enabled')::boolean + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::boolean AND ( - ( - (log ->> 'enabled')::boolean - AND (log -> 'retentionPolicy' ->> 'enabled')::boolean - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::boolean - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.account_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.account_name IS NULL THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_batch_account AS v - LEFT JOIN logging_details AS l ON v.name = l.account_name, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.account_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.account_name IS NULL THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_batch_account AS v + LEFT JOIN logging_details AS l ON v.name = l.account_name, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Batch + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Batch 
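Review bot: The CTE is joined back with `LEFT JOIN logging_details AS l ON v.name = l.account_name`, i.e. by name rather than by `id`, so two batch accounts sharing a name in different subscriptions or regions (the CTE scans the whole `azure_batch_account` table) would mark each other as logged; selecting `DISTINCT id AS account_id` in the CTE and joining `ON v.id = l.account_id` removes that ambiguity. Separately, in the second OR branch `log -> 'retentionPolicy' ->> 'enabled' <> 'true' OR setting -> 'properties' ->> 'storageAccountId' = ''` both operands are NULL when a setting carries neither key (for example a workspace-only destination), so an enabled log category evaluates to UNKNOWN and the account is reported as `logging not enabled`; whether the collector always materialises those keys is not visible here. Also, `ok` means at least one category is enabled rather than all of them, which the reason text `logging enabled.` could say explicitly.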
diff --git a/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml index f584b7e3d..db83c25ca 100644 --- a/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml 
@@ -1,23 +1,24 @@ id: azure_bot_service_encrypted_with_cmk title: Bot Service should be encrypted with a customer-managed key -description: 'Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption.' +type: control +description: "Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v130_1_1.yaml b/compliance/controls/azure/azure_cis_v130_1_1.yaml index 8cf041f5b..8b015961a 100644 --- a/compliance/controls/azure/azure_cis_v130_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_1.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_1 title: 1.1 Ensure that multi-factor authentication is enabled for all privileged users +type: control description: Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like 'Service Co-Administrators', 'Subscription Owners', 'Contributors'. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_10.yaml b/compliance/controls/azure/azure_cis_v130_1_10.yaml index cddb6134e..0a4a455b1 100644 --- a/compliance/controls/azure/azure_cis_v130_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_10.yaml 
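Review bot: The `active_directory` manual-verification query in this hunk emits only `resource`, `status` and `reason`, whereas every other control in this diff, including the other manual-verification controls such as `azure_automation_account_encrypted_with_cmk`, also returns `platform_integration_id` and `platform_resource_id`. If the engine relies on those columns to attribute a finding to an integration, these controls will either fail to load or produce unattributed rows; if they are optional, a comment above the definition stating that the columns are deliberately omitted for tenant-level checks would stop the next reader from "fixing" it. The same shape is repeated in the hunks for azure_cis_v130_1_10 through 1_20, 1_22, 1_23, 1_2 and 1_4 through 1_8, so whatever is decided here applies to all of them.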
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_10 title: 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_11.yaml b/compliance/controls/azure/azure_cis_v130_1_11.yaml index 36acff3b1..294acec0a 100644 --- a/compliance/controls/azure/azure_cis_v130_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_11.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_11 title: 1.11 Ensure that 'Users can register applications' is set to 'No' +type: control description: Require administrators to register third-party applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_12.yaml b/compliance/controls/azure/azure_cis_v130_1_12.yaml index bef102532..b2cdaa6c6 100644 --- a/compliance/controls/azure/azure_cis_v130_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_12.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_12 title: 1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes' +type: control description: Limit guest user permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_13.yaml b/compliance/controls/azure/azure_cis_v130_1_13.yaml index e8aee7a4f..50c4dcbb6 100644 --- a/compliance/controls/azure/azure_cis_v130_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_13.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_13 title: 1.13 Ensure that 'Members can invite' is set to 'No' +type: control description: Restrict invitations to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_14.yaml b/compliance/controls/azure/azure_cis_v130_1_14.yaml index 208acdb72..d7704b243 100644 --- a/compliance/controls/azure/azure_cis_v130_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_14.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_14 title: 1.14 Ensure that 'Guests can invite' is set to 'No' +type: control description: Restrict guest being able to invite other guests to collaborate with your organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_15.yaml b/compliance/controls/azure/azure_cis_v130_1_15.yaml index 86f7dd4db..5b1bb8f43 100644 --- a/compliance/controls/azure/azure_cis_v130_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_15.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_15 title: 1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' +type: control description: Restrict access to the Azure AD administration portal to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_16.yaml b/compliance/controls/azure/azure_cis_v130_1_16.yaml index 9abe62173..8b6efd6da 100644 --- a/compliance/controls/azure/azure_cis_v130_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_16.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_16 title: 1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No' +type: control description: Restrict group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_17.yaml b/compliance/controls/azure/azure_cis_v130_1_17.yaml index 62bcec33b..01f82485b 100644 --- a/compliance/controls/azure/azure_cis_v130_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_17.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_17 title: 1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No' +type: control description: Restrict security group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_18.yaml b/compliance/controls/azure/azure_cis_v130_1_18.yaml index 5d4557333..6c5f6e18a 100644 --- a/compliance/controls/azure/azure_cis_v130_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_18.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_18 title: 1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' +type: control description: Restrict security group management to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_19.yaml b/compliance/controls/azure/azure_cis_v130_1_19.yaml index 8dbf69cb0..93aec558f 100644 --- a/compliance/controls/azure/azure_cis_v130_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_19.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_19 title: 1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No' +type: control description: Restrict Microsoft 365 group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_2.yaml b/compliance/controls/azure/azure_cis_v130_1_2.yaml index 8efc086c0..7804fbaa2 100644 --- a/compliance/controls/azure/azure_cis_v130_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_2.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_2 title: 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users +type: control description: Enable multi-factor authentication for all non-privileged users. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_20.yaml b/compliance/controls/azure/azure_cis_v130_1_20.yaml index c7a03af36..e54aab42a 100644 --- a/compliance/controls/azure/azure_cis_v130_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_20.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_20 title: 1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' +type: control description: Joining devices to the active directory should require Multi-factor authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_21.yaml b/compliance/controls/azure/azure_cis_v130_1_21.yaml index e22a89e12..49e3a7bea 100644 --- a/compliance/controls/azure/azure_cis_v130_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_21.yaml 
@@ -1,54 +1,55 @@ id: azure_cis_v130_1_21 title: 1.21 Ensure that no custom subscription owner roles are created +type: control description: Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_role_definition - definition: | - WITH owner_custom_roles AS ( - SELECT - role_name, - role_type, - title, - platform_integration_id, - platform_resource_id, - action, - _ctx, - subscription_id - FROM - azure_role_definition, - jsonb_array_elements(permissions) AS s, - jsonb_array_elements_text(s -> 'actions') AS action - WHERE - role_type = 'CustomRole' - AND action IN ('*', '*:*') - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' - WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' - ELSE 'There are no custom owner roles.' 
- END AS reason - FROM - owner_custom_roles cr, - azure_subscription sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr.platform_integration_id, - cr.platform_resource_id, - cr._ctx, - sub.display_name; + language: sql + primary_resource: azure_role_definition + definition: | + WITH owner_custom_roles AS ( + SELECT + role_name, + role_type, + title, + platform_integration_id, + platform_resource_id, + action, + _ctx, + subscription_id + FROM + azure_role_definition, + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action + WHERE + role_type = 'CustomRole' + AND action IN ('*', '*:*') + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' + WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' + ELSE 'There are no custom owner roles.' + END AS reason + FROM + owner_custom_roles cr, + azure_subscription sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr.platform_integration_id, + cr.platform_resource_id, + cr._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_1_22.yaml b/compliance/controls/azure/azure_cis_v130_1_22.yaml index 9ef79c0a7..4b62e8569 100644 --- a/compliance/controls/azure/azure_cis_v130_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_22.yaml 
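Review bot: The final SELECT drives from `owner_custom_roles cr` inner-joined to `azure_subscription sub`, so a subscription with no custom owner role produces no group at all and the `ELSE 'ok'` / `'There are no custom owner roles.'` branches are unreachable: compliant subscriptions silently vanish from the results instead of being reported `ok`. The fix is to drive from `azure_subscription`, LEFT JOIN the CTE and count the joined rows, as below. Grouping on `cr.platform_resource_id` and `cr._ctx` also looks like it would split one subscription into one group per role definition (the sibling controls use `platform_resource_id` per resource row), so the "There are N custom owner roles" count presumably counts matching action entries rather than roles per subscription; counting `DISTINCT cr.role_name` per subscription matches what the title describes. With this change `primary_resource` would become `azure_subscription`.
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(DISTINCT cr.role_name) > 1 THEN 'There are ' || COUNT(DISTINCT cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id;
```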
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_22 title: 1.22 Ensure Security Defaults is enabled on Azure Active Directory +type: control description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_23.yaml b/compliance/controls/azure/azure_cis_v130_1_23.yaml index e9a6f168e..9ebc76704 100644 --- a/compliance/controls/azure/azure_cis_v130_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_23.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_23 title: 1.23 Ensure Custom Role is assigned for Administering Resource Locks +type: control description: Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v130_1_3.yaml b/compliance/controls/azure/azure_cis_v130_1_3.yaml index fe0d34e1b..7f7d7db00 100644 --- a/compliance/controls/azure/azure_cis_v130_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_3.yaml 
@@ -1,39 +1,40 @@ id: azure_cis_v130_1_3 title: 1.3 Ensure guest users are reviewed on a monthly basis +type: control description: Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::TIMESTAMP <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::TIMESTAMP) || ' days ago.' - END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::TIMESTAMP <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' 
+ ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::TIMESTAMP) || ' days ago.' + END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_1_4.yaml b/compliance/controls/azure/azure_cis_v130_1_4.yaml index 05bfa2696..ed4bf7685 100644 --- a/compliance/controls/azure/azure_cis_v130_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_4 title: 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' +type: control description: Do not allow users to remember multi-factor authentication on devices. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_5.yaml b/compliance/controls/azure/azure_cis_v130_1_5.yaml index 135c56379..1f7b3f42e 100644 --- a/compliance/controls/azure/azure_cis_v130_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_5.yaml 
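Review bot: `distinct_tenant` selects `DISTINCT tenant_id, subscription_id, _ctx`, which yields one row per subscription within a tenant rather than one per tenant, so `LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id` duplicates every guest user once per subscription (assuming `azure_tenant` has one row per subscription, as the selected `subscription_id` column suggests). Only `t.tenant_id` is used downstream, so the CTE can be reduced to `SELECT DISTINCT tenant_id FROM azure_tenant`. Also, `u.created_date_time::TIMESTAMP <= (CURRENT_DATE - INTERVAL '30' DAY)` alarms every guest older than 30 days regardless of whether a review took place; a comment above the CASE stating that the control intentionally flags all guests older than 30 days as due for review would make that design explicit.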
@@ -1,18 +1,19 @@ id: azure_cis_v130_1_5 title: 1.5 Ensure that 'Number of methods required to reset' is set to '2' +type: control description: Ensure that two alternate forms of identification are provided before allowing a password reset. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_6.yaml b/compliance/controls/azure/azure_cis_v130_1_6.yaml index 38375b87a..bb8c73bd5 100644 --- a/compliance/controls/azure/azure_cis_v130_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_6.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_6 title: 1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to 0 +type: control description: Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_7.yaml b/compliance/controls/azure/azure_cis_v130_1_7.yaml index 875f38026..d7a3a7eaf 100644 
--- a/compliance/controls/azure/azure_cis_v130_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_7.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_7 title: 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' +type: control description: Ensure that users are notified on their primary and secondary emails on password resets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_1_8.yaml b/compliance/controls/azure/azure_cis_v130_1_8.yaml index 0994e5ee7..edd10ee83 100644 --- a/compliance/controls/azure/azure_cis_v130_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_8.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_8 title: 1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' +type: control description: Ensure that all administrators are notified if any other administrator resets their password. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v130_1_9.yaml b/compliance/controls/azure/azure_cis_v130_1_9.yaml index f7165330b..e087f6213 100644 --- a/compliance/controls/azure/azure_cis_v130_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_1_9.yaml @@ -1,18 +1,19 @@ id: azure_cis_v130_1_9 title: 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_2_1.yaml b/compliance/controls/azure/azure_cis_v130_2_1.yaml index e372122c4..63d78783b 100644 --- a/compliance/controls/azure/azure_cis_v130_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_2_1 title: 2.1 Ensure that Azure Defender is set to On for Servers +type: control description: Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' - ELSE 'Azure Defender off for Servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'VirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' + ELSE 'Azure Defender off for Servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'VirtualMachines'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_10.yaml b/compliance/controls/azure/azure_cis_v130_2_10.yaml index 1c4e3e9d8..09b19c85d 100644 --- a/compliance/controls/azure/azure_cis_v130_2_10.yaml 
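Review bot: The `WHERE name = 'VirtualMachines'` predicate defeats the `RIGHT JOIN azure_subscription`: `name` comes from `sub_pricing`, so a subscription with no pricing row for this plan has `name IS NULL`, fails the WHERE and disappears from the result instead of being reported as 'alarm', which is the one case this control exists to catch. Move the filter into the join and fall back to the subscription for the identifiers: `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'VirtualMachines'` with `COALESCE(sub_pricing.id, sub.id) AS resource`, and keep `pricing_tier = 'Standard'` in the CASE so the NULL case lands in 'alarm'. If `azure_subscription` also exposes a `name` column the unqualified reference is ambiguous as well, so qualify it as `sub_pricing.name`. The same RIGHT JOIN plus left-side WHERE pattern is repeated in controls 2.2 through 2.8 and in 2.9/2.10 below.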
+++ b/compliance/controls/azure/azure_cis_v130_2_10.yaml @@ -1,30 +1,31 @@ id: azure_cis_v130_2_10 title: 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected +type: control description: This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' - ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'MCAS'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' + ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'MCAS'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_11.yaml b/compliance/controls/azure/azure_cis_v130_2_11.yaml index f66e29bd7..dc4d1346d 100644 --- a/compliance/controls/azure/azure_cis_v130_2_11.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_11.yaml 
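Review bot: The reason strings are swapped with control 2.9: this definition filters `name = 'MCAS'` but reports `'Windows Defender ATP (WDATP) integrated with Security Center.'` / `'... not integrated ...'`, so the finding text names the wrong integration. Change them to `'Microsoft Cloud App Security (MCAS) integrated with Security Center.'` and `'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'`. As in the Defender pricing controls, the `WHERE name = 'MCAS'` on the left table after the `RIGHT JOIN` removes subscriptions that have no MCAS setting row instead of alarming on them; moving the predicate into the `ON` clause keeps those rows and `WHEN enabled THEN 'ok' ELSE 'alarm'` already handles the resulting NULL.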
@@ -1,30 +1,31 @@ id: azure_cis_v130_2_11 title: 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On' +type: control description: Enable automatic provisioning of the monitoring agent to collect security data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN - azure_subscription sub - ON - sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' + END AS reason + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN + azure_subscription sub + ON + sc_prov.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_12.yaml b/compliance/controls/azure/azure_cis_v130_2_12.yaml index 7631c041b..38416d50a 100644 --- a/compliance/controls/azure/azure_cis_v130_2_12.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_12.yaml 
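Review bot: For a subscription with no `azure_security_center_auto_provisioning` row the `RIGHT JOIN` correctly yields an 'alarm', but `resource`, `platform_integration_id` and `platform_resource_id` are all taken from `sc_prov` and are therefore NULL on exactly that row, so the finding cannot be attributed to a subscription. Use `COALESCE(sc_prov.id, sub.id) AS resource` and the corresponding `COALESCE(sc_prov.platform_integration_id, sub.platform_integration_id)` / `COALESCE(sc_prov.platform_resource_id, sub.platform_resource_id)` fallbacks. Stylistically, a `LEFT JOIN` from `azure_subscription` reads more naturally than a `RIGHT JOIN` into it, and makes the "all subscriptions, settings optional" intent explicit.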
@@ -1,50 +1,51 @@ id: azure_cis_v130_2_12 title: 2.12 Ensure any of the ASC Default policy setting is not set to Disabled +type: control description: None of the settings offered by ASC Default policy should be set to effect Disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH policy_assignment_parameters AS ( - SELECT - id, - name, - key, - parameters -> key ->> 'value' AS value, - subscription_id - FROM - azure_policy_assignment, - jsonb_object_keys(parameters) AS key - WHERE - name = 'SecurityCenterBuiltIn' - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' - ELSE 'Settings enabled for all the parameters.' 
- END AS reason - FROM - policy_assignment_parameters pol_assignment - RIGHT JOIN azure_subscription sub - ON pol_assignment.subscription_id = sub.subscription_id - GROUP BY - sub.id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - pol_assignment.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH policy_assignment_parameters AS ( + SELECT + id, + name, + key, + parameters -> key ->> 'value' AS value, + subscription_id + FROM + azure_policy_assignment, + jsonb_object_keys(parameters) AS key + WHERE + name = 'SecurityCenterBuiltIn' + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' + ELSE 'Settings enabled for all the parameters.' + END AS reason + FROM + policy_assignment_parameters pol_assignment + RIGHT JOIN azure_subscription sub + ON pol_assignment.subscription_id = sub.subscription_id + GROUP BY + sub.id, + pol_assignment.id, + sub._ctx, + sub.subscription_id, + pol_assignment.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_13.yaml b/compliance/controls/azure/azure_cis_v130_2_13.yaml index 88a1bcbfa..12e4858a7 100644 --- a/compliance/controls/azure/azure_cis_v130_2_13.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_13.yaml 
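Review bot: `COUNT(value = 'Disabled') > 0` in the status CASE counts every non-NULL boolean, false as well as true, so any `SecurityCenterBuiltIn` assignment that has at least one parameter is reported as 'alarm' even when nothing is set to Disabled. Use the filtered aggregate the reason branch already uses: `WHEN COUNT(*) FILTER (WHERE value = 'Disabled') > 0 THEN 'alarm'`. Note that a subscription with no matching assignment at all has `value` NULL, so the count is 0 and it is reported as `'Settings enabled for all the parameters.'`; if a missing assignment should be a finding, test `COUNT(pol_assignment.id) = 0` as a separate branch.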
@@ -1,41 +1,42 @@ id: azure_cis_v130_2_13 title: 2.13 Ensure 'Additional email addresses' is configured with a security contact email +type: control description: Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'ok' - WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'ok' + WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_14.yaml b/compliance/controls/azure/azure_cis_v130_2_14.yaml index bb028ce66..0bdbe82da 100644 --- a/compliance/controls/azure/azure_cis_v130_2_14.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_14.yaml 
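Review bot: The `LIMIT 1` at the end of the `contact_info` CTE keeps the aggregate row of one arbitrary subscription, so in an integration with several subscriptions every other subscription joins to NULL and is reported as `'Additional email addresses not configured.'` regardless of its real contacts. Drop the `LIMIT 1`; the `GROUP BY subscription_id` already yields one row per subscription. The status and reason branches also test different expressions for the same condition (`jsonb_array_length(default_email) != 0` versus `default_email IS NOT NULL`); they agree only because `jsonb_agg ... FILTER` returns NULL for zero rows, so use one form in both places.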
@@ -1,37 +1,38 @@ id: azure_cis_v130_2_14 title: 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' +type: control description: Enables emailing security alerts to the subscription owner or other designated security contact. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN notification_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' - ELSE '"Notify about alerts with the following severity" not set to High.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN notification_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' + ELSE '"Notify about alerts with the following severity" not set to High.' 
+ END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_15.yaml b/compliance/controls/azure/azure_cis_v130_2_15.yaml index 9f2a9eb7e..eddd435f7 100644 --- a/compliance/controls/azure/azure_cis_v130_2_15.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_15.yaml 
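Review bot: The same `LIMIT 1` as in 2.13 truncates the `contact_info` CTE to a single subscription, so all other subscriptions join to NULL and are reported as `'"Notify about alerts with the following severity" not set to High.'` regardless of configuration; remove it. The query also only tests `alert_notifications = 'On'` and never compares a severity, so a contact set to notify on Low or Medium passes with a reason that claims High. If `azure_security_center_contact` exposes the minimum severity it should be compared to 'High' here; otherwise the reason text should state what is actually verified.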
@@ -1,37 +1,38 @@ id: azure_cis_v130_2_15 title: 2.15 Ensure that 'All users with the following roles' is set to 'Owner' +type: control description: Enable security alert emails to subscription owners. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} 
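Review bot: The `LIMIT 1` on the `contact_info` CTE leaves only one subscription's aggregate, so every other subscription gets `admin_alert_count` NULL and is reported as `'"All users with the following roles" not set to Owner.'` even when `alerts_to_admins = 'On'`. Remove the `LIMIT 1`; `GROUP BY subscription_id` already produces one row per subscription. The 'ok' reason string is also missing its trailing period, unlike every other reason in these controls.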
diff --git a/compliance/controls/azure/azure_cis_v130_2_2.yaml b/compliance/controls/azure/azure_cis_v130_2_2.yaml index 1e209a3f5..b0f5deb19 100644 --- a/compliance/controls/azure/azure_cis_v130_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_2.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v130_2_2 title: 2.2 Ensure that Azure Defender is set to On for App Service +type: control description: Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_3.yaml b/compliance/controls/azure/azure_cis_v130_2_3.yaml index 27e39e174..ed7357641 100644 --- a/compliance/controls/azure/azure_cis_v130_2_3.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_2_3.yaml @@ -1,30 +1,31 @@ id: azure_cis_v130_2_3 title: 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers +type: control description: Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' - ELSE 'Azure Defender off for SQL database servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' + ELSE 'Azure Defender off for SQL database servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServers'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_2_4.yaml b/compliance/controls/azure/azure_cis_v130_2_4.yaml index 4aed7e716..00c3df4e1 100644 --- a/compliance/controls/azure/azure_cis_v130_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_4.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v130_2_4 title: 2.4 Ensure that Azure Defender is set to On for SQL servers on machines +type: control description: Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' - ELSE 'Azure Defender off for SQL servers on machines.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServerVirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' + ELSE 'Azure Defender off for SQL servers on machines.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServerVirtualMachines'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_2_5.yaml b/compliance/controls/azure/azure_cis_v130_2_5.yaml index d507a062e..c554dfa2a 100644 --- a/compliance/controls/azure/azure_cis_v130_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_5.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v130_2_5 title: 2.5 Ensure that Azure Defender is set to On for Storage +type: control description: Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' - ELSE 'Azure Defender off for Storage.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'StorageAccounts'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' + ELSE 'Azure Defender off for Storage.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'StorageAccounts'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_6.yaml b/compliance/controls/azure/azure_cis_v130_2_6.yaml index 81f62088d..b69e20b18 100644 --- a/compliance/controls/azure/azure_cis_v130_2_6.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_2_6.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_2_6 title: 2.6 Ensure that Azure Defender is set to On for Kubernetes +type: control description: Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' - ELSE 'Azure Defender off for Kubernetes.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KubernetesService'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' + ELSE 'Azure Defender off for Kubernetes.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KubernetesService'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_7.yaml b/compliance/controls/azure/azure_cis_v130_2_7.yaml index 0eefdadcb..3cd7ae501 100644 
--- a/compliance/controls/azure/azure_cis_v130_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_7.yaml @@ -1,30 +1,31 @@ id: azure_cis_v130_2_7 title: 2.7 Ensure that Azure Defender is set to On for Container Registries +type: control description: Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_2_8.yaml b/compliance/controls/azure/azure_cis_v130_2_8.yaml index 4d3d6ee94..4bb29dd03 100644 --- a/compliance/controls/azure/azure_cis_v130_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_2_8.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v130_2_8 title: 2.8 Ensure that Azure Defender is set to On for Key Vault +type: control description: Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' - ELSE 'Azure Defender off for Key Vaults.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KeyVaults'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' + ELSE 'Azure Defender off for Key Vaults.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KeyVaults'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_2_9.yaml b/compliance/controls/azure/azure_cis_v130_2_9.yaml index 6aa1a97b8..e933e2e7a 100644 --- a/compliance/controls/azure/azure_cis_v130_2_9.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_2_9.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_2_9 title: 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected +type: control description: This setting enables Windows Defender ATP (WDATP) integration with Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'WDATP'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_1.yaml b/compliance/controls/azure/azure_cis_v130_3_1.yaml index 96e4db5e6..64c015f7d 100644 --- a/compliance/controls/azure/azure_cis_v130_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_1.yaml 
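Review bot: The `reason` strings in the new `definition` describe Microsoft Cloud App Security (MCAS), but the query filters on `name = 'WDATP'` and the control title is about Windows Defender ATP integration, so a reader of the finding is told the wrong setting was checked. The two lines should read `WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.'` and `ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.'`. As in the 2.7 hunk, the `RIGHT JOIN` followed by `WHERE name = 'WDATP'` also drops subscriptions that have no such setting row instead of alarming on them.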
@@ -1,29 +1,30 @@ id: azure_cis_v130_3_1 title: 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' +type: control description: Enable data encryption in transit. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enable_https_traffic_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' - ELSE sa.name || ' encryption in transit enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enable_https_traffic_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' + ELSE sa.name || ' encryption in transit enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_10.yaml b/compliance/controls/azure/azure_cis_v130_3_10.yaml index 95d9bb920..7ac6a75f7 100644 --- a/compliance/controls/azure/azure_cis_v130_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_10.yaml 
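Review bot: The status `CASE` in the new `definition` fails open on NULL: `WHEN NOT enable_https_traffic_only THEN 'alarm' ELSE 'ok'` evaluates `NOT NULL` to NULL, which is not true, so a storage account whose flag was not collected is reported as `ok`. For a control whose purpose is to catch missing encryption in transit the safe orientation is the reverse, `WHEN enable_https_traffic_only THEN 'ok'` / `ELSE 'alarm'`, with the same swap in the `reason` branches. The 3.6, 3.7, 3.8, 3.9, 3.10, 4.3.1 and 4.3.2 hunks test a negative condition for `alarm` with `ELSE 'ok'` in the same way (in 3.10 a missing JSON key makes the `:: BOOLEAN` cast NULL, so an account with no logging data at all passes) and would benefit from the same inversion. The comma join with `azure_subscription` is an implicit inner join whose only effect is to drop accounts without a matching subscription row; an explicit `INNER JOIN ... ON` would make that intent visible.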
@@ -1,38 +1,39 @@ id: azure_cis_v130_3_10 title: 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests -description: 'The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.' +type: control +description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN name || ' blob service logging not enabled for ' || - CONCAT_WS(', ', - CASE WHEN NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN THEN 'write' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN THEN 'read' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN 'delete' END - ) || ' requests.' - ELSE name || ' blob service logging enabled for read, write, delete requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN name || ' blob service logging not enabled for ' || + CONCAT_WS(', ', + CASE WHEN NOT (sa.blob_service_logging ->> 'Write') :: BOOLEAN THEN 'write' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Read') :: BOOLEAN THEN 'read' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Delete') :: BOOLEAN THEN 'delete' END + ) || ' requests.' + ELSE name || ' blob service logging enabled for read, write, delete requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_11.yaml b/compliance/controls/azure/azure_cis_v130_3_11.yaml index b375b9718..17beae226 100644 --- a/compliance/controls/azure/azure_cis_v130_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_11.yaml 
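Review bot: The `reason` branches in the new `definition` use the unqualified `name || ' blob service logging ...'` while every other column is qualified as `sa.`; with `azure_subscription sub` in the same FROM list the reference is ambiguous if that table also exposes a `name` column (not visible here), and it is inconsistent with the `sa.name` used in the 3.3, 3.7, 3.8 and 3.9 hunks. Qualifying both occurrences as `sa.name || ...` removes the doubt. The same unqualified `name` appears in the 3.6 (`name || ' allows traffic ...'`), 4.3.1 (`name || ' SSL connection ...'`) and 4.3.5 (`name || ' server parameter ...'`) hunks.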
@@ -1,23 +1,24 @@ id: azure_cis_v130_3_11 title: 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests -description: 'The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information and the sizes of the request and response messages.' +type: control +description: "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information and the sizes of the request and response messages." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' 
AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_3_2.yaml b/compliance/controls/azure/azure_cis_v130_3_2.yaml index a6acff596..1d2b5c963 100644 --- a/compliance/controls/azure/azure_cis_v130_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_2.yaml @@ -1,23 +1,24 @@ id: azure_cis_v130_3_2 title: 3.2 Ensure that storage account access keys are periodically regenerated +type: control description: Regenerate storage account access keys periodically. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_3_3.yaml b/compliance/controls/azure/azure_cis_v130_3_3.yaml index 1e5ce5a65..cff28c8aa 100644 --- a/compliance/controls/azure/azure_cis_v130_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_3.yaml 
@@ -1,35 +1,36 @@ id: azure_cis_v130_3_3 title: 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests -description: 'The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.' +type: control +description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete - THEN sa.name || ' queue service logging enabled for read, write, delete requests.' - ELSE sa.name || ' queue service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT queue_logging_write THEN 'write' END, - CASE WHEN NOT queue_logging_read THEN 'read' END, - CASE WHEN NOT queue_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete + THEN sa.name || ' queue service logging enabled for read, write, delete requests.' + ELSE sa.name || ' queue service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT queue_logging_write THEN 'write' END, + CASE WHEN NOT queue_logging_read THEN 'read' END, + CASE WHEN NOT queue_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_3_4.yaml b/compliance/controls/azure/azure_cis_v130_3_4.yaml index a4fa82d03..1469e6c19 100644 --- a/compliance/controls/azure/azure_cis_v130_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_4.yaml @@ -1,21 +1,22 @@ id: azure_cis_v130_3_4 title: 3.4 Ensure that shared access signature tokens expire within an hour +type: control description: A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_3_6.yaml b/compliance/controls/azure/azure_cis_v130_3_6.yaml index 96fb3bb37..2b7a89e84 100644 --- a/compliance/controls/azure/azure_cis_v130_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_6.yaml 
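Review bot: The new `definition` selects only `id AS resource`, `status`, `reason` and `subscription`, omitting the `platform_integration_id` and `platform_resource_id` columns that the sibling manual-verification controls in the 3.11, 3.2 and 4.3.8 hunks return; if the evaluator expects those columns, findings for this control will lack their integration and resource identity. Adding `platform_integration_id AS platform_integration_id,` and `platform_resource_id AS platform_resource_id,` after the `id AS resource,` line brings it in line with the others.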
@@ -1,29 +1,30 @@ id: azure_cis_v130_3_6 title: 3.6 Ensure default network access rule for Storage Accounts is set to deny +type: control description: Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' - ELSE name || ' allows traffic from specific networks.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' + ELSE name || ' allows traffic from specific networks.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_7.yaml b/compliance/controls/azure/azure_cis_v130_3_7.yaml index 26ce8bb7f..9bb2b5614 100644 --- a/compliance/controls/azure/azure_cis_v130_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_7.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_3_7 title: 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access +type: control description: "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' - ELSE sa.name || ' trusted Microsoft services enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' 
+ ELSE sa.name || ' trusted Microsoft services enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_8.yaml b/compliance/controls/azure/azure_cis_v130_3_8.yaml index de9028dc7..fcbe87f58 100644 --- a/compliance/controls/azure/azure_cis_v130_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_3_8.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_3_8 title: 3.8 Ensure soft delete is enabled for Azure Storage +type: control description: The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT blob_soft_delete_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' - ELSE sa.name || ' blobs soft delete enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT blob_soft_delete_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' + ELSE sa.name || ' blobs soft delete enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_3_9.yaml b/compliance/controls/azure/azure_cis_v130_3_9.yaml index 5a6ef2480..c4f81239c 100644 --- a/compliance/controls/azure/azure_cis_v130_3_9.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_3_9.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_3_9 title: 3.9 Ensure storage for critical data are encrypted with Customer Managed Key +type: control description: Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' - ELSE sa.name || ' encrypted with CMK.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' + ELSE sa.name || ' encrypted with CMK.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_4_1_2.yaml b/compliance/controls/azure/azure_cis_v130_4_1_2.yaml index 655569e1c..1f0a8dfbd 100644 --- a/compliance/controls/azure/azure_cis_v130_4_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_1_2.yaml 
@@ -1,34 +1,35 @@ id: azure_cis_v130_4_1_2 title: 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database -description: '' +type: control +description: "" integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - SELECT - s.database_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' - THEN s.title || ' transparent data encryption enabled.' - ELSE s.title || ' transparent data encryption disabled.' - END AS reason - FROM - azure_sql_database AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id - AND s.name <> 'master'; + language: sql + primary_resource: azure_sql_database + definition: | + SELECT + s.database_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' + THEN s.title || ' transparent data encryption enabled.' + ELSE s.title || ' transparent data encryption disabled.' + END AS reason + FROM + azure_sql_database AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id + AND s.name <> 'master'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_4_3_1.yaml b/compliance/controls/azure/azure_cis_v130_4_3_1.yaml index d443f697e..24c5a67d6 100644 
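Review bot: `description: ""` leaves the new `type: control` entry without any documentation, while every other control in this chunk carries one; someone reading a finding cannot tell what the check asserts without opening the SQL. Based on what the query tests, a line such as `description: Checks that transparent data encryption is enabled on every Azure SQL database other than master; the control alarms when the TDE status or state is not 'Enabled'.` would fill the gap.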
--- a/compliance/controls/azure/azure_cis_v130_4_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_3_1.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_4_3_1 title: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server +type: control description: Enable SSL connection on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' - ELSE name || ' SSL connection enabled.' - END AS reason - FROM - azure_postgresql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' + ELSE name || ' SSL connection enabled.' + END AS reason + FROM + azure_postgresql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_4_3_2.yaml b/compliance/controls/azure/azure_cis_v130_4_3_2.yaml index e15ab85c3..5c2a96f4e 100644 --- a/compliance/controls/azure/azure_cis_v130_4_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_3_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_4_3_2 title: 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server +type: control description: Enable SSL connection on MYSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' - ELSE s.name || ' SSL connection enabled.' - END AS reason - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' + ELSE s.name || ' SSL connection enabled.' + END AS reason + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_4_3_5.yaml b/compliance/controls/azure/azure_cis_v130_4_3_5.yaml index 92f95c179..c5655cb6a 100644 --- a/compliance/controls/azure/azure_cis_v130_4_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_3_5.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v130_4_3_5 title: 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable log_disconnections on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN name || ' server parameter log_disconnections off.' - ELSE name || ' server parameter log_disconnections on.' - END AS reason - FROM - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'log_disconnections' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN name || ' server parameter log_disconnections off.' + ELSE name || ' server parameter log_disconnections on.' + END AS reason + FROM + azure_postgresql_server s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'log_disconnections' + AND sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_4_3_8.yaml b/compliance/controls/azure/azure_cis_v130_4_3_8.yaml index 26606b6d4..db4b547a3 100644 
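Review bot: The inner lateral `jsonb_array_elements(server_configurations) config` filtered by `config ->> 'Name' = 'log_disconnections'` produces no row for a server that has no such parameter entry, so that server is never reported at all instead of failing the control. Switching to `LEFT JOIN LATERAL ... ON config ->> 'Name' = 'log_disconnections'` keeps the server in the result; the status and reason tests then need `COALESCE(LOWER(...), '') != 'on'` so the NULL produced for a missing entry lands in 'alarm' rather than the ELSE branch. The rewritten query is below; the `sub.subscription_id = s.subscription_id` filter becomes an explicit INNER JOIN so the comma join and the LATERAL do not mix.
```sql
SELECT
  -- … unchanged: resource / platform_integration_id / platform_resource_id …
  CASE
    WHEN COALESCE(LOWER(config -> 'ConfigurationProperties' ->> 'value'), '') != 'on' THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COALESCE(LOWER(config -> 'ConfigurationProperties' ->> 'value'), '') != 'on' THEN name || ' server parameter log_disconnections off.'
    ELSE name || ' server parameter log_disconnections on.'
  END AS reason
FROM
  azure_postgresql_server s
  -- keep the server row even when no log_disconnections entry exists
  LEFT JOIN LATERAL jsonb_array_elements(s.server_configurations) config
    ON config ->> 'Name' = 'log_disconnections'
  INNER JOIN azure_subscription sub
    ON sub.subscription_id = s.subscription_id;
```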
--- a/compliance/controls/azure/azure_cis_v130_4_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_3_8.yaml @@ -1,23 +1,24 @@ id: azure_cis_v130_4_3_8 title: 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled +type: control description: Disable access from Azure services to PostgreSQL Database Server. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_4_4.yaml b/compliance/controls/azure/azure_cis_v130_4_4.yaml index e689d78ea..2ef1e9f19 100644 --- a/compliance/controls/azure/azure_cis_v130_4_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_4_4.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v130_4_4 title: 4.4 Ensure that Azure Active Directory Admin is configured +type: control description: Use Azure Active Directory Authentication for authentication with SQL Database. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN server_azure_ad_administrator IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN server_azure_ad_administrator IS NULL - THEN name || ' Azure AD authentication not configured.' - ELSE name || ' Azure AD authentication configured.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN server_azure_ad_administrator IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN server_azure_ad_administrator IS NULL + THEN name || ' Azure AD authentication not configured.' + ELSE name || ' Azure AD authentication configured.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_1_1.yaml b/compliance/controls/azure/azure_cis_v130_5_1_1.yaml index 79cd40a02..91c9c1d09 100644 --- a/compliance/controls/azure/azure_cis_v130_5_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_1_1.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_5_1_1 title: 5.1.1 Ensure that a 'Diagnostics Setting' exists +type: control description: Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_5_1_2.yaml b/compliance/controls/azure/azure_cis_v130_5_1_2.yaml index fcae84e58..eeb031da0 100644 --- a/compliance/controls/azure/azure_cis_v130_5_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_1_2.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v130_5_1_2 title: 5.1.2 Ensure Diagnostic Setting captures appropriate categories +type: control description: Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_diagnostic_setting - definition: | - WITH enabled_settings AS ( - SELECT - name, - id, - _ctx, - resource_group, - subscription_id, - platform_integration_id, - platform_resource_id, - COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_category_count, - STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_categories - FROM - azure_diagnostic_setting, - jsonb_array_elements(logs) AS l - GROUP BY - name, - id, - _ctx, - platform_integration_id, - platform_resource_id, - resource_group, - subscription_id - ) - SELECT - sett.id AS resource, - sett.platform_integration_id AS platform_integration_id, - sett.platform_resource_id AS platform_resource_id, - CASE - WHEN valid_category_count = 4 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN valid_category_count = 4 - THEN name || ' logs enabled for required categories administrative, security, alert, and policy.' - WHEN valid_category_count > 0 - THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' - ELSE sett.name || ' logs not enabled for categories administrative, security, alert, and policy.' 
- END AS reason - FROM - enabled_settings sett, - azure_subscription sub - WHERE - sub.subscription_id = sett.subscription_id; + language: sql + primary_resource: azure_diagnostic_setting + definition: | + WITH enabled_settings AS ( + SELECT + name, + id, + _ctx, + resource_group, + subscription_id, + platform_integration_id, + platform_resource_id, + COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_category_count, + STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_categories + FROM + azure_diagnostic_setting, + jsonb_array_elements(logs) AS l + GROUP BY + name, + id, + _ctx, + platform_integration_id, + platform_resource_id, + resource_group, + subscription_id + ) + SELECT + sett.id AS resource, + sett.platform_integration_id AS platform_integration_id, + sett.platform_resource_id AS platform_resource_id, + CASE + WHEN valid_category_count = 4 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN valid_category_count = 4 + THEN name || ' logs enabled for required categories administrative, security, alert, and policy.' + WHEN valid_category_count > 0 + THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' + ELSE sett.name || ' logs not enabled for categories administrative, security, alert, and policy.' + END AS reason + FROM + enabled_settings sett, + azure_subscription sub + WHERE + sub.subscription_id = sett.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_1_3.yaml b/compliance/controls/azure/azure_cis_v130_5_1_3.yaml index 699990d0a..750b83aef 100644 --- a/compliance/controls/azure/azure_cis_v130_5_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_1_3.yaml 
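Review bot: `azure_diagnostic_setting, jsonb_array_elements(logs) AS l` is an inner lateral, so a diagnostic setting whose `logs` array is empty or NULL contributes no row to enabled_settings and is never reported, although it captures none of the four required categories. `LEFT JOIN LATERAL jsonb_array_elements(logs) AS l ON TRUE` keeps such settings in the aggregate, where `COUNT(*) FILTER (...)` already yields 0 and the ELSE branch produces the expected 'alarm'. The first reason branch uses bare `name` while the other two use `sett.name`; with azure_subscription in the same FROM, qualifying it as `sett.name` is safer and consistent.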
@@ -1,31 +1,32 @@ id: azure_cis_v130_5_1_3 title: 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible +type: control description: The storage account container containing the activity log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' - END AS reason - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name = 'insights-operational-logs' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' + END AS reason + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name = 'insights-operational-logs' + AND sub.subscription_id = sc.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_1_5.yaml b/compliance/controls/azure/azure_cis_v130_5_1_5.yaml index 541a57015..3c2afedae 100644 
--- a/compliance/controls/azure/azure_cis_v130_5_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_1_5.yaml 
@@ -1,46 +1,47 @@ id: azure_cis_v130_5_1_5 title: 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' +type: control description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH logging_details AS ( - SELECT - name AS key_vault_name - FROM - azure_key_vault, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND setting -> 'properties' ->> 'storageAccountId' <> '' - AND (log ->> 'enabled')::boolean - AND log ->> 'category' = 'AuditEvent' - AND (log -> 'retentionPolicy')::JSONB ? 'days' - ) + language: sql + primary_resource: azure_key_vault + definition: | + WITH logging_details AS ( SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason + name AS key_vault_name FROM - azure_key_vault v, - logging_details l, - azure_subscription sub + azure_key_vault, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log WHERE - sub.subscription_id = v.subscription_id; + diagnostic_settings IS NOT NULL + AND setting -> 'properties' ->> 'storageAccountId' <> '' + AND (log ->> 'enabled')::boolean + AND log ->> 'category' = 'AuditEvent' + AND (log -> 'retentionPolicy')::JSONB ? 
'days' + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason + FROM + azure_key_vault v, + logging_details l, + azure_subscription sub + WHERE + sub.subscription_id = v.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_1.yaml b/compliance/controls/azure/azure_cis_v130_5_2_1.yaml index 94c638ddb..ad3f0d9ba 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_1.yaml 
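Review bot: `azure_key_vault v, logging_details l, azure_subscription sub` has no join condition between v and l, so every vault is paired with every vault that has AuditEvent logging: a vault is emitted once per logging_details row, marked 'alarm' for each row whose name does not contain its own, and when logging_details is empty the cross product is empty and no vault is reported at all. The `NOT LIKE CONCAT('%', v.name, '%')` substring test also lets a vault named `kv` be satisfied by another vault's `kv-prod` row. Joining logging_details on exact name and testing for the absence of a match reports each vault exactly once, as sketched below. logging_details is keyed only by name, so if vault names can repeat across subscriptions the CTE should also select subscription_id and the join should carry it.
```sql
WITH logging_details AS (
  SELECT DISTINCT
    name AS key_vault_name
  -- … unchanged: FROM / WHERE of the CTE …
)
SELECT
  -- … unchanged: resource / platform_integration_id / platform_resource_id …
  CASE
    WHEN v.diagnostic_settings IS NULL THEN 'alarm'
    WHEN l.key_vault_name IS NULL THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
    WHEN l.key_vault_name IS NULL THEN v.name || ' logging not enabled.'
    ELSE v.name || ' logging enabled.'
  END AS reason
FROM
  azure_key_vault v
  LEFT JOIN logging_details l ON l.key_vault_name = v.name
  INNER JOIN azure_subscription sub ON sub.subscription_id = v.subscription_id;
```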
@@ -1,50 +1,51 @@ id: azure_cis_v130_5_2_1 title: 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_alert - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - a.subscription_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - a.subscription_id, - sub.subscription_id, - sub._ctx, - sub.display_name; + language: sql + primary_resource: azure_log_alert + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + a.subscription_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + a.subscription_id, + sub.subscription_id, + sub._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml index b246092af..ae94b92bb 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml 
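Review bot: The outer SELECT reads `a.platform_integration_id` and `a.platform_resource_id`, but the alert_rule CTE that `a` aliases exposes only alert_id, alert_name, enabled, location and subscription_id, so the query should fail with an unknown-column error; `a.subscription_id AS resource` is also NULL on the LEFT JOIN's no-alert path, which is exactly the 'alarm' row that needs a resource. The siblings 5_2_2 to 5_2_6 take all three from `sub` and list them in GROUP BY; 5_2_1 should do the same (below), and `primary_resource: azure_log_alert` presumably should then be `azure_subscription` as in those files. Separately, `LIMIT 1` inside alert_rule applies across all subscriptions rather than per subscription, so when several subscriptions each have a matching alert only one of them can ever be 'ok' and the rest are reported as 'alarm'; the `COUNT(a.subscription_id) > 0` test already tolerates multiple rows, so the `LIMIT 1` can be dropped or replaced by `SELECT DISTINCT alert.subscription_id`. The same `LIMIT 1` is in 5_2_2, 5_2_3, 5_2_4, 5_2_5 and 5_2_6.
```sql
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  -- … unchanged: status / reason CASE expressions …
FROM
  azure_subscription sub
  LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
GROUP BY
  sub._ctx,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.subscription_id,
  sub.display_name;
```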
@@ -1,51 +1,52 @@ id: azure_cis_v130_5_2_2 title: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative", "field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative", "field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml index d2ceb728e..f87dc741b 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v130_5_2_3 title: 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 
'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml index b0f6df652..591d87bdc 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml 
@@ -1,62 +1,63 @@ id: azure_cis_v130_5_2_4 title: 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml index 7dbd0a5d2..ca9662959 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v130_5_2_5 title: 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule +type: control description: Create an activity log alert for the Create or Update Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml index c28b90a54..ec615e2f8 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v130_5_2_6 title: 5.2.6 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule +type: control description: Create an activity log alert for the Create or Update Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition->'allOf' @> '[{"equals":"Administrative", "field":"category"}]' - AND alert.condition->'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]' - ) - OR ( - alert.condition->'allOf' @> '[{"equals":"Administrative", "field":"category"}]' - AND alert.condition->'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition->'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition->'allOf' @> '[{"equals":"Administrative", "field":"category"}]' + AND alert.condition->'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]' + ) + OR ( + alert.condition->'allOf' @> '[{"equals":"Administrative", 
"field":"category"}]' + AND alert.condition->'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition->'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a - ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a + ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml index 358b957b3..518d7bdb2 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v130_5_2_7 title: 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exist for create or update Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exist for create or update Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml index f20833265..974b86e72 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v130_5_2_8 title: 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' - ELSE 'Activity log alert does not exist for delete Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exist for delete Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml index 9f26da89e..7aa0a4780 100644 --- a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml 
@@ -1,52 +1,53 @@ id: azure_cis_v130_5_2_9 title: 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' - ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' + ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_5_3.yaml b/compliance/controls/azure/azure_cis_v130_5_3.yaml index 7d94d321a..c5a2478d2 100644 --- a/compliance/controls/azure/azure_cis_v130_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_5_3 title: 5.3 Ensure that Diagnostic Logs are enabled for all services which support it +type: control description: Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_6_1.yaml b/compliance/controls/azure/azure_cis_v130_6_1.yaml index 000c0fee0..b7a946539 100644 --- a/compliance/controls/azure/azure_cis_v130_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_1.yaml 
@@ -1,57 +1,58 @@ id: azure_cis_v130_6_1 title: 6.1 Ensure that RDP access is restricted from the internet +type: control description: Disable RDP access on network security groups from the Internet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text( - sg -> 'properties' -> 'destinationPortRanges' - || (sg -> 'properties' -> 'destinationPortRange')::jsonb - ) dport, - jsonb_array_elements_text( - sg -> 'properties' -> 'sourceAddressPrefixes' - || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb - ) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 3389 - AND split_part(dport, '-', 2)::integer >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text( + sg -> 'properties' -> 'destinationPortRanges' + || (sg -> 'properties' -> 'destinationPortRange')::jsonb + ) dport, + jsonb_array_elements_text( + sg -> 'properties' -> 'sourceAddressPrefixes' + || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb + ) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 
'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 3389 + AND split_part(dport, '-', 2)::integer >= 3389 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' - ELSE sg.title || ' allows RDP access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_6_2.yaml b/compliance/controls/azure/azure_cis_v130_6_2.yaml index 48c328977..b073dcef6 100644 --- a/compliance/controls/azure/azure_cis_v130_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_2.yaml 
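Review bot: `network_sg` is keyed on `name` and joined back with `nsg.sg_name = sg.name`, but an NSG name is only unique within a resource group, so one internet-open NSG marks every same-named NSG in other resource groups or subscriptions as 'alarm'. Selecting `DISTINCT id AS sg_id` in the CTE and joining on `nsg.sg_id = sg.id` scopes the finding to the actual resource. Two smaller points in the same `WHERE`: the `sip IN (...)` list contains `'/0'` twice, and the `split_part(dport, '-', n)::integer` casts can raise if a range token is not numeric, since the preceding `dport LIKE '%-%'` test is not guaranteed to be evaluated first by Postgres. The 6.2 and 6.6 hunks use the same name-based join.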
@@ -1,54 +1,55 @@ id: azure_cis_v130_6_2 title: 6.2 Ensure that SSH access is restricted from the internet +type: control description: Disable SSH access on network security groups from the Internet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::INTEGER <= 22 - AND split_part(dport, '-', 2)::INTEGER >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + 
AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::INTEGER <= 22 + AND split_part(dport, '-', 2)::INTEGER >= 22 + ) ) - - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN - network_sg nsg ON nsg.sg_name = sg.name - JOIN - azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN + network_sg nsg ON nsg.sg_name = sg.name + JOIN + azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_6_3.yaml b/compliance/controls/azure/azure_cis_v130_6_3.yaml index e75025faf..6ebf13a3c 100644 --- a/compliance/controls/azure/azure_cis_v130_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_3.yaml 
@@ -1,33 +1,34 @@ id: azure_cis_v130_6_3 title: 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) +type: control description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over Internet.' - ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over Internet.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over Internet.' 
+ ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over Internet.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_6_6.yaml b/compliance/controls/azure/azure_cis_v130_6_6.yaml index 05ac7f014..f354a5f98 100644 --- a/compliance/controls/azure/azure_cis_v130_6_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_6.yaml 
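Review bot: The ingress check only recognises two literal rules, `0.0.0.0`–`0.0.0.0` and `0.0.0.0`–`255.255.255.255`, so a firewall rule that spans nearly the whole IPv4 space with different endpoints is reported 'ok' even though the description says no database should allow ingress from any IP. Since `firewall_rules` is already jsonb, expanding it with `jsonb_array_elements(firewall_rules)` and comparing the `startIpAddress`/`endIpAddress` span (for example cast to `inet`) against a width threshold would close that gap while keeping the two literals as the documented 'ANY IP' shapes. This is pre-existing and not introduced by the re-indentation.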
@@ -1,56 +1,57 @@ id: azure_cis_v130_6_6 title: 6.6 Ensure that UDP Services are restricted from the Internet +type: control description: Disable Internet exposed UDP ports on network security groups. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 123 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, 
'-', 2)::integer - OR 161 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 389 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 1900 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - ) - ) + 53 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 123 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 161 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 389 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 1900 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_7_1.yaml b/compliance/controls/azure/azure_cis_v130_7_1.yaml index e3d42730d..b77c0747f 100644 --- a/compliance/controls/azure/azure_cis_v130_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_1.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_7_1 title: 7.1 Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' + END AS reason + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_7_2.yaml b/compliance/controls/azure/azure_cis_v130_7_2.yaml index c2d15f7bf..c3c92dda4 100644 --- a/compliance/controls/azure/azure_cis_v130_7_2.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_7_2.yaml @@ -1,30 +1,31 @@ id: azure_cis_v130_7_2 title: 7.2 Ensure that 'OS and Data' disks are encrypted with CMK +type: control description: Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_7_3.yaml b/compliance/controls/azure/azure_cis_v130_7_3.yaml index ea3844429..146e6e8c2 100644 --- a/compliance/controls/azure/azure_cis_v130_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_3.yaml 
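Review bot: `encryption_type = 'EncryptionAtRestWithCustomerKey'` is the only value accepted as 'ok', so a disk using double encryption, which Azure reports as `EncryptionAtRestWithPlatformAndCustomerKeys` and which also relies on a customer-managed key, is reported as 'not encrypted with CMK' (assuming this column mirrors the Azure disk `encryption.type` property; worth confirming against the table schema). Suggest `WHEN encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys') THEN 'ok'` in both CASE expressions. The same comparison appears in the 7.3 hunk for unattached disks.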
@@ -1,30 +1,31 @@ id: azure_cis_v130_7_3 title: 7.3 Ensure that 'Unattached disks' are encrypted with CMK +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_7_4.yaml b/compliance/controls/azure/azure_cis_v130_7_4.yaml index 0d3541d1f..ff584d36b 100644 --- a/compliance/controls/azure/azure_cis_v130_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_4.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_7_4 title: 7.4 Ensure that only approved extensions are installed +type: control description: Only install organization-approved extensions on VMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_7_5.yaml b/compliance/controls/azure/azure_cis_v130_7_5.yaml index 09ca00e19..255ebe1ad 100644 --- a/compliance/controls/azure/azure_cis_v130_7_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_5.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_7_5 title: 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied +type: control description: Ensure that the latest OS patches for all virtual machines are applied. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_7_6.yaml b/compliance/controls/azure/azure_cis_v130_7_6.yaml index 718839e23..b780dbdd4 100644 --- a/compliance/controls/azure/azure_cis_v130_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_6.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_7_6 title: 7.6 Ensure that the endpoint protection for all Virtual Machines is installed +type: control description: Install endpoint protection for all virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_7_7.yaml b/compliance/controls/azure/azure_cis_v130_7_7.yaml index 8d9c09806..d2af706ab 100644 --- a/compliance/controls/azure/azure_cis_v130_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_7_7 title: 7.7 Ensure that VHD's are encrypted +type: control description: VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_8_1.yaml b/compliance/controls/azure/azure_cis_v130_8_1.yaml index 0d8ac3c86..3e9f14210 100644 --- a/compliance/controls/azure/azure_cis_v130_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_1.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v130_8_1 title: 8.1 Ensure that the expiration date is set on all keys +type: control description: Ensure that all keys in Azure Key Vault have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || name || - CASE - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || name || + CASE + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_key kvk, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_8_2.yaml b/compliance/controls/azure/azure_cis_v130_8_2.yaml index afaf2c0e6..bb97fc564 100644 --- a/compliance/controls/azure/azure_cis_v130_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_2.yaml 
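Review bot: The 8_1 status only alarms when `expires_at IS NULL`, so an enabled key whose `expires_at` is already in the past is reported `ok` with the reason `expiration date set to <date>`; the 8_2 hunk does the same for secrets. If an expired-but-enabled object is meant to be flagged, the condition should become `WHEN enabled AND (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP) THEN 'alarm'` with a matching reason branch; if that is intentionally left to another control, a comment above the CASE saying so would stop the next reader from re-raising it. Note also that when `enabled` is NULL the first branch evaluates to UNKNOWN and the row lands in `ok`, and the reason CASE then skips `WHEN NOT enabled` as well, so a key whose enabled flag was not collected fails open.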
@@ -1,31 +1,32 @@ id: azure_cis_v130_8_2 title: 8.2 Ensure that the expiration date is set on all Secrets +type: control description: Ensure that all Secrets in the Azure Key Vault have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' secret ' || name || - CASE - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret AS kvs, - azure_subscription AS sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' secret ' || name || + CASE + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_secret AS kvs, + azure_subscription AS sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_8_3.yaml b/compliance/controls/azure/azure_cis_v130_8_3.yaml index 9f5a8a9f2..e3927e472 100644 --- a/compliance/controls/azure/azure_cis_v130_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_8_3 title: 8.3 Ensure that Resource Locks are set for mission critical Azure resources +type: control description: Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_8_4.yaml b/compliance/controls/azure/azure_cis_v130_8_4.yaml index 054ef0b7b..36e44b1d5 100644 --- a/compliance/controls/azure/azure_cis_v130_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_4.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v130_8_4 title: 8.4 Ensure the key vault is recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' 
+ ELSE name || ' "soft delete" and "do not purge" enabled.'
+ END AS reason
+ FROM
+ azure_key_vault kv,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = kv.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v130_8_5.yaml b/compliance/controls/azure/azure_cis_v130_8_5.yaml
index a0f48f8ea..a9de11c29 100644
--- a/compliance/controls/azure/azure_cis_v130_8_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_8_5.yaml
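Review bot: In the 8_4 definition the status and reason CASEs disagree when either flag is NULL: `soft_delete_enabled AND purge_protection_enabled` is UNKNOWN, so status is `alarm`, but every `WHEN NOT ...` branch is also UNKNOWN and the reason falls through to the ELSE text saying both features are enabled. A finding whose status says alarm while its reason says enabled is exactly what an auditor will question; testing `soft_delete_enabled IS NOT TRUE` and `purge_protection_enabled IS NOT TRUE` in place of `NOT ...` in both CASEs (or wrapping each column in `COALESCE(..., false)`) keeps the two columns consistent and treats an uncollected flag as not enabled. The same pair of CASEs appears in the 8_5 hunk.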
@@ -1,31 +1,32 @@ id: azure_cis_v130_8_5 title: 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services +type: control description: Ensure that RBAC is enabled on all Azure Kubernetes Services Instances. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' + ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} 
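Review bot: The 8_5 definition does not evaluate what its title and description promise: the control is "Enable role-based access control (RBAC) within Azure Kubernetes Services", yet `primary_resource` is `azure_key_vault` and the query is a verbatim copy of 8_4's soft-delete/purge-protection check, so no AKS cluster is examined while key vaults are scored twice under two control IDs. A subscription with RBAC disabled on its clusters would show this control as `ok`, which is a false negative in a compliance report. The query should target the AKS resource and its RBAC setting or, until that data is available, be switched to the manual-verification pattern used by 7_4 (`'info'` status with the `manual-verification` tag) so the gap is visible rather than reported as passing.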
diff --git a/compliance/controls/azure/azure_cis_v130_9_1.yaml b/compliance/controls/azure/azure_cis_v130_9_1.yaml
index 137080aca..2c445ed32 100644
--- a/compliance/controls/azure/azure_cis_v130_9_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_9_1.yaml
@@ -1,29 +1,30 @@ id: azure_cis_v130_9_1 title: 9.1 Ensure App Service Authentication is set on Azure App Service +type: control description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' + ELSE name || ' authentication set.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
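Review bot: `NOT (auth_settings -> 'properties' ->> 'enabled')::boolean` yields NULL when `auth_settings` is NULL or lacks the `properties.enabled` key, so a web app with no authentication settings at all falls through to `ELSE 'ok'` and is reported as having authentication set. A check that exists to catch missing configuration should fail closed: `WHEN (auth_settings -> 'properties' ->> 'enabled')::boolean IS NOT TRUE THEN 'alarm'` treats absent and false alike, and the reason CASE needs the same predicate. The same NULL-to-ok fall-through is present in 9_2 (`NOT https_only`), 9_4 (`NOT client_cert_enabled`), 9_5 (`identity = '{}'`, where a NULL identity column is never equal to anything) and 9_9 (`http20Enabled`). The `->>` and `::boolean` operators also tie these definitions to PostgreSQL; if that is the only engine the controls run on, a comment saying so would help, since `language: sql` gives no hint.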
diff --git a/compliance/controls/azure/azure_cis_v130_9_11.yaml b/compliance/controls/azure/azure_cis_v130_9_11.yaml index 3c854ab98..423d76001 100644 --- a/compliance/controls/azure/azure_cis_v130_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_11.yaml @@ -1,23 +1,24 @@ id: azure_cis_v130_9_11 title: 9.11 Ensure Azure Keyvaults are used to store secrets +type: control description: Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_9_2.yaml b/compliance/controls/azure/azure_cis_v130_9_2.yaml index a57ab476e..c2335f024 100644 --- a/compliance/controls/azure/azure_cis_v130_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_9_2 title: 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service +type: control description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE name || ' redirects all HTTP traffic to HTTPS.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' + ELSE name || ' redirects all HTTP traffic to HTTPS.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_9_3.yaml b/compliance/controls/azure/azure_cis_v130_9_3.yaml index 2a7b82401..856758435 100644 --- a/compliance/controls/azure/azure_cis_v130_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_3.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_9_3 title: 9.3 Ensure web app is using the latest version of TLS encryption +type: control description: The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
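Review bot: `configuration -> 'properties' ->> 'minTlsVersion' < '1.2'` is a text comparison, so versions are ordered lexicographically rather than numerically; a constructed value like `1.10` would sort below `1.2` and alarm, and `1.3` passes only because the string ordering happens to agree. It also shares the NULL fall-through of 9_1: a missing `minTlsVersion` is compared as NULL, the predicate is UNKNOWN, and the app is reported `ok`. Comparing a parsed number, e.g. `(configuration -> 'properties' ->> 'minTlsVersion')::numeric < 1.2`, together with an explicit `IS NULL` alarm branch, makes the intent clear; the reason text `using the latest version of TLS encryption` also overstates what is checked, since anything at or above 1.2 passes.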
diff --git a/compliance/controls/azure/azure_cis_v130_9_4.yaml b/compliance/controls/azure/azure_cis_v130_9_4.yaml index 8ed4fdfb1..ee889f782 100644 --- a/compliance/controls/azure/azure_cis_v130_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_4.yaml @@ -1,29 +1,30 @@ id: azure_cis_v130_9_4 title: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT client_cert_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' - ELSE name || ' incoming client certificates set to on.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT client_cert_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' + ELSE name || ' incoming client certificates set to on.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v130_9_5.yaml b/compliance/controls/azure/azure_cis_v130_9_5.yaml
index 95ed8a528..a520f08fb 100644
--- a/compliance/controls/azure/azure_cis_v130_9_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_9_5.yaml
@@ -1,29 +1,30 @@ id: azure_cis_v130_9_5 title: 9.5 Ensure that Register with Azure Active Directory is enabled on App Service +type: control description: Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN identity = '{}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' - ELSE name || ' register with azure active directory enabled.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN identity = '{}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' + ELSE name || ' register with azure active directory enabled.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v130_9_6.yaml b/compliance/controls/azure/azure_cis_v130_9_6.yaml index e714776d4..29c442197 100644 --- a/compliance/controls/azure/azure_cis_v130_9_6.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_9_6.yaml @@ -1,23 +1,24 @@ id: azure_cis_v130_9_6 title: 9.6 Ensure that 'PHP version' is the latest, if used to run the web app +type: control description: Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_9_7.yaml b/compliance/controls/azure/azure_cis_v130_9_7.yaml index 3b9f96a5c..1820b1413 100644 --- a/compliance/controls/azure/azure_cis_v130_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_9_7 title: 9.7 Ensure that 'Python version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_9_8.yaml b/compliance/controls/azure/azure_cis_v130_9_8.yaml index e005612be..8569c8402 100644 --- a/compliance/controls/azure/azure_cis_v130_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_8.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v130_9_8 title: 9.8 Ensure that 'Java version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v130_9_9.yaml b/compliance/controls/azure/azure_cis_v130_9_9.yaml index 09aee5923..db8d29da4 100644 --- a/compliance/controls/azure/azure_cis_v130_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_9.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v130_9_9 title: 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN name || ' HTTP version not latest.' - ELSE name || ' HTTP version is latest.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN name || ' HTTP version not latest.' + ELSE name || ' HTTP version is latest.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_1_1.yaml b/compliance/controls/azure/azure_cis_v140_1_1.yaml index a7846aef8..2347086cd 100644 
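Review bot: In the new-side CASE for `status`, an app whose site configuration has no `http20Enabled` key falls through to `ELSE 'ok'`, because `NOT NULL::BOOLEAN` is NULL and the WHEN never matches, so a missing setting is reported as compliant. Testing the positive condition first makes the control fail closed: `WHEN (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN 'ok' ELSE 'alarm'`, with the same inversion in the `reason` CASE. The comma join with `azure_subscription` adds nothing to the output beyond restricting results to subscriptions present in that table; if that restriction is intended, `INNER JOIN azure_subscription AS sub ON sub.subscription_id = app.subscription_id` states it explicitly, and `configuration` and `name` should be qualified with `app.` so the source of each column is clear.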
--- a/compliance/controls/azure/azure_cis_v140_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_1.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_1 title: 1.1 Ensure that multi-factor authentication status is enabled for all privileged users +type: control description: Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like 'Service Co-Administrators', 'Subscription Owners', 'Contributors'. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_10.yaml b/compliance/controls/azure/azure_cis_v140_1_10.yaml index 610c9389c..11aeef45e 100644 --- a/compliance/controls/azure/azure_cis_v140_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_10.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_10 title: 1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v140_1_11.yaml b/compliance/controls/azure/azure_cis_v140_1_11.yaml index 7e2f24eb7..95c71801d 100644 --- a/compliance/controls/azure/azure_cis_v140_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_11.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_11 title: 1.11 Ensure that 'Users can register applications' is set to 'No' +type: control description: Require administrators to register third-party applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_12.yaml b/compliance/controls/azure/azure_cis_v140_1_12.yaml index c93b7bd52..ce73cd7fd 100644 --- a/compliance/controls/azure/azure_cis_v140_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_12.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_12 title: 1.12 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' +type: control description: Limit guest user permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v140_1_13.yaml b/compliance/controls/azure/azure_cis_v140_1_13.yaml index ab6140922..e71e72f0a 100644 --- a/compliance/controls/azure/azure_cis_v140_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_13.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_13 title: 1.13 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' +type: control description: Restrict invitations to users with specific admin roles only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_14.yaml b/compliance/controls/azure/azure_cis_v140_1_14.yaml index a180827a2..c6c2fa3d8 100644 --- a/compliance/controls/azure/azure_cis_v140_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_14.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v140_1_14 title: 1.14 Ensure That 'Restrict access to Azure AD administration portal' is set to 'Yes' +type: control description: Restrict access to the Azure AD administration portal to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_15.yaml b/compliance/controls/azure/azure_cis_v140_1_15.yaml index 097030622..ee27512d5 100644 --- a/compliance/controls/azure/azure_cis_v140_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_15.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_15 title: 1.15 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' +type: control description: Restricts group creation to administrators with permissions only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_16.yaml b/compliance/controls/azure/azure_cis_v140_1_16.yaml index 20dbf7de2..0f391e95b 100644 --- a/compliance/controls/azure/azure_cis_v140_1_16.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_1_16.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_16 title: 1.16 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict security group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_17.yaml b/compliance/controls/azure/azure_cis_v140_1_17.yaml index f029047a0..034a5d828 100644 --- a/compliance/controls/azure/azure_cis_v140_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_17.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_17 title: 1.17 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' +type: control description: Restrict security group management to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_18.yaml b/compliance/controls/azure/azure_cis_v140_1_18.yaml index 30bbee00e..5befe777e 100644 
--- a/compliance/controls/azure/azure_cis_v140_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_18.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_18 title: 1.18 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict Microsoft 365 group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_19.yaml b/compliance/controls/azure/azure_cis_v140_1_19.yaml index 36329768c..fbb051021 100644 --- a/compliance/controls/azure/azure_cis_v140_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_19.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_19 title: 1.19 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' +type: control description: Joining or registering devices to the active directory should require Multi-factor authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v140_1_2.yaml b/compliance/controls/azure/azure_cis_v140_1_2.yaml index fab7c2f40..133950379 100644 --- a/compliance/controls/azure/azure_cis_v140_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_2.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_2 title: 1.2 Ensure that multi-factor authentication status is enabled for all non-privileged users +type: control description: Enable multi-factor authentication for all non-privileged users. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_20.yaml b/compliance/controls/azure/azure_cis_v140_1_20.yaml index 95a2b242d..c64a33e2d 100644 --- a/compliance/controls/azure/azure_cis_v140_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_20.yaml 
@@ -1,54 +1,55 @@ id: azure_cis_v140_1_20 title: 1.20 Ensure that no custom subscription owner roles are created +type: control description: Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_role_definition - definition: | - WITH owner_custom_roles AS ( - SELECT - role_name, - role_type, - title, - platform_integration_id, - platform_resource_id, - action, - _ctx, - subscription_id - FROM - azure_role_definition, - jsonb_array_elements(permissions) AS s, - jsonb_array_elements_text(s -> 'actions') AS action - WHERE - role_type = 'CustomRole' - AND action IN ('*', '*:*') - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' - WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' - ELSE 'There are no custom owner roles.' 
- END AS reason - FROM - owner_custom_roles cr, - azure_subscription sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr.platform_integration_id, - cr.platform_resource_id, - cr._ctx, - sub.display_name; + language: sql + primary_resource: azure_role_definition + definition: | + WITH owner_custom_roles AS ( + SELECT + role_name, + role_type, + title, + platform_integration_id, + platform_resource_id, + action, + _ctx, + subscription_id + FROM + azure_role_definition, + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action + WHERE + role_type = 'CustomRole' + AND action IN ('*', '*:*') + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' + WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' + ELSE 'There are no custom owner roles.' + END AS reason + FROM + owner_custom_roles cr, + azure_subscription sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr.platform_integration_id, + cr.platform_resource_id, + cr._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_1_21.yaml b/compliance/controls/azure/azure_cis_v140_1_21.yaml index 68736979d..f627520a6 100644 --- a/compliance/controls/azure/azure_cis_v140_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_21.yaml 
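Review bot: The `ELSE 'ok'` and `'There are no custom owner roles.'` branches on the new side are unreachable: `owner_custom_roles` only holds roles with a wildcard action, and the comma join with `azure_subscription` requires a match, so a subscription with no such role produces no row at all and every row that is emitted has `COUNT(*) >= 1`. Driving the query from `azure_subscription` with a LEFT JOIN and counting the joined column restores the compliant case; the rewrite below also counts distinct role names, since a role listing both `'*'` and `'*:*'` is otherwise counted twice. The resource ids then come from the subscription row rather than the role row, which matches `resource` already being `subscription_id` but differs from the current `platform_*_id` values — worth confirming against how findings are keyed before adopting.
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(DISTINCT cr.role_name) > 1 THEN 'There are ' || COUNT(DISTINCT cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.display_name;
```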
@@ -1,18 +1,19 @@ id: azure_cis_v140_1_21 title: 1.21 Ensure Security Defaults is enabled on Azure Active Directory +type: control description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_22.yaml b/compliance/controls/azure/azure_cis_v140_1_22.yaml index eab07f572..3815f5663 100644 --- a/compliance/controls/azure/azure_cis_v140_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_22.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_22 title: 1.22 Ensure Custom Role is assigned for Administering Resource Locks +type: control description: Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v140_1_3.yaml b/compliance/controls/azure/azure_cis_v140_1_3.yaml index f7c05bb43..9e21d519d 100644 --- a/compliance/controls/azure/azure_cis_v140_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_3.yaml 
@@ -1,39 +1,40 @@ id: azure_cis_v140_1_3 title: 1.3 Ensure guest users are reviewed on a monthly basis +type: control description: Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH distinct_tenant AS ( - SELECT DISTINCT - tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' - END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + WITH distinct_tenant AS ( + SELECT DISTINCT + tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' 
+ ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' + END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_1_4.yaml b/compliance/controls/azure/azure_cis_v140_1_4.yaml index 96267c079..4fa99b8d2 100644 --- a/compliance/controls/azure/azure_cis_v140_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_4 title: 1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled +type: control description: Do not allow users to remember multi-factor authentication on devices. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_5.yaml b/compliance/controls/azure/azure_cis_v140_1_5.yaml index 7efaadd7c..4511f396f 100644 --- a/compliance/controls/azure/azure_cis_v140_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_5.yaml 
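Review bot: The `distinct_tenant` CTE keeps `subscription_id` and `_ctx` in its DISTINCT key, so a tenant with several subscriptions yields several rows, and the LEFT JOIN on `tenant_id` then repeats each guest user's finding once per subscription; only `t.tenant_id` is used downstream, so `SELECT DISTINCT tenant_id FROM azure_tenant` removes the fan-out. Separately, the second WHEN alarms on every guest created more than 30 days ago, which measures account age rather than whether a monthly review took place; if age is the intended proxy, a comment in the definition such as `-- guests older than 30 days are flagged as a proxy for 'not reviewed this month'` would make that explicit for the next reader. `account_enabled` is unqualified in both CASE expressions; `u.account_enabled` keeps it unambiguous if the CTE ever gains a column of that name.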
@@ -1,18 +1,19 @@ id: azure_cis_v140_1_5 title: 1.5 Ensure that 'Number of methods required to reset' is set to '2' +type: control description: Ensure that two alternate forms of identification are provided before allowing a password reset. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_7.yaml b/compliance/controls/azure/azure_cis_v140_1_7.yaml index b1d8d6f94..4cf377006 100644 --- a/compliance/controls/azure/azure_cis_v140_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_7.yaml @@ -1,18 +1,19 @@ id: azure_cis_v140_1_7 title: 1.7 Ensure that 'Notify users on password resets?' is set to 'Yes' +type: control description: Ensure that users are notified on their primary and secondary emails on password resets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_1_9.yaml b/compliance/controls/azure/azure_cis_v140_1_9.yaml index d5d126827..98ce69e3e 100644 --- a/compliance/controls/azure/azure_cis_v140_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_9.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v140_1_9 title: 1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_2_1.yaml b/compliance/controls/azure/azure_cis_v140_2_1.yaml index 339f135b9..0349029fb 100644 --- a/compliance/controls/azure/azure_cis_v140_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_1.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v140_2_1 title: 2.1 Ensure that Microsoft Defender for Servers is set to 'On' +type: control description: Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' - ELSE 'Azure Defender off for Servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'VirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' + ELSE 'Azure Defender off for Servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'VirtualMachines'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_10.yaml b/compliance/controls/azure/azure_cis_v140_2_10.yaml index 4005633c1..49848fc2b 100644 --- a/compliance/controls/azure/azure_cis_v140_2_10.yaml 
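Review bot: The `WHERE name = 'VirtualMachines'` predicate filters on a column from the nullable side of the RIGHT JOIN, so a subscription that has no `VirtualMachines` pricing row is dropped from the result instead of being reported as 'alarm'; the outer join behaves as an inner join. Moving the predicate into the join condition, `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'VirtualMachines'`, keeps such subscriptions, though `sub_pricing.id` and its platform ids are then NULL for them and would need a COALESCE to the subscription's columns. The same join-then-filter pattern appears in the 2.10 hunk (`WHERE name = 'MCAS'`). `name` and `pricing_tier` are unqualified; prefixing them with `sub_pricing.` avoids ambiguity should `azure_subscription` also expose a `name` column.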
+++ b/compliance/controls/azure/azure_cis_v140_2_10.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_2_10 title: 2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected +type: control description: This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' - ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN azure_subscription sub - ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'MCAS'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' + ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN azure_subscription sub + ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'MCAS'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_11.yaml b/compliance/controls/azure/azure_cis_v140_2_11.yaml index 1745d4921..6938e8ab2 100644 --- a/compliance/controls/azure/azure_cis_v140_2_11.yaml 
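Review bot: Both `reason` strings on the new side describe 'Windows Defender ATP (WDATP)' while the control id, title and the `name = 'MCAS'` filter concern Microsoft Defender for Cloud Apps integration, so the finding text misreports what was actually checked. Suggest `WHEN enabled THEN 'Microsoft Defender for Cloud Apps (MCAS) integrated with Microsoft Defender for Cloud.'` and `ELSE 'Microsoft Defender for Cloud Apps (MCAS) not integrated with Microsoft Defender for Cloud.'`. `enabled` is unqualified; `sc_sett.enabled` would make its origin explicit given the second table in the join.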
+++ b/compliance/controls/azure/azure_cis_v140_2_11.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_2_11 title: 2.11 Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' +type: control description: Enable automatic provisioning of the monitoring agent to collect security data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN - azure_subscription sub - ON sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' + END AS reason + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN + azure_subscription sub + ON sc_prov.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_12.yaml b/compliance/controls/azure/azure_cis_v140_2_12.yaml index 9c72cdf2a..4992e1390 100644 --- a/compliance/controls/azure/azure_cis_v140_2_12.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_12.yaml 
@@ -1,49 +1,50 @@ id: azure_cis_v140_2_12 title: 2.12 Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled' +type: control description: None of the settings offered by ASC Default policy should be set to effect "Disabled". integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH policy_assignment_parameters AS ( - SELECT - id, - name, - key, - parameters -> key ->> 'value' AS value, - subscription_id - FROM - azure_policy_assignment, - jsonb_object_keys(parameters) AS key - WHERE - name = 'SecurityCenterBuiltIn' - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' - ELSE 'Settings enabled for all the parameters.' 
- END AS reason - FROM - policy_assignment_parameters pol_assignment - RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id - GROUP BY - sub.id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - pol_assignment.subscription_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH policy_assignment_parameters AS ( + SELECT + id, + name, + key, + parameters -> key ->> 'value' AS value, + subscription_id + FROM + azure_policy_assignment, + jsonb_object_keys(parameters) AS key + WHERE + name = 'SecurityCenterBuiltIn' + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' + ELSE 'Settings enabled for all the parameters.' + END AS reason + FROM + policy_assignment_parameters pol_assignment + RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id + GROUP BY + sub.id, + pol_assignment.id, + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + pol_assignment.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_13.yaml b/compliance/controls/azure/azure_cis_v140_2_13.yaml index e3e8b0e51..a2a65b328 100644 --- a/compliance/controls/azure/azure_cis_v140_2_13.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_13.yaml 
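Review bot: `COUNT(value = 'Disabled') > 0` does not count disabled parameters: COUNT of an expression counts every row where the expression is non-NULL, and `value = 'Disabled'` is FALSE (not NULL) for an enabled parameter, so any subscription whose SecurityCenterBuiltIn assignment has at least one parameter is always 'alarm'. Both CASE branches should use the filtered form the reason text already uses: `WHEN COUNT(*) FILTER (WHERE value = 'Disabled') > 0 THEN 'alarm'`. Note also that a subscription with no `SecurityCenterBuiltIn` assignment joins to a single all-NULL row where the count is 0 and the status is 'ok' even though the default policy is absent; a `WHEN pol_assignment.id IS NULL THEN 'alarm'` (or 'info') branch ahead of the count check would surface that case.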
@@ -1,41 +1,42 @@ id: azure_cis_v140_2_13 title: 2.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email +type: control description: Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'ok' - WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'ok' + WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_14.yaml b/compliance/controls/azure/azure_cis_v140_2_14.yaml index d272fcbfc..d016d9745 100644 --- a/compliance/controls/azure/azure_cis_v140_2_14.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_14.yaml 
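Review bot: The `LIMIT 1` at the end of the `contact_info` CTE keeps the contact aggregate of only one arbitrary subscription, so in a multi-subscription integration every other subscription joins to NULL and is reported `'Additional email addresses not configured.'` regardless of its real configuration. Dropping the `LIMIT 1` line fixes it; the `GROUP BY subscription_id` already yields one row per subscription, and the same line appears in 2.14 and 2.15. A smaller inconsistency: the status branch tests `jsonb_array_length(default_email) != 0` while the reason branch tests `default_email IS NOT NULL`; because `jsonb_agg ... FILTER` returns NULL rather than an empty array when nothing matches, the two agree today, but using one predicate in both places would make that obvious.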
@@ -1,37 +1,38 @@ id: azure_cis_v140_2_14 title: 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High' +type: control description: Enables emailing security alerts to the subscription owner or other designated security contact. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN notification_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' - ELSE '"Notify about alerts with the following severity" not set to High.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN notification_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' + ELSE '"Notify about alerts with the following severity" not set to High.' 
+ END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_15.yaml b/compliance/controls/azure/azure_cis_v140_2_15.yaml index 9f7279aac..31cc5a64d 100644 --- a/compliance/controls/azure/azure_cis_v140_2_15.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_15.yaml 
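Review bot: `LIMIT 1` in the `contact_info` CTE leaves contact data for a single subscription only, so every other subscription in the integration falls through to 'alarm' with the reason `'"Notify about alerts with the following severity" not set to High.'` whatever its actual setting; the `GROUP BY subscription_id` already produces one row per subscription, so the `LIMIT 1` line should simply be removed. Also, the predicate only checks `alert_notifications = 'On'`, which says nothing about the severity threshold the title and reason text promise. If `azure_security_center_contact` exposes the minimal alert severity (its columns are not visible here) it should be part of the filter; otherwise the reason should be reworded to what is actually verified, e.g. `'Email notification for alerts is on.'`.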
@@ -1,37 +1,38 @@ id: azure_cis_v140_2_15 title: 2.15 Ensure that 'All users with the following roles' is set to 'Owner' +type: control description: Enable security alert emails to subscription owners. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} 
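Review bot: The `LIMIT 1` after `GROUP BY subscription_id` in `contact_info` restricts the aggregate to one arbitrary subscription, so all other subscriptions join to a NULL `admin_alert_count` and are reported `'"All users with the following roles" not set to Owner.'` irrespective of their configuration. Remove the `LIMIT 1` line; the grouping already guarantees one row per subscription. The 'ok' reason string is also missing its trailing period (`'"All users with the following roles" set to Owner'`), which makes it inconsistent with every other reason in this file set.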
diff --git a/compliance/controls/azure/azure_cis_v140_2_2.yaml b/compliance/controls/azure/azure_cis_v140_2_2.yaml index 241bb318a..5c3b0ef4f 100644 --- a/compliance/controls/azure/azure_cis_v140_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_2.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v140_2_2 title: 2.2 Ensure that Microsoft Defender for App Service is set to 'On' +type: control description: Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_3.yaml b/compliance/controls/azure/azure_cis_v140_2_3.yaml index c4ab2179e..31fa86848 100644 
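Review bot: `RIGHT JOIN azure_subscription sub ... WHERE name = 'AppServices'` behaves as an inner join: the WHERE predicate discards the all-NULL row produced for a subscription that has no `AppServices` pricing entry, so a subscription where Defender for App Service was never configured silently produces no finding instead of 'alarm'. Move the name test into the join (`ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'AppServices'`) and fall back to the subscription for the identifiers (`COALESCE(sub_pricing.id, sub.id) AS resource`, likewise for the two platform ids) so the control fails closed. The same pattern is repeated verbatim in 2.3 through 2.8 and should be fixed there as well.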
--- a/compliance/controls/azure/azure_cis_v140_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_3.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_2_3 title: 2.3 Ensure that Microsoft Defender for Azure SQL Databases is set to 'On' +type: control description: Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' - ELSE 'Azure Defender off for SQL database servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' + ELSE 'Azure Defender off for SQL database servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServers'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v140_2_4.yaml b/compliance/controls/azure/azure_cis_v140_2_4.yaml index 7ff2b965f..779a2c70e 100644 --- a/compliance/controls/azure/azure_cis_v140_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_4.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_2_4 title: 2.4 Ensure that Microsoft Defender for SQL servers on machines is set to 'On' +type: control description: Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' - ELSE 'Azure Defender off for SQL servers on machines.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServerVirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' + ELSE 'Azure Defender off for SQL servers on machines.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServerVirtualMachines'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v140_2_5.yaml b/compliance/controls/azure/azure_cis_v140_2_5.yaml index d682773bf..abc0846ef 100644 --- a/compliance/controls/azure/azure_cis_v140_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_5.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v140_2_5 title: 2.5 Ensure that Microsoft Defender for Storage is set to 'On' +type: control description: Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' - ELSE 'Azure Defender off for Storage.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'StorageAccounts'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' + ELSE 'Azure Defender off for Storage.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'StorageAccounts'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_6.yaml b/compliance/controls/azure/azure_cis_v140_2_6.yaml index e0475cbc1..fc4ebbffa 100644 --- a/compliance/controls/azure/azure_cis_v140_2_6.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_2_6.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_2_6 title: 2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On' +type: control description: Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' - ELSE 'Azure Defender off for Kubernetes.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KubernetesService'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' + ELSE 'Azure Defender off for Kubernetes.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KubernetesService'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v140_2_7.yaml b/compliance/controls/azure/azure_cis_v140_2_7.yaml index b4a23e748..d7a6fd714 100644 --- a/compliance/controls/azure/azure_cis_v140_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_7.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v140_2_7 title: 2.7 Ensure that Microsoft Defender for Container Registries is set to 'On' +type: control description: Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v140_2_8.yaml b/compliance/controls/azure/azure_cis_v140_2_8.yaml index cca4772bb..c28734bb1 100644 --- a/compliance/controls/azure/azure_cis_v140_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_8.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v140_2_8 title: 2.8 Ensure that Microsoft Defender for Key Vault is set to 'On' +type: control description: Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' - ELSE 'Azure Defender off for Key Vaults.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KeyVaults'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' + ELSE 'Azure Defender off for Key Vaults.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KeyVaults'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_2_9.yaml b/compliance/controls/azure/azure_cis_v140_2_9.yaml index 40ed92f71..72a217757 100644 --- a/compliance/controls/azure/azure_cis_v140_2_9.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_2_9.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_2_9 title: 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected +type: control description: This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'WDATP'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_1.yaml b/compliance/controls/azure/azure_cis_v140_3_1.yaml index ceac4897b..f487496d3 100644 --- a/compliance/controls/azure/azure_cis_v140_3_1.yaml 
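Review bot: The reason strings on the new side say `'Microsoft Cloud App Security (MCAS) integrated with Security Center.'` / `'... not integrated ...'` although this control filters `name = 'WDATP'`, so Defender for Endpoint findings are labelled as MCAS (2.10 carries the opposite text). They should read `'Microsoft Defender for Endpoint (WDATP) integrated with Security Center.'` and the matching `not integrated` variant. As in the 2.x pricing controls, `RIGHT JOIN ... WHERE name = 'WDATP'` also drops subscriptions that have no WDATP setting row instead of alarming on them; the name predicate belongs in the `ON` clause.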
+++ b/compliance/controls/azure/azure_cis_v140_3_1.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_3_1 title: 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' +type: control description: Enable data encryption in transit. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enable_https_traffic_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' - ELSE sa.name || ' encryption in transit enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enable_https_traffic_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' + ELSE sa.name || ' encryption in transit enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_10.yaml b/compliance/controls/azure/azure_cis_v140_3_10.yaml index a289f8533..0efd808d5 100644 --- a/compliance/controls/azure/azure_cis_v140_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_10.yaml 
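Review bot: `WHEN NOT enable_https_traffic_only THEN 'alarm' ELSE 'ok'` fails open: if `enable_https_traffic_only` is NULL for a storage account (unset, or not returned by the API), `NOT NULL` is NULL, the WHEN branch is not taken and the account is reported as having encryption in transit enabled. Inverting the test so that only an explicit TRUE passes, `WHEN enable_https_traffic_only THEN 'ok' ELSE 'alarm'` (with the mirror change in the reason CASE), makes the unknown state an alarm. The comma join with `azure_subscription sub` only filters; an explicit `INNER JOIN azure_subscription sub ON sub.subscription_id = sa.subscription_id` would say so.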
@@ -1,40 +1,41 @@ id: azure_cis_v140_3_10 title: 3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests -description: 'The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.' +type: control +description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN - THEN name || ' blob service logging not enabled for ' || - CONCAT_WS(', ', - CASE WHEN NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN THEN 'write' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN THEN 'read' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN THEN 'delete' END - ) || ' requests.' - ELSE name || ' blob service logging enabled for read, write, delete requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN + THEN name || ' blob service logging not enabled for ' || + CONCAT_WS(', ', + CASE WHEN NOT (sa.blob_service_logging ->> 'Write'):: BOOLEAN THEN 'write' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN THEN 'read' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Delete'):: BOOLEAN THEN 'delete' END + ) || ' requests.' + ELSE name || ' blob service logging enabled for read, write, delete requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_11.yaml b/compliance/controls/azure/azure_cis_v140_3_11.yaml index b64d5242f..f3a5c4e72 100644 --- a/compliance/controls/azure/azure_cis_v140_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_11.yaml 
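Review bot: The three `NOT (sa.blob_service_logging ->> 'Read'):: BOOLEAN` tests fail open: when `blob_service_logging` is NULL or a key is missing, `->>` yields NULL, `NOT NULL` is NULL, the whole `OR` chain is NULL and the account is reported `'... blob service logging enabled for read, write, delete requests.'` although nothing was verified. Wrap each key read so an absent value counts as disabled, e.g. `NOT COALESCE((sa.blob_service_logging ->> 'Read')::boolean, false)`, in both the status and reason CASE and in the three `CONCAT_WS` arguments. The `CONCAT_WS` list also names write before read while the title and the 'ok' reason say read, write, delete; ordering them the same way keeps the messages consistent.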
@@ -1,23 +1,24 @@ id: azure_cis_v140_3_11 title: 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests -description: 'The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server- side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.' +type: control +description: "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server- side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' 
AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_3_12.yaml b/compliance/controls/azure/azure_cis_v140_3_12.yaml index 980c922b5..8b78e1a6c 100644 --- a/compliance/controls/azure/azure_cis_v140_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_12.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v140_3_12 title: 3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2' +type: control description: Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' - WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' + WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' + ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' 
+ END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_2.yaml b/compliance/controls/azure/azure_cis_v140_3_2.yaml index 33ad57bc9..686f60c36 100644 --- a/compliance/controls/azure/azure_cis_v140_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_2.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_3_2 title: 3.2 Ensure that storage account access keys are periodically regenerated +type: control description: Regenerate storage account access keys periodically. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_3_3.yaml b/compliance/controls/azure/azure_cis_v140_3_3.yaml index 1195e4acb..9e73f1533 100644 --- a/compliance/controls/azure/azure_cis_v140_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_3.yaml 
@@ -1,35 +1,36 @@ id: azure_cis_v140_3_3 title: 3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests -description: 'The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information and the sizes of the request and response messages.' +type: control +description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete - THEN sa.name || ' queue service logging enabled for read, write, delete requests.' - ELSE sa.name || ' queue service logging not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT queue_logging_write THEN 'write' END, - CASE WHEN NOT queue_logging_read THEN 'read' END, - CASE WHEN NOT queue_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete + THEN sa.name || ' queue service logging enabled for read, write, delete requests.' + ELSE sa.name || ' queue service logging not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT queue_logging_write THEN 'write' END, + CASE WHEN NOT queue_logging_read THEN 'read' END, + CASE WHEN NOT queue_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
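Review bot: The per-request labels in the reason CASE, `CASE WHEN NOT queue_logging_write THEN 'write' END` and its read/delete siblings, yield NULL when the flag itself is NULL, so an account whose three flags are all unset is alarmed with the message `... queue service logging not enabled for:  requests.` and an empty list. `CASE WHEN queue_logging_write IS NOT TRUE THEN 'write' END` (likewise for read and delete) names the missing flags in the unset case too, matching the status CASE, which already treats NULL as not enabled. The blob-service control at the top of this chunk builds its list the same way and would benefit from the same change.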
diff --git a/compliance/controls/azure/azure_cis_v140_3_4.yaml b/compliance/controls/azure/azure_cis_v140_3_4.yaml index 0bac1b264..da65516a8 100644 --- a/compliance/controls/azure/azure_cis_v140_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_4.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_3_4 title: 3.4 Ensure that shared access signature tokens expire within an hour +type: control description: A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_3_6.yaml b/compliance/controls/azure/azure_cis_v140_3_6.yaml index c6fb4a9a4..3e38dee09 100644 --- a/compliance/controls/azure/azure_cis_v140_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_6.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_3_6 title: 3.6 Ensure default network access rule for Storage Accounts is set to deny +type: control description: Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' - ELSE name || ' allows traffic from specific networks.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' + ELSE name || ' allows traffic from specific networks.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_7.yaml b/compliance/controls/azure/azure_cis_v140_3_7.yaml index 8e737c998..81150a4eb 100644 --- a/compliance/controls/azure/azure_cis_v140_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_7.yaml 
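Review bot: `WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' ELSE 'ok'` passes an account whose `network_rule_default_action` is NULL, because the comparison is UNKNOWN and falls through to the ELSE branch, even though the description states that the default is to accept connections from any network. Testing for the compliant value instead, `WHEN sa.network_rule_default_action = 'Deny' THEN 'ok' ELSE 'alarm'`, with the reason CASE flipped the same way, fails closed. The same open-on-NULL shape is in azure_cis_v140_3_7 (`network_rule_bypass NOT LIKE '%AzureServices%'`), azure_cis_v140_3_8 (`NOT blob_soft_delete_enabled`), azure_cis_v140_3_9 (`encryption_key_source = 'Microsoft.Storage'`), and azure_cis_v140_4_3_1 / azure_cis_v140_4_4_1 (`ssl_enforcement = 'Disabled'`); each can be rewritten to check the passing value in the WHEN and alarm in the ELSE. For 3_9 the passing value to test is whatever the provider reports as the Key Vault key source for CMK — confirm against the table's documented values rather than guessing the string.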
@@ -1,29 +1,30 @@ id: azure_cis_v140_3_7 title: 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access +type: control description: "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' - ELSE sa.name || ' trusted Microsoft services enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' 
+ ELSE sa.name || ' trusted Microsoft services enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_8.yaml b/compliance/controls/azure/azure_cis_v140_3_8.yaml index 446c5306d..20ca7f8b5 100644 --- a/compliance/controls/azure/azure_cis_v140_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_8.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_3_8 title: 3.8 Ensure soft delete is enabled for Azure Storage +type: control description: The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT blob_soft_delete_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' - ELSE sa.name || ' blobs soft delete enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT blob_soft_delete_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' + ELSE sa.name || ' blobs soft delete enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_3_9.yaml b/compliance/controls/azure/azure_cis_v140_3_9.yaml index 25cb177ff..8ab405fcc 100644 --- a/compliance/controls/azure/azure_cis_v140_3_9.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_3_9.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_3_9 title: 3.9 Ensure storage for critical data are encrypted with Customer Managed Key +type: control description: Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' - ELSE sa.name || ' encrypted with CMK.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' + ELSE sa.name || ' encrypted with CMK.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_4_1_2.yaml b/compliance/controls/azure/azure_cis_v140_4_1_2.yaml index cc7e85abb..23e271632 100644 --- a/compliance/controls/azure/azure_cis_v140_4_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_1_2.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v140_4_1_2 title: 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database -description: '' +type: control +description: "" integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - SELECT - s.database_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' THEN s.title || ' transparent data encryption enabled.' - ELSE s.title || ' transparent data encryption disabled.' - END AS reason - FROM - azure_sql_database AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id - AND s.name <> 'master'; + language: sql + primary_resource: azure_sql_database + definition: | + SELECT + s.database_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' THEN s.title || ' transparent data encryption enabled.' + ELSE s.title || ' transparent data encryption disabled.' + END AS reason + FROM + azure_sql_database AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id + AND s.name <> 'master'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_4_3_1.yaml b/compliance/controls/azure/azure_cis_v140_4_3_1.yaml index e0750deab..2de39fcd6 100644 
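Review bot: `description: ""` leaves this control undocumented on the new side, while every other control in this chunk carries a one-line description, and the title plus the reason strings already say what is checked. Something like `description: Ensure Transparent Data Encryption (TDE) is enabled on every SQL database other than master so that data at rest is encrypted.` would match the query, which excludes `s.name <> 'master'` and accepts either `->> 'status'` or `->> 'state'` equal to 'Enabled'.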
--- a/compliance/controls/azure/azure_cis_v140_4_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_1.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_4_3_1 title: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server +type: control description: Enable SSL connection on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' - ELSE name || ' SSL connection enabled.' - END AS reason - FROM - azure_postgresql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' + ELSE name || ' SSL connection enabled.' + END AS reason + FROM + azure_postgresql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_4_3_7.yaml b/compliance/controls/azure/azure_cis_v140_4_3_7.yaml index 296abea4b..6bcb47746 100644 --- a/compliance/controls/azure/azure_cis_v140_4_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_4_3_7 title: 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled +type: control description: Disable access from Azure services to PostgreSQL Database Server. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_4_3_8.yaml b/compliance/controls/azure/azure_cis_v140_4_3_8.yaml index db12d11e6..3a7a56617 100644 --- a/compliance/controls/azure/azure_cis_v140_4_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_8.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_4_3_8 title: 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' +type: control description: Enable encryption at rest for PostgreSQL Databases. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' + END AS reason + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_4_4_1.yaml b/compliance/controls/azure/azure_cis_v140_4_4_1.yaml index 808d6b4ed..afc092662 100644 --- a/compliance/controls/azure/azure_cis_v140_4_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_4_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_4_4_1 title: 4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server +type: control description: Enable SSL connection on MYSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' - ELSE s.name || ' SSL connection enabled.' - END AS reason - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' + ELSE s.name || ' SSL connection enabled.' + END AS reason + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_4_4_2.yaml b/compliance/controls/azure/azure_cis_v140_4_4_2.yaml index a5d34ea86..74ed94e63 100644 --- a/compliance/controls/azure/azure_cis_v140_4_4_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_4_2.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v140_4_4_2 title: 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server +type: control description: Ensure TLS version on MySQL flexible servers is set to the default value. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' - WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - END AS reason - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' + WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' + ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' + END AS reason + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} 
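Review bot: The title and description speak of MySQL flexible servers, but `primary_resource` and the FROM clause use `azure_mysql_server`, and the `minimal_tls_version` / 'TLSEnforcementDisabled' values look like the single-server API surface. If that table does not include flexible servers, the resources the control names are never evaluated; either the title should say single server or the query should target the flexible-server table, whichever the catalogue provides — worth confirming before this is relied on for CIS 4.4.2. A short comment above `definition:` stating which server flavour the query covers would prevent the same confusion later.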
diff --git a/compliance/controls/azure/azure_cis_v140_4_5.yaml b/compliance/controls/azure/azure_cis_v140_4_5.yaml index 7192e55fb..d85de5a4e 100644 --- a/compliance/controls/azure/azure_cis_v140_4_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_5.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_4_5 title: 4.5 Ensure that Azure Active Directory Admin is configured +type: control description: Use Azure Active Directory Authentication for authentication with SQL Database. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN server_azure_ad_administrator IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' - ELSE name || ' Azure AD authentication configured.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN server_azure_ad_administrator IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' + ELSE name || ' Azure AD authentication configured.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_1_1.yaml b/compliance/controls/azure/azure_cis_v140_5_1_1.yaml index 4112065eb..f6f5edf71 100644 --- a/compliance/controls/azure/azure_cis_v140_5_1_1.yaml 
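Review bot: `WHEN server_azure_ad_administrator IS NULL THEN 'alarm'` is the only failing condition, so the control reports 'ok' for any non-NULL value, including an empty collection if that is how the provider represents "no administrator configured". Worth confirming the column's type; if it is a JSONB array, `WHEN server_azure_ad_administrator IS NULL OR jsonb_array_length(server_azure_ad_administrator) = 0 THEN 'alarm'` covers both representations, with the reason CASE adjusted to match.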
+++ b/compliance/controls/azure/azure_cis_v140_5_1_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_5_1_1 title: 5.1.1 Ensure that a 'Diagnostics Setting' exists +type: control description: Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_5_1_2.yaml b/compliance/controls/azure/azure_cis_v140_5_1_2.yaml index 63c0f1431..076498dd2 100644 --- a/compliance/controls/azure/azure_cis_v140_5_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_2.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v140_5_1_2 title: 5.1.2 Ensure Diagnostic Setting captures appropriate categories +type: control description: Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_diagnostic_setting - definition: | - WITH enabled_settings AS ( - SELECT - name, - id, - _ctx, - resource_group, - platform_integration_id, - platform_resource_id, - subscription_id, - COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_category_count, - STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_categories - FROM - azure_diagnostic_setting, - JSONB_ARRAY_ELEMENTS(logs) AS l - GROUP BY - name, - id, - _ctx, - resource_group, - platform_integration_id, - platform_resource_id, - subscription_id - ) - SELECT - sett.id AS resource, - sett.platform_integration_id AS platform_integration_id, - sett.platform_resource_id AS platform_resource_id, - CASE - WHEN valid_category_count = 4 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN valid_category_count = 4 - THEN name || ' logs enabled for required categories administrative, security, alert and policy.' - WHEN valid_category_count > 0 - THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' - ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' 
- END AS reason - FROM - enabled_settings sett, - azure_subscription sub - WHERE - sub.subscription_id = sett.subscription_id; + language: sql + primary_resource: azure_diagnostic_setting + definition: | + WITH enabled_settings AS ( + SELECT + name, + id, + _ctx, + resource_group, + platform_integration_id, + platform_resource_id, + subscription_id, + COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_category_count, + STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_categories + FROM + azure_diagnostic_setting, + JSONB_ARRAY_ELEMENTS(logs) AS l + GROUP BY + name, + id, + _ctx, + resource_group, + platform_integration_id, + platform_resource_id, + subscription_id + ) + SELECT + sett.id AS resource, + sett.platform_integration_id AS platform_integration_id, + sett.platform_resource_id AS platform_resource_id, + CASE + WHEN valid_category_count = 4 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN valid_category_count = 4 + THEN name || ' logs enabled for required categories administrative, security, alert and policy.' + WHEN valid_category_count > 0 + THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' + ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' + END AS reason + FROM + enabled_settings sett, + azure_subscription sub + WHERE + sub.subscription_id = sett.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_1_3.yaml b/compliance/controls/azure/azure_cis_v140_5_1_3.yaml index 763cce358..bec219363 100644 --- a/compliance/controls/azure/azure_cis_v140_5_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_3.yaml 
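Review bot: `COUNT(*) FILTER (...)` in the enabled_settings CTE counts enabled log entries rather than distinct categories, so a logs array that lists one required category twice while another is missing still reaches 4 and is reported 'ok'. `COUNT(DISTINCT l ->> 'category') FILTER (WHERE l ->> 'enabled' = 'true' AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')) AS valid_category_count` pins the check to the four distinct categories the reason text promises. In the reason CASE the first branch is also the only place `name` is used unqualified; `sett.name` matches the other two branches and avoids ambiguity against azure_subscription.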
@@ -1,31 +1,32 @@ id: azure_cis_v140_5_1_3 title: 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible +type: control description: The storage account container containing the activity log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' - END AS reason - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name = 'insights-operational-logs' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' + END AS reason + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name = 'insights-operational-logs' + AND sub.subscription_id = sc.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_1_5.yaml b/compliance/controls/azure/azure_cis_v140_5_1_5.yaml index 330ee6832..7032c4861 100644 
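Review bot: `public_access != 'None'` evaluates to UNKNOWN when `public_access` is NULL, so a container row with no recorded access level falls through to the ELSE branch and is reported 'ok' / "not publicly accessible". Whether NULL means "unknown" or "private" for this column is not visible in the diff; if it is unknown, `WHEN public_access IS DISTINCT FROM 'None' THEN 'alarm'` in both CASE expressions keeps such rows on the alarm side, and if it is a known private state a one-line comment saying so (e.g. `-- NULL public_access means no public access was set`) would stop the next reader from re-raising it. `name = 'insights-operational-logs'` in the WHERE is also unqualified; `sc.name` is clearer in a two-table FROM.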
--- a/compliance/controls/azure/azure_cis_v140_5_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_5.yaml 
@@ -1,46 +1,47 @@ id: azure_cis_v140_5_1_5 title: 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled' +type: control description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH logging_details AS ( - SELECT - name AS key_vault_name - FROM - azure_key_vault, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND setting -> 'properties' ->> 'storageAccountId' <> '' - AND (log ->> 'enabled')::BOOLEAN - AND log ->> 'category' = 'AuditEvent' - AND (log -> 'retentionPolicy')::JSONB ? 'days' - ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason - FROM - azure_key_vault v, - logging_details l, - azure_subscription sub - WHERE - sub.subscription_id = v.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + WITH logging_details AS ( + SELECT + name AS key_vault_name + FROM + azure_key_vault, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND setting -> 'properties' ->> 'storageAccountId' <> '' + AND (log ->> 'enabled')::BOOLEAN + AND log ->> 'category' = 'AuditEvent' + AND (log -> 'retentionPolicy')::JSONB ? 
'days' + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason + FROM + azure_key_vault v, + logging_details l, + azure_subscription sub + WHERE + sub.subscription_id = v.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_1.yaml b/compliance/controls/azure/azure_cis_v140_5_2_1.yaml index 9862eac98..6697d502f 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_1.yaml 
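Review bot: The final SELECT cross-joins `azure_key_vault v` with the whole `logging_details l` CTE, so every vault is paired with every vault name that has AuditEvent logging: a vault comes out both 'ok' (against its own name) and 'alarm' (against every other name), and when no vault has logging enabled the CTE is empty and the query returns no rows at all instead of one alarm per vault. The substring match `NOT LIKE CONCAT('%', v.name, '%')` additionally lets a vault named `kv` be satisfied by a `kv-prod` logging row. Replacing both `WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%')` branches with `WHEN NOT EXISTS (SELECT 1 FROM logging_details l WHERE l.key_vault_name = v.name)` and dropping `logging_details l,` from the FROM list yields exactly one row per vault with an exact-name check.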
@@ -1,50 +1,51 @@ id: azure_cis_v140_5_2_1 title: 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_alert - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - a.subscription_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - a.subscription_id, - sub.subscription_id, - sub._ctx, - sub.display_name; + language: sql + primary_resource: azure_log_alert + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + a.subscription_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + a.subscription_id, + sub.subscription_id, + sub._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml index a6a8e600d..242a2fe7e 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml 
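Review bot: The outer SELECT reads `a.platform_integration_id` and `a.platform_resource_id`, but the alert_rule CTE only exposes alert_id, alert_name, enabled, location and subscription_id, so the query fails with an unknown-column error; even with those columns added, `a.subscription_id AS resource` is NULL on every alarm row because `a` is the NULL side of the LEFT JOIN. 5.2.2 already has the correct shape (`sub.` columns, grouped by them), and its `primary_resource: azure_subscription` also differs from the `azure_log_alert` used here for the same kind of check. Separately, `LIMIT 1` inside alert_rule keeps a single matching alert across all subscriptions, so when more than one subscription is in scope every subscription but one is reported 'alarm' even when its own alert exists; the same CTE appears in 5.2.2 through 5.2.7 and the LIMIT should be dropped in each, since `COUNT(a.subscription_id) > 0` does not need it.
```sql
-- … unchanged: alert_rule CTE SELECT list and WHERE predicates …
  -- LIMIT 1 removed: one matching alert per subscription must reach the join
)
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  -- … unchanged: status / reason CASE expressions …
FROM
  azure_subscription sub
  LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
GROUP BY
  sub._ctx,
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.display_name;
```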
@@ -1,51 +1,52 @@ id: azure_cis_v140_5_2_2 title: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml index 501132aa7..aa096339a 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v140_5_2_3 title: 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the "Create" or "Update Network Security Group" event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 - ) + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' 
- END AS reason + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) + ) + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml index 047790f6c..d32e34563 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml 
@@ -1,62 +1,63 @@ id: azure_cis_v140_5_2_4 title: 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml index d6cfe5b41..1c4d27d0a 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v140_5_2_5 title: 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule +type: control description: Create an activity log alert for the Create or Update Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' - ) OR ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' + ) OR ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml index c5e46187c..d8f4d3258 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v140_5_2_6 title: 5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule +type: control description: Create an activity log alert for the Delete Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' 
+ AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml index b090d3de9..a5c3bedc0 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml 
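Review bot: The GROUP BY lists only `sub._ctx`, `sub.subscription_id` and `sub.display_name`, while the SELECT reads `sub.platform_integration_id` and `sub.platform_resource_id`; unless azure_subscription declares subscription_id as its primary key (not visible here), Postgres rejects this as a reference to a non-grouped column. 5.2.2 through 5.2.5 and 5.2.7 group by both platform columns; adding `sub.platform_integration_id,` and `sub.platform_resource_id,` to this GROUP BY brings the control in line with its siblings.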
@@ -1,60 +1,61 @@ id: azure_cis_v140_5_2_7 title: 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exist for create or update Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exist for create or update Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml index 7d1d9e17f..d55b18b9b 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v140_5_2_8 title: 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' - ELSE 'Activity log alert does not exist for delete Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exist for delete Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml index 97401cc8e..f37a5451c 100644 --- a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml 
@@ -1,52 +1,53 @@ id: azure_cis_v140_5_2_9 title: 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - LIMIT 1 - ) + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' - ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' 
- END AS reason + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' + ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_5_3.yaml b/compliance/controls/azure/azure_cis_v140_5_3.yaml index d19dd5ab0..14187b2df 100644 --- a/compliance/controls/azure/azure_cis_v140_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_5_3 title: 5.3 Ensure that Diagnostic Logs are enabled for all services which support it +type: control description: Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_6_1.yaml b/compliance/controls/azure/azure_cis_v140_6_1.yaml index 1de5f0aa1..a113d8bc2 100644 --- a/compliance/controls/azure/azure_cis_v140_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_6_1.yaml 
@@ -1,54 +1,55 @@ id: azure_cis_v140_6_1 title: 6.1 Ensure that RDP access is restricted from the internet +type: control description: Disable RDP access on network security groups from the Internet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || - (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || - (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) :: integer <= 3389 - AND split_part(dport, '-', 2) :: integer >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || + (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || + (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 
'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: integer <= 3389 + AND split_part(dport, '-', 2) :: integer >= 3389 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' - ELSE sg.title || ' allows RDP access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_6_2.yaml b/compliance/controls/azure/azure_cis_v140_6_2.yaml index db7040b9a..26316d7f4 100644 --- a/compliance/controls/azure/azure_cis_v140_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_6_2.yaml 
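Review bot: `LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name` correlates on the NSG name, which is only unique within a resource group, so an NSG that restricts RDP will be reported as 'alarm' whenever another NSG of the same name anywhere in the integration allows it; the CTE should carry `nsg.id` (e.g. `DISTINCT id AS sg_id`) and the join should be `ON nsg.sg_id = sg.id`. The same name-based join appears in the azure_cis_v140_6_2 and 6_6 hunks. The source list `('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0')` contains '/0' twice, which is harmless but suggests one entry was meant to be something else; a comment such as `-- exact-match list: broad CIDRs like 0.0.0.0/1 are not detected` would make the known detection gap explicit. The trailing `JOIN azure_subscription sub` only acts as an existence filter, since nothing from `sub` is projected; if that is intended, a one-line comment saying so would help the next reader.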
@@ -1,51 +1,52 @@ id: azure_cis_v140_6_2 title: 6.2 Ensure that SSH access is restricted from the internet +type: control description: Disable SSH access on network security groups from the Internet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) AS dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) :: INTEGER <= 22 - AND split_part(dport, '-', 2) :: INTEGER >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) AS dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 
'Internet', 'any', '/0', '/0') + AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: INTEGER <= 22 + AND split_part(dport, '-', 2) :: INTEGER >= 22 + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_6_3.yaml b/compliance/controls/azure/azure_cis_v140_6_3.yaml index 6e8b3258c..ad7679223 100644 --- a/compliance/controls/azure/azure_cis_v140_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_6_3.yaml 
@@ -1,33 +1,34 @@ id: azure_cis_v140_6_3 title: 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) +type: control description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' - ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' 
+ ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_6_6.yaml b/compliance/controls/azure/azure_cis_v140_6_6.yaml index 600f34762..1ced842dd 100644 --- a/compliance/controls/azure/azure_cis_v140_6_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_6_6.yaml 
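Review bot: The `firewall_rules @> ...` predicates match only two exact rule shapes (0.0.0.0–0.0.0.0 and 0.0.0.0–255.255.255.255), so a near-total range such as 0.0.0.0–255.255.255.254 or 1.0.0.0–255.255.255.255 is reported as 'ok' even though it is effectively "any IP"; a comment such as `-- only the two canonical any-IP rule shapes are detected; ranges that stop short of 255.255.255.255 pass` should be added, or the check extended by expanding `jsonb_array_elements(firewall_rules)` and comparing the start/end addresses as `inet`. The predicate is also duplicated verbatim between the `status` and `reason` CASE expressions; computing it once in a CTE would keep the two from drifting apart.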
@@ -1,56 +1,57 @@ id: azure_cis_v140_6_6 title: 6.6 Ensure that UDP Services are restricted from the Internet +type: control description: Disable Internet exposed UDP ports on network security groups. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER - OR 123 BETWEEN split_part(dport, '-', 1)::INTEGER AND 
split_part(dport, '-', 2)::INTEGER - OR 161 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER - OR 389 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER - OR 1900 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER - ) - ) + 53 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER + OR 123 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER + OR 161 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER + OR 389 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER + OR 1900 BETWEEN split_part(dport, '-', 1)::INTEGER AND split_part(dport, '-', 2)::INTEGER ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} 
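Review bot: The port predicate `dport = '*' OR (dport LIKE '%-%' AND ...)` never matches a single-port rule, so an inbound UDP rule from the internet with `destinationPortRange` of exactly '53', '123', '161', '389' or '1900' is reported as 'ok' — the opposite of what the control is meant to catch; the first branch should read `dport IN ('53', '123', '161', '389', '1900', '*')`. The protocol test `sg -> 'properties' ->> 'protocol' = 'UDP'` is also stricter than the sibling azure_cis_v140_6_1 and 6_2 hunks, which use `ILIKE 'TCP' OR ... = '*'`; a rule with protocol '*' permits UDP as well and is currently skipped, so this line should become `AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*')`. Both gaps produce a false 'ok', which for an exposure control is the costly direction.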
diff --git a/compliance/controls/azure/azure_cis_v140_7_1.yaml b/compliance/controls/azure/azure_cis_v140_7_1.yaml index 4870c6cdf..59682c494 100644 --- a/compliance/controls/azure/azure_cis_v140_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_7_1.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_7_1 title: 7.1 Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' + END AS reason + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_7_2.yaml b/compliance/controls/azure/azure_cis_v140_7_2.yaml index 1ee676894..e6736fddc 100644 --- a/compliance/controls/azure/azure_cis_v140_7_2.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_7_2.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_7_2 title: 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) +type: control description: Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_7_3.yaml b/compliance/controls/azure/azure_cis_v140_7_3.yaml index 40226e9d3..84c3cfabe 100644 --- a/compliance/controls/azure/azure_cis_v140_7_3.yaml 
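Review bot: `WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok'` alarms on disks that use double encryption, where the Azure disk encryption type is 'EncryptionAtRestWithPlatformAndCustomerKeys' and a customer-managed key is still in use; the condition should be `WHEN encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys') THEN 'ok'` in both CASE branches. The description states that CMK "can be either ADE or Server Side Encryption(SSE)", but the query inspects only the SSE `encryption_type` column, so ADE-encrypted disks will presumably be reported as 'alarm'; if the table exposes an ADE indicator it should be OR'ed in, otherwise a comment such as `-- only SSE with CMK is evaluated; ADE is not visible in this table` should record the limitation. The same condition is used unchanged in the azure_cis_v140_7_3 hunk.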
+++ b/compliance/controls/azure/azure_cis_v140_7_3.yaml @@ -1,30 +1,31 @@ id: azure_cis_v140_7_3 title: 7.3 Ensure that 'Unattached disks' are encrypted with CMK +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_7_4.yaml b/compliance/controls/azure/azure_cis_v140_7_4.yaml index 9ec94cc7a..7f5f0ebee 100644 --- a/compliance/controls/azure/azure_cis_v140_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_7_4.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_7_4 title: 7.4 Ensure that only approved extensions are installed +type: control description: For added security only install organization-approved extensions on VMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_7_5.yaml b/compliance/controls/azure/azure_cis_v140_7_5.yaml index 9370b00d8..13b58aac3 100644 --- a/compliance/controls/azure/azure_cis_v140_7_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_7_5.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_7_5 title: 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied +type: control description: Ensure that the latest OS patches for all virtual machines are applied. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_7_6.yaml b/compliance/controls/azure/azure_cis_v140_7_6.yaml index 9719ee9b7..ec294fbb4 100644 --- a/compliance/controls/azure/azure_cis_v140_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_7_6.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_7_6 title: 7.6 Ensure that the endpoint protection for all Virtual Machines is installed +type: control description: Install endpoint protection for all virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_7_7.yaml b/compliance/controls/azure/azure_cis_v140_7_7.yaml index 976845c3a..ed6bb89ed 100644 --- a/compliance/controls/azure/azure_cis_v140_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_7_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_7_7 title: 7.7 Ensure that VHD's are encrypted +type: control description: VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_8_1.yaml b/compliance/controls/azure/azure_cis_v140_8_1.yaml index 0eb99e473..908fa0bca 100644 --- a/compliance/controls/azure/azure_cis_v140_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_1.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v140_8_1 title: 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults +type: control description: Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_8_2.yaml b/compliance/controls/azure/azure_cis_v140_8_2.yaml index 4810d27ed..c6c3ae7af 100644 --- a/compliance/controls/azure/azure_cis_v140_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_2.yaml 
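Review bot: `WHEN enabled AND expires_at IS NULL THEN 'alarm'` only fires when `enabled` is TRUE, so a key whose `enabled` is NULL and has no expiry reaches `ELSE 'ok'`, and its reason becomes NULL because `to_char(NULL, …)` propagates through `||`. If `enabled` can be NULL in this table, fail closed with `WHEN COALESCE(enabled, TRUE) AND expires_at IS NULL THEN 'alarm'` and mirror that in the reason CASE. A short comment above the status CASE stating that disabled keys are intentionally reported `ok` regardless of expiry would also make that design choice explicit.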
@@ -1,42 +1,43 @@ id: azure_cis_v140_8_2 title: 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults +type: control description: Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_8_3.yaml b/compliance/controls/azure/azure_cis_v140_8_3.yaml index 134b6affa..0c7588091 100644 --- a/compliance/controls/azure/azure_cis_v140_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_3.yaml 
@@ -1,43 +1,44 @@ id: azure_cis_v140_8_3 title: 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults +type: control description: Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_8_4.yaml b/compliance/controls/azure/azure_cis_v140_8_4.yaml index 0a0ddbb15..898152664 100644 --- a/compliance/controls/azure/azure_cis_v140_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_4.yaml 
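Review bot: The reason string is built as `vault_name || ' key ' || kvs.name` although this control evaluates secrets (`FROM azure_key_vault_secret kvs`), so every finding for 8.3 reads as a key; change the literal to `' secret '`. Since the query was evidently carried over from the key control, qualifying the unaliased columns (`kvs.enabled`, `kvs.expires_at`) would also guard against ambiguity if the `rbac_vault` CTE ever gains those columns.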
@@ -1,43 +1,44 @@ id: azure_cis_v140_8_4 title: 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults +type: control description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN non_rbac_vault AS v - ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' 
+ ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN non_rbac_vault AS v + ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_8_5.yaml b/compliance/controls/azure/azure_cis_v140_8_5.yaml index 29357ed64..b072982d6 100644 --- a/compliance/controls/azure/azure_cis_v140_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_5.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_8_5 title: 8.5 Ensure that Resource Locks are set for mission critical Azure resources +type: control description: Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
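Review bot: As in 8.3, the reason text uses `' key '` for a secret control (`FROM azure_key_vault_secret kvs`), so findings for 8.4 are mislabelled; change the literal to `' secret '`. The `WHEN v.name IS NULL THEN ' RBAC enabled vault.'` branch is correct here (the CTE selects non-RBAC vaults), so only the noun needs fixing.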
diff --git a/compliance/controls/azure/azure_cis_v140_8_6.yaml b/compliance/controls/azure/azure_cis_v140_8_6.yaml index dac93e3d9..afab5765f 100644 --- a/compliance/controls/azure/azure_cis_v140_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_6.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v140_8_6 title: 8.6 Ensure the key vault is recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' 
+ ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_8_7.yaml b/compliance/controls/azure/azure_cis_v140_8_7.yaml index bb969098c..eb05d3fb7 100644 --- a/compliance/controls/azure/azure_cis_v140_8_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_8_7.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v140_8_7 title: 8.7 Enable role-based access control (RBAC) within Azure Kubernetes Services +type: control description: Ensure that RBAC is enabled on all Azure Kubernetes Services Instances. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' + ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} 
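Review bot: The definition under `azure_cis_v140_8_7` checks Key Vault soft-delete and purge-protection (`FROM azure_key_vault kv`, `primary_resource: azure_key_vault`) while the title and description require RBAC to be enabled on Azure Kubernetes Service clusters, so this control can never report on a cluster and simply duplicates 8.6's findings under the wrong heading. The query and `primary_resource` should be rewritten against the AKS cluster table, with the cluster's RBAC flag driving the status (for example `WHEN <rbac_enabled_column> THEN 'ok' ELSE 'alarm'`, column name to be confirmed against the schema) and reason strings such as `name || ' RBAC enabled.'` / `name || ' RBAC disabled.'`. Until that is done it would be safer to mark this control as manual verification than to ship a check that passes or fails on unrelated resources.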
diff --git a/compliance/controls/azure/azure_cis_v140_9_1.yaml b/compliance/controls/azure/azure_cis_v140_9_1.yaml index d3c6f31de..5facc5f99 100644 --- a/compliance/controls/azure/azure_cis_v140_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_9_1 title: 9.1 Ensure App Service Authentication is set up for apps in Azure App Service +type: control description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' + ELSE name || ' authentication set.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
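Review bot: An app whose `auth_settings` has no `properties.enabled` key (or a NULL `auth_settings`) is reported `ok`: the cast yields NULL, `NOT NULL` is NULL, and the CASE falls through to `ELSE 'ok'`, so an app whose authentication configuration could not be read passes the control. Fail closed by making the positive case explicit, `WHEN (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'ok' ELSE 'alarm'`, and mirror that in the reason CASE. A comment noting that the `::boolean` cast presumably relies on the JSON value being a boolean (a non-boolean string would error at scan time) would help the next maintainer.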
diff --git a/compliance/controls/azure/azure_cis_v140_9_11.yaml b/compliance/controls/azure/azure_cis_v140_9_11.yaml index d8b1c6a76..8fdf4d2b9 100644 --- a/compliance/controls/azure/azure_cis_v140_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_11.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_9_11 title: 9.11 Ensure Azure Keyvaults are used to store secrets +type: control description: Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_9_2.yaml b/compliance/controls/azure/azure_cis_v140_9_2.yaml index c7face08d..e8a937c14 100644 --- a/compliance/controls/azure/azure_cis_v140_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_9_2 title: 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service +type: control description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE name || ' redirects all HTTP traffic to HTTPS.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' + ELSE name || ' redirects all HTTP traffic to HTTPS.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_9_3.yaml b/compliance/controls/azure/azure_cis_v140_9_3.yaml index 83a4494b0..5db4ddf78 100644 --- a/compliance/controls/azure/azure_cis_v140_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_3.yaml 
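Review bot: `WHEN NOT https_only THEN 'alarm' ELSE 'ok'` treats a NULL `https_only` as compliant, because `NOT NULL` is NULL and the CASE drops into `ELSE 'ok'`. If the column can be NULL, invert the test so the unknown case fails closed: `WHEN https_only THEN 'ok' ELSE 'alarm'`, with the same inversion in the reason CASE.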
@@ -1,29 +1,30 @@ id: azure_cis_v140_9_3 title: 9.3 Ensure web app is using the latest version of TLS encryption +type: control description: The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
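Review bot: `configuration -> 'properties' ->> 'minTlsVersion' < '1.2'` is a text comparison, and a missing `minTlsVersion` makes the expression NULL so the app is reported as using the latest TLS. The lexicographic order happens to be right for `1.0`/`1.1`/`1.2`/`1.3`, but that should be stated in a comment (`-- text compare is only safe while values stay of the form 1.x`), and the NULL case handled explicitly, e.g. `WHEN configuration -> 'properties' ->> 'minTlsVersion' IS NULL THEN 'alarm'` ahead of the existing branch; whether a missing key means the platform's 1.2 default or an unreadable config is not visible here, so at minimum the reason text should say which was assumed. The title says "latest version" while the check accepts 1.2; if 1.3 is meant, the literal needs raising.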
diff --git a/compliance/controls/azure/azure_cis_v140_9_4.yaml b/compliance/controls/azure/azure_cis_v140_9_4.yaml index 59c2ec968..fd4bc9621 100644 --- a/compliance/controls/azure/azure_cis_v140_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_4.yaml @@ -1,29 +1,30 @@ id: azure_cis_v140_9_4 title: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT client_cert_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' - ELSE name || ' incoming client certificates set to on.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT client_cert_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' + ELSE name || ' incoming client certificates set to on.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
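Review bot: `WHEN NOT client_cert_enabled THEN 'alarm' ELSE 'ok'` passes an app whose `client_cert_enabled` is NULL, since the negation of NULL never matches; `WHEN client_cert_enabled THEN 'ok' ELSE 'alarm'` fails closed instead. Note also that enabling incoming client certificates does not by itself reject clients without one if the app is configured in an optional mode; if the table exposes a certificate-mode column, the control should require it to be the mandatory setting before reporting `ok`, otherwise a comment should record that only the on/off flag is evaluated.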
diff --git a/compliance/controls/azure/azure_cis_v140_9_5.yaml b/compliance/controls/azure/azure_cis_v140_9_5.yaml index 98a5ddfb0..a8b25a72e 100644 --- a/compliance/controls/azure/azure_cis_v140_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_5.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_9_5 title: 9.5 Ensure that Register with Azure Active Directory is enabled on App Service +type: control description: Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN identity = '{}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' - ELSE name || ' register with azure active directory enabled.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN identity = '{}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' + ELSE name || ' register with azure active directory enabled.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v140_9_6.yaml b/compliance/controls/azure/azure_cis_v140_9_6.yaml index bb0d54027..688980100 100644 --- a/compliance/controls/azure/azure_cis_v140_9_6.yaml 
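Review bot: `WHEN identity = '{}' THEN 'alarm' ELSE 'ok'` reports an app with a NULL `identity` as registered, because the comparison is NULL and the CASE reaches `ELSE 'ok'`; `WHEN identity IS NULL OR identity = '{}' THEN 'alarm'` closes that gap. It is also worth confirming what the scanner stores for an app with no managed identity — if it is an object such as `{"type": "None"}` rather than an empty object, the check should look at the identity type instead of comparing against `'{}'`, and a comment should state which shape the check expects.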
+++ b/compliance/controls/azure/azure_cis_v140_9_6.yaml @@ -1,23 +1,24 @@ id: azure_cis_v140_9_6 title: 9.6 Ensure that 'PHP version' is the latest, if used to run the web app +type: control description: Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_9_7.yaml b/compliance/controls/azure/azure_cis_v140_9_7.yaml index 22ca55bcf..4bc5902fd 100644 --- a/compliance/controls/azure/azure_cis_v140_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v140_9_7 title: 9.7 Ensure that 'Python version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_9_8.yaml b/compliance/controls/azure/azure_cis_v140_9_8.yaml index b47d642bb..07975e207 100644 --- a/compliance/controls/azure/azure_cis_v140_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_8.yaml 
@@ -1,25 +1,24 @@ id: azure_cis_v140_9_8 title: 9.8 Ensure that 'Java version' is the latest, if used to run the web app -description: >- - Periodically, newer versions are released for Java software either due to security - flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. +type: control +description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v140_9_9.yaml b/compliance/controls/azure/azure_cis_v140_9_9.yaml index 416d059b7..bc6c1f4b3 100644 --- a/compliance/controls/azure/azure_cis_v140_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_9_9.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v140_9_9 title: 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' - ELSE name || ' HTTP version is latest.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' + ELSE name || ' HTTP version is latest.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_10_1.yaml b/compliance/controls/azure/azure_cis_v150_10_1.yaml index 3ef74240a..bbc7e1fbe 100644 
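Review bot: `NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean` yields NULL when the key is absent or `configuration` is NULL, so the CASE falls to `ELSE 'ok'` and an app with no recorded HTTP/2 setting is reported as compliant. Use `IS NOT TRUE` so the unknown case fails closed: `WHEN (configuration -> 'properties' ->> 'http20Enabled')::boolean IS NOT TRUE THEN 'alarm'`, with the same predicate in the reason CASE. As in the 9.5 hunk, `configuration` and `name` are unqualified with two tables in FROM; qualifying them with `app.` removes the latent ambiguity.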
--- a/compliance/controls/azure/azure_cis_v150_10_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_10_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_10_1 title: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources +type: control description: Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_10.yaml b/compliance/controls/azure/azure_cis_v150_1_10.yaml index 9164f31ee..1e57768a8 100644 --- a/compliance/controls/azure/azure_cis_v150_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_10.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_10 title: 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' +type: control description: Ensure that all administrators are notified if any other administrator resets their password. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_11.yaml b/compliance/controls/azure/azure_cis_v150_1_11.yaml index f4a125a7f..a23e26f5c 100644 --- a/compliance/controls/azure/azure_cis_v150_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_11.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_11 title: 1.11 Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’ +type: control description: Allow users to provide consent for selected permissions when a request is coming from a verified publisher. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_12.yaml b/compliance/controls/azure/azure_cis_v150_1_12.yaml index ccc85a546..13972ce21 100644 
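Review bot: The manual-verification definition here emits only `resource`, `status` and `reason`, whereas every automated control in this diff, and the subscription-scoped manual ones such as 9.6 and 10.1, also emit `platform_integration_id` and `platform_resource_id`; if the engine attributes findings by those columns, these `'active_directory'` rows may not be attributed to any integration. The same shape is in 1.11, 1.12, 1.15, 1.16, 1.17, 1.1.1 to 1.1.4, 1.20 to 1.22, 1.24, 1.25 and 1.2.1 to 1.2.4, so one decision should be applied to all of them. If the columns are required, the per-subscription form used in 9.6 (`FROM azure_subscription` with its `platform_integration_id`/`platform_resource_id`) gives each subscription an attributed info row; if tenant-level controls are intentionally unattributed, a comment in the definition such as `-- tenant-scoped manual check: no per-integration attribution by design` would stop the next reader from treating it as an omission.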
--- a/compliance/controls/azure/azure_cis_v150_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_12.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_12 title: 1.12 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_14.yaml b/compliance/controls/azure/azure_cis_v150_1_14.yaml index fc44e27fb..a47f3b2a2 100644 --- a/compliance/controls/azure/azure_cis_v150_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_14.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v150_1_14 title: 1.14 Ensure That ‘Users Can Register Applications’ Is Set to ‘No’ +type: control description: Require administrators or appropriately delegated users to register third-party applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.' - ELSE a.display_name || ' allows user to register applications.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.' + ELSE a.display_name || ' allows user to register applications.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_authorization_policy AS a; severity: low tags: {} 
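Review bot: `FROM distinct_tenant AS t, entraid_authorization_policy AS a` is a cross join with no join predicate, so every authorization-policy row is repeated once per `(tenant_id, subscription_id, _ctx)` row of the CTE, which is keyed on three columns rather than on tenant alone, and the `t.tenant_id` in the output bears no relation to `a`. If `entraid_authorization_policy` exposes a tenant column (not visible here), join on it, e.g. `INNER JOIN distinct_tenant AS t ON t.tenant_id = a.tenant_id`; if it does not, the CTE and the `t.tenant_id` column add nothing and should be dropped. The identical pattern is in the 1.19 hunk. The `->> 'allowedToCreateApps' = 'false'` test does fail closed when the key is missing, which is the right direction for this control.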
diff --git a/compliance/controls/azure/azure_cis_v150_1_15.yaml b/compliance/controls/azure/azure_cis_v150_1_15.yaml index 4ca5a8105..1c0abe0f9 100644 --- a/compliance/controls/azure/azure_cis_v150_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_15.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_15 title: 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' +type: control description: Limit guest user permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_16.yaml b/compliance/controls/azure/azure_cis_v150_1_16.yaml index 703ce6d82..f237324d4 100644 --- a/compliance/controls/azure/azure_cis_v150_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_16.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_16 title: 1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' +type: control description: Restrict invitations to users with specific administrative roles only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_17.yaml b/compliance/controls/azure/azure_cis_v150_1_17.yaml index 5e4c9d3b3..e2aa6efd1 100644 --- a/compliance/controls/azure/azure_cis_v150_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_17.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_17 title: 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' +type: control description: Restrict access to the Azure AD administration portal to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_19.yaml b/compliance/controls/azure/azure_cis_v150_1_19.yaml index ab55b9643..ad426b91a 100644 --- a/compliance/controls/azure/azure_cis_v150_1_19.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_1_19.yaml @@ -1,36 +1,37 @@ id: azure_cis_v150_1_19 title: 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict security group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' - ELSE a.display_name || ' allows user to create security groups.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' + ELSE a.display_name || ' allows user to create security groups.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_authorization_policy AS a; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_1_1_1.yaml b/compliance/controls/azure/azure_cis_v150_1_1_1.yaml index 7ea63a3e3..5e4402831 100644 --- a/compliance/controls/azure/azure_cis_v150_1_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_1_1.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_1_1 title: 1.1.1 Ensure Security Defaults is enabled on Azure Active Directory +type: control description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_1_2.yaml b/compliance/controls/azure/azure_cis_v150_1_1_2.yaml index 036aaa8b5..573858f96 100644 --- a/compliance/controls/azure/azure_cis_v150_1_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_1_2.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_1_2 title: 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users +type: control description: Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_1_3.yaml b/compliance/controls/azure/azure_cis_v150_1_1_3.yaml index 1ace39490..a9f835260 100644 --- a/compliance/controls/azure/azure_cis_v150_1_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_1_3.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_1_3 title: 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users +type: control description: Enable multi-factor authentication for all non-privileged users. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_1_4.yaml b/compliance/controls/azure/azure_cis_v150_1_1_4.yaml index d61d9c70c..db7f63825 100644 --- a/compliance/controls/azure/azure_cis_v150_1_1_4.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_1_1_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_1_4 title: 1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled +type: control description: Do not allow users to remember multi-factor authentication on devices. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_20.yaml b/compliance/controls/azure/azure_cis_v150_1_20.yaml index 95d50b143..54cc20d07 100644 --- a/compliance/controls/azure/azure_cis_v150_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_20.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_20 title: 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' +type: control description: Restrict security group management to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_21.yaml b/compliance/controls/azure/azure_cis_v150_1_21.yaml index 7d6e2714b..92a3d9bfe 100644 
--- a/compliance/controls/azure/azure_cis_v150_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_21.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_21 title: 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict Microsoft 365 group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_22.yaml b/compliance/controls/azure/azure_cis_v150_1_22.yaml index 2afa02553..6c11dfee7 100644 --- a/compliance/controls/azure/azure_cis_v150_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_22.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_22 title: 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' +type: control description: Joining or registering devices to the active directory should require Multi-factor authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v150_1_23.yaml b/compliance/controls/azure/azure_cis_v150_1_23.yaml index 92da076fc..b652925c6 100644 --- a/compliance/controls/azure/azure_cis_v150_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_23.yaml 
@@ -1,54 +1,55 @@ id: azure_cis_v150_1_23 title: 1.23 Ensure That No Custom Subscription Owner Roles Are Created +type: control description: Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_role_definition - definition: | - WITH owner_custom_roles AS ( - SELECT - role_name, - platform_integration_id, - platform_resource_id, - role_type, - title, - action, - _ctx, - subscription_id - FROM - azure_role_definition, - jsonb_array_elements(permissions) AS s, - jsonb_array_elements_text(s -> 'actions') AS action - WHERE - role_type = 'CustomRole' - AND action IN ('*', '*:*') - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' - WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' - ELSE 'There are no custom owner roles.' 
- END AS reason - FROM - owner_custom_roles cr, - azure_subscription sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr._ctx, - sub.display_name, - cr.platform_integration_id, - cr.platform_resource_id; + language: sql + primary_resource: azure_role_definition + definition: | + WITH owner_custom_roles AS ( + SELECT + role_name, + platform_integration_id, + platform_resource_id, + role_type, + title, + action, + _ctx, + subscription_id + FROM + azure_role_definition, + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action + WHERE + role_type = 'CustomRole' + AND action IN ('*', '*:*') + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' + WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' + ELSE 'There are no custom owner roles.' + END AS reason + FROM + owner_custom_roles cr, + azure_subscription sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr._ctx, + sub.display_name, + cr.platform_integration_id, + cr.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_1_24.yaml b/compliance/controls/azure/azure_cis_v150_1_24.yaml index 052134fa5..c3b8115e0 100644 --- a/compliance/controls/azure/azure_cis_v150_1_24.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_24.yaml 
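Review bot: The outer query inner-joins `azure_subscription` to `owner_custom_roles`, so a subscription with no wildcard custom role produces no row at all and the `ELSE 'ok'` and `'There are no custom owner roles.'` branches are unreachable; compliant subscriptions are never reported. The GROUP BY also includes `cr.platform_resource_id`, which is selected from `azure_role_definition` and so appears to identify the role definition rather than the subscription, giving one row per matching role where `COUNT(*)` counts wildcard actions inside that role instead of custom owner roles per subscription. Driving the query from `azure_subscription` with a LEFT JOIN and counting distinct role names fixes both; `primary_resource` may then want to be `azure_subscription` to match the emitted resource. The CTE is unchanged.
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(DISTINCT cr.role_name) > 1 THEN 'There are ' || COUNT(DISTINCT cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id;
```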
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_24 title: 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks +type: control description: Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_25.yaml b/compliance/controls/azure/azure_cis_v150_1_25.yaml index d1d275594..e35694a07 100644 --- a/compliance/controls/azure/azure_cis_v150_1_25.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_25.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_25 title: 1.25 Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’ +type: control description: Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_1.yaml b/compliance/controls/azure/azure_cis_v150_1_2_1.yaml index c92fab1c0..bb8baa3ba 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_1.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_2_1 title: 1.2.1 Ensure Trusted Locations Are Defined +type: control description: Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_2_2.yaml b/compliance/controls/azure/azure_cis_v150_1_2_2.yaml index 5a138e589..e2e92e550 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_2.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_2_2 title: 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered +type: control description: Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_2_3.yaml b/compliance/controls/azure/azure_cis_v150_1_2_3.yaml index 817aa5d5d..627708df4 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_3.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_2_3 title: 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_4.yaml b/compliance/controls/azure/azure_cis_v150_1_2_4.yaml index 0d9fef7bd..faa0ab85c 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_2_4 title: 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_2_5.yaml b/compliance/controls/azure/azure_cis_v150_1_2_5.yaml index efa72e823..0d5d2efa9 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_5.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_2_5 title: 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml index 3e1b10ad2..a64ff5c19 100644 --- a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v150_1_2_6 title: 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management +type: control description: For designated users, they will be prompted to use their multi-factor authentication(MFA) process on logins. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_conditional_access_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' - ELSE p.display_name || ' MFA disabled.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_conditional_access_policy AS p; + language: sql + primary_resource: entraid_conditional_access_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' + ELSE p.display_name || ' MFA disabled.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_conditional_access_policy AS p; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_1_3.yaml b/compliance/controls/azure/azure_cis_v150_1_3.yaml index e8e0a85dd..a96f4d785 100644 --- a/compliance/controls/azure/azure_cis_v150_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_3.yaml 
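Review bot: The closing `FROM distinct_tenant AS t, entraid_conditional_access_policy AS p;` is an implicit cross join with no condition relating the policy to the tenant, so every policy row is repeated once per row of `distinct_tenant` — and because that CTE is DISTINCT over (tenant_id, subscription_id, _ctx), that is once per subscription rather than once per tenant, producing duplicated findings wherever a tenant holds several subscriptions. The sibling control azure_cis_v150_1_4 below joins the same CTE explicitly on `t.tenant_id = u.tenant_id`; the same shape here, `FROM entraid_conditional_access_policy AS p LEFT JOIN distinct_tenant AS t ON t.tenant_id = p.tenant_id`, would give one row per policy, assuming the policy table carries a `tenant_id` column (not visible in this hunk). Separately, the title asks whether MFA is required for Azure Management, but the CASE alarms on every conditional access policy whose `built_in_controls` lacks `"mfa"` regardless of what the policy targets; a one-line comment above the SELECT stating that this is a per-policy check rather than a "does an MFA policy for Azure management exist" check would keep readers from over-trusting an `ok` result.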
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_3 title: 1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management +type: control description: This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_4.yaml b/compliance/controls/azure/azure_cis_v150_1_4.yaml index bbac61b12..978b7e974 100644 --- a/compliance/controls/azure/azure_cis_v150_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_4.yaml 
@@ -1,40 +1,41 @@ id: azure_cis_v150_1_4 title: 1.4 Ensure Guest Users Are Reviewed on a Regular Basis +type: control description: Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be reviewed on a regular basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::timestamp <= (current_date - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM current_timestamp - u.created_date_time::timestamp) || ' days ago.' 
- END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN - distinct_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::timestamp <= (current_date - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' + ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM current_timestamp - u.created_date_time::timestamp) || ' days ago.' + END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN + distinct_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_1_5.yaml b/compliance/controls/azure/azure_cis_v150_1_5.yaml index 4a143a379..0e2c8b5e3 100644 --- a/compliance/controls/azure/azure_cis_v150_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_5.yaml 
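Review bot: The 30-day review window in `WHEN u.created_date_time::timestamp <= (current_date - INTERVAL '30' DAY) THEN 'alarm'` is a magic constant while the control declares `parameters: []`; either expose it as a parameter or add `-- guest accounts older than 30 days are flagged for periodic review` above the CASE so the threshold is visible to whoever tunes the control. As written, every enabled guest older than 30 days stays in 'alarm' permanently, and the reason text only reports the age, so the finding cannot distinguish a never-reviewed guest from one that was reviewed last week — worth stating in the control description if that is the intended behaviour. The `LEFT JOIN distinct_tenant AS t` also keys on a CTE that is DISTINCT over (tenant_id, subscription_id, _ctx), which looks like one row per subscription and would multiply each guest finding by the number of subscriptions in the tenant; selecting only `tenant_id` in that CTE would avoid it, if the `_ctx`/`subscription_id` columns are not needed downstream.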
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_5 title: 1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' +type: control description: Do not allow users to remember multi-factor authentication on devices. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_6.yaml b/compliance/controls/azure/azure_cis_v150_1_6.yaml index 178d2d99a..c79fd641d 100644 --- a/compliance/controls/azure/azure_cis_v150_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_6.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_6 title: 1.6 Ensure That 'Number of methods required to reset' is set to '2' +type: control description: Ensures that two alternate forms of identification are provided before allowing a password reset. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_7.yaml b/compliance/controls/azure/azure_cis_v150_1_7.yaml index 58bf0c983..921758d41 100644 --- a/compliance/controls/azure/azure_cis_v150_1_7.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_1_7.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_7 title: 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization +type: control description: Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_8.yaml b/compliance/controls/azure/azure_cis_v150_1_8.yaml index 6f99b8be7..3d0c380ab 100644 --- a/compliance/controls/azure/azure_cis_v150_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_8.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v150_1_8 title: 1.8 Ensure that 'Number of days before users are asked to reconfirm their authentication information' is not set to '0' +type: control description: Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_1_9.yaml b/compliance/controls/azure/azure_cis_v150_1_9.yaml index 820d348b2..6f2c9427f 100644 --- a/compliance/controls/azure/azure_cis_v150_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_9.yaml @@ -1,18 +1,19 @@ id: azure_cis_v150_1_9 title: 1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' +type: control description: Ensure that users are notified on their primary and secondary emails on password resets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_2_1_1.yaml b/compliance/controls/azure/azure_cis_v150_2_1_1.yaml index f0383a82c..18370244f 100644 
--- a/compliance/controls/azure/azure_cis_v150_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_1.yaml @@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_1 title: 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' +type: control description: Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' - ELSE 'Azure Defender off for Servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'VirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' + ELSE 'Azure Defender off for Servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'VirtualMachines'; severity: low tags: {} 
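Review bot: The trailing `WHERE name = 'VirtualMachines'` undoes the `RIGHT JOIN azure_subscription sub`: a subscription that has no `azure_security_center_subscription_pricing` row for that plan yields a NULL `name`, the WHERE drops it, and the control emits no row at all instead of 'alarm' for exactly the "Defender never configured" case it exists to catch. Moving the plan filter into the join condition, `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'VirtualMachines'`, keeps every subscription and lets the existing ELSE branch mark the unmatched ones 'alarm'; for those rows `sub_pricing.id` and the two platform ids would be NULL, so `resource` and the ids would need to fall back to the `sub` columns, which is a larger change than the one-line move. `name` is also unqualified, so if `azure_subscription` has a `name` column the statement is ambiguous; qualifying it as `sub_pricing.name` is cheap insurance either way. The same pattern is in azure_cis_v150_2_1_10, 2_1_11, 2_1_13, 2_1_2 and 2_1_4 further down this diff; azure_cis_v150_2_1_3 already does this correctly with a LEFT JOIN from `azure_subscription` and can serve as the template.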
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_10.yaml b/compliance/controls/azure/azure_cis_v150_2_1_10.yaml
index ce05ebf57..551433074 100644
--- a/compliance/controls/azure/azure_cis_v150_2_1_10.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_1_10.yaml
@@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_10 title: 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' +type: control description: Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' - ELSE 'Azure Defender off for Key Vaults.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KeyVaults'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.' + ELSE 'Azure Defender off for Key Vaults.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KeyVaults'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_1_11.yaml b/compliance/controls/azure/azure_cis_v150_2_1_11.yaml index 69a6b60d5..7054eeba6 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_11.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_2_1_11.yaml @@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_11 title: 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' +type: control description: Microsoft Defender for DNS scans all network traffic exiting from within a subscription. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' - ELSE 'Azure Defender off for DNS.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Dns'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' + ELSE 'Azure Defender off for DNS.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Dns'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_1_12.yaml b/compliance/controls/azure/azure_cis_v150_2_1_12.yaml index 532a667e8..490c174e9 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_12.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_2_1_12 title: 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On' +type: control description: Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_2_1_13.yaml b/compliance/controls/azure/azure_cis_v150_2_1_13.yaml index 4b86685d5..492e532ac 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_13.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_13 title: 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' +type: control description: Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.' - ELSE 'Azure Defender off for Resource Manager.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Arm'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.' + ELSE 'Azure Defender off for Resource Manager.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Arm'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_1_2.yaml b/compliance/controls/azure/azure_cis_v150_2_1_2.yaml index 29e8020f8..1e7cdbdc6 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_2.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_2_1_2.yaml @@ -1,32 +1,33 @@ id: azure_cis_v150_2_1_2 title: 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' +type: control description: Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_3.yaml b/compliance/controls/azure/azure_cis_v150_2_1_3.yaml
index 55e26811c..281756c9a 100644
--- a/compliance/controls/azure/azure_cis_v150_2_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_1_3.yaml
@@ -1,48 +1,49 @@ id: azure_cis_v150_2_1_3 title: 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH defender_list AS ( - SELECT - json_object_agg(name, pricing_tier) AS data, - subscription_id - FROM - azure_security_center_subscription_pricing - WHERE - name = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'Azure Defender on for Databases.' - ELSE 'Azure Defender off for Databases.' 
- END AS reason - FROM - azure_subscription AS sub - LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH defender_list AS ( + SELECT + json_object_agg(name, pricing_tier) AS data, + subscription_id + FROM + azure_security_center_subscription_pricing + WHERE + name = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'Azure Defender on for Databases.' + ELSE 'Azure Defender off for Databases.' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_1_4.yaml b/compliance/controls/azure/azure_cis_v150_2_1_4.yaml index 702fb48b7..c7eb0f8f8 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_4.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_4 title: 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' - ELSE 'Azure Defender off for SQL database servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' + ELSE 'Azure Defender off for SQL database servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServers'; severity: low tags: {} 
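Review bot: The `WHERE name = 'SqlServers'` filter after the `RIGHT JOIN` discards exactly the rows the outer join was meant to keep: a subscription with no `SqlServers` pricing row joins with `name` NULL, fails the predicate and produces no result at all instead of the 'alarm' the CASE implies. Assuming `name` is a column of `sub_pricing` (it is unqualified here), the filter belongs in the join condition and the join is clearer written from the subscription side: `FROM azure_subscription AS sub` / `LEFT JOIN azure_security_center_subscription_pricing AS sub_pricing` / `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'SqlServers'`, with the `WHERE` clause removed. With that change a missing plan row yields NULL `pricing_tier` and the existing CASE falls through to 'alarm' as intended, though `sub_pricing.id AS resource` and the two `platform_*` columns would then also be NULL for that row and likely need a `COALESCE(..., sub.id)` style fallback — confirm how downstream keys results. The same RIGHT JOIN plus WHERE pattern appears in azure_cis_v150_2_1_5, 2_1_6, 2_1_7, 2_1_8, 2_1_9, 2_4_1 and 2_4_2.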
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_5.yaml b/compliance/controls/azure/azure_cis_v150_2_1_5.yaml
index 006c4598f..04c16de2b 100644
--- a/compliance/controls/azure/azure_cis_v150_2_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_1_5.yaml
@@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_5 title: 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' +type: control description: Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' - ELSE 'Azure Defender off for SQL servers on machines.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServerVirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' + ELSE 'Azure Defender off for SQL servers on machines.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServerVirtualMachines'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_6.yaml b/compliance/controls/azure/azure_cis_v150_2_1_6.yaml
index 25c6f6685..505459c9f 100644
--- a/compliance/controls/azure/azure_cis_v150_2_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_1_6.yaml
@@ -1,29 +1,30 @@ id: azure_cis_v150_2_1_6 title: 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' - ELSE 'Azure Defender off for Open Source Relational Databases.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'OpenSourceRelationalDatabases'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' + ELSE 'Azure Defender off for Open Source Relational Databases.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'OpenSourceRelationalDatabases'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_7.yaml b/compliance/controls/azure/azure_cis_v150_2_1_7.yaml
index d5dcb8c97..15f5124c5 100644
--- a/compliance/controls/azure/azure_cis_v150_2_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_1_7.yaml
@@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_7 title: 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' +type: control description: Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' - ELSE 'Azure Defender off for Storage.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'StorageAccounts'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' + ELSE 'Azure Defender off for Storage.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'StorageAccounts'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_1_8.yaml b/compliance/controls/azure/azure_cis_v150_2_1_8.yaml index a4f7723fe..f5fa0e703 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_8.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_2_1_8.yaml @@ -1,30 +1,31 @@ id: azure_cis_v150_2_1_8 title: 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' +type: control description: Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: {} 
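Review bot: The pricing entry checked on the new side, `name = 'ContainerRegistry'`, does not match the control title, which evaluates Microsoft Defender for Containers; Microsoft consolidated the container-related plans into a single `Containers` pricing entry, so on a subscription that only carries the consolidated plan this control would report 'alarm' (or, given the RIGHT JOIN/WHERE combination, return no row) even though the feature is enabled. Please verify the plan name against the pricing data this integration actually collects and, if confirmed, change the predicate to `name = 'Containers'` and reword the two reason strings to say 'Containers' rather than 'Container Registry'. The description's phrase 'Container Registries including Kubernetes' reads as the pre-consolidation model as well and should be revisited together with the query.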
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_9.yaml b/compliance/controls/azure/azure_cis_v150_2_1_9.yaml index 431719853..9e569b175 100644 --- a/compliance/controls/azure/azure_cis_v150_2_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_9.yaml @@ -1,32 +1,33 @@ id: azure_cis_v150_2_1_9 title: 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' +type: control description: Microsoft Defender for Cosmos DB scans all incoming network requests for changes to your virtual machine. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' - ELSE 'Azure Defender off for Cosmos DB.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'CosmosDbs'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' + ELSE 'Azure Defender off for Cosmos DB.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'CosmosDbs'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_2_2_1.yaml b/compliance/controls/azure/azure_cis_v150_2_2_1.yaml index c41f42363..b7c61bca0 100644 --- a/compliance/controls/azure/azure_cis_v150_2_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_1.yaml @@ -1,30 +1,31 @@ id: azure_cis_v150_2_2_1 title: 2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' +type: control description: Enable automatic provisioning of the monitoring agent to collect security data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN - azure_subscription sub - ON - sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' + END AS reason + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN + azure_subscription sub + ON + sc_prov.subscription_id = sub.subscription_id; severity: low tags: {} 
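Review bot: `sc_prov.id AS resource` and the two `sc_prov.platform_*` columns are NULL for any subscription that has no `azure_security_center_auto_provisioning` row, because the RIGHT JOIN keeps the subscription but nothing from `sc_prov`; the row still evaluates to 'alarm' (a NULL `auto_provision` is not 'On'), but it carries no resource identifier, which presumably breaks whatever keys results by `primary_resource` — confirm against the consumer. Consider a fallback such as `COALESCE(sc_prov.id, sub.id) AS resource`, or write the query as `FROM azure_subscription AS sub LEFT JOIN azure_security_center_auto_provisioning AS sc_prov ON sc_prov.subscription_id = sub.subscription_id` so the direction of the outer join is explicit. `auto_provision` is unqualified in both CASEs; `sc_prov.auto_provision` makes its origin clear.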
diff --git a/compliance/controls/azure/azure_cis_v150_2_2_2.yaml b/compliance/controls/azure/azure_cis_v150_2_2_2.yaml index 2180d883d..a7fee264f 100644 --- a/compliance/controls/azure/azure_cis_v150_2_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_2.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_2_2_2 title: 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' +type: control description: Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_2_2_3.yaml b/compliance/controls/azure/azure_cis_v150_2_2_3.yaml index 312cd07b1..e8d83b79a 100644 --- a/compliance/controls/azure/azure_cis_v150_2_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_2_2_3 title: 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' +type: control description: Enable automatic provisioning of the Microsoft Defender for Containers components. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_2_3_1.yaml b/compliance/controls/azure/azure_cis_v150_2_3_1.yaml index 71466c2cf..df8783cf4 100644 --- a/compliance/controls/azure/azure_cis_v150_2_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_3_1.yaml 
@@ -1,37 +1,38 @@ id: azure_cis_v150_2_3_1 title: 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' +type: control description: Enable security alert emails to subscription owners. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} 
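Review bot: The `LIMIT 1` inside the `contact_info` CTE, directly after `GROUP BY subscription_id`, keeps the aggregate for a single arbitrary subscription; every other subscription in the integration LEFT JOINs to nothing, gets a NULL `admin_alert_count` and is reported as 'alarm' regardless of its real contact settings, and which subscription survives is non-deterministic because there is no ORDER BY. Remove the `LIMIT 1` line; the GROUP BY already yields exactly one row per subscription, so the join is one-to-one without it. The same `LIMIT 1` is present in azure_cis_v150_2_3_2 and azure_cis_v150_2_3_3 and should be removed there as well.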
diff --git a/compliance/controls/azure/azure_cis_v150_2_3_2.yaml b/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
index eb1a302d6..5a886f85d 100644
--- a/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
@@ -1,41 +1,42 @@ id: azure_cis_v150_2_3_2 title: 2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email +type: control description: Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - JSONB_AGG(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'ok' - WHEN default_count = 1 AND JSONB_ARRAY_LENGTH(default_email) != 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + JSONB_AGG(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'ok' + WHEN default_count = 1 AND JSONB_ARRAY_LENGTH(default_email) != 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_3_3.yaml b/compliance/controls/azure/azure_cis_v150_2_3_3.yaml index f2758bef4..91af78f53 100644 --- a/compliance/controls/azure/azure_cis_v150_2_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_3_3.yaml 
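Review bot: The `status` and `reason` CASEs test the default-contact branch with different predicates — `JSONB_ARRAY_LENGTH(default_email) != 0` in one and `default_email IS NOT NULL` in the other — so the two output columns are derived from different conditions and can drift apart on future edits. Because `JSONB_AGG(email) FILTER (...)` returns NULL rather than an empty array when no row satisfies the filter, the array-length test adds nothing once `default_email` is non-NULL, and both branches can use the simpler form: `WHEN default_count = 1 AND default_email IS NOT NULL THEN 'ok'` in the status CASE. If the intent was to also reject an aggregated-but-empty value, spell that out once in the CTE (e.g. `COALESCE(JSONB_ARRAY_LENGTH(...), 0) > 0 AS has_default_email`) and reference the boolean in both CASEs.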
@@ -1,37 +1,38 @@ id: azure_cis_v150_2_3_3 title: 2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' +type: control description: Enables emailing security alerts to the subscription owner or other designated security contact. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN notification_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' - ELSE '"Notify about alerts with the following severity" not set to High.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN notification_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' + ELSE '"Notify about alerts with the following severity" not set to High.' 
+ END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_4_1.yaml b/compliance/controls/azure/azure_cis_v150_2_4_1.yaml index d185686dd..5487a645d 100644 --- a/compliance/controls/azure/azure_cis_v150_2_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_4_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v150_2_4_1 title: 2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected +type: control description: This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' - ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'MCAS'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' + ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'MCAS'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_2_4_2.yaml b/compliance/controls/azure/azure_cis_v150_2_4_2.yaml index d209689ee..a9800d941 100644 --- a/compliance/controls/azure/azure_cis_v150_2_4_2.yaml 
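Review bot: The reason strings in this control are swapped with those in azure_cis_v150_2_4_2: this file filters `name = 'MCAS'` (Defender for Cloud Apps, per the title) but reports 'Windows Defender ATP (WDATP) integrated with Security Center.', while 2_4_2 filters `name = 'WDATP'` and reports 'Microsoft Cloud App Security (MCAS) ...'. Swap the two pairs so each control's output names the setting it actually evaluated; here that is `WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'` and `ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'`, with the WDATP pair moving to 2_4_2. The mislabelled reason is what an operator reads in the finding, so this is worth fixing even though `status` itself is computed correctly.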
+++ b/compliance/controls/azure/azure_cis_v150_2_4_2.yaml @@ -1,30 +1,31 @@ id: azure_cis_v150_2_4_2 title: 2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected +type: control description: This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'WDATP'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v150_2_5.yaml b/compliance/controls/azure/azure_cis_v150_2_5.yaml index 58b7eb84b..5e367852e 100644 --- a/compliance/controls/azure/azure_cis_v150_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_5.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_2_5 title: 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' +type: control description: Ensure that the latest OS patches for all virtual machines are applied. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_2_6.yaml b/compliance/controls/azure/azure_cis_v150_2_6.yaml index 018f2cdb4..d5d1d6699 100644 --- a/compliance/controls/azure/azure_cis_v150_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_6.yaml 
@@ -1,49 +1,50 @@ id: azure_cis_v150_2_6 title: 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' +type: control description: None of the settings offered by ASC Default policy should be set to effect Disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH policy_assignment_parameters AS ( - SELECT - id, - name, - key, - parameters -> key ->> 'value' AS value, - subscription_id - FROM - azure_policy_assignment, - jsonb_object_keys(parameters) AS key - WHERE - name = 'SecurityCenterBuiltIn' - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' - ELSE 'Settings enabled for all the parameters.' 
- END AS reason - FROM - policy_assignment_parameters pol_assignment - RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id - GROUP BY - sub.id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - pol_assignment.subscription_id, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH policy_assignment_parameters AS ( + SELECT + id, + name, + key, + parameters -> key ->> 'value' AS value, + subscription_id + FROM + azure_policy_assignment, + jsonb_object_keys(parameters) AS key + WHERE + name = 'SecurityCenterBuiltIn' + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' + ELSE 'Settings enabled for all the parameters.' + END AS reason + FROM + policy_assignment_parameters pol_assignment + RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id + GROUP BY + sub.id, + pol_assignment.id, + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + pol_assignment.subscription_id, + sub.display_name severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_3_1.yaml b/compliance/controls/azure/azure_cis_v150_3_1.yaml index 760e267ff..6fabd7d99 100644 --- a/compliance/controls/azure/azure_cis_v150_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_1.yaml 
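Review bot: `COUNT(value = 'Disabled') > 0` in both CASE expressions does not count disabled parameters — `COUNT(expr)` counts rows where the expression is non-NULL, and a boolean comparison is non-NULL (TRUE or FALSE) for every row whose `value` is non-NULL — so any subscription with at least one SecurityCenterBuiltIn parameter value is reported as 'alarm' even when none of them is 'Disabled'. The reason column already uses the correct form; reuse it for the predicate: `WHEN COUNT(*) FILTER (WHERE value = 'Disabled') > 0 THEN 'alarm'` in the status CASE and the same expression in the reason CASE. Two smaller points: this is the only definition in the series whose statement is not terminated with a semicolon after `sub.display_name`, and grouping by `pol_assignment.id` will emit one row per assignment if a subscription has more than one assignment named SecurityCenterBuiltIn — confirm that is intended rather than one row per subscription.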
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_1
 title: 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
+type: control
 description: Enable data encryption in transit.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT enable_https_traffic_only THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.'
- ELSE sa.name || ' encryption in transit enabled.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT enable_https_traffic_only THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.'
+ ELSE sa.name || ' encryption in transit enabled.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_10.yaml b/compliance/controls/azure/azure_cis_v150_3_10.yaml
index e4a760555..1d4cfd4c8 100644
--- a/compliance/controls/azure/azure_cis_v150_3_10.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_10.yaml
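Review bot: `WHEN NOT enable_https_traffic_only THEN 'alarm' ELSE 'ok'` evaluates to 'ok' when the column is NULL, because `NOT NULL` is UNKNOWN and the CASE falls to ELSE, so an account whose value was never populated passes silently; `WHEN enable_https_traffic_only IS NOT TRUE THEN 'alarm'` (and the same predicate in the reason CASE) keeps the check fail-closed. The same fail-open shape appears in azure_cis_v150_3_11 (`NOT blob_soft_delete_enabled`), 3_8 (`= 'Allow'`), 3_9 (`NOT LIKE`) and 3_12 (`= 'Microsoft.Storage'`), where a NULL likewise lands on 'ok'. Whether these columns can actually be NULL depends on the collector, which is not visible here. The comma join `azure_storage_account sa, azure_subscription sub ... WHERE sub.subscription_id = sa.subscription_id` is only a filter; `INNER JOIN azure_subscription AS sub ON sub.subscription_id = sa.subscription_id` states that explicitly, and the same applies to the other hunks in this batch that use the comma form.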
@@ -1,39 +1,40 @@
 id: azure_cis_v150_3_10
 title: 3.10 Ensure Private Endpoints are used to access Storage Accounts
+type: control
 description: Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- WITH storage_account_connection AS (
- SELECT
- DISTINCT a.id
- FROM
- azure_storage_account AS a,
- jsonb_array_elements(private_endpoint_connections) AS connection
- WHERE
- connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
- )
- SELECT
- DISTINCT a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN s.id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN s.id IS NULL THEN a.name || ' not uses private link.'
- ELSE a.name || ' uses private link.'
- END AS reason
- FROM
- azure_storage_account AS a
- LEFT JOIN storage_account_connection AS s ON a.id = s.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ WITH storage_account_connection AS (
+ SELECT
+ DISTINCT a.id
+ FROM
+ azure_storage_account AS a,
+ jsonb_array_elements(private_endpoint_connections) AS connection
+ WHERE
+ connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
+ )
+ SELECT
+ DISTINCT a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN s.id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN s.id IS NULL THEN a.name || ' not uses private link.'
+ ELSE a.name || ' uses private link.'
+ END AS reason
+ FROM
+ azure_storage_account AS a
+ LEFT JOIN storage_account_connection AS s ON a.id = s.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_11.yaml b/compliance/controls/azure/azure_cis_v150_3_11.yaml
index 4cd9ce0f0..2308a625f 100644
--- a/compliance/controls/azure/azure_cis_v150_3_11.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_11.yaml
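Review bot: The outer `SELECT DISTINCT` is hiding row multiplication from the comma join to `azure_subscription`; the CTE already returns `DISTINCT a.id`, so the LEFT JOIN cannot fan out, and if `azure_subscription` is unique on `subscription_id` the FROM clause can become `FROM azure_storage_account AS a LEFT JOIN storage_account_connection AS s ON a.id = s.id INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id;` with the DISTINCT dropped. The alarm reason `' not uses private link.'` reads better as `' does not use private link.'`. The CTE only counts connections whose state is 'Approved', so a pending or rejected private endpoint leaves the account in 'alarm'; a one-line comment above the CTE saying so would save the next reader from checking.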
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_11
 title: 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
+type: control
 description: The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT blob_soft_delete_enabled THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.'
- ELSE sa.name || ' blobs soft delete enabled.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT blob_soft_delete_enabled THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.'
+ ELSE sa.name || ' blobs soft delete enabled.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_12.yaml b/compliance/controls/azure/azure_cis_v150_3_12.yaml
index c84a82e81..9ba169f1e 100644
--- a/compliance/controls/azure/azure_cis_v150_3_12.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_12.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_12
 title: 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
+type: control
 description: Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.'
- ELSE sa.name || ' encrypted with CMK.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.'
+ ELSE sa.name || ' encrypted with CMK.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_14.yaml b/compliance/controls/azure/azure_cis_v150_3_14.yaml
index b365e8fb5..b2afc06e5 100644
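Review bot: The status treats everything other than `'Microsoft.Storage'` as customer-managed, so a NULL or unexpected `encryption_key_source` is reported as `' encrypted with CMK.'`; checking the positive case, `WHEN sa.encryption_key_source = 'Microsoft.Keyvault' THEN 'ok' ELSE 'alarm'` (with the reason CASE inverted the same way), only passes accounts that are actually keyed from Key Vault. `Microsoft.Keyvault` is the key-source value the Azure Storage API reports for customer-managed keys; confirm the collector stores it unchanged before relying on the exact string.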
--- a/compliance/controls/azure/azure_cis_v150_3_14.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_14.yaml
@@ -1,35 +1,36 @@
 id: azure_cis_v150_3_14
 title: 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
-description: 'Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.'
+type: control
+description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages."
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN table_logging_write AND table_logging_read AND table_logging_delete
- THEN sa.name || ' table service logging enabled for read, write, delete requests.'
- ELSE sa.name || ' table service logging not enabled for: ' ||
- CONCAT_WS(', ',
- CASE WHEN NOT table_logging_write THEN 'write' END,
- CASE WHEN NOT table_logging_read THEN 'read' END,
- CASE WHEN NOT table_logging_delete THEN 'delete' END
- ) || ' requests.'
- END AS reason
- FROM
- azure_storage_account AS sa,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN table_logging_write AND table_logging_read AND table_logging_delete
+ THEN sa.name || ' table service logging enabled for read, write, delete requests.'
+ ELSE sa.name || ' table service logging not enabled for: ' ||
+ CONCAT_WS(', ',
+ CASE WHEN NOT table_logging_write THEN 'write' END,
+ CASE WHEN NOT table_logging_read THEN 'read' END,
+ CASE WHEN NOT table_logging_delete THEN 'delete' END
+ ) || ' requests.'
+ END AS reason
+ FROM
+ azure_storage_account AS sa,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
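Review bot: In the alarm reason, `CASE WHEN NOT table_logging_write THEN 'write' END` yields NULL when the flag is NULL rather than false, so an account whose logging flags were not populated is reported as 'alarm' (the status CASE falls to ELSE) with a reason of `table service logging not enabled for:  requests.` that names nothing. Writing the three branches as `CASE WHEN table_logging_write IS NOT TRUE THEN 'write' END` (and likewise for read and delete) makes the reason list exactly the flags the status rejected. The queue-service check in azure_cis_v150_3_5 has the identical pattern.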
diff --git a/compliance/controls/azure/azure_cis_v150_3_15.yaml b/compliance/controls/azure/azure_cis_v150_3_15.yaml
index 3bc3d6fe4..bfc1c4f2f 100644
--- a/compliance/controls/azure/azure_cis_v150_3_15.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_15.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v150_3_15
 title: 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
+type: control
 description: In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
- WHEN minimum_tls_version = 'TLS1_2' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.'
- WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'
- ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
+ WHEN minimum_tls_version = 'TLS1_2' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.'
+ WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'
+ ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_2.yaml b/compliance/controls/azure/azure_cis_v150_3_2.yaml
index 85086d69f..3afc6e82c 100644
--- a/compliance/controls/azure/azure_cis_v150_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_2.yaml
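Review bot: When `minimum_tls_version` is NULL the status lands on 'alarm' but the reason becomes NULL, because `sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'` propagates the NULL through `||`; `COALESCE(minimum_tls_version, 'not set')` in both reason branches keeps the message. The `'TLS1_2'` and ELSE branches of the reason CASE produce the same text and can be merged into one ELSE. If the API can report a minimum newer than 1.2 (a TLS1_3 value exists in recent storage API versions, to be confirmed for this collector), the status CASE would flag it as 'alarm'; `WHEN minimum_tls_version IN ('TLS1_2', 'TLS1_3') THEN 'ok'` avoids that once confirmed.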
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_2
 title: 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to ‘enabled’
+type: control
 description: Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN require_infrastructure_encryption THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.'
- ELSE name || ' infrastructure encryption disabled.'
- END AS reason
- FROM
- azure_storage_account AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN require_infrastructure_encryption THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.'
+ ELSE name || ' infrastructure encryption disabled.'
+ END AS reason
+ FROM
+ azure_storage_account AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_3.yaml b/compliance/controls/azure/azure_cis_v150_3_3.yaml
index e69dfb5f3..3ed76035e 100644
--- a/compliance/controls/azure/azure_cis_v150_3_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_3.yaml
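Review bot: `require_infrastructure_encryption` and `name` are unqualified in a two-table FROM (`azure_storage_account AS s, azure_subscription AS sub`), so the query would fail with an ambiguous-column error as soon as `azure_subscription` gained either column; the reason lines should read `s.name || ' infrastructure encryption enabled.'` and `s.name || ' infrastructure encryption disabled.'`, with `s.require_infrastructure_encryption` in both predicates. azure_cis_v150_3_8 uses the same bare `name` in its reason text. The status CASE here is fail-closed (a NULL flag becomes 'alarm'), which is the safer direction and worth keeping.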
@@ -1,23 +1,24 @@
 id: azure_cis_v150_3_3
 title: 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
+type: control
 description: Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The Rotation Reminder is an automatic reminder feature for a manual procedure.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v150_3_4.yaml b/compliance/controls/azure/azure_cis_v150_3_4.yaml
index d575b22e0..f2daf7508 100644
--- a/compliance/controls/azure/azure_cis_v150_3_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_4.yaml
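Review bot: `primary_resource: ""` is kept empty while the query's `resource` column is the subscription `id`; if the framework uses `primary_resource` to attribute findings, `azure_subscription` would be the accurate value, in line with the other controls in this batch that name their table, and azure_cis_v150_3_4 and 3_6 carry the same empty value. The manual-verification intent is only visible through the tag and the literal reason string; a YAML comment above `definition:` such as `# Manual control: emits one 'info' row per subscription, no automated evaluation.` would make that explicit to the next reader.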
@@ -1,23 +1,24 @@
 id: azure_cis_v150_3_4
 title: 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
+type: control
 description: For increased security, regenerate storage account access keys periodically.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v150_3_5.yaml b/compliance/controls/azure/azure_cis_v150_3_5.yaml
index a3955a30a..09e1b3a3c 100644
--- a/compliance/controls/azure/azure_cis_v150_3_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_5.yaml
@@ -1,35 +1,36 @@
 id: azure_cis_v150_3_5
 title: 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' request
-description: 'The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.'
+type: control
+description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages."
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete
- THEN sa.name || ' queue service logging enabled for read, write, delete requests.'
- ELSE sa.name || ' queue service logging not enabled for: ' ||
- CONCAT_WS(', ',
- CASE WHEN NOT queue_logging_write THEN 'write' END,
- CASE WHEN NOT queue_logging_read THEN 'read' END,
- CASE WHEN NOT queue_logging_delete THEN 'delete' END
- ) || ' requests.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete
+ THEN sa.name || ' queue service logging enabled for read, write, delete requests.'
+ ELSE sa.name || ' queue service logging not enabled for: ' ||
+ CONCAT_WS(', ',
+ CASE WHEN NOT queue_logging_write THEN 'write' END,
+ CASE WHEN NOT queue_logging_read THEN 'read' END,
+ CASE WHEN NOT queue_logging_delete THEN 'delete' END
+ ) || ' requests.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_6.yaml b/compliance/controls/azure/azure_cis_v150_3_6.yaml
index f5fb22375..b2ac7de81 100644
--- a/compliance/controls/azure/azure_cis_v150_3_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_6.yaml
@@ -1,23 +1,24 @@
 id: azure_cis_v150_3_6
 title: 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
+type: control
 description: Expire shared access signature tokens within an hour.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v150_3_7.yaml b/compliance/controls/azure/azure_cis_v150_3_7.yaml
index 869380fa8..e99c7cf08 100644
--- a/compliance/controls/azure/azure_cis_v150_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_7.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_7
 title: 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
+type: control
 description: Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_container
- definition: |
- SELECT
- container.id AS resource,
- container.platform_integration_id AS platform_integration_id,
- container.platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN NOT account.allow_blob_public_access AND container.public_access = 'None'
- THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'
- ELSE account.name || ' container ' || container.name || ' allows anonymous access.'
- END AS reason
- FROM
- azure_storage_container container
- JOIN azure_storage_account account ON container.account_name = account.name
- JOIN azure_subscription sub ON sub.subscription_id = account.subscription_id;
+ language: sql
+ primary_resource: azure_storage_container
+ definition: |
+ SELECT
+ container.id AS resource,
+ container.platform_integration_id AS platform_integration_id,
+ container.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN NOT account.allow_blob_public_access AND container.public_access = 'None'
+ THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'
+ ELSE account.name || ' container ' || container.name || ' allows anonymous access.'
+ END AS reason
+ FROM
+ azure_storage_container container
+ JOIN azure_storage_account account ON container.account_name = account.name
+ JOIN azure_subscription sub ON sub.subscription_id = account.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_8.yaml b/compliance/controls/azure/azure_cis_v150_3_8.yaml
index ad308606b..8794948ab 100644
--- a/compliance/controls/azure/azure_cis_v150_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_8.yaml
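Review bot: The ELSE reason says the container `allows anonymous access` even when `account.allow_blob_public_access` is false and only `container.public_access` differs from 'None', yet the control's own description states that the account-level setting overrides container settings, so that message overstates the exposure; adding `WHEN account.allow_blob_public_access AND container.public_access <> 'None' THEN account.name || ' container ' || container.name || ' allows anonymous access.'` ahead of an ELSE of `account.name || ' container ' || container.name || ' public access is not fully disabled.'` keeps the alarm but reports the real state. The two bare `JOIN`s should be `INNER JOIN` to match the explicit join style. The account join on `container.account_name = account.name` alone relies on storage account names being globally unique, which holds in Azure but deserves a one-line comment on the JOIN so nobody later adds a subscription filter for the wrong reason.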
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_8
 title: 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
+type: control
 description: Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.'
- ELSE name || ' allows traffic from specific networks.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.'
+ ELSE name || ' allows traffic from specific networks.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_3_9.yaml b/compliance/controls/azure/azure_cis_v150_3_9.yaml
index d27bd4175..c4083985b 100644
--- a/compliance/controls/azure/azure_cis_v150_3_9.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_9.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_3_9
 title: 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
+type: control
 description: "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription)."
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id AS platform_integration_id,
- sa.platform_resource_id AS platform_resource_id,
- CASE
- WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.'
- ELSE sa.name || ' trusted Microsoft services enabled.'
- END AS reason
- FROM
- azure_storage_account sa,
- azure_subscription sub
- WHERE
- sub.subscription_id = sa.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id AS platform_integration_id,
+ sa.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.'
+ ELSE sa.name || ' trusted Microsoft services enabled.'
+ END AS reason
+ FROM
+ azure_storage_account sa,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sa.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_2.yaml b/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
index b4439c530..b6faff35a 100644
--- a/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
@@ -1,33 +1,34 @@
 id: azure_cis_v150_4_1_2
 title: 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
+type: control
 description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
- OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
- OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
- THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over the internet.'
- ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over the internet.'
- END AS reason
- FROM
- azure_sql_server s,
- azure_subscription sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_sql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
+ OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'
+ OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]'
+ THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over the internet.'
+ ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over the internet.'
+ END AS reason
+ FROM
+ azure_sql_server s,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_4.yaml b/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
index 89bd54fc4..b17f407ae 100644
--- a/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
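Review bot: The two `firewall_rules @> ...` containment tests on the new side match only a rule whose start and end are exactly `0.0.0.0`, or exactly `0.0.0.0` to `255.255.255.255`, so a rule such as `0.0.0.0` to `255.255.255.254`, which admits practically the same address space, is reported `ok`; if the control is meant to catch any-IP ranges rather than only the two shapes the benchmark names, expand the array with `jsonb_array_elements(firewall_rules)` and compare `startIpAddress`/`endIpAddress` as address ranges instead of exact strings. Independently, the same two JSON literals are repeated in the `status` and `reason` CASEs; computing the match once (a CTE or a boolean column in a subquery, e.g. `... AS allows_any_ip`) and testing that in both CASEs removes the duplication and keeps the two expressions from drifting apart.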
@@ -1,29 +1,30 @@
 id: azure_cis_v150_4_1_4
 title: 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
+type: control
 description: Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN server_azure_ad_administrator IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.'
- ELSE name || ' Azure AD authentication configured.'
- END AS reason
- FROM
- azure_sql_server s,
- azure_subscription sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_sql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN server_azure_ad_administrator IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.'
+ ELSE name || ' Azure AD authentication configured.'
+ END AS reason
+ FROM
+ azure_sql_server s,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_5.yaml b/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
index a3cf26b25..69f7c2fab 100644
--- a/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
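Review bot: `name || ' Azure AD authentication ...'` in the new `reason` CASE is unqualified while the FROM lists both `azure_sql_server s` and `azure_subscription sub`; if `azure_subscription` also exposes a `name` column the query fails with an ambiguous-column error, and either way `s.name` states the intent and matches the sibling azure_cis_v150_4_4_1 hunk, which already writes `s.name`. The same unqualified `name` appears in the azure_cis_v150_4_3_1 and azure_cis_v150_4_3_8 hunks, and `server_azure_ad_administrator` here would read better as `s.server_azure_ad_administrator` for the same reason.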
@@ -1,34 +1,35 @@
 id: azure_cis_v150_4_1_5
 title: 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
+type: control
 description: Enable Transparent Data Encryption on every SQL server.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_database
- definition: |
- SELECT
- s.database_id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN transparent_data_encryption ->> 'status' = 'Enabled'
- OR transparent_data_encryption ->> 'state' = 'Enabled'
- THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN transparent_data_encryption ->> 'status' = 'Enabled'
- OR transparent_data_encryption ->> 'state' = 'Enabled'
- THEN s.title || ' transparent data encryption enabled.'
- ELSE s.title || ' transparent data encryption disabled.'
- END AS reason
- FROM
- azure_sql_database AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id
- AND s.name <> 'master';
+ language: sql
+ primary_resource: azure_sql_database
+ definition: |
+ SELECT
+ s.database_id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN transparent_data_encryption ->> 'status' = 'Enabled'
+ OR transparent_data_encryption ->> 'state' = 'Enabled'
+ THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN transparent_data_encryption ->> 'status' = 'Enabled'
+ OR transparent_data_encryption ->> 'state' = 'Enabled'
+ THEN s.title || ' transparent data encryption enabled.'
+ ELSE s.title || ' transparent data encryption disabled.'
+ END AS reason
+ FROM
+ azure_sql_database AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id
+ AND s.name <> 'master';
 severity: low
 tags: {}
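Review bot: The new `status` CASE tests both `transparent_data_encryption ->> 'status'` and `->> 'state'` without saying why, and a later reader will be tempted to drop one of them as redundant; a one-line comment above the CASE inside the block scalar, `-- the TDE payload has been seen with the flag under 'status' or 'state'; keep both -- TODO confirm which API versions use which`, records the reason as far as it is known. The `s.name <> 'master'` exclusion deserves a similar note, e.g. `-- the system 'master' database is excluded from the TDE requirement`.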
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_1.yaml b/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
index 617200670..8160311a4 100644
--- a/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_4_3_1
 title: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
+type: control
 description: Enable SSL connection on PostgreSQL Servers.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_postgresql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.'
- ELSE name || ' SSL connection enabled.'
- END AS reason
- FROM
- azure_postgresql_server s,
- azure_subscription sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_postgresql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.'
+ ELSE name || ' SSL connection enabled.'
+ END AS reason
+ FROM
+ azure_postgresql_server s,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_7.yaml b/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
index 0f8e55976..d2620361a 100644
--- a/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
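Review bot: `WHEN ssl_enforcement = 'Disabled' THEN 'alarm' ELSE 'ok'` in the new code fails open: a NULL `ssl_enforcement` makes the comparison NULL and the server is reported `ok` with the reason `' SSL connection enabled.'`; `WHEN ssl_enforcement IS NULL OR ssl_enforcement = 'Disabled' THEN 'alarm'` (in both CASEs) reports the unknown state as non-compliant, which is the conservative reading for a control about enforcement. The azure_cis_v150_4_4_1 hunk has the identical pattern on `azure_mysql_server` and the same change applies there.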
@@ -1,23 +1,24 @@
 id: azure_cis_v150_4_3_7
 title: 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
+type: control
 description: Disable access from Azure services to PostgreSQL Database Server.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_8.yaml b/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
index 598b9c9ba..313bc7ddc 100644
--- a/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_4_3_8
 title: 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
+type: control
 description: Enable encryption at rest for PostgreSQL Databases.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_postgresql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN infrastructure_encryption = 'Enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.'
- ELSE name || ' infrastructure encryption disabled.'
- END AS reason
- FROM
- azure_postgresql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_postgresql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN infrastructure_encryption = 'Enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.'
+ ELSE name || ' infrastructure encryption disabled.'
+ END AS reason
+ FROM
+ azure_postgresql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_1.yaml b/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
index 4c18def2a..8649bc73b 100644
--- a/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v150_4_4_1
 title: 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
+type: control
 description: Enable SSL connection on MySQL Servers.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_mysql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.'
- ELSE s.name || ' SSL connection enabled.'
- END AS reason
- FROM
- azure_mysql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_mysql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.'
+ ELSE s.name || ' SSL connection enabled.'
+ END AS reason
+ FROM
+ azure_mysql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_2.yaml b/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
index e4429de8a..ec8afebfa 100644
--- a/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v150_4_4_2
 title: 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
+type: control
 description: Ensure TLS version on MySQL flexible servers is set to the default value.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_mysql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
- WHEN minimal_tls_version = 'TLS1_2' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.'
- WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- END AS reason
- FROM
- azure_mysql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_mysql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
+ WHEN minimal_tls_version = 'TLS1_2' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.'
+ WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
+ ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
+ END AS reason
+ FROM
+ azure_mysql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
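Review bot: When `minimal_tls_version` is NULL the new `status` CASE correctly falls to `'alarm'`, but the matching `reason` branch concatenates the NULL, `s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'`, so the whole reason string becomes NULL; `COALESCE(minimal_tls_version, 'not set')` inside that ELSE keeps the reason readable. The `WHEN minimal_tls_version = 'TLS1_2'` branch of the `reason` CASE produces exactly the same string as its ELSE and can be dropped, leaving two branches. The title and description refer to MySQL flexible servers while the query reads `azure_mysql_server`; if the project has a separate flexible-server table, this control is presumably evaluating the wrong resource — worth confirming.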
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_3.yaml b/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
index a99f921bc..7a3952297 100644
--- a/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v150_4_4_3
 title: 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
+type: control
 description: Enable audit_log_enabled on MySQL Servers.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_mysql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter audit_log_enabled off.'
- ELSE s.name || ' server parameter audit_log_enabled on.'
- END AS reason
- FROM
- azure_mysql_server AS s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- WHERE
- config ->> 'Name' = 'audit_log_enabled'
- AND sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_mysql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter audit_log_enabled off.'
+ ELSE s.name || ' server parameter audit_log_enabled on.'
+ END AS reason
+ FROM
+ azure_mysql_server AS s,
+ jsonb_array_elements(server_configurations) config,
+ azure_subscription sub
+ WHERE
+ config ->> 'Name' = 'audit_log_enabled'
+ AND sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_4_5_1.yaml b/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
index e7defaa1d..fe2b95489 100644
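Review bot: A server whose `server_configurations` has no `audit_log_enabled` entry (or is NULL) is filtered out by `config ->> 'Name' = 'audit_log_enabled'` in the new WHERE clause and never appears in the result, neither as alarm nor as ok, so the control is silent exactly when the parameter is absent; a NULL `value` on a present entry likewise makes `!= 'on'` NULL and reports `ok`. Expanding the configuration with a `LEFT JOIN LATERAL` and testing with `IS DISTINCT FROM` keeps every server in the output and treats a missing or NULL value as non-compliant, as sketched below; the subscription join becomes an explicit `INNER JOIN` in the same rewrite.
```sql
SELECT
  -- … unchanged: resource and platform columns …
  CASE
    WHEN LOWER(config.value) IS DISTINCT FROM 'on' THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN LOWER(config.value) IS DISTINCT FROM 'on' THEN s.name || ' server parameter audit_log_enabled off.'
    ELSE s.name || ' server parameter audit_log_enabled on.'
  END AS reason
FROM
  azure_mysql_server AS s
  -- one row per server even when the parameter is absent; config.value is then NULL
  LEFT JOIN LATERAL (
    SELECT c -> 'ConfigurationProperties' ->> 'value' AS value
    FROM jsonb_array_elements(s.server_configurations) AS c
    WHERE c ->> 'Name' = 'audit_log_enabled'
  ) AS config ON TRUE
  INNER JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id;
```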
--- a/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v150_4_5_1
 title: 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
-description: ''
+type: control
+description: ""
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN public_network_access = 'Disabled' THEN 'ok'
- WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.'
- WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.'
- ELSE a.name || ' virtual network filter disabled.'
- END AS reason
- FROM
- azure_cosmosdb_account AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN public_network_access = 'Disabled' THEN 'ok'
+ WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.'
+ WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.'
+ ELSE a.name || ' virtual network filter disabled.'
+ END AS reason
+ FROM
+ azure_cosmosdb_account AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
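Review bot: `description: ""` stays empty on the new side, so the control ships with no explanation of what it evaluates while the commit only changes the quoting of the empty string. From the query, a description such as `Ensure that Cosmos DB accounts restrict access to selected networks, either by disabling public network access or by enabling the virtual network filter.` matches the two `ok` branches and would fill the gap.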
diff --git a/compliance/controls/azure/azure_cis_v150_4_5_2.yaml b/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
index ab6616532..b3f1d3a2e 100644
--- a/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
@@ -1,39 +1,40 @@
 id: azure_cis_v150_4_5_2
 title: 4.5.2 Ensure That Private Endpoints Are Used Where Possible
+type: control
 description: Based on business needs or criticality of data/databases hosted on a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- WITH cosmosdb_private_connection AS (
- SELECT
- DISTINCT a.id
- FROM
- azure_cosmosdb_account AS a,
- jsonb_array_elements(private_endpoint_connections) AS connection
- WHERE
- connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN c.id IS NULL THEN a.name || ' not uses private link.'
- ELSE a.name || ' uses private link.'
- END AS reason
- FROM
- azure_cosmosdb_account AS a
- LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ WITH cosmosdb_private_connection AS (
+ SELECT
+ DISTINCT a.id
+ FROM
+ azure_cosmosdb_account AS a,
+ jsonb_array_elements(private_endpoint_connections) AS connection
+ WHERE
+ connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN c.id IS NULL THEN a.name || ' not uses private link.'
+ ELSE a.name || ' uses private link.'
+ END AS reason
+ FROM
+ azure_cosmosdb_account AS a
+ LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_1.yaml b/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
index 623b1dd4b..f7ff0ccd0 100644
--- a/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
@@ -1,23 +1,24 @@
 id: azure_cis_v150_5_1_1
 title: 5.1.1 Ensure that a 'Diagnostics Setting' exists
+type: control
 description: Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_2.yaml b/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
index 3e710aaaa..567671954 100644
--- a/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
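Review bot: The `description` on the new side talks about the TDE protector being encrypted with a customer-managed key on a SQL server, which is the text of a different control; it does not describe this query, which checks for an `Approved` private endpoint connection on `azure_cosmosdb_account`, so the description should say that, e.g. `Ensure that Cosmos DB accounts are reached through an approved private endpoint connection rather than a public endpoint.` The alarm reason `a.name || ' not uses private link.'` reads as a typo; `' does not use private link.'` is the intended English. Style: the FROM mixes an explicit `LEFT JOIN ... ON c.id = a.id` with a comma-joined `azure_subscription AS sub`; in PostgreSQL the explicit JOIN binds first so this works, but `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` avoids relying on that precedence.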
@@ -1,59 +1,60 @@
 id: azure_cis_v150_5_1_2
 title: 5.1.2 Ensure Diagnostic Setting captures appropriate categories
+type: control
 description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane."
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_diagnostic_setting
- definition: |
- WITH enabled_settings AS (
- SELECT
- name,
- id,
- _ctx,
- platform_integration_id,
- platform_resource_id,
- resource_group,
- subscription_id,
- COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true'
- AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
- ) AS valid_category_count,
- STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true'
- AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
- ) AS valid_categories
- FROM
- azure_diagnostic_setting,
- jsonb_array_elements(logs) AS l
- GROUP BY
- name,
- id,
- _ctx,
- resource_group,
- platform_integration_id,
- platform_resource_id,
- subscription_id
- )
- SELECT
- sett.id AS resource,
- sett.platform_integration_id AS platform_integration_id,
- sett.platform_resource_id AS platform_resource_id,
- CASE
- WHEN valid_category_count = 4 THEN 'OK'
- ELSE 'ALARM'
- END AS status,
- CASE
- WHEN valid_category_count = 4
- THEN name || ' logs enabled for required categories Administrative, Security, Alert, and Policy.'
- WHEN valid_category_count > 0
- THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.'
- ELSE sett.name || ' logs not enabled for categories Administrative, Security, Alert, and Policy.'
- END AS reason
- FROM
- enabled_settings sett,
- azure_subscription sub
- WHERE
- sub.subscription_id = sett.subscription_id;
+ language: sql
+ primary_resource: azure_diagnostic_setting
+ definition: |
+ WITH enabled_settings AS (
+ SELECT
+ name,
+ id,
+ _ctx,
+ platform_integration_id,
+ platform_resource_id,
+ resource_group,
+ subscription_id,
+ COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true'
+ AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
+ ) AS valid_category_count,
+ STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true'
+ AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
+ ) AS valid_categories
+ FROM
+ azure_diagnostic_setting,
+ jsonb_array_elements(logs) AS l
+ GROUP BY
+ name,
+ id,
+ _ctx,
+ resource_group,
+ platform_integration_id,
+ platform_resource_id,
+ subscription_id
+ )
+ SELECT
+ sett.id AS resource,
+ sett.platform_integration_id AS platform_integration_id,
+ sett.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN valid_category_count = 4 THEN 'OK'
+ ELSE 'ALARM'
+ END AS status,
+ CASE
+ WHEN valid_category_count = 4
+ THEN name || ' logs enabled for required categories Administrative, Security, Alert, and Policy.'
+ WHEN valid_category_count > 0
+ THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.'
+ ELSE sett.name || ' logs not enabled for categories Administrative, Security, Alert, and Policy.'
+ END AS reason
+ FROM
+ enabled_settings sett,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sett.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_3.yaml b/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
index f0a8cbff3..1e9e68c8d 100644
--- a/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
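Review bot: The new `status` CASE emits `'OK'` and `'ALARM'` in upper case while every other control in this chunk emits `'ok'` and `'alarm'`; if the engine compares status values literally, this control's results will not be bucketed with the others, so `THEN 'ok' ELSE 'alarm'` is the consistent form. In the `reason` CASE the first branch uses an unqualified `name ||` while the other two use `sett.name`; `sett.name` in all three is unambiguous once `azure_subscription sub` is in scope. `valid_category_count = 4` also assumes each category occurs at most once in `logs`; `COUNT(DISTINCT l ->> 'category') FILTER (...)` would make the test robust to duplicate entries, if the payload can contain them.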
@@ -1,31 +1,32 @@
 id: azure_cis_v150_5_1_3
 title: 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
+type: control
 description: The storage account container containing the activity log export should not be publicly accessible.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_container
- definition: |
- SELECT
- sc.id AS resource,
- sc.platform_integration_id AS platform_integration_id,
- sc.platform_resource_id AS platform_resource_id,
- CASE
- WHEN public_access != 'None' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN public_access != 'None'
- THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.'
- ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.'
- END AS reason
- FROM
- azure_storage_container sc,
- azure_subscription sub
- WHERE
- name = 'insights-operational-logs'
- AND sub.subscription_id = sc.subscription_id;
+ language: sql
+ primary_resource: azure_storage_container
+ definition: |
+ SELECT
+ sc.id AS resource,
+ sc.platform_integration_id AS platform_integration_id,
+ sc.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN public_access != 'None' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN public_access != 'None'
+ THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.'
+ ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.'
+ END AS reason
+ FROM
+ azure_storage_container sc,
+ azure_subscription sub
+ WHERE
+ name = 'insights-operational-logs'
+ AND sub.subscription_id = sc.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_5.yaml b/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
index 0546f7a6d..173a8ffc1 100644
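Review bot: `WHEN public_access != 'None' THEN 'alarm' ELSE 'ok'` on the new side fails open: a NULL `public_access` makes the comparison NULL and the container is reported `ok` as not publicly accessible; `public_access IS DISTINCT FROM 'None'` in both CASEs reports the unknown state as alarm instead. `public_access`, `account_name` and `name` are unqualified while the id columns use `sc.`; `sc.public_access`, `sc.account_name` and `sc.name = 'insights-operational-logs'` keep the query unambiguous once `azure_subscription sub` is in scope.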
--- a/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
@@ -1,46 +1,47 @@
 id: azure_cis_v150_5_1_5
 title: 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
+type: control
 description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_key_vault
- definition: |
- WITH logging_details AS (
- SELECT
- name AS key_vault_name
- FROM
- azure_key_vault,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- WHERE
- diagnostic_settings IS NOT NULL
- AND setting -> 'properties' ->> 'storageAccountId' <> ''
- AND (log ->> 'enabled')::boolean
- AND log ->> 'category' = 'AuditEvent'
- AND (log -> 'retentionPolicy')::JSONB ? 'days'
- )
- SELECT
- v.id AS resource,
- v.platform_integration_id AS platform_integration_id,
- v.platform_resource_id AS platform_resource_id,
- CASE
- WHEN v.diagnostic_settings IS NULL THEN 'alarm'
- WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
- WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.'
- ELSE v.name || ' logging enabled.'
- END AS reason
- FROM
- azure_key_vault v,
- logging_details l,
- azure_subscription sub
- WHERE
- sub.subscription_id = v.subscription_id;
+ language: sql
+ primary_resource: azure_key_vault
+ definition: |
+ WITH logging_details AS (
+ SELECT
+ name AS key_vault_name
+ FROM
+ azure_key_vault,
+ jsonb_array_elements(diagnostic_settings) setting,
+ jsonb_array_elements(setting -> 'properties' -> 'logs') log
+ WHERE
+ diagnostic_settings IS NOT NULL
+ AND setting -> 'properties' ->> 'storageAccountId' <> ''
+ AND (log ->> 'enabled')::boolean
+ AND log ->> 'category' = 'AuditEvent'
+ AND (log -> 'retentionPolicy')::JSONB ? 'days'
+ )
+ SELECT
+ v.id AS resource,
+ v.platform_integration_id AS platform_integration_id,
+ v.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN v.diagnostic_settings IS NULL THEN 'alarm'
+ WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
+ WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.'
+ ELSE v.name || ' logging enabled.'
+ END AS reason
+ FROM
+ azure_key_vault v,
+ logging_details l,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = v.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_6.yaml b/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
index 9b2aa61e8..44718b626 100644
--- a/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
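Review bot: The new FROM clause `azure_key_vault v, logging_details l, azure_subscription sub` has no join condition between `v` and `l`, so every vault is paired with the logging row of every other vault and comes out as one `ok` row plus an `alarm` row per unrelated vault; worse, when no vault has a qualifying diagnostic setting `logging_details` is empty, the cross join yields no rows and the all-failing case is never reported. Joining the CTE on the vault id with a `LEFT JOIN` and testing `l.key_vault_id IS NULL` gives exactly one row per vault, as sketched below; `DISTINCT` in the CTE absorbs vaults with several qualifying settings or log entries. The CTE's `setting -> 'properties' ->> 'storageAccountId' <> ''` also drops settings whose destination is a Log Analytics workspace or event hub (the key is absent, so the comparison is NULL); if those destinations are meant to satisfy the control, that filter needs widening — please confirm the intended scope.
```sql
WITH logging_details AS (
  SELECT DISTINCT
    id AS key_vault_id
  -- … unchanged: FROM azure_key_vault, jsonb_array_elements(...) and the WHERE filters …
)
SELECT
  -- … unchanged: resource and platform columns …
  CASE
    WHEN v.diagnostic_settings IS NULL THEN 'alarm'
    WHEN l.key_vault_id IS NULL THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
    WHEN l.key_vault_id IS NULL THEN v.name || ' logging not enabled.'
    ELSE v.name || ' logging enabled.'
  END AS reason
FROM
  azure_key_vault AS v
  LEFT JOIN logging_details AS l ON l.key_vault_id = v.id
  INNER JOIN azure_subscription AS sub ON sub.subscription_id = v.subscription_id;
```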
@@ -1,23 +1,24 @@ id: azure_cis_v150_5_1_6 title: 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics +type: control description: Ensure that network flow logs are captured and fed into a central log analytics workspace. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_5_1_7.yaml b/compliance/controls/azure/azure_cis_v150_5_1_7.yaml index a853f6115..350e5754a 100644 --- a/compliance/controls/azure/azure_cis_v150_5_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_1_7.yaml 
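Review bot: `primary_resource: ""` is kept although the query emits one row per `azure_subscription` with `id AS resource`, while the other subscription-scoped controls in this change declare `primary_resource: azure_subscription`. If that field drives how the `info` result is attached to a resource, this manual-verification stub will produce unlinked findings; if it is intentionally blank for manual controls, a comment saying so would stop the next reader from "fixing" it. Suggested line: `primary_resource: azure_subscription`.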
@@ -1,23 +1,24 @@ id: azure_cis_v150_5_1_7 title: 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled. +type: control description: Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_5_2_1.yaml b/compliance/controls/azure/azure_cis_v150_5_2_1.yaml index 7caaa0783..e1dacc109 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_1.yaml 
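Review bot: `primary_resource: ""` does not match what the query returns — it selects `id AS resource` from `azure_subscription`, the same shape the 5.2.x controls tag with `primary_resource: azure_subscription`. Either set `primary_resource: azure_subscription` or document why manual-verification controls leave it empty. The tag value `"true"` is a string, not a YAML boolean; that is consistent with the other manual controls here, so only the `primary_resource` point needs action.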
@@ -1,50 +1,51 @@ id: azure_cis_v150_5_2_1 title: 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_alert - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - a.subscription_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - a.subscription_id, - sub.subscription_id, - sub._ctx, - sub.display_name; + language: sql + primary_resource: azure_log_alert + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + a.subscription_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + a.subscription_id, + sub.subscription_id, + sub._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml index 318865a61..0c43e48f6 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml 
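Review bot: The outer SELECT reads `a.platform_integration_id` and `a.platform_resource_id`, but the `alert_rule` CTE only projects `alert_id, alert_name, enabled, location, subscription_id`, so this query fails at plan time with "column a.platform_integration_id does not exist". Even if those columns were added, `a.subscription_id AS resource` comes from the LEFT JOIN's nullable side, so every subscription without an alert — exactly the `alarm` case — would report a NULL resource. Take all three identity columns from `sub` and group by them, as the sibling 5.2.x controls do; `primary_resource: azure_log_alert` should then become `azure_subscription` to match. `LIMIT 1` in the CTE also keeps a single alert across all subscriptions the query sees, so if it runs against more than one subscription only one can ever pass; the outer `COUNT(...) > 0` already tolerates duplicates, so the `LIMIT 1` can simply be removed.
```sql
-- … unchanged: alert_rule CTE (drop its LIMIT 1) …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  -- … unchanged: status / reason CASE expressions …
FROM
  azure_subscription sub
  LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id
GROUP BY
  sub._ctx,
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.display_name;
```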
@@ -1,57 +1,58 @@ id: azure_cis_v150_5_2_10 title: 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule +type: control description: Create an activity log alert for the Delete Public IP Address rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml index 36244263f..335e35d98 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml 
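Review bot: `LIMIT 1` inside the `alert_rule` CTE is applied before the join to `azure_subscription`, so if this query is evaluated over more than one subscription only a single alert row survives and every other subscription is reported as `alarm` even when it has a matching alert. The outer `GROUP BY sub.subscription_id` with `COUNT(a.subscription_id) > 0` already handles several alerts per subscription, so the limit buys nothing; delete the `LIMIT 1` line, or replace the CTE's projection with `SELECT DISTINCT alert.subscription_id`. Whether a single-subscription run can occur here depends on how `integration_type: azure_subscription` is scoped, which is not visible in this hunk.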
@@ -1,51 +1,52 @@ id: azure_cis_v150_5_2_2 title: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml index 840a0d4f8..8f9de2744 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml 
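Review bot: The `LIMIT 1` at the end of the `alert_rule` CTE caps the whole candidate set at one row regardless of subscription, so with several subscriptions in scope at most one of them can be marked `ok` for the delete-policy-assignment alert. Since the outer query groups by `sub.subscription_id` and only tests `COUNT(a.subscription_id) > 0`, duplicate alerts are harmless and the line can be dropped: remove `LIMIT 1`. If the intent was to avoid double counting, `SELECT DISTINCT alert.subscription_id` in the CTE expresses that without the cross-subscription truncation.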
@@ -1,61 +1,62 @@ id: azure_cis_v150_5_2_3 title: 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the Create or Update Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' 
@> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml index f251bafdb..0ca77b705 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml 
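Review bot: The `alert_rule` CTE ends with `LIMIT 1`, which truncates matching alerts to one row across every subscription the query sees, so when more than one subscription is evaluated the others come out as `alarm` regardless of their NSG write alerts. The outer `COUNT(a.subscription_id) > 0` per `sub.subscription_id` tolerates multiple matches, so the limit is unnecessary; remove `LIMIT 1`. Note also that the `@>` containment match is case-sensitive on `operationName`, so an alert authored with a differently-cased `Microsoft.Network/networkSecurityGroups/write` string would not be recognised — worth a comment in the definition if that is accepted.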
@@ -1,62 +1,63 @@ id: azure_cis_v150_5_2_4 title: 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml index 037124927..36f65aff1 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml 
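Review bot: The `alert_rule` CTE projects an unaliased, unused `jsonb_array_length(alert.condition -> 'allOf')` column that none of the sibling 5.2.x controls carry; it only adds noise to the result shape and should be removed from the SELECT list (the `WHERE` already uses the expression). The same CTE ends with `LIMIT 1`, which keeps a single alert across all subscriptions in scope, so in a multi-subscription run every subscription but one is reported `alarm`; drop `LIMIT 1`, since the outer `COUNT(a.subscription_id) > 0` grouped by `sub.subscription_id` already copes with several alerts per subscription.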
@@ -1,61 +1,62 @@ id: azure_cis_v150_5_2_5 title: 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field":"operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field":"operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exist for create or update Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exist for create or update Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml index 2b40c9876..8b64bf1af 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml 
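Review bot: `LIMIT 1` in the `alert_rule` CTE runs before the per-subscription grouping, so if this query covers several subscriptions only one alert row is retained and the rest are marked `alarm` even when they have a compliant Security Solution alert. The outer `COUNT(a.subscription_id) > 0` grouped by `sub.subscription_id` does not need de-duplicated input, so removing `LIMIT 1` is sufficient. If the CTE should stay one-row-per-subscription, `SELECT DISTINCT alert.subscription_id` achieves that safely.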
@@ -1,61 +1,62 @@ id: azure_cis_v150_5_2_6 title: 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' - ELSE 'Activity log alert does not exists for delete Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exists for delete Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml index bb03f6f5a..25d9fb5f1 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml 
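Review bot: The failure reason text reads `'Activity log alert does not exists for delete Security Solution event.'` — a grammar slip in a user-facing string that the sibling controls spell correctly; change it to `'Activity log alert does not exist for delete Security Solution event.'`. Separately, the `LIMIT 1` at the end of the `alert_rule` CTE keeps a single alert across all subscriptions in scope, so in a multi-subscription run all but one subscription are reported `alarm`; the outer `COUNT(a.subscription_id) > 0` per `sub.subscription_id` already handles duplicates, so `LIMIT 1` can be removed.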
@@ -1,58 +1,59 @@ id: azure_cis_v150_5_2_7 title: 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml index f21ee6a53..e43482fa6 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml 
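Review bot: `LIMIT 1` in the `alert_rule` CTE is evaluated over every subscription's alerts at once, so when the query is run across several subscriptions only one SQL firewall-rule alert survives and the other subscriptions are reported `alarm` regardless of their configuration. The outer query groups by `sub.subscription_id` and tests `COUNT(a.subscription_id) > 0`, which is unaffected by duplicate alerts, so drop `LIMIT 1`. The stray blank line between the CTE and the main `SELECT` inside the block scalar is harmless but differs from the other controls in this change; removing it keeps the files uniform.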
@@ -1,57 +1,58 @@ id: azure_cis_v150_5_2_8 title: 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the 'Delete SQL Server Firewall Rule.' integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml index e6219f179..7b12949ae 100644 --- a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml 
@@ -1,60 +1,61 @@ id: azure_cis_v150_5_2_9 title: 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule +type: control description: Create an activity log alert for the Create or Update Public IP Addresses rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_5_3.yaml b/compliance/controls/azure/azure_cis_v150_5_3.yaml index 4c67adf83..7df2af667 100644 --- a/compliance/controls/azure/azure_cis_v150_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_5_3 title: 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it +type: control description: Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_6_1.yaml b/compliance/controls/azure/azure_cis_v150_6_1.yaml index 597143baf..c686f40da 100644 --- a/compliance/controls/azure/azure_cis_v150_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_1.yaml 
@@ -1,51 +1,52 @@ id: azure_cis_v150_6_1 title: 6.1 Ensure that RDP from the internet access is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 3389 - AND split_part(dport, '-', 2)::integer >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 
'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 3389 + AND split_part(dport, '-', 2)::integer >= 3389 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' - ELSE sg.title || ' allows RDP access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_6_2.yaml b/compliance/controls/azure/azure_cis_v150_6_2.yaml index 9817ec185..e3dd74445 100644 --- a/compliance/controls/azure/azure_cis_v150_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_2.yaml 
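Review bot: The outer query joins the CTE on name alone, `LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name`, while `network_sg` selects `DISTINCT name sg_name` with no subscription or resource-group qualifier, so an NSG that restricts RDP is reported as 'alarm' whenever another NSG carrying the same name in a different resource group or subscription allows it (NSG names are scoped to a resource group, so collisions are plausible in multi-subscription scans). Selecting `DISTINCT id AS sg_id` in the CTE and joining on `nsg.sg_id = sg.id` removes the ambiguity without changing the output shape. The `sip IN (...)` list also contains `'/0'` twice, which is harmless but reads like a typo for another prefix spelling. The same name-only join and duplicate list entry appear in the 6.2, 6.3 and 6.4 hunks below.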
@@ -1,51 +1,52 @@ id: azure_cis_v150_6_2 title: 6.2 Ensure that SSH access from the internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 22 - AND split_part(dport, '-', 2)::integer >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 
'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 22 + AND split_part(dport, '-', 2)::integer >= 22 + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_6_3.yaml b/compliance/controls/azure/azure_cis_v150_6_3.yaml index 229744636..a1e834d6f 100644 --- a/compliance/controls/azure/azure_cis_v150_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_3.yaml 
@@ -1,56 +1,57 @@ id: azure_cis_v150_6_3 title: 6.3 Ensure that UDP access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - 
dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - ) - ) + 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_6_4.yaml b/compliance/controls/azure/azure_cis_v150_6_4.yaml index 8837b3d87..2dc3c18a9 100644 --- a/compliance/controls/azure/azure_cis_v150_6_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_4.yaml 
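Review bot: The port predicate in the `network_sg` CTE only matches `dport = '*'` or a hyphenated range, so a rule whose destination port is a single value such as `'53'` or `'161'` is never flagged, even though the range branch was written to cover exactly those ports; the 6.1, 6.2 and 6.4 hunks handle the single-port case with `dport IN ('<port>', '*')`. Adding `OR dport IN ('53', '123', '161', '389', '1900')` next to `dport = '*'` closes the gap. The protocol test `sg -> 'properties' ->> 'protocol' = 'UDP'` is also case-sensitive and excludes `'*'`, unlike the `ILIKE 'TCP' OR ... = '*'` form in 6.1 and 6.2, so an any-protocol allow rule is not reported by this control; `ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*'` would be consistent with the siblings.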
@@ -1,58 +1,59 @@ id: azure_cis_v150_6_4 title: 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT DISTINCT - name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - AND sip IN ( - '*', - '0.0.0.0', - '0.0.0.0/0', - 'Internet', - 'any', - '/0', - '/0' - ) - AND ( - dport IN ('80', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 80 - AND split_part(dport, '-', 2)::integer >= 80 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT DISTINCT + name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 
'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + AND sip IN ( + '*', + '0.0.0.0', + '0.0.0.0/0', + 'Internet', + 'any', + '/0', + '/0' ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' - ELSE sg.title || ' allows HTTPS access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + AND ( + dport IN ('80', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 80 + AND split_part(dport, '-', 2)::integer >= 80 + ) + ) + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' + ELSE sg.title || ' allows HTTPS access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_7_1.yaml b/compliance/controls/azure/azure_cis_v150_7_1.yaml index 5702d6c32..8c65fe3f8 100644 --- a/compliance/controls/azure/azure_cis_v150_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_1.yaml 
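Review bot: The title says HTTP(S) and both reason strings say 'HTTPS access', but the CTE only tests `dport IN ('80', '*')` plus a range branch bounded on 80, so a rule exposing 443 alone is reported as 'restricts HTTPS access from internet'. Either the predicate should cover 443 as well (shown below) or the reason text should say HTTP; as written the verdict and the message disagree. The protocol filter `ILIKE 'TCP'` also lacks the `OR sg -> 'properties' ->> 'protocol' = '*'` alternative the 6.1 and 6.2 hunks use, so an any-protocol rule on port 80 is not flagged here.
```sql
-- … unchanged: access / direction / sip predicates …
AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*')
AND (
    dport IN ('80', '443', '*')
    OR (
        dport LIKE '%-%'
        AND split_part(dport, '-', 1)::integer <= 80
        AND split_part(dport, '-', 2)::integer >= 80
    )
    OR (
        dport LIKE '%-%'
        AND split_part(dport, '-', 1)::integer <= 443
        AND split_part(dport, '-', 2)::integer >= 443
    )
)
-- … unchanged: outer SELECT …
```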
@@ -1,29 +1,30 @@ id: azure_cis_v150_7_1 title: 7.1 Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' + END AS reason + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_7_2.yaml b/compliance/controls/azure/azure_cis_v150_7_2.yaml index 6f6ce6d0d..2561430a8 100644 --- a/compliance/controls/azure/azure_cis_v150_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_2.yaml 
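Review bot: The FROM clause pairs `azure_compute_virtual_machine AS vm, azure_subscription AS sub` with the join condition in WHERE, an implicit comma join in which losing the `WHERE` line silently becomes a cross product; since `sub` contributes no output columns it acts only as a subscription filter. Writing it as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id` makes that intent explicit and keeps the condition next to the join. `managed_disk_id IS NULL` is also unqualified in both CASE expressions; `vm.managed_disk_id` avoids an ambiguity error if the subscription table ever gains a column of that name. The same comma-join shape appears in the 7.2 and 7.3 hunks below.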
@@ -1,30 +1,31 @@ id: azure_cis_v150_7_2 title: 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) +type: control description: Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_7_3.yaml b/compliance/controls/azure/azure_cis_v150_7_3.yaml index ecb4e46e9..fa0ebddd6 100644 --- a/compliance/controls/azure/azure_cis_v150_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_3.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v150_7_3 title: 7.3 Ensure that 'Unattached disks' are encrypted with CMK +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_7_4.yaml b/compliance/controls/azure/azure_cis_v150_7_4.yaml index 7291e89db..1649d46a8 100644 --- a/compliance/controls/azure/azure_cis_v150_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_4.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_7_4 title: 7.4 Ensure that only approved extensions are installed +type: control description: For added security only install organization-approved extensions on VMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_7_5.yaml b/compliance/controls/azure/azure_cis_v150_7_5.yaml index 20140d0ab..794d8bf0d 100644 --- a/compliance/controls/azure/azure_cis_v150_7_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_5.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_7_5 title: 7.5 Ensure that the endpoint protection for all Virtual Machines is installed +type: control description: Install endpoint protection for all virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_7_6.yaml b/compliance/controls/azure/azure_cis_v150_7_6.yaml index bc53636e9..1e566d28c 100644 --- a/compliance/controls/azure/azure_cis_v150_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_6.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_7_6 title: 7.6 Ensure that VHD's are encrypted +type: control description: VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_8_1.yaml b/compliance/controls/azure/azure_cis_v150_8_1.yaml index 38816a768..f67cbe987 100644 --- a/compliance/controls/azure/azure_cis_v150_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_1.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v150_8_1 title: 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults +type: control description: Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_8_2.yaml b/compliance/controls/azure/azure_cis_v150_8_2.yaml index ca7544dbc..a593b1555 100644 --- a/compliance/controls/azure/azure_cis_v150_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_2.yaml 
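Review bot: The FROM clause mixes an ANSI `LEFT JOIN` onto the `rbac_vault` CTE with a comma join to `azure_subscription sub` that serves only as an existence filter in `WHERE`, and `enabled`, `expires_at` and `vault_name` are left unqualified among three sources. Writing the filter as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = kvk.subscription_id` and prefixing the key columns with `kvk.` makes the intent explicit and avoids an ambiguous-column error should `azure_subscription` ever gain a column with one of those names. The same shape is in the 8.2, 8.3 and 8.4 hunks, and the comma-join-as-filter pattern recurs in 8.5, 8.6, 9.1, 9.2, 9.4, 9.5 and 9.9.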
@@ -1,43 +1,44 @@ id: azure_cis_v150_8_2 title: 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults +type: control description: Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_8_3.yaml b/compliance/controls/azure/azure_cis_v150_8_3.yaml index f855654c2..0d7377c31 100644 --- a/compliance/controls/azure/azure_cis_v150_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_3.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v150_8_3 title: 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults +type: control description: Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_8_4.yaml b/compliance/controls/azure/azure_cis_v150_8_4.yaml index 639039c4d..64928c802 100644 --- a/compliance/controls/azure/azure_cis_v150_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_4.yaml 
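Review bot: The reason string labels the resource as a key, `vault_name || ' key ' || kvs.name ||`, although this control queries `azure_key_vault_secret`, so a finding reads "<vault> key <name> expiration date not set." for what is actually a secret. Change it to `vault_name || ' secret ' || kvs.name ||`. The 8.4 hunk copies the same label for secrets.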
@@ -1,42 +1,43 @@ id: azure_cis_v150_8_4 title: 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults +type: control description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' 
+ ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_8_5.yaml b/compliance/controls/azure/azure_cis_v150_8_5.yaml index 43cb6e445..b36f43aa1 100644 --- a/compliance/controls/azure/azure_cis_v150_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_5.yaml 
@@ -1,34 +1,35 @@ id: azure_cis_v150_8_5 title: 8.5 Ensure the key vault is recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled - THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled - THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled - THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled + THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled + THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled + THEN name || ' "do not purge" not enabled.' 
+ ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_8_6.yaml b/compliance/controls/azure/azure_cis_v150_8_6.yaml index 4cb8c25c3..5c314a292 100644 --- a/compliance/controls/azure/azure_cis_v150_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_6.yaml @@ -1,29 +1,30 @@ id: azure_cis_v150_8_6 title: 8.6 Enable Role Based Access Control for Azure Key Vault +type: control description: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_rbac_authorization THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' - ELSE name || ' have RBAC disabled.' - END AS reason - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_rbac_authorization THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' + ELSE name || ' have RBAC disabled.' + END AS reason + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} 
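Review bot: The status and reason CASEs disagree when either flag is NULL: `soft_delete_enabled AND purge_protection_enabled` evaluates to NULL and falls through to `'alarm'`, but every `NOT ...` branch of the reason CASE also evaluates to NULL, so the row is reported as alarm with the reason that both "soft delete" and "do not purge" are enabled. Whether the columns can be NULL is not visible here; if they can, `WHEN soft_delete_enabled IS TRUE AND purge_protection_enabled IS TRUE THEN 'ok'` for the status, and `IS NOT TRUE` in place of `NOT` in the three reason branches, make the two CASEs agree.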
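Review bot: The failing reason in the 8.6 hunk reads `name || ' have RBAC disabled.'` while the passing branch uses `' has RBAC enabled.'`; the subject is a single vault, so it should be `name || ' has RBAC disabled.'`. Only the string literal changes; the status CASE above it is correct.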
diff --git a/compliance/controls/azure/azure_cis_v150_8_8.yaml b/compliance/controls/azure/azure_cis_v150_8_8.yaml index 911f41163..ab3f2a867 100644 --- a/compliance/controls/azure/azure_cis_v150_8_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_8.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_8_8 title: 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services +type: control description: Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increase. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_9_1.yaml b/compliance/controls/azure/azure_cis_v150_9_1.yaml index e1394fddb..527b832b9 100644 --- a/compliance/controls/azure/azure_cis_v150_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v150_9_1 title: 9.1 Ensure App Service Authentication is set up for apps in Azure App Service +type: control description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN name || ' authentication not set.' + ELSE name || ' authentication set.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
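Review bot: A web app whose `auth_settings` carries no `properties.enabled` value passes: `->>` yields NULL, `NOT NULL::BOOLEAN` is NULL, the WHEN is not taken, and the ELSE reports `'ok'` with "authentication set." An app with authentication never configured is exactly what this control exists to catch, so missing should count as failing, `WHEN (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN IS NOT TRUE THEN 'alarm'`, with the same predicate in the reason CASE. The `NOT https_only`, `NOT client_cert_enabled` and `NOT (... ->> 'http20Enabled')::boolean` tests in the 9.2, 9.4 and 9.9 hunks have the same NULL-passes behaviour; whether those columns can be NULL is not visible in this diff.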
diff --git a/compliance/controls/azure/azure_cis_v150_9_11.yaml b/compliance/controls/azure/azure_cis_v150_9_11.yaml index daecab23d..3f9b8b6b5 100644 --- a/compliance/controls/azure/azure_cis_v150_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_11.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_9_11 title: 9.11 Ensure Azure Keyvaults are used to store secrets +type: control description: Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration. To maintain security of these keys, it is better to store them in an Azure Keyvault and reference them from the Keyvault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_9_2.yaml b/compliance/controls/azure/azure_cis_v150_9_2.yaml index fa14f3cce..237416fea 100644 --- a/compliance/controls/azure/azure_cis_v150_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v150_9_2 title: 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service +type: control description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE name || ' redirects all HTTP traffic to HTTPS.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' + ELSE name || ' redirects all HTTP traffic to HTTPS.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_9_4.yaml b/compliance/controls/azure/azure_cis_v150_9_4.yaml index 263d1a012..93d5063ed 100644 --- a/compliance/controls/azure/azure_cis_v150_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_4.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v150_9_4 title: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT client_cert_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' - ELSE name || ' incoming client certificates set to on.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT client_cert_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' + ELSE name || ' incoming client certificates set to on.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_9_5.yaml b/compliance/controls/azure/azure_cis_v150_9_5.yaml index 1e62c1d20..58a139a6b 100644 --- a/compliance/controls/azure/azure_cis_v150_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_5.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v150_9_5 title: 9.5 Ensure that Register with Azure Active Directory is enabled on App Service +type: control description: Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN identity = '{}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity = '{}' THEN name || ' register with Azure Active Directory disabled.' - ELSE name || ' register with Azure Active Directory enabled.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN identity = '{}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity = '{}' THEN name || ' register with Azure Active Directory disabled.' + ELSE name || ' register with Azure Active Directory enabled.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v150_9_6.yaml b/compliance/controls/azure/azure_cis_v150_9_6.yaml index 967dd06cd..5375ce76f 100644 --- a/compliance/controls/azure/azure_cis_v150_9_6.yaml 
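Review bot: `identity = '{}'` only catches an empty object; a NULL `identity` makes the comparison NULL, the WHEN is skipped, and the app is reported as `'ok'` with "register with Azure Active Directory enabled." If the column can be NULL when no managed identity is assigned, `WHEN identity IS NULL OR identity = '{}' THEN 'alarm'` in both CASEs closes the gap.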
+++ b/compliance/controls/azure/azure_cis_v150_9_6.yaml @@ -1,23 +1,24 @@ id: azure_cis_v150_9_6 title: 9.6 Ensure that 'PHP version' is the latest, if used to run the web app +type: control description: Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_9_7.yaml b/compliance/controls/azure/azure_cis_v150_9_7.yaml index f63be6575..cabf5b799 100644 --- a/compliance/controls/azure/azure_cis_v150_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_9_7 title: 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_9_8.yaml b/compliance/controls/azure/azure_cis_v150_9_8.yaml index 6768cbf31..138569808 100644 --- a/compliance/controls/azure/azure_cis_v150_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_8.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v150_9_8 title: 9.8 Ensure that 'Java version' is the latest, if used to run the web app +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v150_9_9.yaml b/compliance/controls/azure/azure_cis_v150_9_9.yaml index ebcc660ea..b7a9b66dd 100644 --- a/compliance/controls/azure/azure_cis_v150_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_9.yaml 
@@ -1,29 +1,30 @@
 id: azure_cis_v150_9_9
 title: 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
+type: control
 description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- app.id AS resource,
- app.platform_integration_id AS platform_integration_id,
- app.platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.'
- ELSE name || ' HTTP version is latest.'
- END AS reason
- FROM
- azure_app_service_web_app AS app,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = app.subscription_id;
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ app.id AS resource,
+ app.platform_integration_id AS platform_integration_id,
+ app.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.'
+ ELSE name || ' HTTP version is latest.'
+ END AS reason
+ FROM
+ azure_app_service_web_app AS app,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = app.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v200_10_1.yaml b/compliance/controls/azure/azure_cis_v200_10_1.yaml
index c5d886c54..8551f6454 100644
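Review bot: In the status CASE of azure_cis_v150_9_9, `NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean` is NULL when the key is absent from the site configuration, so the WHEN is not taken and the row falls through to `'ok'` — an app with no recorded `http20Enabled` value is reported compliant, and the reason CASE has the same gap. Writing the test as `WHEN (configuration -> 'properties' ->> 'http20Enabled')::boolean IS NOT TRUE THEN 'alarm'` (and the matching line in the reason CASE) makes a missing value fail closed. `configuration` and `name` are also unqualified while two tables are in FROM; qualifying them as `app.configuration` and `app.name` and replacing the comma join with `INNER JOIN azure_subscription AS sub ON sub.subscription_id = app.subscription_id` would make that explicit. The query itself is unchanged by this commit apart from indentation.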
--- a/compliance/controls/azure/azure_cis_v200_10_1.yaml
+++ b/compliance/controls/azure/azure_cis_v200_10_1.yaml
@@ -1,23 +1,24 @@
 id: azure_cis_v200_10_1
 title: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
+type: control
 description: Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_10.yaml b/compliance/controls/azure/azure_cis_v200_1_10.yaml
index 4bced20a4..274ec4756 100644
--- a/compliance/controls/azure/azure_cis_v200_1_10.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_10.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_10
 title: 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
+type: control
 description: Ensure that all Global Administrators are notified if any other administrator resets their password.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_12.yaml b/compliance/controls/azure/azure_cis_v200_1_12.yaml
index 6c77a2d65..3cd95ce64 100644
--- a/compliance/controls/azure/azure_cis_v200_1_12.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_12.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_12
 title: 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
+type: control
 description: Allow users to provide consent for selected permissions when a request is coming from a verified publisher.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_13.yaml b/compliance/controls/azure/azure_cis_v200_1_13.yaml
index ce90a2fb2..0b4d3fa93 100644
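Review bot: The Entra ID manual-verification controls here (1.10 and 1.12, and likewise 1.13, 1.15–1.18, 1.20–1.22, 1.1.1–1.1.4, 1.24, 1.25 and 1.2.1–1.2.5 in the following hunks) return only `resource`, `status` and `reason`, with `resource` fixed to the constant `'active_directory'`, whereas the subscription-scoped manual controls earlier in this diff (9.7, 9.8, 10.1) also emit `platform_integration_id` and `platform_resource_id`. If the evaluator uses those columns to attribute a finding to an integration, these rows cannot be attributed and every such control collapses onto the same resource key; I can't tell from the hunk whether the framework tolerates the narrower column set. If a tenant-scoped source is available (the 1.14 hunk reads `tenant_id` from `azure_tenant`), driving the row from it would give each finding a real resource id, as the subscription controls do with `azure_subscription`.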
--- a/compliance/controls/azure/azure_cis_v200_1_13.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_13.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_13
 title: 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
+type: control
 description: Require administrators to provide consent for the apps before use.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_14.yaml b/compliance/controls/azure/azure_cis_v200_1_14.yaml
index 7df54acc8..46d883a67 100644
--- a/compliance/controls/azure/azure_cis_v200_1_14.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_14.yaml
@@ -1,36 +1,37 @@
 id: azure_cis_v200_1_14
 title: 1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'
+type: control
 description: Require administrators or appropriately delegated users to register third-party applications.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: entraid_authorization_policy
- definition: |
- WITH distinct_tenant AS (
- SELECT
- DISTINCT tenant_id,
- subscription_id,
- _ctx
- FROM
- azure_tenant
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.'
- ELSE a.display_name || ' allows user to register applications.'
- END AS reason,
- t.tenant_id
- FROM
- distinct_tenant AS t,
- entraid_authorization_policy AS a;
+ language: sql
+ primary_resource: entraid_authorization_policy
+ definition: |
+ WITH distinct_tenant AS (
+ SELECT
+ DISTINCT tenant_id,
+ subscription_id,
+ _ctx
+ FROM
+ azure_tenant
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.'
+ ELSE a.display_name || ' allows user to register applications.'
+ END AS reason,
+ t.tenant_id
+ FROM
+ distinct_tenant AS t,
+ entraid_authorization_policy AS a;
 severity: low
 tags: {}
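Review bot: The final FROM in azure_cis_v200_1_14, `distinct_tenant AS t, entraid_authorization_policy AS a`, is a cross join with no join predicate, so every authorization policy row is emitted once per distinct (`tenant_id`, `subscription_id`, `_ctx`) tuple in `azure_tenant` and gets paired with tenants it may not belong to; the same shape appears in 1.19 (the next-but-one hunk) and 1.2.6 (the last hunk in this chunk). Presumably the intent is one result per policy tagged with its own tenant; if `entraid_authorization_policy` carries a tenant identifier, join `a` to `t` on it instead of cross-joining, and otherwise drop the CTE and the `t.tenant_id` output rather than multiplying rows. The `->> 'allowedToCreateApps' = 'false'` test does fail closed when the key is missing, which is the right default for this check.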
diff --git a/compliance/controls/azure/azure_cis_v200_1_15.yaml b/compliance/controls/azure/azure_cis_v200_1_15.yaml
index b292dbcf8..fc6ebd752 100644
--- a/compliance/controls/azure/azure_cis_v200_1_15.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_15.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_15
 title: 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
+type: control
 description: Limit guest user permissions.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_16.yaml b/compliance/controls/azure/azure_cis_v200_1_16.yaml
index adeea1cf1..b7da1e80d 100644
--- a/compliance/controls/azure/azure_cis_v200_1_16.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_16.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_16
 title: 1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
+type: control
 description: Restrict invitations to users with specific administrative roles only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_17.yaml b/compliance/controls/azure/azure_cis_v200_1_17.yaml
index 8e10f00fa..fc9ee01a5 100644
--- a/compliance/controls/azure/azure_cis_v200_1_17.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_17.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_17
 title: 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
+type: control
 description: Restrict access to the Azure AD administration portal to administrators only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_18.yaml b/compliance/controls/azure/azure_cis_v200_1_18.yaml
index de075a0ef..08fd46689 100644
--- a/compliance/controls/azure/azure_cis_v200_1_18.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_18.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_18
 title: 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
+type: control
 description: Restricts group creation to administrators with permissions only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_19.yaml b/compliance/controls/azure/azure_cis_v200_1_19.yaml
index d55c6359b..98ceb5365 100644
--- a/compliance/controls/azure/azure_cis_v200_1_19.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_19.yaml
@@ -1,36 +1,37 @@
 id: azure_cis_v200_1_19
 title: 1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
+type: control
 description: Restrict security group creation to administrators only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: entraid_authorization_policy
- definition: |
- WITH distinct_tenant AS (
- SELECT DISTINCT
- tenant_id,
- subscription_id,
- _ctx
- FROM
- azure_tenant
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.'
- ELSE a.display_name || ' allows user to create security groups.'
- END AS reason,
- t.tenant_id
- FROM
- distinct_tenant AS t,
- entraid_authorization_policy AS a;
+ language: sql
+ primary_resource: entraid_authorization_policy
+ definition: |
+ WITH distinct_tenant AS (
+ SELECT DISTINCT
+ tenant_id,
+ subscription_id,
+ _ctx
+ FROM
+ azure_tenant
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.'
+ ELSE a.display_name || ' allows user to create security groups.'
+ END AS reason,
+ t.tenant_id
+ FROM
+ distinct_tenant AS t,
+ entraid_authorization_policy AS a;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v200_1_1_1.yaml b/compliance/controls/azure/azure_cis_v200_1_1_1.yaml
index fa74cd57a..284ab38f6 100644
--- a/compliance/controls/azure/azure_cis_v200_1_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_1_1.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_1_1
 title: 1.1.1 Ensure Security Defaults is enabled on Azure Active Directory
+type: control
 description: Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_1_2.yaml b/compliance/controls/azure/azure_cis_v200_1_1_2.yaml
index da835c531..e42ddb7b0 100644
--- a/compliance/controls/azure/azure_cis_v200_1_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_1_2.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_1_2
 title: 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
+type: control
 description: Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_1_3.yaml b/compliance/controls/azure/azure_cis_v200_1_1_3.yaml
index 28abada74..2870b1f8f 100644
--- a/compliance/controls/azure/azure_cis_v200_1_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_1_3.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_1_3
 title: 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
+type: control
 description: Enable multi-factor authentication for all non-privileged users.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_1_4.yaml b/compliance/controls/azure/azure_cis_v200_1_1_4.yaml
index a66756474..f7c79ad2d 100644
--- a/compliance/controls/azure/azure_cis_v200_1_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_1_4.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_1_4
 title: 1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
+type: control
 description: Do not allow users to remember multi-factor authentication on devices.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_20.yaml b/compliance/controls/azure/azure_cis_v200_1_20.yaml
index 0b8ca3ee6..2572d6b77 100644
--- a/compliance/controls/azure/azure_cis_v200_1_20.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_20.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_20
 title: 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
+type: control
 description: Restrict security group management to administrators only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_21.yaml b/compliance/controls/azure/azure_cis_v200_1_21.yaml
index cf2f6553c..450251f04 100644
--- a/compliance/controls/azure/azure_cis_v200_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_21.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_21
 title: 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
+type: control
 description: Restrict Microsoft 365 group creation to administrators only.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_22.yaml b/compliance/controls/azure/azure_cis_v200_1_22.yaml
index abe0799d9..bbfec48c4 100644
--- a/compliance/controls/azure/azure_cis_v200_1_22.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_22.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_22
 title: 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
+type: control
 description: Joining or registering devices to the active directory should require Multi-factor authentication.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_23.yaml b/compliance/controls/azure/azure_cis_v200_1_23.yaml
index c8afc26f7..152479dac 100644
--- a/compliance/controls/azure/azure_cis_v200_1_23.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_23.yaml
@@ -1,54 +1,55 @@
 id: azure_cis_v200_1_23
 title: 1.23 Ensure That No Custom Subscription Administrator Roles Exist
+type: control
 description: The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_role_definition
- definition: |
- WITH owner_custom_roles AS (
- SELECT
- role_name,
- role_type,
- platform_integration_id,
- platform_resource_id,
- title,
- action,
- _ctx,
- subscription_id
- FROM
- azure_role_definition,
- jsonb_array_elements(permissions) AS s,
- jsonb_array_elements_text(s -> 'actions') AS action
- WHERE
- role_type = 'CustomRole'
- AND action IN ('*', '*:*')
- )
- SELECT
- cr.subscription_id AS resource,
- cr.platform_integration_id AS platform_integration_id,
- cr.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(*) > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN COUNT(*) = 1 THEN 'There is one custom owner role.'
- WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.'
- ELSE 'There are no custom owner roles.'
- END AS reason
- FROM
- owner_custom_roles cr,
- azure_subscription sub
- WHERE
- sub.subscription_id = cr.subscription_id
- GROUP BY
- cr.subscription_id,
- cr._ctx,
- cr.platform_integration_id,
- cr.platform_resource_id,
- sub.display_name;
+ language: sql
+ primary_resource: azure_role_definition
+ definition: |
+ WITH owner_custom_roles AS (
+ SELECT
+ role_name,
+ role_type,
+ platform_integration_id,
+ platform_resource_id,
+ title,
+ action,
+ _ctx,
+ subscription_id
+ FROM
+ azure_role_definition,
+ jsonb_array_elements(permissions) AS s,
+ jsonb_array_elements_text(s -> 'actions') AS action
+ WHERE
+ role_type = 'CustomRole'
+ AND action IN ('*', '*:*')
+ )
+ SELECT
+ cr.subscription_id AS resource,
+ cr.platform_integration_id AS platform_integration_id,
+ cr.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(*) > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN COUNT(*) = 1 THEN 'There is one custom owner role.'
+ WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.'
+ ELSE 'There are no custom owner roles.'
+ END AS reason
+ FROM
+ owner_custom_roles cr,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = cr.subscription_id
+ GROUP BY
+ cr.subscription_id,
+ cr._ctx,
+ cr.platform_integration_id,
+ cr.platform_resource_id,
+ sub.display_name;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v200_1_24.yaml b/compliance/controls/azure/azure_cis_v200_1_24.yaml
index 24504a4d7..9eea2bee8 100644
--- a/compliance/controls/azure/azure_cis_v200_1_24.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_24.yaml
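Review bot: In azure_cis_v200_1_23 the `ELSE 'ok'` and `'There are no custom owner roles.'` branches are unreachable: the outer query selects from `owner_custom_roles`, so a subscription only yields a row when it has at least one wildcard custom role and `COUNT(*)` is then always at least 1 — a compliant subscription produces no result at all instead of `ok`. The GROUP BY also includes `cr.platform_resource_id`, which looks like a per-role-definition value, so the count is per role (and per unnested wildcard action, so a role listing both `'*'` and `'*:*'` counts twice) rather than per subscription as the reason text suggests. Driving the query from `azure_subscription` with a LEFT JOIN to the CTE and counting distinct roles (`role_name`, or whichever column is unique per role definition) gives one row per subscription with a reachable `ok`; the CTE is unchanged. This hunk starts on the previous line.
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(DISTINCT cr.role_name) > 1 THEN 'There are ' || COUNT(DISTINCT cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id;
```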
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_24
 title: 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
+type: control
 description: Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_25.yaml b/compliance/controls/azure/azure_cis_v200_1_25.yaml
index d9dd90b49..f7b41c6aa 100644
--- a/compliance/controls/azure/azure_cis_v200_1_25.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_25.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_25
 title: 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
+type: control
 description: Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_2_1.yaml b/compliance/controls/azure/azure_cis_v200_1_2_1.yaml
index 5cb796afe..cf44476cb 100644
--- a/compliance/controls/azure/azure_cis_v200_1_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_2_1.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_2_1
 title: 1.2.1 Ensure Trusted Locations Are Defined
+type: control
 description: Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_2_2.yaml b/compliance/controls/azure/azure_cis_v200_1_2_2.yaml
index 72a9a7bf6..d33966025 100644
--- a/compliance/controls/azure/azure_cis_v200_1_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_2_2.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_2_2
 title: 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered
+type: control
 description: Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_2_3.yaml b/compliance/controls/azure/azure_cis_v200_1_2_3.yaml
index 8ed1d5077..fdfe1a3b1 100644
--- a/compliance/controls/azure/azure_cis_v200_1_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_2_3.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_2_3
 title: 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
+type: control
 description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_2_4.yaml b/compliance/controls/azure/azure_cis_v200_1_2_4.yaml
index a17702191..67bf23a67 100644
--- a/compliance/controls/azure/azure_cis_v200_1_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_2_4.yaml
@@ -1,18 +1,19 @@
 id: azure_cis_v200_1_2_4
 title: 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users
+type: control
 description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- 'active_directory' AS resource,
- 'info' AS status,
- 'Manual verification required.' AS reason;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ 'active_directory' AS resource,
+ 'info' AS status,
+ 'Manual verification required.' AS reason;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v200_1_2_5.yaml b/compliance/controls/azure/azure_cis_v200_1_2_5.yaml
index 459c77610..bc438921f 100644
--- a/compliance/controls/azure/azure_cis_v200_1_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v200_1_2_5.yaml
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_2_5 title: 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml index 675ba1384..b16403273 100644 --- a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v200_1_2_6 title: 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_conditional_access_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' - ELSE p.display_name || ' MFA disabled.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_conditional_access_policy AS p; + language: sql + primary_resource: entraid_conditional_access_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' + ELSE p.display_name || ' MFA disabled.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_conditional_access_policy AS p; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_1_3.yaml b/compliance/controls/azure/azure_cis_v200_1_3.yaml index ca654d4dd..8e846d762 100644 --- a/compliance/controls/azure/azure_cis_v200_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_3.yaml 
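Review bot: The comma join `FROM distinct_tenant AS t, entraid_conditional_access_policy AS p` in the new definition has no join condition, so every policy row is emitted once per (tenant_id, subscription_id, _ctx) tuple that the `distinct_tenant` CTE yields, and a tenant with several subscriptions reports the same policy several times with the same status. The sibling control `azure_cis_v200_1_5` correlates on tenant instead: `LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id`; if the policy table exposes a `tenant_id` the same way, `LEFT JOIN distinct_tenant AS t ON t.tenant_id = p.tenant_id` removes the multiplication. Independently of that, `p.built_in_controls @> '["mfa"]'` alone says nothing about whether the policy is enabled or scoped to Azure management, so a disabled policy that lists mfa would report `ok`; worth a comment above the CASE stating that assumption, e.g. `-- NOTE: checks only that mfa is among the built-in controls; policy state/scope are not evaluated.`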
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_3 title: 1.3 Ensure that 'Users can create Azure AD Tenants' is set to 'No' +type: control description: Require administrators or appropriately delegated users to create new tenants. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_4.yaml b/compliance/controls/azure/azure_cis_v200_1_4.yaml index 759132db1..a508741a1 100644 --- a/compliance/controls/azure/azure_cis_v200_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_4.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_4 title: 1.4 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management +type: control description: This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_5.yaml b/compliance/controls/azure/azure_cis_v200_1_5.yaml index 390ffcea4..44f182b89 100644 --- a/compliance/controls/azure/azure_cis_v200_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_5.yaml 
@@ -1,39 +1,40 @@ id: azure_cis_v200_1_5 title: 1.5 Ensure Guest Users Are Reviewed on a Regular Basis +type: control description: Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' 
- END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' + ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' + END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_1_6.yaml b/compliance/controls/azure/azure_cis_v200_1_6.yaml index ac2e7074d..9e1a290ff 100644 --- a/compliance/controls/azure/azure_cis_v200_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_6.yaml 
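Review bot: The second status branch, `WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm'`, puts every guest account older than 30 days permanently in alarm, since nothing in the query records that a review has happened; the reason text for that branch only reports the age, so a reader cannot tell why a 400-day-old guest is failing. At minimum the reason should say what is expected, e.g. `' days ago; review guest accounts older than 30 days.'` appended in place of `' days ago.'`, and the 30-day threshold deserves a comment naming it as the review cadence the control assumes. `account_enabled` is referenced unqualified in both CASE expressions while every other column is prefixed; `u.account_enabled` keeps the query unambiguous if `distinct_tenant` ever grows a column of that name.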
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_6 title: 1.6 Ensure That 'Number of methods required to reset' is set to '2' +type: control description: Ensures that two alternate forms of identification are provided before allowing a password reset. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_7.yaml b/compliance/controls/azure/azure_cis_v200_1_7.yaml index e988bf289..6b2b91237 100644 --- a/compliance/controls/azure/azure_cis_v200_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_7.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_7 title: 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization +type: control description: Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_8.yaml b/compliance/controls/azure/azure_cis_v200_1_8.yaml index 7b12729e2..527703286 100644 --- a/compliance/controls/azure/azure_cis_v200_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_8.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v200_1_8 title: 1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' +type: control description: Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_1_9.yaml b/compliance/controls/azure/azure_cis_v200_1_9.yaml index 9ccd3491f..ad25d6352 100644 --- a/compliance/controls/azure/azure_cis_v200_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_9.yaml @@ -1,18 +1,19 @@ id: azure_cis_v200_1_9 title: 1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' +type: control description: Ensure that users are notified on their primary and secondary emails on password resets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_2_1_1.yaml b/compliance/controls/azure/azure_cis_v200_2_1_1.yaml index 3cd68ff00..59f75edcf 100644 
--- a/compliance/controls/azure/azure_cis_v200_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_1.yaml @@ -1,32 +1,33 @@ id: azure_cis_v200_2_1_1 title: 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' +type: control description: Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' - ELSE 'Azure Defender off for Servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'VirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' + ELSE 'Azure Defender off for Servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'VirtualMachines'; severity: low tags: {} 
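Review bot: The `WHERE name = 'VirtualMachines'` predicate applied after `RIGHT JOIN azure_subscription sub` filters on a column of the outer side (assuming `name` resolves to `sub_pricing`), so subscriptions that have no pricing row for VirtualMachines are NULL-padded by the join and then discarded by the WHERE; a subscription where Defender for Servers was never configured is silently absent instead of reported as `alarm`. Moving the predicate into the join keeps those rows: `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'VirtualMachines'` and drop the WHERE clause; `sub_pricing.id AS resource` will then be NULL for such rows, so `COALESCE(sub_pricing.id, sub.id) AS resource` or similar is needed to keep the finding addressable. `azure_cis_v200_2_1_11` (`name = 'Dns'`) and `azure_cis_v200_2_1_2` (`name = 'AppServices'`) have the same shape and the same gap. Qualifying `pricing_tier` as `sub_pricing.pricing_tier` would also make the column's origin explicit.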
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_11.yaml b/compliance/controls/azure/azure_cis_v200_2_1_11.yaml index f755bab57..1df420b85 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_11.yaml @@ -1,32 +1,33 @@ id: azure_cis_v200_2_1_11 title: 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' +type: control description: Microsoft Defender for DNS scans all network traffic exiting from within a subscription. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' - ELSE 'Azure Defender off for DNS.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Dns'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' + ELSE 'Azure Defender off for DNS.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Dns'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_12.yaml b/compliance/controls/azure/azure_cis_v200_2_1_12.yaml index 30d81df3b..ae91e65f6 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_12.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_2_1_12 title: 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' +type: control description: Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_2_1_13.yaml b/compliance/controls/azure/azure_cis_v200_2_1_13.yaml index a81de6f99..bdd7d6cb1 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_13.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_2_1_13 title: 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' +type: control description: Ensure that the latest OS patches for all virtual machines are applied. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_2_1_14.yaml b/compliance/controls/azure/azure_cis_v200_2_1_14.yaml index 0bdbabe0d..3ddf381ab 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_14.yaml 
@@ -1,51 +1,52 @@ id: azure_cis_v200_2_1_14 title: 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' +type: control description: None of the settings offered by ASC Default policy should be set to effect Disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH policy_assignment_parameters AS ( - SELECT - id, - name, - key, - parameters -> key ->> 'value' AS value, - subscription_id - FROM - azure_policy_assignment, - jsonb_object_keys(parameters) AS key - WHERE - name = 'SecurityCenterBuiltIn' - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN - 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' - ELSE 'Settings enabled for all the parameters.' 
- END AS reason - FROM - policy_assignment_parameters pol_assignment - RIGHT JOIN - azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id - GROUP BY - sub.id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - pol_assignment.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH policy_assignment_parameters AS ( + SELECT + id, + name, + key, + parameters -> key ->> 'value' AS value, + subscription_id + FROM + azure_policy_assignment, + jsonb_object_keys(parameters) AS key + WHERE + name = 'SecurityCenterBuiltIn' + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN + 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' + ELSE 'Settings enabled for all the parameters.' + END AS reason + FROM + policy_assignment_parameters pol_assignment + RIGHT JOIN + azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id + GROUP BY + sub.id, + pol_assignment.id, + sub._ctx, + sub.subscription_id, + pol_assignment.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_15.yaml b/compliance/controls/azure/azure_cis_v200_2_1_15.yaml index 89b301553..c424e6a33 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_15.yaml 
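Review bot: `COUNT(value = 'Disabled') > 0` in both CASE expressions counts every row whose boolean is non-NULL, true or false alike, so any subscription with at least one `SecurityCenterBuiltIn` parameter is reported as `alarm` even when every parameter is enabled. The reason branch already uses the correct form, `COUNT(*) FILTER (WHERE value = 'Disabled')`; the two conditions should read `WHEN COUNT(*) FILTER (WHERE value = 'Disabled') > 0 THEN 'alarm'` and `WHEN COUNT(*) FILTER (WHERE value = 'Disabled') > 0 THEN`. With that fix a subscription with no `SecurityCenterBuiltIn` assignment at all (the NULL-padded row from the RIGHT JOIN) evaluates to `ok`, which may or may not be the intended reading; a one-line comment stating that choice would help the next maintainer.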
@@ -1,29 +1,30 @@ id: azure_cis_v200_2_1_15 title: 2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' +type: control description: Enable automatic provisioning of the monitoring agent to collect security data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN - azure_subscription sub - ON sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' + END AS reason + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN + azure_subscription sub + ON sc_prov.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_16.yaml b/compliance/controls/azure/azure_cis_v200_2_1_16.yaml index fdc6cdf7e..2ebfb9ff1 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_16.yaml 
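Review bot: With `RIGHT JOIN azure_subscription sub` and no WHERE, a subscription that has no `azure_security_center_auto_provisioning` row is kept and correctly lands in the `ELSE 'alarm'` branch, but `sc_prov.id AS resource` is NULL for that row, so the finding carries no resource identifier. `COALESCE(sc_prov.id, sub.id) AS resource` (or emitting `sub.id` alongside) keeps the alarm attributable; the same applies to the two `platform_*` columns taken from `sc_prov`. `auto_provision` is unqualified and would read better as `sc_prov.auto_provision` next to the other prefixed columns.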
@@ -1,23 +1,24 @@ id: azure_cis_v200_2_1_16 title: 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' +type: control description: Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_2_1_17.yaml b/compliance/controls/azure/azure_cis_v200_2_1_17.yaml index b0f237105..52bb43ab2 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_17.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_2_1_17 title: 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' +type: control description: Enable automatic provisioning of the Microsoft Defender for Containers components. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_2_1_18.yaml b/compliance/controls/azure/azure_cis_v200_2_1_18.yaml index bf432321d..d8fcff41c 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_18.yaml 
@@ -1,37 +1,38 @@ id: azure_cis_v200_2_1_18 title: 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner' +type: control description: Enable security alert emails to subscription owners. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} 
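Review bot: The `LIMIT 1` after `GROUP BY subscription_id` inside the `contact_info` CTE keeps the aggregate for one arbitrary subscription only; every other subscription LEFT JOINs to nothing, `admin_alert_count` is NULL, and the status falls through to `alarm` regardless of how its security contact is actually configured. Removing the `LIMIT 1` line is the fix, since the GROUP BY already yields one row per subscription. `azure_cis_v200_2_1_19` carries the same `LIMIT 1` in its `contact_info` CTE and is affected the same way. The `ok` reason string `'"All users with the following roles" set to Owner'` is also missing the trailing period the `alarm` string has.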
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_19.yaml b/compliance/controls/azure/azure_cis_v200_2_1_19.yaml index f154b7c8d..4d778ec7a 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_19.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v200_2_1_19 title: 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email +type: control description: Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'ok' - WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN - contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'ok' + WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN + contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_2.yaml b/compliance/controls/azure/azure_cis_v200_2_1_2.yaml index 2b648b36a..ff4d82355 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_2.yaml 
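Review bot: The status and reason CASE expressions test different conditions for the default-contact branch: status uses `WHEN default_count = 1 AND jsonb_array_length(default_email) != 0`, reason uses `WHEN default_count = 1 AND default_email IS NOT NULL`. Today they agree because the `FILTER (WHERE ... email != '')` in the CTE means `default_email` is either NULL or a non-empty array, but that coupling is easy to break; using the same predicate in both places, `default_email IS NOT NULL`, makes the pairing self-evident. A short comment on the `jsonb_agg ... FILTER` line noting that it intentionally yields NULL rather than `[]` when no default email is set would explain why the simpler check is sufficient.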
@@ -1,29 +1,30 @@ id: azure_cis_v200_2_1_2 title: 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' +type: control description: Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_20.yaml b/compliance/controls/azure/azure_cis_v200_2_1_20.yaml index 140cdb55e..36da4e594 100644 
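Review bot: The `WHERE name = 'AppServices'` predicate sits on the nullable side of the RIGHT JOIN, which turns it back into an inner join: a subscription with no `AppServices` pricing row is silently dropped from the results instead of reaching the `ELSE 'alarm'` branch. If the RIGHT JOIN is there to surface every subscription, move the plan filter into the join condition, `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'AppServices'`, and give `resource` a fallback such as `COALESCE(sub_pricing.id, sub.id)` for the NULL side. If the pricings API is known to return a row for every plan on every subscription this is only latent, but then the join should be written as an INNER JOIN so the query says what it does. Qualifying `name` as `sub_pricing.name` would also remove any ambiguity with columns of `azure_subscription`.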
--- a/compliance/controls/azure/azure_cis_v200_2_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_20.yaml 
@@ -1,37 +1,38 @@ id: azure_cis_v200_2_1_20 title: 2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High' +type: control description: Enables emailing security alerts to the subscription owner or other designated security contact. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN notification_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' - ELSE '"Notify about alerts with the following severity" not set to High.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN notification_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' + ELSE '"Notify about alerts with the following severity" not set to High.' 
+ END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_21.yaml b/compliance/controls/azure/azure_cis_v200_2_1_21.yaml index e22c26fa5..523261170 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_21.yaml 
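Review bot: The query never inspects the severity threshold that the title and reason strings claim to verify; it only counts contacts with `alert_notifications = 'On'`, so a contact configured to notify on Medium or Low is reported as '"Notify about alerts with the following severity" set to High.' If `azure_security_center_contact` exposes the minimal severity (the REST API returns it, I believe, under `alertNotifications.minimalSeverity`), the FILTER should become `WHERE alert_notifications = 'On' AND <minimal severity column> = 'High'`; otherwise the reason text should be reduced to what is actually checked (alert notifications enabled). The same `LIMIT 1` after `GROUP BY subscription_id` as in 2.1.19 collapses the CTE to a single subscription, so every other subscription alarms; remove it unless the integration is single-subscription by construction.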
@@ -1,32 +1,33 @@ id: azure_cis_v200_2_1_21 title: 2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected +type: control description: This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' - ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub - ON - sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'MCAS'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' + ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub + ON + sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'MCAS'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_22.yaml b/compliance/controls/azure/azure_cis_v200_2_1_22.yaml index 88d0225dc..e8f7c5a95 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_22.yaml 
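Review bot: The reason strings do not describe what the query checks: the WHERE clause selects the `MCAS` setting (Defender for Cloud Apps, per the title), but both branches report on 'Windows Defender ATP (WDATP)'; they appear to be swapped with 2.1.22. Change them to `'Microsoft Defender for Cloud Apps (MCAS) integrated with Microsoft Defender for Cloud.'` and `'Microsoft Defender for Cloud Apps (MCAS) not integrated with Microsoft Defender for Cloud.'`. As in the pricing controls, `WHERE name = 'MCAS'` on the nullable side of the RIGHT JOIN drops subscriptions that have no such setting row instead of alarming on them; move the predicate into the ON clause if every subscription must produce a finding. A NULL `enabled` does fall to 'alarm', which is the safe direction.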
+++ b/compliance/controls/azure/azure_cis_v200_2_1_22.yaml @@ -1,29 +1,30 @@ id: azure_cis_v200_2_1_22 title: 2.1.22 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected +type: control description: This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN azure_subscription sub ON sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'WDATP'; severity: low tags: {} 
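Review bot: The reason strings are mislabeled: the query filters on `name = 'WDATP'` (Defender for Endpoint, matching the title) but reports 'Microsoft Cloud App Security (MCAS) integrated/not integrated with Security Center.', i.e. the text that belongs to 2.1.21. Change them to `'Microsoft Defender for Endpoint (WDATP) integrated with Microsoft Defender for Cloud.'` and `'Microsoft Defender for Endpoint (WDATP) not integrated with Microsoft Defender for Cloud.'`. The `WHERE name = 'WDATP'` on the RIGHT JOIN's nullable side also removes subscriptions with no `WDATP` setting row rather than alarming on them; if those should fail, move the predicate into the ON clause and fall back to `sub.id` for `resource`.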
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_3.yaml b/compliance/controls/azure/azure_cis_v200_2_1_3.yaml index a41cb21d7..dc649ca0e 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_3.yaml 
@@ -1,48 +1,49 @@ id: azure_cis_v200_2_1_3 title: 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH defender_list AS ( - SELECT - json_object_agg(name, pricing_tier) AS data, - subscription_id - FROM - azure_security_center_subscription_pricing - WHERE - name = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'Azure Defender on for Databases.' - ELSE 'Azure Defender off for Databases.' 
- END AS reason - FROM - azure_subscription AS sub - LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH defender_list AS ( + SELECT + json_object_agg(name, pricing_tier) AS data, + subscription_id + FROM + azure_security_center_subscription_pricing + WHERE + name = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'Azure Defender on for Databases.' + ELSE 'Azure Defender off for Databases.' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_4.yaml b/compliance/controls/azure/azure_cis_v200_2_1_4.yaml index 7b6df8c3d..ab045cf70 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_4.yaml 
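Review bot: The four-way `data ->> '...' = 'Standard'` conjunction is written out twice, once for status and once for reason, so an edit to one plan name in one place silently desynchronises the verdict from its explanation. Compute it once in the CTE, e.g. `COUNT(*) FILTER (WHERE pricing_tier = 'Standard') = 4 AS all_standard` next to `json_object_agg`, and use `WHEN l.all_standard THEN ...` in both CASEs; this assumes one pricing row per plan, which the existing `->>` lookups already assume. Behaviour stays fail-closed: a subscription with no `defender_list` row or a missing plan yields NULL/false and alarms, which is worth stating in a comment above the CTE.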
@@ -1,30 +1,31 @@ id: azure_cis_v200_2_1_4 title: 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' - ELSE 'Azure Defender off for SQL database servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' + ELSE 'Azure Defender off for SQL database servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServers'; severity: low tags: {} 
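Review bot: `WHERE name = 'SqlServers'` on the nullable side of the RIGHT JOIN collapses it to an inner join, so a subscription lacking a `SqlServers` pricing row disappears from the output instead of being reported as 'Azure Defender off for SQL database servers.' Move the plan filter into the join, `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'SqlServers'`, so the NULL `pricing_tier` reaches `ELSE 'alarm'`, and use `COALESCE(sub_pricing.id, sub.id) AS resource` for that case. If the pricings API is known to always return every plan (Free tier included) the RIGHT JOIN is doing nothing and an explicit INNER JOIN would be more honest.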
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_5.yaml b/compliance/controls/azure/azure_cis_v200_2_1_5.yaml index af35a33c3..3108eba74 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_5.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v200_2_1_5 title: 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' +type: control description: Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' - ELSE 'Azure Defender off for SQL servers on machines.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServerVirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' + ELSE 'Azure Defender off for SQL servers on machines.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServerVirtualMachines'; severity: low tags: {} 
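Review bot: Same outer-join defect as the sibling pricing controls: `WHERE name = 'SqlServerVirtualMachines'` filters the nullable side of the RIGHT JOIN, so subscriptions with no such pricing row are dropped rather than alarmed. Either move the predicate into the ON clause (`... ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'SqlServerVirtualMachines'`) with a `COALESCE(sub_pricing.id, sub.id)` for `resource`, or replace the RIGHT JOIN with an INNER JOIN if the API guarantees a row per plan. A short comment stating which of the two assumptions the control relies on would help the next reviewer.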
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_6.yaml b/compliance/controls/azure/azure_cis_v200_2_1_6.yaml index 401c634e6..6be002f10 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_6.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v200_2_1_6 title: 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' - ELSE 'Azure Defender off for Open Source Relational Databases.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'OpenSourceRelationalDatabases'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' + ELSE 'Azure Defender off for Open Source Relational Databases.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'OpenSourceRelationalDatabases'; severity: low tags: {} 
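Review bot: The `WHERE name = 'OpenSourceRelationalDatabases'` filter defeats the RIGHT JOIN: for a subscription with no matching pricing row `name` is NULL, the predicate is false, and the subscription vanishes instead of yielding 'Azure Defender off for Open Source Relational Databases.' Put the plan filter in the join condition, `... ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'OpenSourceRelationalDatabases'`, and fall back to `sub.id` for `resource`; or, if every subscription is known to carry every plan row, make it an INNER JOIN so the intent is explicit. Qualify `name` as `sub_pricing.name` either way.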
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_7.yaml b/compliance/controls/azure/azure_cis_v200_2_1_7.yaml index 83c3ce06e..fef1ba309 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_7.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v200_2_1_7 title: 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' +type: control description: Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' - ELSE 'Azure Defender off for Storage.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'StorageAccounts'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' + ELSE 'Azure Defender off for Storage.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'StorageAccounts'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_2_1_8.yaml b/compliance/controls/azure/azure_cis_v200_2_1_8.yaml index 1689d333e..34a43797a 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_8.yaml 
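Review bot: `WHERE name = 'StorageAccounts'` is applied after the RIGHT JOIN to `azure_subscription`, which silently drops subscriptions that have no `StorageAccounts` pricing row instead of alarming on them. If every subscription must be reported, move the predicate into the ON clause (`... AND sub_pricing.name = 'StorageAccounts'`) and use `COALESCE(sub_pricing.id, sub.id) AS resource`; if the pricings API always returns the plan, switch to an INNER JOIN. Note for the docs that Defender for Storage has a newer per-storage-account plan as well; this control only reads the subscription-level tier, which is fine for CIS 2.1.7 but worth a one-line comment.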
+++ b/compliance/controls/azure/azure_cis_v200_2_1_8.yaml @@ -1,30 +1,31 @@ id: azure_cis_v200_2_1_8 title: 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' +type: control description: Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: {} 
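Review bot: The plan name does not match the control: CIS 2.1.8 (v2.0.0) covers the consolidated Microsoft Defender for Containers plan, whose name in the Security Center pricings API is `Containers`, whereas `ContainerRegistry` (like `KubernetesService`) is one of the legacy plans Microsoft folded into it, so on current subscriptions this query either finds no row or reports a stale tier. Change the filter to `name = 'Containers'` and the reason strings to 'Azure Defender on/off for Containers.'; please confirm against the pricings output of a current subscription before merging. As in the sibling controls, the `WHERE` on the RIGHT JOIN's nullable side also drops subscriptions without a matching row rather than alarming on them.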
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_9.yaml b/compliance/controls/azure/azure_cis_v200_2_1_9.yaml index 54f5b22b6..9b891b0e7 100644 --- a/compliance/controls/azure/azure_cis_v200_2_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_9.yaml @@ -1,30 +1,31 @@ id: azure_cis_v200_2_1_9 title: 2.1.9 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' +type: control description: Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' - ELSE 'Azure Defender off for Cosmos DB.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'CosmosDbs'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' + ELSE 'Azure Defender off for Cosmos DB.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'CosmosDbs'; severity: low tags: {} 
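Review bot: `WHERE name = 'CosmosDbs'` on the nullable side of the RIGHT JOIN turns it into an inner join, so a subscription with no `CosmosDbs` pricing row produces no finding at all rather than 'Azure Defender off for Cosmos DB.' Move the plan filter into the join condition, `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'CosmosDbs'`, with `COALESCE(sub_pricing.id, sub.id) AS resource` for the NULL side; otherwise write INNER JOIN and rely on the API returning every plan. Qualifying `name` as `sub_pricing.name` avoids an ambiguity error should `azure_subscription` ever gain a `name` column.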
diff --git a/compliance/controls/azure/azure_cis_v200_2_2_1.yaml b/compliance/controls/azure/azure_cis_v200_2_2_1.yaml index 82fc0ae4c..97f6a88e0 100644 --- a/compliance/controls/azure/azure_cis_v200_2_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_2_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_2_2_1 title: 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' +type: control description: Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_3_1.yaml b/compliance/controls/azure/azure_cis_v200_3_1.yaml index 2a077c15c..62bf937e2 100644 --- a/compliance/controls/azure/azure_cis_v200_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_1 title: 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' +type: control description: Enable data encryption in transit. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enable_https_traffic_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' - ELSE sa.name || ' encryption in transit enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enable_https_traffic_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' + ELSE sa.name || ' encryption in transit enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_10.yaml b/compliance/controls/azure/azure_cis_v200_3_10.yaml index ba723d192..b6a30e9a3 100644 --- a/compliance/controls/azure/azure_cis_v200_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_10.yaml 
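Review bot: A NULL `enable_https_traffic_only` passes the control: `NOT NULL` is NULL, the WHEN is skipped and the ELSE branch returns 'ok', so an account whose property was not returned is reported as 'encryption in transit enabled.' Make the unknown case fail closed with `WHEN enable_https_traffic_only IS NOT TRUE THEN 'alarm'` in both CASEs (or invert to `WHEN enable_https_traffic_only THEN 'ok' ELSE 'alarm'`). The comma join to `azure_subscription sub` contributes no output column; if it exists only to scope to onboarded subscriptions, write it as `INNER JOIN azure_subscription sub ON sub.subscription_id = sa.subscription_id` and note that it multiplies rows if that table ever holds more than one row per subscription_id.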
@@ -1,40 +1,41 @@ id: azure_cis_v200_3_10 title: 3.10 Ensure Private Endpoints are used to access Storage Accounts +type: control description: Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH storage_account_connection AS ( - SELECT DISTINCT - a.id - FROM - azure_storage_account AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT DISTINCT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason - FROM - azure_storage_account AS a - LEFT JOIN - storage_account_connection AS s ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + WITH storage_account_connection AS ( + SELECT DISTINCT + a.id + FROM + azure_storage_account AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT DISTINCT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason + FROM + azure_storage_account AS a + LEFT JOIN + storage_account_connection AS s ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_11.yaml b/compliance/controls/azure/azure_cis_v200_3_11.yaml index 173109389..494964dc7 100644 --- a/compliance/controls/azure/azure_cis_v200_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_11.yaml 
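Review bot: The outer `SELECT DISTINCT` is masking row multiplication from the comma join to `azure_subscription AS sub`, which contributes nothing to the output; the CTE is already DISTINCT, so replacing the comma join with `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` (or dropping the table) lets the outer DISTINCT go and makes any duplicate subscription rows visible instead of hidden. The alarm text `' not uses private link.'` should read `' does not use private link.'`. A comment above the CTE stating that only connections in state 'Approved' count, so pending or rejected private endpoints are treated as absent, would document the intended strictness.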
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_11 title: 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage +type: control description: The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT blob_soft_delete_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' - ELSE sa.name || ' blobs soft delete enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT blob_soft_delete_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' + ELSE sa.name || ' blobs soft delete enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_12.yaml b/compliance/controls/azure/azure_cis_v200_3_12.yaml index c6f034570..1df09cd81 100644 --- a/compliance/controls/azure/azure_cis_v200_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_12.yaml 
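Review bot: `NOT blob_soft_delete_enabled` evaluates to NULL when the column is NULL, so an account with no soft-delete setting returned falls through to the ELSE branch and is reported as 'blobs soft delete enabled.'; use `WHEN blob_soft_delete_enabled IS NOT TRUE THEN 'alarm'` in both CASEs so unknown fails closed. The title covers containers as well as blobs, but only the blob flag is tested; if the backing `azure_storage_account` table exposes a container soft-delete flag (check its schema), both should be required for 'ok'. The comma join to `azure_subscription sub` adds nothing to the result and should be an explicit INNER JOIN or removed.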
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_12 title: 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys +type: control description: Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' - ELSE sa.name || ' encrypted with CMK.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' + ELSE sa.name || ' encrypted with CMK.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_14.yaml b/compliance/controls/azure/azure_cis_v200_3_14.yaml index c0059831d..ca80f3ac7 100644 --- a/compliance/controls/azure/azure_cis_v200_3_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_14.yaml 
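Review bot: The status check alarms only on the literal `'Microsoft.Storage'`, so a NULL `encryption_key_source` is reported as `' encrypted with CMK.'`. Inverting it to an allow-list, `WHEN sa.encryption_key_source IS DISTINCT FROM 'Microsoft.Keyvault' THEN 'alarm'`, makes both NULL and any unexpected value fail closed; confirm the column carries the ARM `keySource` string unchanged before relying on that literal. The same predicate is repeated in the reason CASE and should change together with it.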
@@ -1,35 +1,36 @@ id: azure_cis_v200_3_14 title: 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests -description: 'Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.' +type: control +description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete - THEN sa.name || ' table service logging enabled for read, write, delete requests.' - ELSE sa.name || ' table service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT table_logging_write THEN 'write' END, - CASE WHEN NOT table_logging_read THEN 'read' END, - CASE WHEN NOT table_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete + THEN sa.name || ' table service logging enabled for read, write, delete requests.' + ELSE sa.name || ' table service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT table_logging_write THEN 'write' END, + CASE WHEN NOT table_logging_read THEN 'read' END, + CASE WHEN NOT table_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
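Review bot: The reason branch builds its list with `CASE WHEN NOT table_logging_write THEN 'write' END`, which yields NULL when the flag itself is NULL, so `CONCAT_WS` drops it and the message can read `table service logging not enabled for:  requests.` with nothing listed even though status is `alarm`. Writing the three inner CASEs as `CASE WHEN table_logging_write IS NOT TRUE THEN 'write' END` (and likewise for read and delete) makes unset flags appear in the list. Status itself is already safe here because a NULL anywhere in the AND chain fails the first WHEN.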
diff --git a/compliance/controls/azure/azure_cis_v200_3_15.yaml b/compliance/controls/azure/azure_cis_v200_3_15.yaml index f5701c8d4..ccf64a8d2 100644 --- a/compliance/controls/azure/azure_cis_v200_3_15.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_15.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v200_3_15 title: 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' +type: control description: In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' - WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' + WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' + ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' 
+ END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_2.yaml b/compliance/controls/azure/azure_cis_v200_3_2.yaml index 502a61f00..6ef1c61c0 100644 --- a/compliance/controls/azure/azure_cis_v200_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_2.yaml 
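Review bot: The ELSE reason concatenates `minimum_tls_version` directly, so when the property is NULL the whole reason string becomes NULL while status is `alarm`; wrap it as `COALESCE(minimum_tls_version, 'not set')`. The ok test is an exact match on `'TLS1_2'`, so if the service accepts a stricter value such as `TLS1_3` an account configured that way would alarm for being more secure; `WHEN minimum_tls_version IN ('TLS1_2', 'TLS1_3') THEN 'ok'` avoids that, subject to confirming the column's value set. The `TLS1_2` and ELSE reason branches emit identical text and can be merged.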
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_2 title: 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' +type: control description: Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN require_infrastructure_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason - FROM - azure_storage_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN require_infrastructure_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' + END AS reason + FROM + azure_storage_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_3.yaml b/compliance/controls/azure/azure_cis_v200_3_3.yaml index 8c08dfd81..5eabbfa5c 100644 --- a/compliance/controls/azure/azure_cis_v200_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_3.yaml 
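Review bot: `name` is unqualified in both reason expressions while the FROM clause cross-joins `azure_subscription`; if that table also exposes a `name` column the query fails with an ambiguous-column error, and the sibling controls in this diff consistently write `sa.name`/`s.name`. Qualify both occurrences as `s.name`. The `azure_subscription` join contributes no output column and only drops storage accounts whose subscription row is missing; if that filtering is not intended it can be removed.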
@@ -1,23 +1,24 @@ id: azure_cis_v200_3_3 title: 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account +type: control description: Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_3_4.yaml b/compliance/controls/azure/azure_cis_v200_3_4.yaml index 73080dbb1..8c3e758cd 100644 --- a/compliance/controls/azure/azure_cis_v200_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_4.yaml 
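Review bot: `primary_resource` is the empty string although the definition selects `id AS resource` from `azure_subscription`, so these results are not attributed to a resource type the way the automated controls in this diff are. If the platform allows it for manual controls, set `primary_resource: azure_subscription`; if the empty value is deliberate for `manual-verification` controls, a short YAML comment saying so would stop the next reader from "fixing" it. I cannot tell from the hunk which of the two applies.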
@@ -1,23 +1,24 @@ id: azure_cis_v200_3_4 title: 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated +type: control description: For increased security, regenerate storage account access keys periodically. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_3_5.yaml b/compliance/controls/azure/azure_cis_v200_3_5.yaml index e830424dc..7b8daa213 100644 --- a/compliance/controls/azure/azure_cis_v200_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_5.yaml 
@@ -1,35 +1,36 @@ id: azure_cis_v200_3_5 title: 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests +type: control description: The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete - THEN sa.name || ' queue service logging enabled for read, write, delete requests.' - ELSE sa.name || ' queue service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT queue_logging_write THEN 'write' END, - CASE WHEN NOT queue_logging_read THEN 'read' END, - CASE WHEN NOT queue_logging_delete THEN 'delete' END - ) || ' requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete + THEN sa.name || ' queue service logging enabled for read, write, delete requests.' + ELSE sa.name || ' queue service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT queue_logging_write THEN 'write' END, + CASE WHEN NOT queue_logging_read THEN 'read' END, + CASE WHEN NOT queue_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_6.yaml b/compliance/controls/azure/azure_cis_v200_3_6.yaml index 3bd8b41fc..53a1f2664 100644 --- a/compliance/controls/azure/azure_cis_v200_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_6.yaml 
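Review bot: The comma join `azure_storage_account sa, azure_subscription sub` with `sub.subscription_id = sa.subscription_id` behaves as an inner join, so a storage account whose subscription row is absent from `azure_subscription` disappears from the result instead of being evaluated, and nothing from `sub` is actually selected. Either drop the join or make the intent explicit with `INNER JOIN azure_subscription AS sub ON sub.subscription_id = sa.subscription_id`. As in the table-logging control, `CASE WHEN NOT queue_logging_write THEN 'write' END` omits a NULL flag from the reason text; `IS NOT TRUE` lists it.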
@@ -1,23 +1,24 @@ id: azure_cis_v200_3_6 title: 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour +type: control description: Expire shared access signature tokens within an hour. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_3_8.yaml b/compliance/controls/azure/azure_cis_v200_3_8.yaml index 1faa52238..433b50d28 100644 --- a/compliance/controls/azure/azure_cis_v200_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_8.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_8 title: 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny +type: control description: Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' - ELSE name || ' allows traffic from specific networks.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' + ELSE name || ' allows traffic from specific networks.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_3_9.yaml b/compliance/controls/azure/azure_cis_v200_3_9.yaml index ccf03af31..5e4a6c087 100644 --- a/compliance/controls/azure/azure_cis_v200_3_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_9.yaml 
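Review bot: Only the literal `'Allow'` alarms, so a NULL `network_rule_default_action` is reported as `' allows traffic from specific networks.'`. Fail closed with `WHEN sa.network_rule_default_action IS DISTINCT FROM 'Deny' THEN 'alarm'` so anything other than an explicit Deny is flagged; the reason CASE uses the same predicate and should change with it. `name` is unqualified here while the sibling controls use `sa.name`; qualify it to avoid an ambiguous reference if `azure_subscription` also exposes a `name` column.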
@@ -1,29 +1,30 @@ id: azure_cis_v200_3_9 title: 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access +type: control description: Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' - ELSE sa.name || ' trusted Microsoft services enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' + ELSE sa.name || ' trusted Microsoft services enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
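Review bot: `network_rule_bypass NOT LIKE '%AzureServices%'` evaluates to NULL when the column is NULL, so the CASE falls to `'ok'` and an account with no bypass value is reported as having trusted services enabled. Use `COALESCE(network_rule_bypass, '') NOT LIKE '%AzureServices%'` in both CASEs. Since the bypass list only has effect when the default action is Deny, it would help to say in `description` that this control is meant to be read alongside 3.8 rather than as a standalone hardening step.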
diff --git a/compliance/controls/azure/azure_cis_v200_4_1_2.yaml b/compliance/controls/azure/azure_cis_v200_4_1_2.yaml index ca9615656..e4a77fc66 100644 --- a/compliance/controls/azure/azure_cis_v200_4_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_1_2.yaml 
@@ -1,33 +1,34 @@ id: azure_cis_v200_4_1_2 title: 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) +type: control description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' - ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' 
+ ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_1_4.yaml b/compliance/controls/azure/azure_cis_v200_4_1_4.yaml index 631723c3d..0c5b14b75 100644 --- a/compliance/controls/azure/azure_cis_v200_4_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_1_4.yaml 
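Review bot: The two `@>` containment literals catch only the exact ranges 0.0.0.0–0.0.0.0 and 0.0.0.0–255.255.255.255, so a rule such as 0.0.0.0–255.255.255.254 or 1.0.0.0–255.255.255.255 is reported as `' does not allow ingress 0.0.0.0/0 or any IP over internet.'`. Expanding `firewall_rules` and testing each rule's `startIpAddress` for `0.0.0.0` covers every range that begins at the unspecified address, including the Azure-services rule the first literal targets; wide ranges that start elsewhere still need a separate threshold decision. The same predicate drives both CASEs, so compute it once in a CTE and join on it.
```yaml
    definition: |
      WITH open_sql_server AS (
        SELECT DISTINCT
          s.id
        FROM
          azure_sql_server AS s,
          jsonb_array_elements(s.firewall_rules) AS r
        WHERE
          r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'
      )
      SELECT
        s.id AS resource,
        -- … unchanged: platform_integration_id, platform_resource_id …
        CASE
          WHEN o.id IS NOT NULL THEN 'alarm'
          ELSE 'ok'
        END AS status,
        -- … unchanged: reason text, keyed on o.id IS NOT NULL …
      FROM
        azure_sql_server AS s
        LEFT JOIN open_sql_server AS o ON o.id = s.id,
        azure_subscription AS sub
      WHERE
        sub.subscription_id = s.subscription_id;
```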
@@ -1,29 +1,30 @@ id: azure_cis_v200_4_1_4 title: 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers +type: control description: Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN server_azure_ad_administrator IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' - ELSE name || ' Azure AD authentication configured.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN server_azure_ad_administrator IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' + ELSE name || ' Azure AD authentication configured.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_3_1.yaml b/compliance/controls/azure/azure_cis_v200_4_3_1.yaml index 5104b624a..de8e98f29 100644 --- a/compliance/controls/azure/azure_cis_v200_4_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_1.yaml 
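Review bot: `server_azure_ad_administrator IS NULL` is the only failing condition; if the column is a JSON collection that comes back empty (`[]`) rather than NULL when no administrator is set, such servers are reported as `' Azure AD authentication configured.'`. Guard both shapes, e.g. `WHEN server_azure_ad_administrator IS NULL OR server_azure_ad_administrator = '[]'::jsonb THEN 'alarm'`, after confirming the column type. `name` is also unqualified here; use `s.name` as the neighbouring controls do.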
@@ -1,29 +1,30 @@ id: azure_cis_v200_4_3_1 title: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server +type: control description: Enable SSL connection on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' - ELSE name || ' SSL connection enabled.' - END AS reason - FROM - azure_postgresql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' + ELSE name || ' SSL connection enabled.' + END AS reason + FROM + azure_postgresql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_3_5.yaml b/compliance/controls/azure/azure_cis_v200_4_3_5.yaml index b3bc85e05..193cb36f3 100644 --- a/compliance/controls/azure/azure_cis_v200_4_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_5.yaml 
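Review bot: Alarming only on the literal `'Disabled'` means a NULL `ssl_enforcement` is reported as `' SSL connection enabled.'`; use `WHEN ssl_enforcement IS DISTINCT FROM 'Enabled' THEN 'alarm'` in both CASEs so the control fails closed on unread or unexpected values. `name` is unqualified while `azure_subscription` is cross-joined; write `s.name` to match the other controls and avoid an ambiguous reference.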
@@ -1,31 +1,32 @@ id: azure_cis_v200_4_3_5 title: 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable connection_throttling on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter connection_throttling off.' - ELSE s.name || ' server parameter connection_throttling on.' - END AS reason - FROM - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'connection_throttling' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter connection_throttling off.' + ELSE s.name || ' server parameter connection_throttling on.' + END AS reason + FROM + azure_postgresql_server s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'connection_throttling' + AND sub.subscription_id = s.subscription_id; severity: low tags: {} 
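Review bot: The comma join with `jsonb_array_elements(server_configurations) config` filtered by `config ->> 'Name' = 'connection_throttling'` is an inner join, so a server with no such configuration entry (or a NULL `server_configurations`) produces no row at all and silently vanishes from the results instead of alarming. Moving the parameter lookup into an `EXISTS` predicate evaluates every server and treats a missing or non-`on` value as `alarm`; the reason CASE should use the same predicate.
```yaml
    definition: |
      SELECT
        s.id AS resource,
        -- … unchanged: platform_integration_id, platform_resource_id …
        CASE
          WHEN EXISTS (
            SELECT 1
            FROM jsonb_array_elements(s.server_configurations) AS c
            WHERE c ->> 'Name' = 'connection_throttling'
              AND LOWER(c -> 'ConfigurationProperties' ->> 'value') = 'on'
          ) THEN 'ok'
          ELSE 'alarm'
        END AS status,
        -- … unchanged: reason text, keyed on the same EXISTS …
      FROM
        azure_postgresql_server s,
        azure_subscription sub
      WHERE
        sub.subscription_id = s.subscription_id;
```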
diff --git a/compliance/controls/azure/azure_cis_v200_4_3_7.yaml b/compliance/controls/azure/azure_cis_v200_4_3_7.yaml index 83e8f4fed..c5c0d9360 100644 --- a/compliance/controls/azure/azure_cis_v200_4_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_7.yaml 
@@ -1,41 +1,42 @@ id: azure_cis_v200_4_3_7 title: 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled +type: control description: Disable access from Azure services to PostgreSQL Database Server. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - WITH postgres_db_with_allow_access_to_azure_services AS ( - SELECT - id - FROM - azure_postgresql_server, - JSONB_ARRAY_ELEMENTS(firewall_rules) AS r - WHERE - r -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0' - AND r -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0' - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to azure services.' - ELSE s.title || ' restricts access to azure services.' - END AS reason - FROM - azure_postgresql_server AS s - LEFT JOIN postgres_db_with_allow_access_to_azure_services AS a - ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + WITH postgres_db_with_allow_access_to_azure_services AS ( + SELECT + id + FROM + azure_postgresql_server, + JSONB_ARRAY_ELEMENTS(firewall_rules) AS r + WHERE + r -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0' + AND r -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0' + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to azure services.' + ELSE s.title || ' restricts access to azure services.' 
+ END AS reason + FROM + azure_postgresql_server AS s + LEFT JOIN postgres_db_with_allow_access_to_azure_services AS a + ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_3_8.yaml b/compliance/controls/azure/azure_cis_v200_4_3_8.yaml index 677ec2bef..a2f373ec3 100644 --- a/compliance/controls/azure/azure_cis_v200_4_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_8.yaml 
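Review bot: The CTE `postgres_db_with_allow_access_to_azure_services` selects `id` without DISTINCT, so a server carrying more than one rule with the 0.0.0.0–0.0.0.0 range would be joined twice and appear twice in the output; the private-link control earlier in this diff uses `SELECT DISTINCT` for the same pattern. Write `SELECT DISTINCT id` here. The rule path is `FirewallRuleProperties` whereas the SQL-server control reads `properties`; if both tables come from the same provider it is worth confirming the key name against a real row, since a wrong key leaves the CTE empty and marks every server `ok`.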
@@ -1,29 +1,30 @@ id: azure_cis_v200_4_3_8 title: 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' +type: control description: Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' + END AS reason + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_4_1.yaml b/compliance/controls/azure/azure_cis_v200_4_4_1.yaml index a6b19610d..4c6c3e7ec 100644 --- a/compliance/controls/azure/azure_cis_v200_4_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_4_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_4_4_1 title: 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server +type: control description: Enable SSL connection on MySQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' - ELSE s.name || ' SSL connection enabled.' - END AS reason - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' + ELSE s.name || ' SSL connection enabled.' + END AS reason + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_4_2.yaml b/compliance/controls/azure/azure_cis_v200_4_4_2.yaml index 46b88f6a1..c59cd5cc8 100644 --- a/compliance/controls/azure/azure_cis_v200_4_4_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_4_2.yaml 
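Review bot: The status CASE `WHEN ssl_enforcement = 'Disabled' THEN 'alarm' ELSE 'ok'` reports 'ok' whenever `ssl_enforcement` is NULL, because the comparison evaluates to UNKNOWN and falls through to ELSE, so a server whose enforcement value could not be read is scored compliant. Inverting to the positive condition, `WHEN ssl_enforcement = 'Enabled' THEN 'ok'` with `ELSE 'alarm'` (and the matching reason branch), makes an unknown value fail closed. Whether the column is nullable for this table is not visible here, so treat this as hardening rather than a confirmed misreport; azure_cis_v200_5_1_3 has the same fail-open shape with `public_access != 'None'`.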
@@ -1,31 +1,32 @@ id: azure_cis_v200_4_4_2 title: 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server +type: control description: Ensure TLS version on MySQL flexible servers is set to the default value. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' - WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - END AS reason - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' + WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' + ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' + END AS reason + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} 
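Review bot: When `minimal_tls_version` is NULL the row correctly lands in the 'alarm' branch, but its reason `s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'` collapses to NULL because `||` propagates NULL, so the finding is emitted without any explanation. Wrapping the column in the ELSE branch, `|| COALESCE(minimal_tls_version, 'unknown') ||`, keeps the reason populated. The 'TLS1_2' branch cannot hit this because its WHEN already requires a non-NULL value.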
diff --git a/compliance/controls/azure/azure_cis_v200_4_5_1.yaml b/compliance/controls/azure/azure_cis_v200_4_5_1.yaml index 162a6146c..f50eccc1c 100644 --- a/compliance/controls/azure/azure_cis_v200_4_5_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_1.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v200_4_5_1 title: 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks +type: control description: Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Disabled' THEN 'ok' - WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.' - WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.' - ELSE a.name || ' virtual network filter disabled.' - END AS reason - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Disabled' THEN 'ok' + WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.' + WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.' + ELSE a.name || ' virtual network filter disabled.' 
+ END AS reason + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_5_2.yaml b/compliance/controls/azure/azure_cis_v200_4_5_2.yaml index 7af8e35df..981ef258c 100644 --- a/compliance/controls/azure/azure_cis_v200_4_5_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_2.yaml 
@@ -1,39 +1,40 @@ id: azure_cis_v200_4_5_2 title: 4.5.2 Ensure That Private Endpoints Are Used Where Possible +type: control description: Private endpoints limit network traffic to approved sources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - WITH cosmosdb_private_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_cosmosdb_account AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' - END AS reason - FROM - azure_cosmosdb_account AS a - LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + WITH cosmosdb_private_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_cosmosdb_account AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' 
+ END AS reason + FROM + azure_cosmosdb_account AS a + LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_4_5_3.yaml b/compliance/controls/azure/azure_cis_v200_4_5_3.yaml index 957288bb1..9315584c2 100644 --- a/compliance/controls/azure/azure_cis_v200_4_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_3.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_4_5_3 title: 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible +type: control description: Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_5_1_1.yaml b/compliance/controls/azure/azure_cis_v200_5_1_1.yaml index 16184e713..0e105807c 100644 --- a/compliance/controls/azure/azure_cis_v200_5_1_1.yaml 
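Review bot: The alarm reason `a.name || ' not uses private link.'` is ungrammatical; `a.name || ' does not use private link.'` reads as the finding is meant to. The `cosmosdb_private_connection` CTE only counts connections whose `privateLinkServiceConnectionState ->> 'status'` is 'Approved', so an account with only pending or rejected private endpoint connections stays in the alarm branch; a one-line comment above the CTE, `-- only approved private-endpoint connections count as "uses private link"`, would save the next reader from re-deriving that.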
+++ b/compliance/controls/azure/azure_cis_v200_5_1_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_5_1_1 title: 5.1.1 Ensure that a 'Diagnostic Setting' exists +type: control description: Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_5_1_2.yaml b/compliance/controls/azure/azure_cis_v200_5_1_2.yaml index 176e4af06..50965bf77 100644 --- a/compliance/controls/azure/azure_cis_v200_5_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_2.yaml 
@@ -1,57 +1,58 @@ id: azure_cis_v200_5_1_2 title: 5.1.2 Ensure Diagnostic Setting captures appropriate categories +type: control description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_diagnostic_setting - definition: | - WITH enabled_settings AS ( - SELECT - name, - id, - _ctx, - resource_group, - subscription_id, - COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')) AS valid_category_count, - STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')) AS valid_categories, - platform_integration_id, - platform_resource_id - FROM - azure_diagnostic_setting, - jsonb_array_elements(logs) AS l - GROUP BY - name, - id, - _ctx, - resource_group, - subscription_id, - platform_integration_id, - platform_resource_id - ) - SELECT - sett.id AS resource, - sett.platform_integration_id AS platform_integration_id, - sett.platform_resource_id AS platform_resource_id, - CASE - WHEN valid_category_count = 4 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN valid_category_count = 4 - THEN name || ' logs enabled for required categories administrative, security, alert and policy.' - WHEN valid_category_count > 0 - THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' - ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' 
- END AS reason - FROM - enabled_settings sett, - azure_subscription sub - WHERE - sub.subscription_id = sett.subscription_id; + language: sql + primary_resource: azure_diagnostic_setting + definition: | + WITH enabled_settings AS ( + SELECT + name, + id, + _ctx, + resource_group, + subscription_id, + COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')) AS valid_category_count, + STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')) AS valid_categories, + platform_integration_id, + platform_resource_id + FROM + azure_diagnostic_setting, + jsonb_array_elements(logs) AS l + GROUP BY + name, + id, + _ctx, + resource_group, + subscription_id, + platform_integration_id, + platform_resource_id + ) + SELECT + sett.id AS resource, + sett.platform_integration_id AS platform_integration_id, + sett.platform_resource_id AS platform_resource_id, + CASE + WHEN valid_category_count = 4 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN valid_category_count = 4 + THEN name || ' logs enabled for required categories administrative, security, alert and policy.' + WHEN valid_category_count > 0 + THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' + ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' + END AS reason + FROM + enabled_settings sett, + azure_subscription sub + WHERE + sub.subscription_id = sett.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_1_3.yaml b/compliance/controls/azure/azure_cis_v200_5_1_3.yaml index f0bf2013e..0b3da545a 100644 --- a/compliance/controls/azure/azure_cis_v200_5_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_3.yaml 
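Review bot: The `enabled_settings` CTE joins `azure_diagnostic_setting` with `jsonb_array_elements(logs)` in the FROM list, which is an inner lateral join, so a diagnostic setting whose `logs` is NULL or an empty array produces no row at all and never reaches the 'alarm' branch; it silently disappears from the results instead of failing. Replacing the comma join with `LEFT JOIN LATERAL jsonb_array_elements(logs) AS l ON true` keeps such settings with `valid_category_count = 0`, and the FILTER clauses already cope with `l` being NULL. Separately, the first reason branch uses the unqualified `name` while the other two use `sett.name`; with `azure_subscription sub` also in the FROM list, `sett.name` should be used consistently.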
@@ -1,31 +1,32 @@ id: azure_cis_v200_5_1_3 title: 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible +type: control description: The storage account container containing the activity log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-activity-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-activity-logs storing activity logs not publicly accessible.' - END AS reason - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name = 'insights-activity-logs' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-activity-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-activity-logs storing activity logs not publicly accessible.' + END AS reason + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name = 'insights-activity-logs' + AND sub.subscription_id = sc.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_1_5.yaml b/compliance/controls/azure/azure_cis_v200_5_1_5.yaml index a11ef08a2..96dd0b9a0 100644 
--- a/compliance/controls/azure/azure_cis_v200_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v200_5_1_5.yaml
@@ -1,46 +1,47 @@ id: azure_cis_v200_5_1_5 title: 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' +type: control description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH logging_details AS ( - SELECT - name AS key_vault_name - FROM - azure_key_vault, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND setting -> 'properties' ->> 'storageAccountId' <> '' - AND (log ->> 'enabled')::BOOLEAN - AND log ->> 'category' = 'AuditEvent' - AND (log -> 'retentionPolicy')::JSONB ? 'days' - ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason - FROM - azure_key_vault v, - logging_details l, - azure_subscription sub - WHERE - sub.subscription_id = v.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + WITH logging_details AS ( + SELECT + name AS key_vault_name + FROM + azure_key_vault, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND setting -> 'properties' ->> 'storageAccountId' <> '' + AND (log ->> 'enabled')::BOOLEAN + AND log ->> 'category' = 'AuditEvent' + AND (log -> 'retentionPolicy')::JSONB ? 
'days' + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason + FROM + azure_key_vault v, + logging_details l, + azure_subscription sub + WHERE + sub.subscription_id = v.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_1_6.yaml b/compliance/controls/azure/azure_cis_v200_5_1_6.yaml index 1c68c517b..9a869d304 100644 --- a/compliance/controls/azure/azure_cis_v200_5_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_6.yaml 
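Review bot: `FROM azure_key_vault v, logging_details l, azure_subscription sub` cross-joins every vault with every `logging_details` row, so the result has one row per (vault, logging vault) pair: a correctly logged vault also receives 'alarm' rows from every other vault's name failing `l.key_vault_name NOT LIKE CONCAT('%', v.name, '%')`, and when no vault has AuditEvent logging the CTE is empty and the query returns no rows at all, so the failing case produces no findings. The fix is to carry the vault's `id` through the CTE, LEFT JOIN on that key, and test the NULL side instead of the LIKE; the rewritten CTE select list, CASE branches and FROM are below. The `v.diagnostic_settings IS NULL` branch is subsumed, since such vaults can never match the CTE and its reason text is identical to the other alarm branch.
```sql
WITH logging_details AS (
  SELECT DISTINCT
    id AS key_vault_id
  -- … unchanged: FROM azure_key_vault with the jsonb_array_elements joins and WHERE filters …
)
SELECT
  v.id AS resource,
  -- … unchanged: platform_integration_id, platform_resource_id …
  CASE
    WHEN l.key_vault_id IS NULL THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN l.key_vault_id IS NULL THEN v.name || ' logging not enabled.'
    ELSE v.name || ' logging enabled.'
  END AS reason
FROM
  azure_key_vault v
  LEFT JOIN logging_details l ON l.key_vault_id = v.id,
  azure_subscription sub
WHERE
  sub.subscription_id = v.subscription_id;
```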
@@ -1,23 +1,24 @@ id: azure_cis_v200_5_1_6 title: 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics +type: control description: Ensure that network flow logs are captured and fed into a central log analytics workspace. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_5_1_7.yaml b/compliance/controls/azure/azure_cis_v200_5_1_7.yaml index 64d8acba9..5df29d248 100644 --- a/compliance/controls/azure/azure_cis_v200_5_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_5_1_7 title: 5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled +type: control description: Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_5_2_1.yaml b/compliance/controls/azure/azure_cis_v200_5_2_1.yaml index b07d43b36..0ca1f83db 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_1.yaml 
@@ -1,54 +1,55 @@ id: azure_cis_v200_5_2_1 title: 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_alert - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - alert.platform_integration_id AS platform_integration_id, - alert.platform_resource_id AS platform_resource_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - a.subscription_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - a.subscription_id, - sub.subscription_id, - sub._ctx, - sub.display_name, - a.platform_integration_id, - a.platform_resource_id; + language: sql + primary_resource: azure_log_alert + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + alert.platform_integration_id AS platform_integration_id, + alert.platform_resource_id AS platform_resource_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + a.subscription_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + a.subscription_id, + sub.subscription_id, + sub._ctx, + sub.display_name, + a.platform_integration_id, + a.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_10.yaml b/compliance/controls/azure/azure_cis_v200_5_2_10.yaml index 49a66ac79..4388d03a6 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_10.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_10.yaml 
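Review bot: `a.subscription_id AS resource`, `a.platform_integration_id` and `a.platform_resource_id` come from the NULL side of the LEFT JOIN, so every subscription that lands in the 'alarm' branch is reported with a NULL resource and NULL platform ids, which are exactly the rows this control exists to surface. The sibling hunks for azure_cis_v200_5_2_2 and 5_2_10 already select `sub.subscription_id AS resource`, `sub.platform_integration_id AS platform_integration_id`, `sub.platform_resource_id AS platform_resource_id` and group by the `sub.` columns only; this hunk should match them. A second problem shared by all three hunks is the `LIMIT 1` at the end of the `alert_rule` CTE: it keeps one matching alert across every subscription in the integration, so with several subscriptions at most one can ever score 'ok' regardless of its alerts; because the outer query only tests `COUNT(a.subscription_id) > 0`, dropping `LIMIT 1` (or reducing the CTE to `SELECT DISTINCT alert.subscription_id`) is sufficient.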
@@ -1,57 +1,58 @@ id: azure_cis_v200_5_2_10 title: 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule +type: control description: Create an activity log alert for the Delete Public IP Address rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_2.yaml b/compliance/controls/azure/azure_cis_v200_5_2_2.yaml index bfa2625a4..3c55739d3 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_2.yaml 
@@ -1,51 +1,52 @@ id: azure_cis_v200_5_2_2 title: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_3.yaml b/compliance/controls/azure/azure_cis_v200_5_2_3.yaml index 8143e0d37..0d196a05f 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_3.yaml 
@@ -1,63 +1,64 @@ id: azure_cis_v200_5_2_3 title: 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the Create or Update Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' 
@> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 - THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN - alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 + THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN + alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_4.yaml b/compliance/controls/azure/azure_cis_v200_5_2_4.yaml index 4bd76aaed..6be4ce25a 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_4.yaml 
@@ -1,62 +1,63 @@ id: azure_cis_v200_5_2_4 title: 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_5.yaml b/compliance/controls/azure/azure_cis_v200_5_2_5.yaml index 786728496..81854573d 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_5.yaml 
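Review bot: The `alert_rule` CTE in this hunk selects an extra unaliased column, `jsonb_array_length(alert.condition -> 'allOf')`, that nothing downstream reads; the sibling controls 5.2.3 and 5.2.5 select the same five columns without it. Drop that line so the CTE matches its siblings and the column list stays self-explanatory; the length check that needs the expression already lives in the WHERE clause. The trailing `LIMIT 1` in the same CTE is shared with the other 5.2.x controls and caps the match at one subscription when several are scanned together, which is worth checking against how integrations are scoped.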
@@ -1,61 +1,62 @@ id: azure_cis_v200_5_2_5 title: 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exist for create or update Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exist for create or update Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_6.yaml b/compliance/controls/azure/azure_cis_v200_5_2_6.yaml index 07a0634f1..294a8e0db 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_6.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v200_5_2_6 title: 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' - ELSE 'Activity log alert does not exist for delete Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exist for delete Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_7.yaml b/compliance/controls/azure/azure_cis_v200_5_2_7.yaml index d4ee70b2b..88d256c12 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_7.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v200_5_2_7 title: 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS + ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND - ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exists for Create or Update SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exists for Create or Update SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_8.yaml b/compliance/controls/azure/azure_cis_v200_5_2_8.yaml index d42233539..f10690651 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_8.yaml 
@@ -1,57 +1,58 @@ id: azure_cis_v200_5_2_8 title: 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the 'Delete SQL Server Firewall Rule.' integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_2_9.yaml b/compliance/controls/azure/azure_cis_v200_5_2_9.yaml index 67a22e8b3..09b282f5d 100644 --- a/compliance/controls/azure/azure_cis_v200_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_9.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v200_5_2_9 title: 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule +type: control description: Create an activity log alert for the Create or Update Public IP Addresses rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' - ) - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' + ) + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' - ELSE 'Activity Log Alert does not exists for Create or Update Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.display_name, - sub.platform_integration_id, - sub.platform_resource_id; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' + ELSE 'Activity Log Alert does not exists for Create or Update Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.display_name, + sub.platform_integration_id, + sub.platform_resource_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_3_1.yaml b/compliance/controls/azure/azure_cis_v200_5_3_1.yaml index aaf18ba73..9a7bafbe1 100644 --- a/compliance/controls/azure/azure_cis_v200_5_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_3_1.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v200_5_3_1 title: 5.3.1 Ensure Application Insights are Configured +type: control description: Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH application_insights AS ( - SELECT - subscription_id, - COUNT(*) AS no_application_insight - FROM - azure_application_insight - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' - ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' 
- END AS reason - FROM - azure_subscription AS sub - LEFT JOIN application_insights AS i ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH application_insights AS ( + SELECT + subscription_id, + COUNT(*) AS no_application_insight + FROM + azure_application_insight + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' + ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN application_insights AS i ON i.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_5_4.yaml b/compliance/controls/azure/azure_cis_v200_5_4.yaml index 7990314fe..ff3878dc5 100644 --- a/compliance/controls/azure/azure_cis_v200_5_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_4.yaml 
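Review bot: This control reports `sub.id AS resource` while the neighbouring 5.2.x controls in the same commit report `sub.subscription_id AS resource` for the same `azure_subscription` primary resource; if the platform keys findings by the `resource` column, one subscription will show up under two different identifiers across the benchmark. Aligning on `sub.subscription_id AS resource` (or the reverse, consistently) avoids that; which key the platform expects is not visible here, so confirm before changing. The CTE alias `no_application_insight` reads as a negation although it holds `COUNT(*)`; `application_insight_count` would say what it is.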
@@ -1,23 +1,24 @@ id: azure_cis_v200_5_4 title: 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it +type: control description: Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_6_1.yaml b/compliance/controls/azure/azure_cis_v200_6_1.yaml index f43ca678b..0c842497b 100644 --- a/compliance/controls/azure/azure_cis_v200_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_1.yaml 
@@ -1,51 +1,52 @@ id: azure_cis_v200_6_1 title: 6.1 Ensure that RDP access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group AS nsg, - jsonb_array_elements(security_rules) AS sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) AS dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) :: INTEGER <= 3389 - AND split_part(dport, '-', 2) :: INTEGER >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group AS nsg, + jsonb_array_elements(security_rules) AS sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) AS dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) AS sip + WHERE + sg -> 'properties' ->> 
'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: INTEGER <= 3389 + AND split_part(dport, '-', 2) :: INTEGER >= 3389 + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' - ELSE sg.title || ' allows RDP access from internet.' - END AS reason - FROM - azure_network_security_group AS sg - LEFT JOIN network_sg AS nsg ON nsg.sg_name = sg.name - JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason + FROM + azure_network_security_group AS sg + LEFT JOIN network_sg AS nsg ON nsg.sg_name = sg.name + JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_6_2.yaml b/compliance/controls/azure/azure_cis_v200_6_2.yaml index 26f501a4b..39ae62894 100644 --- a/compliance/controls/azure/azure_cis_v200_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_2.yaml 
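Review bot: The network_sg CTE in the new definition (`SELECT DISTINCT name AS sg_name` near the top of the hunk) keys on the NSG name alone and the final `LEFT JOIN network_sg AS nsg ON nsg.sg_name = sg.name` joins on it, but NSG names are only unique within a resource group, so an unrelated NSG with the same name in another subscription or resource group that allows RDP would mark this one 'alarm' as well. Keying on the resource id avoids the collision: `SELECT DISTINCT id AS sg_id` in the CTE and `LEFT JOIN network_sg AS nsg ON nsg.sg_id = sg.id` at the bottom. The same name-only join appears in the 6.2, 6.3 and 6.4 hunks below. Separately, the `sip IN (...)` list carries `'/0'` twice, and the trailing `JOIN azure_subscription AS sub` selects nothing from sub, so it presumably only serves to drop NSGs whose subscription is not collected — worth a comment if that is intended.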
@@ -1,51 +1,52 @@ id: azure_cis_v200_6_2 title: 6.2 Ensure that SSH access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND SPLIT_PART(dport, '-', 1)::integer <= 22 - AND SPLIT_PART(dport, '-', 2)::integer >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 
'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND SPLIT_PART(dport, '-', 1)::integer <= 22 + AND SPLIT_PART(dport, '-', 2)::integer >= 22 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_6_3.yaml b/compliance/controls/azure/azure_cis_v200_6_3.yaml index 05c800c44..0d7ea50dd 100644 --- a/compliance/controls/azure/azure_cis_v200_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_3.yaml 
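Review bot: The new definition omits `AS` on every alias (`DISTINCT name sg_name`, `azure_network_security_group nsg`, `sg.id resource`) while the sibling 6.1 hunk above writes `AS` throughout, and the two queries are otherwise line-for-line parallel. Since the commit already rewrites the indentation of this block, aligning the alias style would be cheap: `DISTINCT name AS sg_name`, `azure_network_security_group AS nsg`, `sg.id AS resource`.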
@@ -1,56 +1,57 @@ id: azure_cis_v200_6_3 title: 6.3 Ensure that UDP access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - 
dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - ) - ) + 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_6_4.yaml b/compliance/controls/azure/azure_cis_v200_6_4.yaml index 7bd96c89c..b7921443e 100644 --- a/compliance/controls/azure/azure_cis_v200_6_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_4.yaml 
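Review bot: The port predicate in the new network_sg CTE (`dport = '*' OR (dport LIKE '%-%' AND ...)`) only matches a wildcard or a hyphenated range, so a rule whose destinationPortRange is a single port such as `53` or `161` is never flagged even though those are exactly the services the BETWEEN list enumerates. Extending the first alternative covers it: `dport IN ('*', '53', '123', '161', '389', '1900')`. The protocol filter `sg -> 'properties' ->> 'protocol' = 'UDP'` is also case-sensitive, whereas the 6.1 and 6.2 hunks use `ILIKE 'TCP'`; if the collected value is mixed case (e.g. `Udp`), this control would never alarm, so `ILIKE 'UDP'` would be the safer comparison.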
@@ -1,61 +1,62 @@ id: azure_cis_v200_6_4 title: 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT DISTINCT - name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - AND sip IN - ( - '*', - '0.0.0.0', - '0.0.0.0/0', - 'Internet', - 'any', - '/0', - '/0' - ) - AND - ( - dport IN ('80', '*') - OR - ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 80 - AND split_part(dport, '-', 2)::integer >= 80 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT DISTINCT + name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg 
-> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + AND sip IN + ( + '*', + '0.0.0.0', + '0.0.0.0/0', + 'Internet', + 'any', + '/0', + '/0' ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' - ELSE sg.title || ' allows HTTPS access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + AND + ( + dport IN ('80', '*') + OR + ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 80 + AND split_part(dport, '-', 2)::integer >= 80 + ) + ) + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' + ELSE sg.title || ' allows HTTPS access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_6_7.yaml b/compliance/controls/azure/azure_cis_v200_6_7.yaml index 0e002bb19..4dafe4510 100644 --- a/compliance/controls/azure/azure_cis_v200_6_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_7.yaml 
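Review bot: The new definition checks only port 80 (`dport IN ('80', '*')` and the 80-in-range branch) while the control title says HTTP(S) and the reason strings at the bottom of the hunk report HTTPS access, so a rule opening 443 to the Internet yields 'restricts HTTPS access from internet.' It also requires `protocol ILIKE 'TCP'` with no `OR protocol = '*'` alternative, unlike the 6.1 and 6.2 hunks, so an any-protocol rule on these ports is missed. Extending the predicate to both ports and the wildcard protocol, as below, makes the status match the messages; alternatively the reason text should be narrowed to HTTP.
```sql
AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*')
-- … unchanged: sip IN (...) source-prefix list …
AND
(
  dport IN ('80', '443', '*')
  OR
  (
    dport LIKE '%-%'
    AND (
      80 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer
      OR 443 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer
    )
  )
)
```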
@@ -1,23 +1,24 @@ id: azure_cis_v200_6_7 title: 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis +type: control description: Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_7_1.yaml b/compliance/controls/azure/azure_cis_v200_7_1.yaml index 88954989b..0592803b4 100644 --- a/compliance/controls/azure/azure_cis_v200_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_1.yaml 
@@ -1,43 +1,44 @@ id: azure_cis_v200_7_1 title: 7.1 Ensure an Azure Bastion Host Exists +type: control description: The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH bastion_hosts AS ( - SELECT - subscription_id, - _ctx, - region, - resource_group, - COUNT(*) AS no_bastion_host - FROM - azure_bastion_host - GROUP BY - subscription_id, - _ctx, - resource_group, - region - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' - ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' - END AS reason - FROM - azure_subscription AS sub - LEFT JOIN bastion_hosts AS i - ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH bastion_hosts AS ( + SELECT + subscription_id, + _ctx, + region, + resource_group, + COUNT(*) AS no_bastion_host + FROM + azure_bastion_host + GROUP BY + subscription_id, + _ctx, + resource_group, + region + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' 
+ ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN bastion_hosts AS i + ON i.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_7_2.yaml b/compliance/controls/azure/azure_cis_v200_7_2.yaml index 408378adb..ae8e77d72 100644 --- a/compliance/controls/azure/azure_cis_v200_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_2.yaml 
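Review bot: The bastion_hosts CTE groups by `subscription_id, _ctx, resource_group, region`, so it yields one row per resource group and region, and the `LEFT JOIN bastion_hosts AS i ON i.subscription_id = sub.subscription_id` then emits the subscription once per such group with `no_bastion_host` counting only that group — the sibling application_insights CTE in the earlier hunk groups by subscription_id alone and has neither problem. Unless the evaluator deduplicates on resource, this produces duplicate findings for a subscription with bastions in more than one region or resource group. Grouping by the join key only fixes it: `SELECT subscription_id, COUNT(*) AS no_bastion_host FROM azure_bastion_host GROUP BY subscription_id`.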
@@ -1,29 +1,30 @@ id: azure_cis_v200_7_2 title: 7.2 Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' + END AS reason + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_7_3.yaml b/compliance/controls/azure/azure_cis_v200_7_3.yaml index 702ad93c2..40227e7e8 100644 --- a/compliance/controls/azure/azure_cis_v200_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_3.yaml 
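Review bot: The new definition uses a comma join (`FROM azure_compute_virtual_machine AS vm, azure_subscription AS sub WHERE sub.subscription_id = vm.subscription_id`) where the filter doubles as the join condition and nothing from sub is selected; an explicit `INNER JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id` states the intent and matches the join style of the 7.1 hunk. `managed_disk_id` is also unqualified in both CASE expressions, so it breaks if azure_subscription ever gains a column of that name — `vm.managed_disk_id` is safer. If that column describes only the OS disk, data disks backed by blob VHDs would not be evaluated; worth a comment on the definition either way.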
@@ -1,30 +1,31 @@ id: azure_cis_v200_7_3 title: 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) +type: control description: Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_7_4.yaml b/compliance/controls/azure/azure_cis_v200_7_4.yaml index 7b34506b4..3344dfbbb 100644 --- a/compliance/controls/azure/azure_cis_v200_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_4.yaml 
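Review bot: Both CASE expressions in the new definition treat only `encryption_type = 'EncryptionAtRestWithCustomerKey'` as compliant, so a disk using double encryption (`EncryptionAtRestWithPlatformAndCustomerKeys`), which also involves a customer-managed key, is reported as 'not encrypted with CMK.' Using `encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys')` in both the status and reason branches would cover it; the 7.4 hunk below has the identical comparison. The description also says ADE counts as CMK, but the query only inspects the server-side encryption_type, so ADE-encrypted disks presumably still alarm — that gap deserves a comment on the definition if it is accepted.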
@@ -1,30 +1,31 @@ id: azure_cis_v200_7_4 title: 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_7_5.yaml b/compliance/controls/azure/azure_cis_v200_7_5.yaml index 3c50f3158..7b1db41a0 100644 --- a/compliance/controls/azure/azure_cis_v200_7_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_5.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_7_5 title: 7.5 Ensure that Only Approved Extensions Are Installed +type: control description: For added security, only install organization-approved extensions on VMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_7_6.yaml b/compliance/controls/azure/azure_cis_v200_7_6.yaml index 22e2ab9ff..614f70666 100644 --- a/compliance/controls/azure/azure_cis_v200_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_6.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_7_6 title: 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed +type: control description: Install endpoint protection for all virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_7_7.yaml b/compliance/controls/azure/azure_cis_v200_7_7.yaml index 0235eaaad..ecbd9d144 100644 --- a/compliance/controls/azure/azure_cis_v200_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_7_7 title: 7.7 Ensure that VHDs are Encrypted +type: control description: VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_8_1.yaml b/compliance/controls/azure/azure_cis_v200_8_1.yaml index 9600ef616..4d99f1f57 100644 --- a/compliance/controls/azure/azure_cis_v200_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_1.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v200_8_1 title: 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults +type: control description: Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_8_2.yaml b/compliance/controls/azure/azure_cis_v200_8_2.yaml index 5997c7f95..56836e8f9 100644 --- a/compliance/controls/azure/azure_cis_v200_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_2.yaml 
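Review bot: The new definition mixes an ANSI `LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name` with a trailing comma join `, azure_subscription sub WHERE sub.subscription_id = kvk.subscription_id` in the same FROM clause, which reads as a filter rather than a join and is easy to drop by accident; `INNER JOIN azure_subscription AS sub ON sub.subscription_id = kvk.subscription_id` keeps one style. The same mixed FROM appears in the 8.2 hunk below, which additionally spells `TO_CHAR` in upper case where this hunk writes `to_char`. If `enabled` can be NULL, `WHEN enabled AND expires_at IS NULL` is never true and the key falls through to 'ok' with a NULL reason — `COALESCE(enabled, TRUE)` or a dedicated branch would make that case visible.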
@@ -1,42 +1,43 @@ id: azure_cis_v200_8_2 title: 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults +type: control description: Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_8_3.yaml b/compliance/controls/azure/azure_cis_v200_8_3.yaml index f56b35414..7216011d7 100644 --- a/compliance/controls/azure/azure_cis_v200_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_3.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v200_8_3 title: 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults +type: control description: Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_8_4.yaml b/compliance/controls/azure/azure_cis_v200_8_4.yaml index 65aae1594..f9e483e6e 100644 --- a/compliance/controls/azure/azure_cis_v200_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_4.yaml 
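Review bot: The reason string in 8.3 labels the resource as a key — `vault_name || ' key ' || kvs.name ||` — although the query reads `azure_key_vault_secret`; change it to `vault_name || ' secret ' || kvs.name ||` so findings are not misread as key-expiry issues when triaged next to 8.1. The rest of the logic mirrors 8.1 (`'skip'` for secrets outside an RBAC vault, `'alarm'` for an enabled secret with `expires_at IS NULL`), so only the wording needs to change.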
@@ -1,42 +1,43 @@ id: azure_cis_v200_8_4 title: 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults +type: control description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' 
+ ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_8_5.yaml b/compliance/controls/azure/azure_cis_v200_8_5.yaml index 6ee5cefe6..6d045ede3 100644 --- a/compliance/controls/azure/azure_cis_v200_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_5.yaml 
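Review bot: The reason string in 8.4 reports a secret as a key — `vault_name || ' key ' || kvs.name ||` — while the query selects from `azure_key_vault_secret`; use `vault_name || ' secret ' || kvs.name ||` so the finding names the right object type. Nothing else in the hunk differs from 8.2 apart from the table and the CTE name.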
@@ -1,31 +1,32 @@ id: azure_cis_v200_8_5 title: 8.5 Ensure the Key Vault is Recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' 
+ ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_8_6.yaml b/compliance/controls/azure/azure_cis_v200_8_6.yaml index ce24647ad..d3ebc749a 100644 --- a/compliance/controls/azure/azure_cis_v200_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_6.yaml @@ -1,29 +1,30 @@ id: azure_cis_v200_8_6 title: 8.6 Enable Role Based Access Control for Azure Key Vault +type: control description: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards, it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_rbac_authorization THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' - ELSE name || ' have RBAC disabled.' - END AS reason - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_rbac_authorization THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' + ELSE name || ' have RBAC disabled.' + END AS reason + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} 
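Review bot: The status and reason CASEs in 8.5 disagree when one flag is NULL: `soft_delete_enabled AND purge_protection_enabled` becomes NULL and correctly yields `'alarm'`, but in the reason CASE `NOT purge_protection_enabled` is NULL too, every `WHEN` is skipped, and the row is described as `' "soft delete" and "do not purge" enabled.'` — an alarm whose reason claims compliance. Whether the column can be NULL depends on the collector (purge protection is presumably absent rather than false on vaults where it was never set — verify), but the fix is cheap and harmless either way: use `IS TRUE` / `IS NOT TRUE` in both CASEs, e.g. `WHEN soft_delete_enabled IS TRUE AND purge_protection_enabled IS TRUE THEN 'ok'` and `WHEN purge_protection_enabled IS NOT TRUE THEN name || ' "do not purge" not enabled.'`.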
diff --git a/compliance/controls/azure/azure_cis_v200_8_8.yaml b/compliance/controls/azure/azure_cis_v200_8_8.yaml index cbba272cb..6a869641f 100644 --- a/compliance/controls/azure/azure_cis_v200_8_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_8_8.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_8_8 title: 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services +type: control description: Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increase. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_9_1.yaml b/compliance/controls/azure/azure_cis_v200_9_1.yaml index 0111ef59a..d84af2b12 100644 --- a/compliance/controls/azure/azure_cis_v200_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_9_1 title: 9.1 Ensure App Service Authentication is set up for apps in Azure App Service +type: control description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN THEN name || ' authentication not set.' + ELSE name || ' authentication set.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
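Review bot: A web app whose `auth_settings` is NULL, or whose `properties` lacks `enabled`, is reported as `' authentication set.'`: `NOT (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN` is NULL in that case, the `WHEN` is skipped and `ELSE 'ok'` wins, so precisely the apps with no authentication configured pass the control. Invert the test so that NULL fails: `WHEN (auth_settings -> 'properties' ->> 'enabled')::BOOLEAN IS TRUE THEN 'ok' ELSE 'alarm'`, and mirror it in the reason CASE. The `properties.enabled` key is presumably the v1 Easy Auth setting; if the collector also surfaces the v2 auth settings, an app configured only through v2 would still alarm here — worth checking against a sample row before relying on this control.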
diff --git a/compliance/controls/azure/azure_cis_v200_9_11.yaml b/compliance/controls/azure/azure_cis_v200_9_11.yaml index 583b8ac54..0c3954112 100644 --- a/compliance/controls/azure/azure_cis_v200_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_11.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_9_11 title: 9.11 Ensure Azure Key Vaults are Used to Store Secrets +type: control description: Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_9_2.yaml b/compliance/controls/azure/azure_cis_v200_9_2.yaml index 7af8ba696..500c920be 100644 --- a/compliance/controls/azure/azure_cis_v200_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_9_2 title: 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service +type: control description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE name || ' redirects all HTTP traffic to HTTPS.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' + ELSE name || ' redirects all HTTP traffic to HTTPS.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_9_3.yaml b/compliance/controls/azure/azure_cis_v200_9_3.yaml index 2c23e731c..1ce03dcf8 100644 --- a/compliance/controls/azure/azure_cis_v200_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_3.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_9_3 title: 9.3 Ensure Web App is using the latest version of TLS encryption +type: control description: The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
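Review bot: `configuration -> 'properties' ->> 'minTlsVersion' < '1.2'` silently passes an app whose `minTlsVersion` key is absent: the comparison is NULL, the alarm `WHEN` is skipped and the row is `'ok'`, so the control is only trustworthy if the collector always populates that key. Either alarm on a missing value, `WHEN COALESCE(configuration -> 'properties' ->> 'minTlsVersion', '0') < '1.2' THEN 'alarm'`, or, if the platform default is deliberately being relied on, substitute `'1.2'` in the `COALESCE` and say so in a comment. The comparison is also plain text ordering, which works for the one-digit minor versions in use today but would mis-order a two-digit one — a one-line comment noting that assumption is worthwhile. Finally, the reason text `' using the latest version of TLS encryption.'` overstates a check that only requires 1.2.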
diff --git a/compliance/controls/azure/azure_cis_v200_9_4.yaml b/compliance/controls/azure/azure_cis_v200_9_4.yaml index 51746cac4..3c3eae6a6 100644 --- a/compliance/controls/azure/azure_cis_v200_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_4.yaml @@ -1,29 +1,30 @@ id: azure_cis_v200_9_4 title: 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' +type: control description: Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT client_cert_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' - ELSE name || ' incoming client certificates set to on.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT client_cert_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT client_cert_enabled THEN name || ' incoming client certificates set to off.' + ELSE name || ' incoming client certificates set to on.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
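Review bot: `NOT client_cert_enabled` follows the same NULL-passes pattern as the other App Service checks: if the column is unset the `WHEN` is NULL and the app is reported as `' incoming client certificates set to on.'`; `WHEN client_cert_enabled IS NOT TRUE THEN 'alarm'` keeps the alarm. Beyond that, the description promises that only clients presenting a valid certificate can reach the app, but the query checks only the on/off flag; App Service also has a client-certificate mode (required versus optional) that the flag alone does not capture, so if the collector exposes that mode it should be folded into the check, and if not the description should be softened to what is actually verified.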
diff --git a/compliance/controls/azure/azure_cis_v200_9_5.yaml b/compliance/controls/azure/azure_cis_v200_9_5.yaml index 1898823d0..4a4e3c209 100644 --- a/compliance/controls/azure/azure_cis_v200_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_5.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_9_5 title: 9.5 Ensure that Register with Azure Active Directory is enabled on App Service +type: control description: Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN identity = '{}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' - ELSE name || ' register with azure active directory enabled.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN identity = '{}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' + ELSE name || ' register with azure active directory enabled.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v200_9_6.yaml b/compliance/controls/azure/azure_cis_v200_9_6.yaml index 5d66720d2..706b0c4c1 100644 --- a/compliance/controls/azure/azure_cis_v200_9_6.yaml 
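Review bot: The managed-identity check `WHEN identity = '{}' THEN 'alarm'` misses the case that matters most: if `identity` is NULL (presumably what the collector stores when the app has no identity block at all — verify against a row), `NULL = '{}'` is NULL, the `WHEN` is skipped and the app is reported as `' register with azure active directory enabled.'`. Test for absence explicitly in both CASEs, `WHEN identity IS NULL OR identity = '{}' THEN 'alarm'`. If the column is JSON, an identity block of the form `{"type": "None"}` would also slip through; comparing `identity ->> 'type'` with `'None'` closes that, subject to the column's actual type.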
+++ b/compliance/controls/azure/azure_cis_v200_9_6.yaml @@ -1,23 +1,24 @@ id: azure_cis_v200_9_6 title: 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App +type: control description: Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_9_7.yaml b/compliance/controls/azure/azure_cis_v200_9_7.yaml index 0fc515fb4..d37e716f5 100644 --- a/compliance/controls/azure/azure_cis_v200_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_9_7 title: 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_9_8.yaml b/compliance/controls/azure/azure_cis_v200_9_8.yaml index fa41468fd..0a71bb6cf 100644 --- a/compliance/controls/azure/azure_cis_v200_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_8.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v200_9_8 title: 9.8 Ensure that 'Java version' is the latest, if used to run the Web App +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v200_9_9.yaml b/compliance/controls/azure/azure_cis_v200_9_9.yaml index 332d75d9a..1361428e1 100644 --- a/compliance/controls/azure/azure_cis_v200_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_9_9.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v200_9_9 title: 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' - ELSE name || ' HTTP version is latest.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean THEN name || ' HTTP version not latest.' + ELSE name || ' HTTP version is latest.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_10_1.yaml b/compliance/controls/azure/azure_cis_v210_10_1.yaml index 9986c7a09..630f0cede 100644 
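Review bot: `NOT (configuration -> 'properties' ->> 'http20Enabled')::boolean` passes an app whose configuration lacks `http20Enabled` — the `WHEN` is NULL, so `ELSE 'ok'` applies — which is the opposite of what a missing setting should mean in a compliance check; use `WHEN (configuration -> 'properties' ->> 'http20Enabled')::boolean IS NOT TRUE THEN 'alarm'` in both CASEs. The cast is spelled `::boolean` here and `::BOOLEAN` in 9.1; pick one across the suite.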
--- a/compliance/controls/azure/azure_cis_v210_10_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_10_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_10_1 title: 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources +type: control description: Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_10.yaml b/compliance/controls/azure/azure_cis_v210_1_10.yaml index 43aa9ef9d..48cb2ecc5 100644 --- a/compliance/controls/azure/azure_cis_v210_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_10.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_10 title: 1.10 Ensure 'User consent for applications' is set to 'Do not allow user consent' +type: control description: Require administrators to provide consent for applications before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_11.yaml b/compliance/controls/azure/azure_cis_v210_1_11.yaml index 7c8152b58..d168a2617 100644 --- a/compliance/controls/azure/azure_cis_v210_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_11.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_11 title: 1.11 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' +type: control description: Allow users to provide consent for selected permissions when a request is coming from a verified publisher. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_12.yaml b/compliance/controls/azure/azure_cis_v210_1_12.yaml index 888e68c0d..99b32a6ee 100644 --- a/compliance/controls/azure/azure_cis_v210_1_12.yaml 
+++ b/compliance/controls/azure/azure_cis_v210_1_12.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_12 title: 1.12 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' +type: control description: Require administrators to provide consent for the apps before use. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_13.yaml b/compliance/controls/azure/azure_cis_v210_1_13.yaml index 60ced1f59..94cd64e57 100644 --- a/compliance/controls/azure/azure_cis_v210_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_13.yaml 
@@ -1,36 +1,37 @@
 id: azure_cis_v210_1_13
 title: 1.13 Ensure That 'Users Can Register Applications' Is Set to 'No'
+type: control
 description: Require administrators or appropriately delegated users to register third-party applications.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: entraid_authorization_policy
- definition: |
- WITH distinct_tenant AS (
- SELECT DISTINCT
- tenant_id,
- subscription_id,
- _ctx
- FROM
- azure_tenant
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.'
- ELSE a.display_name || ' allows user to register applications.'
- END AS reason,
- t.tenant_id
- FROM
- distinct_tenant AS t,
- entraid_authorization_policy AS a;
+ language: sql
+ primary_resource: entraid_authorization_policy
+ definition: |
+ WITH distinct_tenant AS (
+ SELECT DISTINCT
+ tenant_id,
+ subscription_id,
+ _ctx
+ FROM
+ azure_tenant
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN a.display_name || ' does not allow user to register applications.'
+ ELSE a.display_name || ' allows user to register applications.'
+ END AS reason,
+ t.tenant_id
+ FROM
+ distinct_tenant AS t,
+ entraid_authorization_policy AS a;
 severity: low
 tags: {}
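Review bot: The final `FROM distinct_tenant AS t, entraid_authorization_policy AS a` is a cross join with no join condition, and `distinct_tenant` keeps `subscription_id` and `_ctx` in its `SELECT DISTINCT`, so a tenant with several subscriptions yields several tenant rows and every authorization-policy finding is emitted once per subscription rather than once per tenant; if more than one tenant is present, the reported `t.tenant_id` is not tied to the policy row at all. Either drop the unused `subscription_id`/`_ctx` from the CTE so it collapses to one row per `tenant_id`, or, if `entraid_authorization_policy` exposes a tenant column (not visible in this hunk), join on it: `INNER JOIN entraid_authorization_policy AS a ON a.tenant_id = t.tenant_id`. The same shape appears in azure_cis_v210_1_18, azure_cis_v210_1_25 and azure_cis_v210_1_2_6 later in this diff.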
diff --git a/compliance/controls/azure/azure_cis_v210_1_14.yaml b/compliance/controls/azure/azure_cis_v210_1_14.yaml index 708423021..2e7eedcff 100644 --- a/compliance/controls/azure/azure_cis_v210_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_14.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_14 title: 1.14 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' +type: control description: Limit guest user permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_15.yaml b/compliance/controls/azure/azure_cis_v210_1_15.yaml index 58f38b9a5..190d826d4 100644 --- a/compliance/controls/azure/azure_cis_v210_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_15.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_15 title: 1.15 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' +type: control description: Restrict invitations to users with specific administrative roles only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_16.yaml b/compliance/controls/azure/azure_cis_v210_1_16.yaml index a75248bf4..e191a745f 100644 --- a/compliance/controls/azure/azure_cis_v210_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_16.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_16 title: 1.16 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' +type: control description: Restrict access to the Azure AD administration portal to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_17.yaml b/compliance/controls/azure/azure_cis_v210_1_17.yaml index 7d3591d87..41c1978db 100644 --- a/compliance/controls/azure/azure_cis_v210_1_17.yaml 
+++ b/compliance/controls/azure/azure_cis_v210_1_17.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_17 title: 1.17 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' +type: control description: Restricts group creation to administrators with permissions only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_18.yaml b/compliance/controls/azure/azure_cis_v210_1_18.yaml index fe980feb1..0e0af6b9f 100644 --- a/compliance/controls/azure/azure_cis_v210_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_18.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v210_1_18 title: 1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict security group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' - ELSE a.display_name || ' allows user to create security groups.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' + ELSE a.display_name || ' allows user to create security groups.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_authorization_policy AS a; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_1_19.yaml b/compliance/controls/azure/azure_cis_v210_1_19.yaml index a5fe3bee3..075ac05d6 100644 --- a/compliance/controls/azure/azure_cis_v210_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_19.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_19 title: 1.19 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' +type: control description: Restrict security group management to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_1_1.yaml b/compliance/controls/azure/azure_cis_v210_1_1_1.yaml index 693f60985..610f66c50 100644 --- a/compliance/controls/azure/azure_cis_v210_1_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_1_1.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_1_1 title: 1.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID +type: control description: Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_1_2.yaml b/compliance/controls/azure/azure_cis_v210_1_1_2.yaml index d72ec1340..08c063030 100644 --- a/compliance/controls/azure/azure_cis_v210_1_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_1_2.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_1_2 title: 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users +type: control description: Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_1_3.yaml b/compliance/controls/azure/azure_cis_v210_1_1_3.yaml index 0b5d79911..933af382d 100644 --- a/compliance/controls/azure/azure_cis_v210_1_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_1_3.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_1_3 title: 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users +type: control description: Enable multi-factor authentication for all non-privileged users. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_1_4.yaml b/compliance/controls/azure/azure_cis_v210_1_1_4.yaml index 9d0e9e512..bac543fdc 100644 --- a/compliance/controls/azure/azure_cis_v210_1_1_4.yaml 
+++ b/compliance/controls/azure/azure_cis_v210_1_1_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_1_4 title: 1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled +type: control description: Do not allow users to remember multi-factor authentication on devices. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_20.yaml b/compliance/controls/azure/azure_cis_v210_1_20.yaml index f0de5e8a2..4cad96d43 100644 --- a/compliance/controls/azure/azure_cis_v210_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_20.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_20 title: 1.20 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict Microsoft 365 group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_21.yaml b/compliance/controls/azure/azure_cis_v210_1_21.yaml index 5b21a83f2..c81b1f507 100644 
--- a/compliance/controls/azure/azure_cis_v210_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_21.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_21 title: 1.21 Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes' +type: control description: Joining or registering devices to the active directory should require Multi-factor authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_22.yaml b/compliance/controls/azure/azure_cis_v210_1_22.yaml index a04f0b98a..60fc946d7 100644 --- a/compliance/controls/azure/azure_cis_v210_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_22.yaml 
@@ -1,54 +1,55 @@
 id: azure_cis_v210_1_22
 title: 1.22 Ensure That No Custom Subscription Administrator Roles Exist
+type: control
 description: The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_role_definition
- definition: |
- WITH owner_custom_roles AS (
- SELECT
- role_name,
- role_type,
- title,
- action,
- _ctx,
- subscription_id,
- platform_integration_id,
- platform_resource_id
- FROM
- azure_role_definition,
- jsonb_array_elements(permissions) AS s,
- jsonb_array_elements_text(s -> 'actions') AS action
- WHERE
- role_type = 'CustomRole'
- AND action IN ('*', '*:*')
- )
- SELECT
- cr.subscription_id AS resource,
- cr.platform_integration_id AS platform_integration_id,
- cr.platform_resource_id AS platform_resource_id,
- CASE
- WHEN COUNT(*) > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN COUNT(*) = 1 THEN 'There is one custom owner role.'
- WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.'
- ELSE 'There are no custom owner roles.'
- END AS reason
- FROM
- owner_custom_roles cr,
- azure_subscription sub
- WHERE
- sub.subscription_id = cr.subscription_id
- GROUP BY
- cr.subscription_id,
- cr._ctx,
- sub.display_name,
- cr.platform_integration_id,
- cr.platform_resource_id;
+ language: sql
+ primary_resource: azure_role_definition
+ definition: |
+ WITH owner_custom_roles AS (
+ SELECT
+ role_name,
+ role_type,
+ title,
+ action,
+ _ctx,
+ subscription_id,
+ platform_integration_id,
+ platform_resource_id
+ FROM
+ azure_role_definition,
+ jsonb_array_elements(permissions) AS s,
+ jsonb_array_elements_text(s -> 'actions') AS action
+ WHERE
+ role_type = 'CustomRole'
+ AND action IN ('*', '*:*')
+ )
+ SELECT
+ cr.subscription_id AS resource,
+ cr.platform_integration_id AS platform_integration_id,
+ cr.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN COUNT(*) > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN COUNT(*) = 1 THEN 'There is one custom owner role.'
+ WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.'
+ ELSE 'There are no custom owner roles.'
+ END AS reason
+ FROM
+ owner_custom_roles cr,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = cr.subscription_id
+ GROUP BY
+ cr.subscription_id,
+ cr._ctx,
+ sub.display_name,
+ cr.platform_integration_id,
+ cr.platform_resource_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_1_23.yaml b/compliance/controls/azure/azure_cis_v210_1_23.yaml
index f982bd62c..cb83d1cb7 100644
--- a/compliance/controls/azure/azure_cis_v210_1_23.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_23.yaml
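Review bot: The `ELSE 'ok'` and `'There are no custom owner roles.'` branches of the two CASE expressions are unreachable: the outer query reads only from `owner_custom_roles`, so every group has at least one row and `COUNT(*) > 0` always holds, while a subscription with no custom owner role produces no output row at all and therefore never gets an `ok` finding. Grouping by `cr.platform_resource_id` (the role definition's) also means one row per role rather than per subscription, and a role listing both `'*'` and `'*:*'` is counted twice by `COUNT(*)`. Driving the query from `azure_subscription` with a `LEFT JOIN` onto the CTE and counting `cr.role_name` restores the intended per-subscription verdict; if this is adopted, `primary_resource: azure_role_definition` would need to become the subscription table, so confirm which resource the finding is meant to attach to before changing it. `COUNT(DISTINCT cr.role_name)` is an option if role names are unique within a subscription, which I cannot confirm from the hunk.
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(cr.role_name) > 1 THEN 'There are ' || COUNT(cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id;
```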
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_23 title: 1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks +type: control description: Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_24.yaml b/compliance/controls/azure/azure_cis_v210_1_24.yaml index 3995920c8..03fc17daf 100644 --- a/compliance/controls/azure/azure_cis_v210_1_24.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_24.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_24 title: 1.24 Ensure That `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` Is Set To 'Permit No One' +type: control description: Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_25.yaml b/compliance/controls/azure/azure_cis_v210_1_25.yaml index b2b71a9b6..4997175fe 100644 --- a/compliance/controls/azure/azure_cis_v210_1_25.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_25.yaml 
@@ -1,38 +1,39 @@ id: azure_cis_v210_1_25 title: 1.25 Ensure fewer than 5 users have global administrator assignment +type: control description: This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_directory_role - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - title, - subscription_id, - platform_integration_id, - platform_resource_id, - _ctx - FROM - azure_tenant - ) - SELECT - t.tenant_id AS resource, - t.platform_integration_id AS platform_integration_id, - t.platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(member_ids) <= 5 THEN 'ok' - ELSE 'alarm' - END AS status, - t.title || ' has ' || (jsonb_array_length(member_ids)) || ' users with global administrator assignment.' AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_directory_role - WHERE - display_name = 'Global Administrator' + language: sql + primary_resource: entraid_directory_role + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + title, + subscription_id, + platform_integration_id, + platform_resource_id, + _ctx + FROM + azure_tenant + ) + SELECT + t.tenant_id AS resource, + t.platform_integration_id AS platform_integration_id, + t.platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(member_ids) <= 5 THEN 'ok' + ELSE 'alarm' + END AS status, + t.title || ' has ' || (jsonb_array_length(member_ids)) || ' users with global administrator assignment.' 
AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_directory_role + WHERE + display_name = 'Global Administrator' severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_1_2_1.yaml b/compliance/controls/azure/azure_cis_v210_1_2_1.yaml index 6f1079908..d84af1533 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_1.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_2_1 title: 1.2.1 Ensure Trusted Locations Are Defined +type: control description: Microsoft Entra ID Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_2_2.yaml b/compliance/controls/azure/azure_cis_v210_1_2_2.yaml index cd4b9f490..2c3492a79 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_2.yaml 
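Review bot: The threshold in the status CASE disagrees with the control it implements: the title says fewer than 5 and the description caps the role at 4 users, yet `WHEN jsonb_array_length(member_ids) <= 5 THEN 'ok'` passes a tenant with exactly five Global Administrators. Change it to `WHEN jsonb_array_length(member_ids) < 5 THEN 'ok'`; if the minimum of two from the description is meant to be enforced as well, `WHEN jsonb_array_length(member_ids) BETWEEN 2 AND 4 THEN 'ok'` covers both bounds and the reason text should then say which bound was violated. A tenant where no `entraid_directory_role` row has `display_name = 'Global Administrator'` produces no finding at all rather than an explicit result, which may be worth surfacing.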
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_2_2 title: 1.2.2 Ensure that an exclusionary Geographic Access Policy is considered +type: control description: Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_2_3.yaml b/compliance/controls/azure/azure_cis_v210_1_2_3.yaml index 44f77f226..7d72a6059 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_3.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_2_3 title: 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_cis_v210_1_2_4.yaml b/compliance/controls/azure/azure_cis_v210_1_2_4.yaml index e53929dfb..8eb1b682f 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_4.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_2_4 title: 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_2_5.yaml b/compliance/controls/azure/azure_cis_v210_1_2_5.yaml index 8c0a51c2c..086a05612 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_5.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_2_5 title: 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml index 61ca47279..eb822dafd 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml 
@@ -1,36 +1,37 @@ id: azure_cis_v210_1_2_6 title: 1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API +type: control description: This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_conditional_access_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' - ELSE p.display_name || ' MFA disabled.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_conditional_access_policy AS p; + language: sql + primary_resource: entraid_conditional_access_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' + ELSE p.display_name || ' MFA disabled.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_conditional_access_policy AS p; severity: low tags: {} 
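Review bot: The new-side query grades every conditional access policy in the tenant solely on whether `p.built_in_controls @> '["mfa"]'`, so an unrelated policy (a block-legacy-auth policy, say) reports `alarm` and a disabled policy that happens to include MFA reports `ok`; nothing in the definition scopes the check to the Windows Azure Service Management API application or to enabled policies, which is what the title asks for. If `entraid_conditional_access_policy` exposes the policy state and the targeted applications, the WHERE clause should restrict to enabled policies that include that application, and the verdict should be "no such policy requires MFA" rather than one alarm per policy. Separately, `FROM distinct_tenant AS t, entraid_conditional_access_policy AS p` is a cross join with no predicate, and `distinct_tenant` is DISTINCT over `(tenant_id, subscription_id, _ctx)`, so a tenant with several subscriptions repeats every policy row once per subscription; joining on the policy's tenant column (if it has one) or dropping the CTE avoids the duplication.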
diff --git a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml index 4a2c0d06c..7b7f79e80 100644 --- a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml 
@@ -1,40 +1,41 @@ id: azure_cis_v210_1_2_7 title: 1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals +type: control description: This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_conditional_access_policy - definition: | - WITH distinct_tenant AS ( - SELECT - u.id, - tenant_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - role_type = 'BuiltInRole' - AND (role_name LIKE '%Administrator%' OR role_name = 'Owner') - ) - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' - ELSE p.display_name || ' MFA disabled.' 
- END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_conditional_access_policy AS p; + language: sql + primary_resource: entraid_conditional_access_policy + definition: | + WITH distinct_tenant AS ( + SELECT + u.id, + tenant_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + role_type = 'BuiltInRole' + AND (role_name LIKE '%Administrator%' OR role_name = 'Owner') + ) + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' + ELSE p.display_name || ' MFA disabled.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_conditional_access_policy AS p; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_1_4.yaml b/compliance/controls/azure/azure_cis_v210_1_4.yaml index 77cc911b5..d63306699 100644 --- a/compliance/controls/azure/azure_cis_v210_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_4.yaml 
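Review bot: The `distinct_tenant` CTE computes the users holding built-in `%Administrator%`/`Owner` roles, but its result never influences the status: it is cross-joined with the policy table (`FROM distinct_tenant AS t, entraid_conditional_access_policy AS p`, no predicate), so each policy row is emitted once per admin user while the verdict still depends only on `p.built_in_controls @> '["mfa"]'`. Either join the CTE to the policy's targeted users/roles (if the policy table exposes them) or drop it and take the tenant from `p`; as written the cross join inflates the output and suggests admin coverage was checked when it was not. The unqualified `tenant_id`, `role_type` and `role_name` will also fail as ambiguous if more than one of the three joined tables has such a column, so `u.tenant_id`, `d.role_type`, `d.role_name` is safer. This hunk begins on the previous line.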
@@ -1,39 +1,40 @@ id: azure_cis_v210_1_4 title: 1.4 Ensure Guest Users Are Reviewed on a Regular Basis +type: control description: Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.display_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account_enabled THEN 'alarm' - WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' - ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' 
- END AS reason, - t.tenant_id - FROM - entraid_user AS u - LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id - WHERE - u.user_type = 'Guest'; + language: sql + primary_resource: entraid_user + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.display_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account_enabled THEN 'alarm' + WHEN u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT account_enabled THEN 'Guest user ''' || u.display_name || ''' inactive.' + ELSE 'Guest user ''' || u.display_name || ''' was created ' || EXTRACT(DAY FROM CURRENT_TIMESTAMP - u.created_date_time::timestamp) || ' days ago.' + END AS reason, + t.tenant_id + FROM + entraid_user AS u + LEFT JOIN distinct_tenant AS t ON t.tenant_id = u.tenant_id + WHERE + u.user_type = 'Guest'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_1_5.yaml b/compliance/controls/azure/azure_cis_v210_1_5.yaml index aa9df7bbe..b4bc52686 100644 --- a/compliance/controls/azure/azure_cis_v210_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_5.yaml 
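Review bot: `u.display_name AS resource` is neither unique nor stable — two guests with the same display name collapse into one finding and a renamed guest appears as a new resource — so `u.id` (or the UPN, if `entraid_user` exposes it) should be the resource, with the display name kept in the reason. The alarm condition `u.created_date_time::timestamp <= (CURRENT_DATE - INTERVAL '30' DAY)` keys on account age rather than on when the guest was last reviewed or last signed in, so every guest older than a month is a permanent alarm; a last-sign-in timestamp, if the table has one, is the better input. At minimum the alarm branch should say what threshold fired — currently the `ok` and `alarm` branches share the same `was created N days ago` wording, so the operator cannot tell from the reason why the row failed. This hunk begins on the previous line.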
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_5 title: 1.5 Ensure That 'Number of methods required to reset' is set to '2' +type: control description: Ensures that two alternate forms of identification are provided before allowing a password reset. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_6.yaml b/compliance/controls/azure/azure_cis_v210_1_6.yaml index 39d2811a8..558e77bb9 100644 --- a/compliance/controls/azure/azure_cis_v210_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_6.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_6 title: 1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization +type: control description: Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_7.yaml b/compliance/controls/azure/azure_cis_v210_1_7.yaml index 7c0e39699..bea3bea2f 100644 --- a/compliance/controls/azure/azure_cis_v210_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_7.yaml 
@@ -1,18 +1,19 @@ id: azure_cis_v210_1_7 title: 1.7 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' +type: control description: Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_8.yaml b/compliance/controls/azure/azure_cis_v210_1_8.yaml index 296d61a9d..7838ad237 100644 --- a/compliance/controls/azure/azure_cis_v210_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_8.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_8 title: 1.8 Ensure that 'Notify users on password resets?' is set to 'Yes' +type: control description: Ensure that users are notified on their primary and secondary emails on password resets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_1_9.yaml b/compliance/controls/azure/azure_cis_v210_1_9.yaml index c0078bf41..f397af6fb 100644 
--- a/compliance/controls/azure/azure_cis_v210_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_9.yaml @@ -1,18 +1,19 @@ id: azure_cis_v210_1_9 title: 1.9 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' +type: control description: Ensure that all Global Administrators are notified if any other administrator resets their password. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - 'active_directory' AS resource, - 'info' AS status, - 'Manual verification required.' AS reason; + language: sql + primary_resource: "" + definition: | + SELECT + 'active_directory' AS resource, + 'info' AS status, + 'Manual verification required.' AS reason; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_2_1_1.yaml b/compliance/controls/azure/azure_cis_v210_2_1_1.yaml index 976149211..10e1dbf49 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_1.yaml 
@@ -1,32 +1,33 @@ id: azure_cis_v210_2_1_1 title: 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' +type: control description: Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' - ELSE 'Azure Defender off for Servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'VirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.' + ELSE 'Azure Defender off for Servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'VirtualMachines'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_10.yaml b/compliance/controls/azure/azure_cis_v210_2_1_10.yaml index 0bf48affc..a1d3b098f 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_10.yaml 
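Review bot: The `RIGHT JOIN azure_subscription sub` is defeated by `WHERE name = 'VirtualMachines'`: a subscription with no `VirtualMachines` pricing row has NULL `name`, fails the WHERE, and vanishes from the results instead of reporting `alarm`, so exactly the subscriptions that never had Defender for Servers configured produce no finding. Moving the filter into the join — `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'VirtualMachines'` — keeps those rows, and `COALESCE(sub_pricing.id, sub.id) AS resource` (likewise for the platform ids) gives them a non-NULL resource. Qualifying `name` and `pricing_tier` as `sub_pricing.name`/`sub_pricing.pricing_tier` also avoids an ambiguous-column error should `azure_subscription` carry a `name` column. The same join-then-filter pattern is repeated in the Defender for DNS, Resource Manager and Containers controls in this commit.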
+++ b/compliance/controls/azure/azure_cis_v210_2_1_10.yaml @@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_10 title: 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' +type: control description: Microsoft Defender for DNS scans all network traffic exiting from within a subscription. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' - ELSE 'Azure Defender off for DNS.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Dns'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' + ELSE 'Azure Defender off for DNS.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Dns'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_11.yaml b/compliance/controls/azure/azure_cis_v210_2_1_11.yaml index d6245ddbf..7d853f6af 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_11.yaml 
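Review bot: `WHERE name = 'Dns'` cancels the `RIGHT JOIN azure_subscription sub`: subscriptions with no `Dns` pricing record have NULL `name`, fail the filter and drop out of the result set, so the control reports neither `ok` nor `alarm` for them. Put the predicate in the join condition, `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'Dns'`, and fall back to the subscription's identifiers with `COALESCE(sub_pricing.id, sub.id) AS resource` so those subscriptions surface as alarms. Since the title marks this plan `[LEGACY]`, a short comment in the definition noting that a missing `Dns` row may be expected on newer subscriptions would help whoever triages the resulting alarms.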
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_11 title: 2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' +type: control description: Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.' - ELSE 'Azure Defender off for Resource Manager.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Arm'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.' + ELSE 'Azure Defender off for Resource Manager.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Arm'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_12.yaml b/compliance/controls/azure/azure_cis_v210_2_1_12.yaml index 2d1474b4b..ab4960ed7 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_12.yaml 
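Review bot: The `WHERE name = 'Arm'` filter runs after the `RIGHT JOIN azure_subscription sub`, so a subscription without an `Arm` pricing row is removed by the NULL comparison and never gets an `alarm`, which silently hides unconfigured subscriptions. Move the predicate into the join, `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'Arm'`, and use `COALESCE(sub_pricing.id, sub.id) AS resource` so those rows are reported with a usable identifier. Qualifying `name` and `pricing_tier` with `sub_pricing.` also guards against an ambiguous-column error if `azure_subscription` has a `name` column.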
+++ b/compliance/controls/azure/azure_cis_v210_2_1_12.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_2_1_12 title: 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' +type: control description: Ensure that the latest OS patches for all virtual machines are applied. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_2_1_13.yaml b/compliance/controls/azure/azure_cis_v210_2_1_13.yaml index a652f3330..7522349d6 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_13.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_2_1_13 title: 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' +type: control description: The Microsoft Cloud Security Benchmark (or 'MCSB') is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type Disabled, it is not evaluated and may prevent administrators from being informed of valuable security recommendations. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_2_1_14.yaml b/compliance/controls/azure/azure_cis_v210_2_1_14.yaml index 9c4728e08..85c3241c5 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_14.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_14 title: 2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' +type: control description: Enable automatic provisioning of the monitoring agent to collect security data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN - azure_subscription sub - ON - sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' + END AS reason + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN + azure_subscription sub + ON + sc_prov.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_15.yaml b/compliance/controls/azure/azure_cis_v210_2_1_15.yaml index 2fd1c8ae8..bbe928b79 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_15.yaml 
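Review bot: For a subscription with no row in `azure_security_center_auto_provisioning` the RIGHT JOIN does produce a row, but `sc_prov.id`, `sc_prov.platform_integration_id` and `sc_prov.platform_resource_id` are all NULL in it, so the resulting `alarm` carries no resource identifier; `COALESCE(sc_prov.id, sub.id) AS resource` (with the subscription's platform ids as fallbacks) keeps the finding attributable. In that case `auto_provision` is NULL and correctly falls to `alarm`, yet the reason reads `Automatic provisioning of monitoring agent is off.`, describing a setting that was never found; a third branch such as `WHEN sc_prov.id IS NULL THEN 'No auto provisioning setting found for subscription.'` tells the operator which situation they are looking at.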
@@ -1,23 +1,24 @@ id: azure_cis_v210_2_1_15 title: 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' +type: control description: Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_2_1_16.yaml b/compliance/controls/azure/azure_cis_v210_2_1_16.yaml index bd45ce84c..b4e8dd9ae 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_16.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_16 title: 2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' +type: control description: Enable automatic provisioning of the Microsoft Defender for Containers components. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Containers.' - ELSE 'Azure Defender off for Containers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Containers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Containers.' + ELSE 'Azure Defender off for Containers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Containers'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_17.yaml b/compliance/controls/azure/azure_cis_v210_2_1_17.yaml index 9eec41e4d..dc9bb11bb 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_17.yaml 
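Review bot: The status is derived from `pricing_tier = 'Standard'` on the `Containers` plan, which establishes that Defender for Containers is purchased, not that auto provisioning of its components is `On` as the title states; if the auto-provisioning table used by 2.1.14 (or a plan extension column on the pricing table) exposes that setting, the check should read it, otherwise the reason text should say `Defender for Containers plan enabled` rather than implying provisioning was verified. As in the other pricing controls in this commit, `WHERE name = 'Containers'` after the `RIGHT JOIN azure_subscription sub` drops subscriptions that have no `Containers` row instead of alarming on them; `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'Containers'` plus `COALESCE(sub_pricing.id, sub.id) AS resource` fixes that.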
@@ -1,37 +1,38 @@ id: azure_cis_v210_2_1_17 title: 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner' +type: control description: Enable security alert emails to subscription owners. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} 
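Review bot: `LIMIT 1` on the `contact_info` CTE, applied after `GROUP BY subscription_id`, keeps the aggregate for one arbitrary subscription only, so in an integration with several subscriptions every other one joins to NULL `admin_alert_count` and is reported as `alarm` regardless of its real setting; drop the `LIMIT 1` — the GROUP BY already yields one row per subscription. The condition `alerts_to_admins = 'On'` also only shows that admins are notified, not that the role selection is `Owner` as the title and the reason text `"All users with the following roles" set to Owner` assert; if `azure_security_center_contact` exposes the notified-roles list the predicate should check it, otherwise the reason should state what was actually verified.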
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_18.yaml b/compliance/controls/azure/azure_cis_v210_2_1_18.yaml index ca42cacd5..cdef2d3f8 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_18.yaml 
@@ -1,41 +1,42 @@ id: azure_cis_v210_2_1_18 title: 2.1.18 Ensure 'Additional email addresses' is Configured with a Security Contact Email +type: control description: Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - JSONB_AGG(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'ok' - WHEN default_count = 1 AND JSONB_ARRAY_LENGTH(default_email) != 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + JSONB_AGG(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'ok' + WHEN default_count = 1 AND JSONB_ARRAY_LENGTH(default_email) != 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_19.yaml b/compliance/controls/azure/azure_cis_v210_2_1_19.yaml index 62214deac..ffabb4567 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_19.yaml 
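Review bot: `LIMIT 1` after `GROUP BY subscription_id` in `contact_info` keeps the counts for one arbitrary subscription, so every other subscription gets NULL counts from the LEFT JOIN and is reported as `alarm` whether or not a security contact email exists; remove the `LIMIT 1`. The status and reason CASEs also use different predicates — `JSONB_ARRAY_LENGTH(default_email) != 0` versus `default_email IS NOT NULL` — and in PostgreSQL `jsonb_agg` over zero matching rows yields NULL rather than `[]`, so `default_email IS NOT NULL` is the sufficient test and should be used in both places to keep status and reason in step. Finally `non_default_count > 0` returns `ok` for any non-default contact even when its `email` is empty, because the `email != ''` guard is only applied to the default contact; the same guard belongs in the non-default FILTER. This hunk begins on the previous line.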
@@ -1,37 +1,38 @@ id: azure_cis_v210_2_1_19 title: 2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High' +type: control description: Enables emailing security alerts to the subscription owner or other designated security contact. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN notification_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' - ELSE '"Notify about alerts with the following severity" not set to High.' - END AS reason + COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count, + subscription_id FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN notification_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.' + ELSE '"Notify about alerts with the following severity" not set to High.' 
+ END AS reason + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_2.yaml b/compliance/controls/azure/azure_cis_v210_2_1_2.yaml index 9a1e0fea7..e8d03ca9d 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_2.yaml 
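Review bot: The only predicate in this query is `alert_notifications = 'On'`, yet the `'ok'` reason states `"Notify about alerts with the following severity" set to High.`; nothing in the hunk inspects a severity value, so the reason asserts more than the check verifies. If `azure_security_center_contact` exposes the configured minimum severity, the FILTER should test it as well; otherwise reword the reason to what is actually checked, e.g. `'Alert notifications to security contacts enabled.'` / `'Alert notifications to security contacts not enabled.'`.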
@@ -1,31 +1,32 @@ id: azure_cis_v210_2_1_2 title: 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' +type: control description: Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_20.yaml b/compliance/controls/azure/azure_cis_v210_2_1_20.yaml index a09cd42bb..008510950 100644 
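Review bot: The `RIGHT JOIN azure_subscription sub` is neutralised by `WHERE name = 'AppServices'`: a subscription with no pricing row for that plan has NULL on the `sub_pricing` side, the WHERE removes it, and the outer join never yields the `'alarm'` row it appears designed to produce, so unconfigured subscriptions are silently absent from results. The same shape is in the azure_cis_v210_2_1_3, 2_1_4, 2_1_5, 2_1_6, 2_1_7 and 2_1_8 hunks, and with `azure_security_center_setting` in 2_1_20 and 2_1_21. Lead with `azure_subscription`, move the plan name into the `ON` clause, and fall back to the subscription's own identifiers so the row is keyed; `name` and `pricing_tier` should also be qualified since both tables are in scope.
```sql
SELECT
    COALESCE(sub_pricing.id, sub.id) AS resource,
    COALESCE(sub_pricing.platform_integration_id, sub.platform_integration_id) AS platform_integration_id,
    COALESCE(sub_pricing.platform_resource_id, sub.platform_resource_id) AS platform_resource_id,
    -- … unchanged: status and reason CASE expressions on sub_pricing.pricing_tier …
FROM
    azure_subscription sub
LEFT JOIN
    azure_security_center_subscription_pricing sub_pricing
    ON sub_pricing.subscription_id = sub.subscription_id
    AND sub_pricing.name = 'AppServices';
```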
--- a/compliance/controls/azure/azure_cis_v210_2_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_20.yaml @@ -1,32 +1,33 @@ id: azure_cis_v210_2_1_20 title: 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected +type: control description: This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' - ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub - ON - sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'MCAS'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.' + ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub + ON + sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'MCAS'; severity: low tags: {} 
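Review bot: The reason strings are swapped with the azure_cis_v210_2_1_21 hunk: this control filters `name = 'MCAS'` but reports `'Windows Defender ATP (WDATP) integrated with Security Center.'`, while 2_1_21 filters `name = 'WDATP'` and reports the MCAS text. Here the lines should read `WHEN enabled THEN 'Microsoft Defender for Cloud Apps (MCAS) integrated with Security Center.'` and `ELSE 'Microsoft Defender for Cloud Apps (MCAS) not integrated with Security Center.'`, with the WDATP wording moved to 2_1_21. As written, the finding text a reader sees names the wrong integration.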
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_21.yaml b/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
index 6adb99985..96d9bef16 100644
--- a/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
@@ -1,32 +1,33 @@ id: azure_cis_v210_2_1_21 title: 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected +type: control description: This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason - FROM - azure_security_center_setting sc_sett - RIGHT JOIN - azure_subscription sub - ON - sc_sett.subscription_id = sub.subscription_id - WHERE - name = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' + END AS reason + FROM + azure_security_center_setting sc_sett + RIGHT JOIN + azure_subscription sub + ON + sc_sett.subscription_id = sub.subscription_id + WHERE + name = 'WDATP'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_22.yaml b/compliance/controls/azure/azure_cis_v210_2_1_22.yaml index d86679de6..7eb9def6e 100644 
--- a/compliance/controls/azure/azure_cis_v210_2_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_22.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_2_1_22 title: 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled +type: control description: An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_2_1_3.yaml b/compliance/controls/azure/azure_cis_v210_2_1_3.yaml index eae97a549..1592e99f6 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_3.yaml 
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_3 title: 2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' - ELSE 'Azure Defender off for SQL database servers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub - ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.' + ELSE 'Azure Defender off for SQL database servers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub + ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServers'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_4.yaml b/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
index 7ff32d06d..ad0c23410 100644
--- a/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_4 title: 2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' +type: control description: Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' - ELSE 'Azure Defender off for SQL servers on machines.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'SqlServerVirtualMachines'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.' + ELSE 'Azure Defender off for SQL servers on machines.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'SqlServerVirtualMachines'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_5.yaml b/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
index 2edf6ca4b..91a1c8ebf 100644
--- a/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
@@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_5 title: 2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' +type: control description: Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' - ELSE 'Azure Defender off for Open Source Relational Databases.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'OpenSourceRelationalDatabases'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.' + ELSE 'Azure Defender off for Open Source Relational Databases.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'OpenSourceRelationalDatabases'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_6.yaml b/compliance/controls/azure/azure_cis_v210_2_1_6.yaml index 5ec740a5b..17df34d72 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_6.yaml @@ -1,30 +1,31 @@ id: azure_cis_v210_2_1_6 title: 2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' +type: control description: Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' - ELSE 'Azure Defender off for Cosmos DB.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'CosmosDbs'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' + ELSE 'Azure Defender off for Cosmos DB.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'CosmosDbs'; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_7.yaml b/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
index 3007ccbf0..84f97ae4e 100644
--- a/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
@@ -1,29 +1,30 @@ id: azure_cis_v210_2_1_7 title: 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' +type: control description: Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' - ELSE 'Azure Defender off for Storage.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'StorageAccounts'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.' + ELSE 'Azure Defender off for Storage.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'StorageAccounts'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_2_1_8.yaml b/compliance/controls/azure/azure_cis_v210_2_1_8.yaml index 1aa0709d3..b6c7b0d52 100644 --- a/compliance/controls/azure/azure_cis_v210_2_1_8.yaml 
+++ b/compliance/controls/azure/azure_cis_v210_2_1_8.yaml @@ -1,32 +1,33 @@ id: azure_cis_v210_2_1_8 title: 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' +type: control description: Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: {} 
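Review bot: The title is "Ensure That Microsoft Defender for Containers Is Set To 'On'" but the predicate selects `name = 'ContainerRegistry'` and the reason says "Container Registry"; if the Containers plan is exposed under a different pricing name, this control evaluates a different plan than the one the title promises. Confirm the intended plan name against the pricing table and align the reason text with it, e.g. `'Azure Defender on for Containers.'` / `'Azure Defender off for Containers.'` if the predicate is changed.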
diff --git a/compliance/controls/azure/azure_cis_v210_2_2_1.yaml b/compliance/controls/azure/azure_cis_v210_2_2_1.yaml index ee88ed708..60807f823 100644 --- a/compliance/controls/azure/azure_cis_v210_2_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_2_1.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_2_2_1 title: 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' +type: control description: Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_3_1.yaml b/compliance/controls/azure/azure_cis_v210_3_1.yaml index 3aa89d8d3..74ab79b60 100644 --- a/compliance/controls/azure/azure_cis_v210_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_1.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_1 title: 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' +type: control description: Enable data encryption in transit. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enable_https_traffic_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' - ELSE sa.name || ' encryption in transit enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enable_https_traffic_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' + ELSE sa.name || ' encryption in transit enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_10.yaml b/compliance/controls/azure/azure_cis_v210_3_10.yaml index 5815b373f..095354fc9 100644 --- a/compliance/controls/azure/azure_cis_v210_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_10.yaml 
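Review bot: `FROM azure_storage_account sa, azure_subscription sub WHERE sub.subscription_id = sa.subscription_id` is an implicit comma join with the join condition in WHERE; the same form is in the azure_cis_v210_3_10, 3_11 and 3_12 hunks. Write it as `FROM azure_storage_account sa` / `INNER JOIN azure_subscription sub ON sub.subscription_id = sa.subscription_id` so the join is visible and cannot be dropped by accident. Note that either form silently omits a storage account whose subscription row is absent; if that is intended, a short comment saying so would help, and `enable_https_traffic_only` should be qualified as `sa.enable_https_traffic_only` since two tables are in scope.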
@@ -1,39 +1,40 @@ id: azure_cis_v210_3_10 title: 3.10 Ensure Private Endpoints are used to access Storage Accounts +type: control description: Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH storage_account_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_storage_account AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - DISTINCT a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason - FROM - azure_storage_account AS a - LEFT JOIN storage_account_connection AS s ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + WITH storage_account_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_storage_account AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + DISTINCT a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason + FROM + azure_storage_account AS a + LEFT JOIN storage_account_connection AS s ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_11.yaml b/compliance/controls/azure/azure_cis_v210_3_11.yaml index d9b443790..aa55a8a8b 100644 --- a/compliance/controls/azure/azure_cis_v210_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_11.yaml 
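Review bot: The reason text `a.name || ' not uses private link.'` is ungrammatical in the finding a reader sees; suggest `a.name || ' does not use a private link.'` and `a.name || ' uses a private link.'`. The outer `SELECT DISTINCT` appears to be needed only because of the comma join to `azure_subscription AS sub`, which is used purely as a filter; if so, an explicit `INNER JOIN ... ON sub.subscription_id = a.subscription_id` would make the row multiplicity clear and the `DISTINCT` could then be dropped after confirming it changes nothing.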
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_11 title: 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage +type: control description: The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT blob_soft_delete_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' - ELSE sa.name || ' blobs soft delete enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT blob_soft_delete_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' + ELSE sa.name || ' blobs soft delete enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_12.yaml b/compliance/controls/azure/azure_cis_v210_3_12.yaml index 7aef26e10..2385c114a 100644 --- a/compliance/controls/azure/azure_cis_v210_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_12.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_12 title: 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys +type: control description: Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' - ELSE sa.name || ' encrypted with CMK.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' + ELSE sa.name || ' encrypted with CMK.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_13.yaml b/compliance/controls/azure/azure_cis_v210_3_13.yaml index 6ebf68e22..309e40b6f 100644 --- a/compliance/controls/azure/azure_cis_v210_3_13.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_13.yaml 
@@ -1,38 +1,39 @@ id: azure_cis_v210_3_13 title: 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests -description: 'The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.' +type: control +description: "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN name || ' blob service logging not enabled for ' || - CONCAT_WS(', ', - CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN THEN 'write' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN THEN 'read' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'delete' END - ) || ' requests.' - ELSE name || ' blob service logging enabled for read, write, delete requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN name || ' blob service logging not enabled for ' || + CONCAT_WS(', ', + CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN THEN 'write' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN THEN 'read' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'delete' END + ) || ' requests.' + ELSE name || ' blob service logging enabled for read, write, delete requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_14.yaml b/compliance/controls/azure/azure_cis_v210_3_14.yaml index 903bfa239..3634c29e6 100644 --- a/compliance/controls/azure/azure_cis_v210_3_14.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_14.yaml 
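Review bot: Each `(sa.blob_service_logging ->> 'Read')::BOOLEAN` yields NULL when the key is absent or the column is NULL, and a chain of `NOT NULL OR NOT NULL` is NULL, so the status CASE falls to `'ok'` for an account whose logging settings could not be read. Wrap each lookup, e.g. `COALESCE((sa.blob_service_logging ->> 'Read')::BOOLEAN, false)`, in both the status and reason expressions so a missing setting alarms. The reason text also uses bare `name ||` while every other column is `sa.`-qualified; since `azure_subscription` is in the FROM list, qualifying it as `sa.name` (as 3.14 in this commit does) avoids an ambiguous-column error if that table ever exposes a `name` column.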
@@ -1,35 +1,36 @@ id: azure_cis_v210_3_14 title: 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests -description: 'Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.' +type: control +description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete - THEN sa.name || ' table service logging enabled for read, write, delete requests.' - ELSE sa.name || ' table service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT table_logging_write THEN 'write' END, - CASE WHEN NOT table_logging_read THEN 'read' END, - CASE WHEN NOT table_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete + THEN sa.name || ' table service logging enabled for read, write, delete requests.' + ELSE sa.name || ' table service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT table_logging_write THEN 'write' END, + CASE WHEN NOT table_logging_read THEN 'read' END, + CASE WHEN NOT table_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
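Review bot: The status expression is NULL-safe (a NULL flag fails the `AND` and alarms), but the reason expression is not: `CASE WHEN NOT table_logging_write THEN 'write' END` yields NULL for a NULL flag, so CONCAT_WS omits it and the finding reads `table service logging not enabled for:  requests.` with nothing listed. Use `CASE WHEN NOT COALESCE(table_logging_write, false) THEN 'write' END` (and likewise for read and delete) so the reason names the flag that is unset or unreadable.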
diff --git a/compliance/controls/azure/azure_cis_v210_3_15.yaml b/compliance/controls/azure/azure_cis_v210_3_15.yaml index a495a1eb4..7896ee119 100644 --- a/compliance/controls/azure/azure_cis_v210_3_15.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_15.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v210_3_15 title: 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' +type: control description: In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' - WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' + WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' + ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' 
+ END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_16.yaml b/compliance/controls/azure/azure_cis_v210_3_16.yaml index f7bf5f799..400bc2760 100644 --- a/compliance/controls/azure/azure_cis_v210_3_16.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_16.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_3_16 title: 3.16 Ensure 'Cross Tenant Replication' is not enabled +type: control description: Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_3_2.yaml b/compliance/controls/azure/azure_cis_v210_3_2.yaml index af6fdad62..0755d2d3d 100644 
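Review bot: When `minimum_tls_version` is NULL the status correctly alarms via `ELSE`, but the reason becomes NULL because `' minimum TLS version set to ' || minimum_tls_version || '.'` propagates the NULL, so the finding carries no explanation. Use `COALESCE(minimum_tls_version, 'unknown')` in that concatenation. The `'TLS1_2'` and `ELSE` branches of the reason CASE produce identical text and can be merged, and because the status CASE accepts only the exact string `'TLS1_2'`, any newer minimum the provider might report would alarm — worth a comment stating that this is intentional, or a comparison on the version instead of string equality.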
--- a/compliance/controls/azure/azure_cis_v210_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_2.yaml @@ -1,29 +1,30 @@ id: azure_cis_v210_3_2 title: 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' +type: control description: Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN require_infrastructure_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason - FROM - azure_storage_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN require_infrastructure_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' + END AS reason + FROM + azure_storage_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_3.yaml b/compliance/controls/azure/azure_cis_v210_3_3.yaml index 6c534c9de..74aeae299 100644 --- a/compliance/controls/azure/azure_cis_v210_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_3.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_3_3 title: 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account +type: control description: Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_3_4.yaml b/compliance/controls/azure/azure_cis_v210_3_4.yaml index f37024124..afa2f3692 100644 --- a/compliance/controls/azure/azure_cis_v210_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_4.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_3_4 title: 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated +type: control description: For increased security, regenerate storage account access keys periodically. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_3_5.yaml b/compliance/controls/azure/azure_cis_v210_3_5.yaml index 102c275ce..55f14f667 100644 --- a/compliance/controls/azure/azure_cis_v210_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_5.yaml 
@@ -1,35 +1,36 @@ id: azure_cis_v210_3_5 title: 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests +type: control description: The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete - THEN sa.name || ' queue service logging enabled for read, write, delete requests.' - ELSE sa.name || ' queue service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT queue_logging_write THEN 'write' END, - CASE WHEN NOT queue_logging_read THEN 'read' END, - CASE WHEN NOT queue_logging_delete THEN 'delete' END - ) || ' requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete + THEN sa.name || ' queue service logging enabled for read, write, delete requests.' + ELSE sa.name || ' queue service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT queue_logging_write THEN 'write' END, + CASE WHEN NOT queue_logging_read THEN 'read' END, + CASE WHEN NOT queue_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_6.yaml b/compliance/controls/azure/azure_cis_v210_3_6.yaml index 7d6356b66..22d78f0de 100644 --- a/compliance/controls/azure/azure_cis_v210_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_6.yaml 
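Review bot: The reason CASE drops a NULL flag silently: `CASE WHEN NOT queue_logging_write THEN 'write' END` is NULL for a NULL flag, CONCAT_WS skips it, and the finding reads `queue service logging not enabled for:  requests.` even though the status correctly alarms. Use `CASE WHEN NOT COALESCE(queue_logging_write, false) THEN 'write' END` (and the same for read and delete) so the unset or unreadable flag is named.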
@@ -1,23 +1,24 @@ id: azure_cis_v210_3_6 title: 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour +type: control description: Expire shared access signature tokens within an hour. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_3_7.yaml b/compliance/controls/azure/azure_cis_v210_3_7.yaml index a1f360749..3dc3dde7b 100644 --- a/compliance/controls/azure/azure_cis_v210_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_7.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_7 title: 3.7 Ensure that 'Public Network Access' is `Disabled' for storage accounts +type: control description: Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(sa.public_network_access) = 'disabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN LOWER(sa.public_network_access) = 'disabled' THEN sa.name || ' not publicly accessible.' - ELSE sa.name || ' publicly accessible.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(sa.public_network_access) = 'disabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN LOWER(sa.public_network_access) = 'disabled' THEN sa.name || ' not publicly accessible.' + ELSE sa.name || ' publicly accessible.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_8.yaml b/compliance/controls/azure/azure_cis_v210_3_8.yaml index ce1b994c5..bffe650f6 100644 --- a/compliance/controls/azure/azure_cis_v210_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_8.yaml 
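Review bot: The failing reason `' publicly accessible.'` overstates what the check establishes: `public_network_access` not being `disabled` only means the public endpoint is enabled, and the account may still be fenced by a default-deny network rule (covered separately by 3.8 in this commit). Suggest `sa.name || ' public network access enabled.'` so the finding states the property it tested. The status CASE itself is NULL-safe, since an unreadable value falls to `'alarm'`.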
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_8 title: 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny +type: control description: Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' - ELSE name || ' allows traffic from specific networks.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' + ELSE name || ' allows traffic from specific networks.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_3_9.yaml b/compliance/controls/azure/azure_cis_v210_3_9.yaml index cf9cacd9c..b3e18c5a1 100644 --- a/compliance/controls/azure/azure_cis_v210_3_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_3_9.yaml 
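Review bot: The check passes any value other than the exact string `'Allow'`, including NULL and `'allow'`, because the CASE falls to `ELSE 'ok'`; an account whose default action could not be read is reported as `allows traffic from specific networks`. Invert it to test the compliant state, `WHEN LOWER(sa.network_rule_default_action) = 'deny' THEN 'ok' ELSE 'alarm'`, matching the `LOWER()` normalisation used by 3.7 in this commit, and update the reason CASE the same way. Bare `name ||` in the reason should also be `sa.name` for consistency with the qualified columns above it.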
@@ -1,29 +1,30 @@ id: azure_cis_v210_3_9 title: 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access +type: control description: Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' - ELSE sa.name || ' trusted Microsoft services enabled.' - END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' + ELSE sa.name || ' trusted Microsoft services enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} 
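Review bot: `network_rule_bypass NOT LIKE '%AzureServices%'` is NULL when the column is NULL, so the CASE falls to `ELSE 'ok'` and an account with no bypass information is reported as `trusted Microsoft services enabled`. Test the positive condition in both CASEs: `WHEN network_rule_bypass LIKE '%AzureServices%' THEN 'ok' ELSE 'alarm'`. If the column holds a comma-separated list the substring match is adequate, but a comment noting that assumption would help the next maintainer.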
diff --git a/compliance/controls/azure/azure_cis_v210_4_1_2.yaml b/compliance/controls/azure/azure_cis_v210_4_1_2.yaml index b6996ad98..42fad1d41 100644 --- a/compliance/controls/azure/azure_cis_v210_4_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_4_1_2.yaml 
@@ -1,33 +1,34 @@ id: azure_cis_v210_4_1_2 title: 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) +type: control description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over the internet.' - ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over the internet.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over the internet.' 
+ ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over the internet.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_4_1_4.yaml b/compliance/controls/azure/azure_cis_v210_4_1_4.yaml index d49f0d8d8..064018de9 100644 --- a/compliance/controls/azure/azure_cis_v210_4_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_4_1_4.yaml 
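Review bot: The containment tests only catch two exact rules, `0.0.0.0–0.0.0.0` and `0.0.0.0–255.255.255.255`, so a rule such as `0.0.0.0–255.255.255.254` or `1.0.0.0–255.255.255.255` is reported as not allowing any-IP ingress, and a NULL `firewall_rules` makes the `@>` result NULL and falls to `'ok'`. Iterate the rules and flag any whose start address is `0.0.0.0` (this covers both existing literals) and, optionally, any whose range is wider than an agreed threshold; the `/8` threshold below is a placeholder to settle with the team, and the `inet` arithmetic assumes the addresses are well-formed IPv4. The same EXISTS predicate should replace the duplicated condition in the reason CASE.
```yaml
  definition: |
    SELECT
      -- … unchanged: resource / platform id columns …
      CASE
        WHEN EXISTS (
          SELECT 1
          FROM jsonb_array_elements(COALESCE(s.firewall_rules, '[]'::jsonb)) AS r
          WHERE r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'
             OR (r -> 'properties' ->> 'endIpAddress')::inet
                - (r -> 'properties' ->> 'startIpAddress')::inet >= 16777216 -- wider than a /8; tune
        ) THEN 'alarm'
        ELSE 'ok'
      END AS status,
      -- … unchanged: reason CASE (reuse the EXISTS predicate), FROM / WHERE …
```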
@@ -1,29 +1,30 @@ id: azure_cis_v210_4_1_4 title: 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers +type: control description: Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN server_azure_ad_administrator IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' - ELSE name || ' Azure AD authentication configured.' - END AS reason - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN server_azure_ad_administrator IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' + ELSE name || ' Azure AD authentication configured.' + END AS reason + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_4_1_5.yaml b/compliance/controls/azure/azure_cis_v210_4_1_5.yaml index 98eab1146..41ec8f384 100644 --- a/compliance/controls/azure/azure_cis_v210_4_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_4_1_5.yaml 
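Review bot: `server_azure_ad_administrator IS NULL` is the only failure condition; if that column is a JSON or array value that is an empty collection rather than NULL when no administrator is set (it reads like a nested object — verify against the table schema), a server without an Entra admin passes as `Azure AD authentication configured`. If so, extend the check to `WHEN server_azure_ad_administrator IS NULL OR server_azure_ad_administrator = '[]'::jsonb THEN 'alarm'`, or whatever empty form the column uses. The reason text still says `Azure AD` while the title now says `Microsoft Entra`; aligning the wording keeps findings searchable by the current product name.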
@@ -1,30 +1,31 @@
 id: azure_cis_v210_4_1_5
 title: 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
+type: control
 description: Enable Transparent Data Encryption on every SQL server.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_database
- definition: |
- SELECT
- s.database_id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN transparent_data_encryption ->> 'status' = 'Enabled' OR transparent_data_encryption ->> 'state' = 'Enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN transparent_data_encryption ->> 'status' = 'Enabled' OR transparent_data_encryption ->> 'state' = 'Enabled' THEN s.title || ' transparent data encryption enabled.'
- ELSE s.title || ' transparent data encryption disabled.'
- END AS reason
- FROM
- azure_sql_database AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id
- AND s.name <> 'master';
+ language: sql
+ primary_resource: azure_sql_database
+ definition: |
+ SELECT
+ s.database_id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN transparent_data_encryption ->> 'status' = 'Enabled' OR transparent_data_encryption ->> 'state' = 'Enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN transparent_data_encryption ->> 'status' = 'Enabled' OR transparent_data_encryption ->> 'state' = 'Enabled' THEN s.title || ' transparent data encryption enabled.'
+ ELSE s.title || ' transparent data encryption disabled.'
+ END AS reason
+ FROM
+ azure_sql_database AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id
+ AND s.name <> 'master';
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_1.yaml b/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
index 8ef8a32f9..d25cbba98 100644
--- a/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v210_4_3_1
 title: 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
+type: control
 description: Enable SSL connection on PostgreSQL Servers.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_postgresql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.'
- ELSE name || ' SSL connection enabled.'
- END AS reason
- FROM
- azure_postgresql_server s,
- azure_subscription sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_postgresql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.'
+ ELSE name || ' SSL connection enabled.'
+ END AS reason
+ FROM
+ azure_postgresql_server s,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_7.yaml b/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
index 518675ad3..1fc6c5b0e 100644
--- a/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
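Review bot: The status test in the azure_cis_v210_4_3_1 hunk is fail-open: `WHEN ssl_enforcement = 'Disabled' THEN 'alarm' ELSE 'ok'` reports `ok` when `ssl_enforcement` is NULL or carries any value other than the literal `Disabled`, so a server whose property was not collected passes an SSL-enforcement control. Testing for the compliant state, as azure_cis_v210_4_3_8 does with `infrastructure_encryption = 'Enabled'`, keeps unknown values in alarm: `WHEN ssl_enforcement = 'Enabled' THEN 'ok' ELSE 'alarm'`, with the reason CASE inverted to match. The azure_cis_v210_4_4_1 hunk has the identical pattern for MySQL.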
@@ -1,41 +1,42 @@
 id: azure_cis_v210_4_3_7
 title: 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
+type: control
 description: Disable access from Azure services to PostgreSQL Database Server.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_postgresql_server
- definition: |
- WITH postgres_db_with_allow_access_to_azure_services AS (
- SELECT
- id
- FROM
- azure_postgresql_server,
- jsonb_array_elements(firewall_rules) AS r
- WHERE
- r -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0'
- AND r -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0'
- )
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.id IS NOT NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to Azure services.'
- ELSE s.title || ' restricts access to Azure services.'
- END AS reason
- FROM
- azure_postgresql_server AS s
- LEFT JOIN
- postgres_db_with_allow_access_to_azure_services AS a ON a.id = s.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_postgresql_server
+ definition: |
+ WITH postgres_db_with_allow_access_to_azure_services AS (
+ SELECT
+ id
+ FROM
+ azure_postgresql_server,
+ jsonb_array_elements(firewall_rules) AS r
+ WHERE
+ r -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0'
+ AND r -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0'
+ )
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.id IS NOT NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to Azure services.'
+ ELSE s.title || ' restricts access to Azure services.'
+ END AS reason
+ FROM
+ azure_postgresql_server AS s
+ LEFT JOIN
+ postgres_db_with_allow_access_to_azure_services AS a ON a.id = s.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_8.yaml b/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
index 3d69a3a4c..a52d1550d 100644
--- a/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
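Review bot: The CTE `postgres_db_with_allow_access_to_azure_services` selects `id` without `DISTINCT`, so if a server carries more than one firewall rule spanning 0.0.0.0 to 0.0.0.0 it contributes several rows and `LEFT JOIN ... ON a.id = s.id` emits that server more than once in the result; `SELECT DISTINCT id`, the form the azure_cis_v210_4_5_2 CTE already uses, keeps one row per resource. A server whose `firewall_rules` is NULL or empty is reported `ok`, which matches the control's intent but is worth stating above the CTE, e.g. `-- a rule from 0.0.0.0 to 0.0.0.0 is the "Allow access to Azure services" switch; no such rule means access is restricted`. The hunk begins on the previous line.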
@@ -1,29 +1,30 @@
 id: azure_cis_v210_4_3_8
 title: 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
+type: control
 description: Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_postgresql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN infrastructure_encryption = 'Enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.'
- ELSE name || ' infrastructure encryption disabled.'
- END AS reason
- FROM
- azure_postgresql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_postgresql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN infrastructure_encryption = 'Enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.'
+ ELSE name || ' infrastructure encryption disabled.'
+ END AS reason
+ FROM
+ azure_postgresql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_4_1.yaml b/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
index 40246907e..de6c6eb6b 100644
--- a/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
@@ -1,29 +1,30 @@
 id: azure_cis_v210_4_4_1
 title: 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
+type: control
 description: Enable SSL connection on MySQL Servers.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_mysql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.'
- ELSE s.name || ' SSL connection enabled.'
- END AS reason
- FROM
- azure_mysql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_mysql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.'
+ ELSE s.name || ' SSL connection enabled.'
+ END AS reason
+ FROM
+ azure_mysql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_4_2.yaml b/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
index 12e320e8e..1603337c0 100644
--- a/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v210_4_4_2
 title: 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
+type: control
 description: Ensure TLS version on MySQL flexible servers is set to use TLS version 1.2 or higher.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_mysql_server
- definition: |
- SELECT
- s.id AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
- WHEN minimal_tls_version = 'TLS1_2' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.'
- WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- END AS reason
- FROM
- azure_mysql_server AS s,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = s.subscription_id;
+ language: sql
+ primary_resource: azure_mysql_server
+ definition: |
+ SELECT
+ s.id AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm'
+ WHEN minimal_tls_version = 'TLS1_2' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.'
+ WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
+ ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
+ END AS reason
+ FROM
+ azure_mysql_server AS s,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = s.subscription_id;
 severity: low
 tags: {}
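Review bot: When `minimal_tls_version` is NULL, the reason branch `s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'` concatenates a NULL and the whole reason becomes NULL while the status is `alarm`, so the row carries no explanation; `COALESCE(minimal_tls_version, 'unknown')` inside the concatenation keeps the message. The `'TLS1_2'` and `ELSE` branches of the reason CASE produce identical text, so the second WHEN can be dropped. The description promises "TLS version 1.2 or higher" but only the literal `TLS1_2` yields `ok`; if the table can carry a higher value it should be listed alongside.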
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_1.yaml b/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
index 35ceda695..140478fe8 100644
--- a/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
@@ -1,31 +1,32 @@
 id: azure_cis_v210_4_5_1
 title: 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
+type: control
 description: Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN public_network_access = 'Disabled' THEN 'ok'
- WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.'
- WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.'
- ELSE a.name || ' virtual network filter disabled.'
- END AS reason
- FROM
- azure_cosmosdb_account AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN public_network_access = 'Disabled' THEN 'ok'
+ WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.'
+ WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.'
+ ELSE a.name || ' virtual network filter disabled.'
+ END AS reason
+ FROM
+ azure_cosmosdb_account AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_2.yaml b/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
index 234275578..d33f42095 100644
--- a/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
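Review bot: `is_virtual_network_filter_enabled = 'true'` compares the flag with a string literal in both the status and the reason CASE; if the column is boolean the literal is coerced and the test works, but writing `is_virtual_network_filter_enabled` on its own (or `= TRUE`) states the type and avoids a silent mismatch should the column be text and carry a differently cased value. The hunk begins on the previous line.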
@@ -1,40 +1,41 @@
 id: azure_cis_v210_4_5_2
 title: 4.5.2 Ensure That Private Endpoints Are Used Where Possible
+type: control
 description: Private endpoints limit network traffic to approved sources.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- WITH cosmosdb_private_connection AS (
- SELECT
- DISTINCT a.id
- FROM
- azure_cosmosdb_account AS a,
- jsonb_array_elements(private_endpoint_connections) AS connection
- WHERE
- connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN c.id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN c.id IS NULL THEN a.name || ' not uses private link.'
- ELSE a.name || ' uses private link.'
- END AS reason
- FROM
- azure_cosmosdb_account AS a
- LEFT JOIN
- cosmosdb_private_connection AS c ON c.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ WITH cosmosdb_private_connection AS (
+ SELECT
+ DISTINCT a.id
+ FROM
+ azure_cosmosdb_account AS a,
+ jsonb_array_elements(private_endpoint_connections) AS connection
+ WHERE
+ connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN c.id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN c.id IS NULL THEN a.name || ' not uses private link.'
+ ELSE a.name || ' uses private link.'
+ END AS reason
+ FROM
+ azure_cosmosdb_account AS a
+ LEFT JOIN
+ cosmosdb_private_connection AS c ON c.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_3.yaml b/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
index 63d973c6e..ea78fcffc 100644
--- a/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
@@ -1,23 +1,24 @@
 id: azure_cis_v210_4_5_3
 title: 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
+type: control
 description: Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_1.yaml b/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
index 1b0e4e214..ec4c93574 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
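Review bot: In the azure_cis_v210_4_5_2 hunk the alarm reason `a.name || ' not uses private link.'` is ungrammatical in a message that surfaces in compliance reports; `a.name || ' does not use private link.'` reads correctly and the ok branch can stay as it is. The control only counts connections whose `privateLinkServiceConnectionState` status is `Approved`, which is worth a one-line comment above the CTE so that pending or rejected connections being reported as alarm is understood as deliberate. The hunk begins on the previous line.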
@@ -1,23 +1,24 @@
 id: azure_cis_v210_5_1_1
 title: 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
+type: control
 description: Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_2.yaml b/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
index 7fdd3d560..8a1aeee6d 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
@@ -1,59 +1,60 @@
 id: azure_cis_v210_5_1_2
 title: 5.1.2 Ensure Diagnostic Setting captures appropriate categories
+type: control
 description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane."
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_diagnostic_setting
- definition: |
- WITH enabled_settings AS (
- SELECT
- name,
- id,
- _ctx,
- resource_group,
- subscription_id,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true'
- AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
- ) AS valid_category_count,
- STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true'
- AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
- ) AS valid_categories
- FROM
- azure_diagnostic_setting,
- jsonb_array_elements(logs) AS l
- GROUP BY
- name,
- id,
- _ctx,
- resource_group,
- subscription_id,
- platform_integration_id,
- platform_resource_id
- )
- SELECT
- sett.id AS resource,
- sett.platform_integration_id AS platform_integration_id,
- sett.platform_resource_id AS platform_resource_id,
- CASE
- WHEN valid_category_count = 4 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN valid_category_count = 4
- THEN name || ' logs enabled for required categories administrative, security, alert and policy.'
- WHEN valid_category_count > 0
- THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.'
- ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.'
- END AS reason
- FROM
- enabled_settings sett,
- azure_subscription sub
- WHERE
- sub.subscription_id = sett.subscription_id;
+ language: sql
+ primary_resource: azure_diagnostic_setting
+ definition: |
+ WITH enabled_settings AS (
+ SELECT
+ name,
+ id,
+ _ctx,
+ resource_group,
+ subscription_id,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true'
+ AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
+ ) AS valid_category_count,
+ STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true'
+ AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy')
+ ) AS valid_categories
+ FROM
+ azure_diagnostic_setting,
+ jsonb_array_elements(logs) AS l
+ GROUP BY
+ name,
+ id,
+ _ctx,
+ resource_group,
+ subscription_id,
+ platform_integration_id,
+ platform_resource_id
+ )
+ SELECT
+ sett.id AS resource,
+ sett.platform_integration_id AS platform_integration_id,
+ sett.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN valid_category_count = 4 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN valid_category_count = 4
+ THEN name || ' logs enabled for required categories administrative, security, alert and policy.'
+ WHEN valid_category_count > 0
+ THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.'
+ ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.'
+ END AS reason
+ FROM
+ enabled_settings sett,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = sett.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_3.yaml b/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
index 9db72a194..0d007bff2 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
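Review bot: `valid_category_count = 4` counts matching log entries, not distinct categories, so if a `logs` array lists the same category in two enabled entries the total reaches 4 without covering all of Administrative, Security, Alert and Policy and the setting is reported `ok`; `COUNT(DISTINCT l ->> 'category') FILTER (...)` makes the test mean what the reason text says, and `STRING_AGG(DISTINCT l ->> 'category', ', ') FILTER (...)` keeps the listed categories consistent with it. In the reason CASE the first branch uses bare `name` while the other two use `sett.name`; with `azure_subscription sub` also in the FROM, `sett.name` throughout avoids a possible ambiguity and is consistent. The hunk begins on the previous line.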
@@ -1,33 +1,34 @@
 id: azure_cis_v210_5_1_3
 title: 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
+type: control
 description: Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.encryption_key_source = 'Microsoft.Keyvault' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.encryption_key_source = 'Microsoft.Keyvault'
- THEN a.name || ' container insights-activity-logs encrypted with BYOK.'
- ELSE a.name || ' container insights-activity-logs not encrypted with BYOK.'
- END AS reason
- FROM
- azure_storage_container c,
- azure_storage_account a,
- azure_subscription sub
- WHERE
- c.name = 'insights-activity-logs'
- AND c.account_name = a.name
- AND sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.encryption_key_source = 'Microsoft.Keyvault' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.encryption_key_source = 'Microsoft.Keyvault'
+ THEN a.name || ' container insights-activity-logs encrypted with BYOK.'
+ ELSE a.name || ' container insights-activity-logs not encrypted with BYOK.'
+ END AS reason
+ FROM
+ azure_storage_container c,
+ azure_storage_account a,
+ azure_subscription sub
+ WHERE
+ c.name = 'insights-activity-logs'
+ AND c.account_name = a.name
+ AND sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_4.yaml b/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
index 4bc41f460..a0e713850 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
@@ -1,46 +1,47 @@
 id: azure_cis_v210_5_1_4
 title: 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
+type: control
 description: Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_key_vault
- definition: |
- WITH logging_details AS (
- SELECT
- name AS key_vault_name
- FROM
- azure_key_vault,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- WHERE
- diagnostic_settings IS NOT NULL
- AND setting -> 'properties' ->> 'storageAccountId' <> ''
- AND (log ->> 'enabled')::BOOLEAN
- AND log ->> 'category' = 'AuditEvent'
- AND (log -> 'retentionPolicy')::JSONB ? 'days'
- )
- SELECT
- v.id AS resource,
- v.platform_integration_id AS platform_integration_id,
- v.platform_resource_id AS platform_resource_id,
- CASE
- WHEN v.diagnostic_settings IS NULL THEN 'alarm'
- WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
- WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.'
- ELSE v.name || ' logging enabled.'
- END AS reason
- FROM
- azure_key_vault v,
- logging_details l,
- azure_subscription sub
- WHERE
- sub.subscription_id = v.subscription_id;
+ language: sql
+ primary_resource: azure_key_vault
+ definition: |
+ WITH logging_details AS (
+ SELECT
+ name AS key_vault_name
+ FROM
+ azure_key_vault,
+ jsonb_array_elements(diagnostic_settings) setting,
+ jsonb_array_elements(setting -> 'properties' -> 'logs') log
+ WHERE
+ diagnostic_settings IS NOT NULL
+ AND setting -> 'properties' ->> 'storageAccountId' <> ''
+ AND (log ->> 'enabled')::BOOLEAN
+ AND log ->> 'category' = 'AuditEvent'
+ AND (log -> 'retentionPolicy')::JSONB ?
'days'
+ )
+ SELECT
+ v.id AS resource,
+ v.platform_integration_id AS platform_integration_id,
+ v.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN v.diagnostic_settings IS NULL THEN 'alarm'
+ WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.'
+ WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.'
+ ELSE v.name || ' logging enabled.'
+ END AS reason
+ FROM
+ azure_key_vault v,
+ logging_details l,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = v.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_5.yaml b/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
index 70c761a11..61018d5f1 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
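Review bot: `FROM azure_key_vault v, logging_details l, azure_subscription sub` cross-joins every vault with every qualifying log row, so a vault appears once per entry in `logging_details` with a mixture of `ok` and `alarm` rows, and when no vault in scope has AuditEvent logging configured the join is empty and every vault silently drops out of the result instead of failing the control. Replacing the comma join with `LEFT JOIN logging_details AS l ON l.key_vault_name = v.name` and changing both second WHEN branches to `WHEN l.key_vault_name IS NULL THEN ...` yields one row per vault, with `SELECT DISTINCT name AS key_vault_name` in the CTE keeping a vault with several matching settings to a single row. The current `NOT LIKE CONCAT('%', v.name, '%')` substring test also matches another vault whose name contains this one, which the equality join removes. The hunk begins on the previous line.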
@@ -1,23 +1,24 @@
 id: azure_cis_v210_5_1_5
 title: 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
+type: control
 description: Ensure that network flow logs are captured and fed into a central log analytics workspace.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_6.yaml b/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
index 4ec8e6d48..338790946 100644
--- a/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
@@ -1,23 +1,24 @@
 id: azure_cis_v210_5_1_6
 title: 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
+type: control
 description: Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_1.yaml b/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
index 16c312115..4161adb51 100644
--- a/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
@@ -1,52 +1,53 @@ id: azure_cis_v210_5_2_1 title: 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - a.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - a.subscription_id, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + a.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + a.subscription_id, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_10.yaml b/compliance/controls/azure/azure_cis_v210_5_2_10.yaml index 8293269da..ca74c6152 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_10.yaml 
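Review bot: `LIMIT 1` inside the `alert_rule` CTE keeps a single alert row across every subscription the query can see, so if one integration covers more than one subscription only one of them can ever be reported `ok`, and which one is nondeterministic because there is no `ORDER BY`; the per-subscription `COUNT(a.subscription_id) > 0` after `GROUP BY` already expresses "at least one", so the `LIMIT 1` line should simply be removed. The same CTE with the same `LIMIT 1` is re-added in the 5.2.2 through 5.2.10 hunks below. Separately, this control alone selects `a.subscription_id AS resource`, which is NULL for every subscription without a matching alert (the LEFT JOIN has no row), so exactly the `alarm` rows carry no resource identifier; use `sub.subscription_id AS resource` as the sibling controls do and drop `a.subscription_id` from the `GROUP BY`.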
@@ -1,57 +1,58 @@ id: azure_cis_v210_5_2_10 title: 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule +type: control description: Create an activity log alert for the Delete Public IP Address rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_2.yaml b/compliance/controls/azure/azure_cis_v210_5_2_2.yaml index 9eef304aa..5c7414572 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_2.yaml 
@@ -1,51 +1,52 @@ id: azure_cis_v210_5_2_2 title: 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_3.yaml b/compliance/controls/azure/azure_cis_v210_5_2_3.yaml index 3d053ba87..d2f0a2521 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_3.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v210_5_2_3 title: 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the Create or Update Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' 
@> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_4.yaml b/compliance/controls/azure/azure_cis_v210_5_2_4.yaml index 9200af03c..b8d8097fb 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_4.yaml 
@@ -1,62 +1,63 @@ id: azure_cis_v210_5_2_4 title: 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> 
'[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_5.yaml b/compliance/controls/azure/azure_cis_v210_5_2_5.yaml index 565ad8b1a..bb712e5c4 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_5.yaml 
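Review bot: the CTE select list in 5.2.4 carries an unaliased `jsonb_array_length(alert.condition -> 'allOf')` column that nothing in the outer query reads; none of the sibling 5.2.x CTEs in this diff project it, and the length test already lives in the `WHERE` clause. Drop that line (and the comma left after `alert.subscription_id`) so the CTE matches the others.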
@@ -1,60 +1,61 @@ id: azure_cis_v210_5_2_5 title: 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exist for create or update Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exist for create or update Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_6.yaml b/compliance/controls/azure/azure_cis_v210_5_2_6.yaml index edeaae60a..902df3043 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_6.yaml 
@@ -1,61 +1,62 @@ id: azure_cis_v210_5_2_6 title: 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN count(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' - ELSE 'Activity log alert does not exist for delete Security Solution event.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN count(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exist for delete Security Solution event.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_7.yaml b/compliance/controls/azure/azure_cis_v210_5_2_7.yaml index 9d71f9d92..cc9d0ffc9 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_7.yaml 
@@ -1,57 +1,58 @@ id: azure_cis_v210_5_2_7 title: 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_8.yaml b/compliance/controls/azure/azure_cis_v210_5_2_8.yaml index 1428857f5..e4e63dff8 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_8.yaml 
@@ -1,59 +1,60 @@ id: azure_cis_v210_5_2_8 title: 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the 'Delete SQL Server Firewall Rule.' integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field":"operationName","equals":"Microsoft.Sql/servers/firewallRules/delete"}]') - OR - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field":"resourceType","equals":"microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field":"operationName","equals":"Microsoft.Sql/servers/firewallRules/delete"}]') + OR + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> 
'[{"field":"resourceType","equals":"microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2) ) - - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN - alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN + alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_2_9.yaml b/compliance/controls/azure/azure_cis_v210_5_2_9.yaml index 1e4890193..8b14700c4 100644 --- a/compliance/controls/azure/azure_cis_v210_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_2_9.yaml 
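Review bot: 5.2.8's definition is laid out differently from its siblings: a blank line sits between the CTE and the main `SELECT`, and `LEFT JOIN` is split from `alert_rule a ON ...` onto its own line. As this commit re-indents every definition, join those two lines as `LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id` and remove the blank line so the file reads like the others.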
@@ -1,62 +1,63 @@ id: azure_cis_v210_5_2_9 title: 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule +type: control description: Create an activity log alert for the Create or Update Public IP Addresses rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS + ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND - ( - (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + (alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' - END AS reason - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' + END AS reason + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_3_1.yaml b/compliance/controls/azure/azure_cis_v210_5_3_1.yaml index 325e0a6fb..fb44ce6fb 100644 --- a/compliance/controls/azure/azure_cis_v210_5_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_3_1.yaml 
@@ -1,37 +1,38 @@ id: azure_cis_v210_5_3_1 title: 5.3.1 Ensure Application Insights are Configured +type: control description: Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH application_insights AS ( - SELECT - subscription_id, - COUNT(*) AS no_application_insight - FROM - azure_application_insight - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' - ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' 
- END AS reason - FROM - azure_subscription AS sub - LEFT JOIN application_insights AS i - ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH application_insights AS ( + SELECT + subscription_id, + COUNT(*) AS no_application_insight + FROM + azure_application_insight + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' + ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN application_insights AS i + ON i.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_5_4.yaml b/compliance/controls/azure/azure_cis_v210_5_4.yaml index ac9088da4..9f66dffcf 100644 --- a/compliance/controls/azure/azure_cis_v210_5_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_5_4.yaml 
@@ -1,23 +1,24 @@
 id: azure_cis_v210_5_4
 title: 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
+type: control
 description: Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_6_1.yaml b/compliance/controls/azure/azure_cis_v210_6_1.yaml
index ac9088da4..9f66dffcf 100644
--- a/compliance/controls/azure/azure_cis_v210_6_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_1.yaml
@@ -1,51 +1,52 @@ id: azure_cis_v210_6_1 title: 6.1 Ensure that RDP access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::INTEGER <= 3389 - AND split_part(dport, '-', 2)::INTEGER >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 
'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::INTEGER <= 3389 + AND split_part(dport, '-', 2)::INTEGER >= 3389 + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' - ELSE sg.title || ' allows RDP access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_6_2.yaml b/compliance/controls/azure/azure_cis_v210_6_2.yaml index 03a7c8eeb..f84592ecf 100644 --- a/compliance/controls/azure/azure_cis_v210_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_6_2.yaml 
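Review bot: `LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name` correlates by NSG name alone, and the CTE's `SELECT DISTINCT name AS sg_name` carries no subscription or resource-group qualifier, so an NSG that merely shares a name with an exposed NSG elsewhere in the tenant is reported as 'alarm'. Carry the resource id through instead: `SELECT DISTINCT nsg.id AS sg_id` in the CTE and `LEFT JOIN network_sg nsg ON nsg.sg_id = sg.id`. The `'/0'` literal appears twice in the `sip IN (...)` list and one copy can go. The 6.2, 6.3 and 6.4 hunks below use the same name-based join.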
@@ -1,51 +1,52 @@ id: azure_cis_v210_6_2 title: 6.2 Ensure that SSH access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 22 - AND split_part(dport, '-', 2)::integer >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 
'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 22 + AND split_part(dport, '-', 2)::integer >= 22 + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_6_3.yaml b/compliance/controls/azure/azure_cis_v210_6_3.yaml index 3eb153b84..4e2201417 100644 --- a/compliance/controls/azure/azure_cis_v210_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_6_3.yaml 
@@ -1,56 +1,57 @@ id: azure_cis_v210_6_3 title: 6.3 Ensure that UDP access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( 
- dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER - ) - ) + 53 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 123 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 161 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 389 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER + OR 1900 BETWEEN split_part(dport, '-', 1) :: INTEGER AND split_part(dport, '-', 2) :: INTEGER ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_6_4.yaml b/compliance/controls/azure/azure_cis_v210_6_4.yaml index c3f20f003..d702e4a7d 100644 --- a/compliance/controls/azure/azure_cis_v210_6_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_6_4.yaml 
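Review bot: The port predicate accepts only `dport = '*'` or a hyphenated range containing one of 53/123/161/389/1900, so a rule whose destination port is exactly `'53'` (the common single-port form) is never flagged. Add `OR dport IN ('53', '123', '161', '389', '1900')` next to the range branch. Separately, `sg -> 'properties' ->> 'protocol' = 'UDP'` is case-sensitive and excludes `'*'`, whereas the RDP and SSH controls in this commit use `ILIKE 'TCP' OR ... = '*'`, so an any-protocol rule open to the internet passes this check; `AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*')` would align the three.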
@@ -1,61 +1,62 @@ id: azure_cis_v210_6_4 title: 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT DISTINCT - name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - AND sip IN ( - '*', - '0.0.0.0', - '0.0.0.0/0', - 'Internet', - 'any', - '/0', - '/0' - ) - AND ( - dport IN ( - '80', - '*' - ) - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 80 - AND split_part(dport, '-', 2)::integer >= 80 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT DISTINCT + name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' 
->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + AND sip IN ( + '*', + '0.0.0.0', + '0.0.0.0/0', + 'Internet', + 'any', + '/0', + '/0' ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' - ELSE sg.title || ' allows HTTPS access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + AND ( + dport IN ( + '80', + '*' + ) + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 80 + AND split_part(dport, '-', 2)::integer >= 80 + ) + ) + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' + ELSE sg.title || ' allows HTTPS access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_6_6.yaml b/compliance/controls/azure/azure_cis_v210_6_6.yaml index d098842bc..148967e9c 100644 --- a/compliance/controls/azure/azure_cis_v210_6_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_6_6.yaml 
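Review bot: The title covers HTTP(S) and both reason strings say 'HTTPS', but the filter only matches `dport IN ('80', '*')` and ranges containing 80, so an NSG exposing 443 to the internet is reported as restricting HTTPS access. Extend the list to `dport IN ('80', '443', '*')`, add a second range branch for 443, and word the reasons as 'HTTP(S) access' so they describe what is actually checked. As in 6.1 and 6.2, the protocol test here has no `= '*'` alternative, so any-protocol rules are missed as well.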
@@ -1,31 +1,32 @@ id: azure_cis_v210_6_6 title: 6.6 Ensure that Network Watcher is 'Enabled' +type: control description: Enable Network Watcher for Azure subscriptions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_location - definition: | - SELECT - loc.id AS resource, - loc.platform_integration_id AS platform_integration_id, - loc.platform_resource_id AS platform_resource_id, - CASE - WHEN watcher.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN watcher.id IS NULL THEN 'Network watcher not enabled in ' || loc.name || '.' - ELSE 'Network watcher enabled in ' || loc.name || '.' - END AS reason, - loc.name - FROM - azure_location loc - LEFT JOIN - azure_network_watcher watcher ON watcher.region = loc.name - JOIN - azure_subscription sub ON sub.subscription_id = loc.subscription_id; + language: sql + primary_resource: azure_location + definition: | + SELECT + loc.id AS resource, + loc.platform_integration_id AS platform_integration_id, + loc.platform_resource_id AS platform_resource_id, + CASE + WHEN watcher.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN watcher.id IS NULL THEN 'Network watcher not enabled in ' || loc.name || '.' + ELSE 'Network watcher enabled in ' || loc.name || '.' + END AS reason, + loc.name + FROM + azure_location loc + LEFT JOIN + azure_network_watcher watcher ON watcher.region = loc.name + JOIN + azure_subscription sub ON sub.subscription_id = loc.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_6_7.yaml b/compliance/controls/azure/azure_cis_v210_6_7.yaml index 75a7b9ee6..7a6c10420 100644 --- a/compliance/controls/azure/azure_cis_v210_6_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_6_7.yaml 
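Review bot: `LEFT JOIN azure_network_watcher watcher ON watcher.region = loc.name` matches on region alone, so a watcher in any subscription satisfies the location row of every subscription, and when several subscriptions each have a watcher in that region the location row is emitted once per match. `sub` is joined but never used to scope the watcher. If `azure_network_watcher` exposes a `subscription_id` like the other tables in this commit, add `AND watcher.subscription_id = loc.subscription_id` to the ON clause so each subscription is judged on its own watcher.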
@@ -1,23 +1,24 @@
 id: azure_cis_v210_6_7
 title: 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
+type: control
 description: Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_cis_v210_7_1.yaml b/compliance/controls/azure/azure_cis_v210_7_1.yaml
index 33768e127..5ad4a6788 100644
--- a/compliance/controls/azure/azure_cis_v210_7_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_1.yaml
@@ -1,43 +1,44 @@ id: azure_cis_v210_7_1 title: 7.1 Ensure an Azure Bastion Host Exists +type: control description: The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH bastion_hosts AS ( - SELECT - subscription_id, - _ctx, - region, - resource_group, - COUNT(*) AS no_bastion_host - FROM - azure_bastion_host - GROUP BY - subscription_id, - _ctx, - resource_group, - region - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' - ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' - END AS reason - FROM - azure_subscription AS sub - LEFT JOIN bastion_hosts AS i - ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH bastion_hosts AS ( + SELECT + subscription_id, + _ctx, + region, + resource_group, + COUNT(*) AS no_bastion_host + FROM + azure_bastion_host + GROUP BY + subscription_id, + _ctx, + resource_group, + region + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' 
+ ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN bastion_hosts AS i + ON i.subscription_id = sub.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_7_2.yaml b/compliance/controls/azure/azure_cis_v210_7_2.yaml index 2f4510cd4..fec8cec3d 100644 --- a/compliance/controls/azure/azure_cis_v210_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_2.yaml 
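Review bot: `bastion_hosts` groups by `subscription_id, _ctx, resource_group, region`, so a subscription with bastion hosts in two resource groups or regions yields two CTE rows, the `LEFT JOIN ... ON i.subscription_id = sub.subscription_id` then duplicates that subscription in the output, and the `no_bastion_host` in the reason is a per-group count rather than the subscription total the message implies. Group by `subscription_id` (and `_ctx` if it is required) only, and drop `region` and `resource_group` from the SELECT and GROUP BY. The 5.3.1 CTE in this commit already uses that shape.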
@@ -1,29 +1,30 @@ id: azure_cis_v210_7_2 title: 7.2 Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' + END AS reason + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_7_3.yaml b/compliance/controls/azure/azure_cis_v210_7_3.yaml index 0ecfaa36d..b4623e6e7 100644 --- a/compliance/controls/azure/azure_cis_v210_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_3.yaml 
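Review bot: `FROM azure_compute_virtual_machine AS vm, azure_subscription AS sub WHERE sub.subscription_id = vm.subscription_id` is an implicit comma join, and `sub` is never selected, so the subscription table acts only as an inner-join filter that silently drops VMs whose subscription row is absent. Writing it as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id` makes that intent explicit, and `managed_disk_id` should be qualified as `vm.managed_disk_id` in both CASE expressions so a future column on `sub` cannot make it ambiguous. The 7.3 and 7.4 hunks use the same comma-join form.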
@@ -1,30 +1,31 @@ id: azure_cis_v210_7_3 title: 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) +type: control description: Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_7_4.yaml b/compliance/controls/azure/azure_cis_v210_7_4.yaml index 1a6fdc5fa..afd42049d 100644 --- a/compliance/controls/azure/azure_cis_v210_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_4.yaml 
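Review bot: `encryption_type = 'EncryptionAtRestWithCustomerKey'` reports a disk using double encryption (`EncryptionAtRestWithPlatformAndCustomerKeys`, which also involves a customer-managed key) as 'alarm', and the description's mention of ADE is not evaluated by the query at all. Compare with `encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys')` in both CASE expressions, and say in the description that only server-side encryption is assessed if ADE is not going to be checked. The 7.4 hunk makes the same comparison.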
@@ -1,30 +1,31 @@ id: azure_cis_v210_7_4 title: 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_7_5.yaml b/compliance/controls/azure/azure_cis_v210_7_5.yaml index ff76175be..76626a210 100644 --- a/compliance/controls/azure/azure_cis_v210_7_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_5.yaml 
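Review bot: `disk_state != 'Attached'` evaluates to UNKNOWN for a NULL `disk_state`, so such a disk is filtered out here, and since 7.3 keeps only `disk_state = 'Attached'` it is evaluated by neither control. If NULL can occur in the collected data, `disk_state IS DISTINCT FROM 'Attached'` makes this control the catch-all; otherwise a comment stating that `disk_state` is never NULL would document the assumption.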
@@ -1,23 +1,24 @@ id: azure_cis_v210_7_5 title: 7.5 Ensure that Only Approved Extensions Are Installed +type: control description: For added security, only install organization-approved extensions on VMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_7_6.yaml b/compliance/controls/azure/azure_cis_v210_7_6.yaml index d3d91522d..3da57b2b3 100644 --- a/compliance/controls/azure/azure_cis_v210_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_6.yaml 
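Review bot: `primary_resource: ""` while the query emits one row per `azure_subscription` (with `id AS resource`) looks inconsistent with the automated controls in this diff, which name the table their `resource` column comes from; if the framework uses `primary_resource` to attribute results, `primary_resource: azure_subscription` would be the consistent value. This applies equally to the 7.6, 7.7, 7.8, 7.9, 8.8 and 9.10 hunks. I cannot tell from the diff whether the empty string is intentional for manual-verification controls; a comment on the field would settle it.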
@@ -1,23 +1,24 @@ id: azure_cis_v210_7_6 title: 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed +type: control description: Install endpoint protection for all virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_7_7.yaml b/compliance/controls/azure/azure_cis_v210_7_7.yaml index 188eb840a..9aa54bfb0 100644 --- a/compliance/controls/azure/azure_cis_v210_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_7.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_7_7 title: 7.7 [Legacy] Ensure that VHDs are Encrypted +type: control description: VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_7_8.yaml b/compliance/controls/azure/azure_cis_v210_7_8.yaml index 6925862b6..95c9595a5 100644 --- a/compliance/controls/azure/azure_cis_v210_7_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_8.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_7_8 title: 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine +type: control description: Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_7_9.yaml b/compliance/controls/azure/azure_cis_v210_7_9.yaml index cdb14c493..faf4beacc 100644 --- a/compliance/controls/azure/azure_cis_v210_7_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_9.yaml 
@@ -1,23 +1,24 @@ id: azure_cis_v210_7_9 title: 7.9 Ensure Trusted Launch is enabled on Virtual Machines +type: control description: When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_8_1.yaml b/compliance/controls/azure/azure_cis_v210_8_1.yaml index c2e3208c3..59f2dce54 100644 --- a/compliance/controls/azure/azure_cis_v210_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_1.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v210_8_1 title: 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults +type: control description: Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_8_2.yaml b/compliance/controls/azure/azure_cis_v210_8_2.yaml index 10e7748d8..804fd39ad 100644 --- a/compliance/controls/azure/azure_cis_v210_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_2.yaml 
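Review bot: `WHEN enabled AND expires_at IS NULL THEN 'alarm'` falls through to `'ok'` when `enabled` is NULL, and the reason `CASE` then reaches `TO_CHAR(expires_at, 'DD-Mon-YYYY')` with a NULL `expires_at`, which makes the whole concatenated reason NULL. Treating an unknown enabled flag as enabled — `WHEN COALESCE(enabled, TRUE) AND expires_at IS NULL THEN 'alarm'` in both `CASE`s and `WHEN NOT COALESCE(enabled, TRUE) THEN ' disabled.'` — keeps the control fail-closed. `enabled` and `expires_at` should also be qualified with `kvk.` given the three relations in scope. The same `CASE` logic is repeated in the 8.2, 8.3 and 8.4 hunks.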
@@ -1,42 +1,43 @@ id: azure_cis_v210_8_2 title: 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults +type: control description: Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_key kvk - LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_key kvk + LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_8_3.yaml b/compliance/controls/azure/azure_cis_v210_8_3.yaml index 518d341d4..0cb2601b8 100644 --- a/compliance/controls/azure/azure_cis_v210_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_3.yaml 
@@ -1,42 +1,43 @@ id: azure_cis_v210_8_3 title: 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults +type: control description: Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_8_4.yaml b/compliance/controls/azure/azure_cis_v210_8_4.yaml index c97dae067..571391818 100644 --- a/compliance/controls/azure/azure_cis_v210_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_4.yaml 
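Review bot: The reason for a secret is built as `vault_name || ' key ' || kvs.name || ...`, copied from the key controls, so every message for this control reads "... key <name> ..." although the resource is a secret; it should be `vault_name || ' secret ' || kvs.name ||`. The 8.4 hunk has the same copied text.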
@@ -1,42 +1,43 @@ id: azure_cis_v210_8_4 title: 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults +type: control description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason - FROM - azure_key_vault_secret kvs - LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' 
+ ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason + FROM + azure_key_vault_secret kvs + LEFT JOIN non_rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_8_5.yaml b/compliance/controls/azure/azure_cis_v210_8_5.yaml index 93a94204d..6480e4002 100644 --- a/compliance/controls/azure/azure_cis_v210_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_5.yaml 
@@ -1,31 +1,32 @@ id: azure_cis_v210_8_5 title: 8.5 Ensure the Key Vault is Recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' + WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' 
+ ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_8_6.yaml b/compliance/controls/azure/azure_cis_v210_8_6.yaml index d0719c372..1c8fe886c 100644 --- a/compliance/controls/azure/azure_cis_v210_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_6.yaml @@ -1,29 +1,30 @@ id: azure_cis_v210_8_6 title: 8.6 Enable Role Based Access Control for Azure Key Vault +type: control description: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_rbac_authorization THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' - ELSE name || ' have RBAC disabled.' - END AS reason - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_rbac_authorization THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' + ELSE name || ' have RBAC disabled.' + END AS reason + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} 
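Review bot: When either `soft_delete_enabled` or `purge_protection_enabled` is NULL the status `CASE` yields `'alarm'`, but every `WHEN NOT ...` branch of the reason `CASE` is UNKNOWN for NULL, so the row falls through to `' "soft delete" and "do not purge" enabled.'` — a reason that contradicts its own status. Wrapping the flags as `COALESCE(soft_delete_enabled, FALSE)` and `COALESCE(purge_protection_enabled, FALSE)` in both `CASE`s keeps status and reason consistent. `name` is also unqualified while `kv` and `sub` are both in scope.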
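Review bot: The alarm reason `name || ' have RBAC disabled.'` disagrees in number with the `ok` branch's `' has RBAC enabled.'`; use `' has RBAC disabled.'`. As in 8.5, `name` is unqualified although `kv` and `sub` are both in scope.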
diff --git a/compliance/controls/azure/azure_cis_v210_8_8.yaml b/compliance/controls/azure/azure_cis_v210_8_8.yaml index a0cb230d3..a1290b356 100644 --- a/compliance/controls/azure/azure_cis_v210_8_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_8.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_8_8 title: 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services +type: control description: Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_9_1.yaml b/compliance/controls/azure/azure_cis_v210_9_1.yaml index d81951df3..c30650916 100644 --- a/compliance/controls/azure/azure_cis_v210_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_1.yaml 
@@ -1,30 +1,30 @@ id: azure_cis_v210_9_1 title: 9.1 Ensure App Service Authentication is set up for apps in Azure App Service +type: control description: Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. integration_type: - - azure_subscription - +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' - ELSE name || ' authentication set.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN name || ' authentication not set.' + ELSE name || ' authentication set.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
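Review bot: `WHEN NOT (auth_settings -> 'properties' ->> 'enabled')::boolean THEN 'alarm'` is UNKNOWN when `auth_settings` is NULL or lacks the key, so an app with no authentication configuration at all is reported `'ok'` — the control fails open exactly where it should alarm. `WHEN NOT COALESCE((auth_settings -> 'properties' ->> 'enabled')::boolean, FALSE) THEN 'alarm'` (and the same in the reason `CASE`) makes a missing setting an alarm. The same NULL fall-through to `'ok'` exists in 9.2 (`NOT https_only`), 9.3 (`... ->> 'minTlsVersion' < '1.2'`) and 9.4 (`identity = '{}'`) below.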
diff --git a/compliance/controls/azure/azure_cis_v210_9_10.yaml b/compliance/controls/azure/azure_cis_v210_9_10.yaml index 1cd7d4ce2..3c85c7a16 100644 --- a/compliance/controls/azure/azure_cis_v210_9_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_10.yaml @@ -1,23 +1,24 @@ id: azure_cis_v210_9_10 title: 9.10 Ensure Azure Key Vaults are Used to Store Secrets +type: control description: Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cis_v210_9_2.yaml b/compliance/controls/azure/azure_cis_v210_9_2.yaml index 4e8818601..1a7db0ebb 100644 --- a/compliance/controls/azure/azure_cis_v210_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_2.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_9_2 title: 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service +type: control description: Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT https_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' - ELSE name || ' redirects all HTTP traffic to HTTPS.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT https_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT https_only THEN name || ' does not redirect all HTTP traffic to HTTPS.' + ELSE name || ' redirects all HTTP traffic to HTTPS.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_9_3.yaml b/compliance/controls/azure/azure_cis_v210_9_3.yaml index 1cc9012b9..d9da7698b 100644 --- a/compliance/controls/azure/azure_cis_v210_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_3.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_9_3 title: 9.3 Ensure Web App is using the latest version of TLS encryption +type: control description: The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' - ELSE name || ' using the latest version of TLS encryption.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN configuration -> 'properties' ->> 'minTlsVersion' < '1.2' THEN name || ' not using the latest version of TLS encryption.' + ELSE name || ' using the latest version of TLS encryption.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_9_4.yaml b/compliance/controls/azure/azure_cis_v210_9_4.yaml index 8b6517e41..631b7f7e0 100644 --- a/compliance/controls/azure/azure_cis_v210_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_4.yaml @@ -1,29 +1,30 @@ id: azure_cis_v210_9_4 title: 9.4 Ensure that Register with Entra ID is enabled on App Service +type: control description: Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN identity = '{}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' - ELSE name || ' register with azure active directory enabled.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN identity = '{}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity = '{}' THEN name || ' register with azure active directory disabled.' + ELSE name || ' register with azure active directory enabled.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} 
diff --git a/compliance/controls/azure/azure_cis_v210_9_5.yaml b/compliance/controls/azure/azure_cis_v210_9_5.yaml index 71fa9e18d..b59834817 100644 --- a/compliance/controls/azure/azure_cis_v210_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_5.yaml 
@@ -1,56 +1,57 @@ id: azure_cis_v210_9_5 title: 9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App +type: control description: Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(regexp_split_to_array(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND EXISTS ( - SELECT - FROM - UNNEST(regexp_split_to_array(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN a.name || ' not using php version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN a.name || ' using the latest php version.' - ELSE a.name || ' not using latest php version.' 
- END AS reason - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND EXISTS ( + SELECT + FROM + UNNEST(regexp_split_to_array(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PHP%' THEN a.name || ' not using php version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' THEN a.name || ' using the latest php version.' + ELSE a.name || ' not using latest php version.' + END AS reason + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_9_6.yaml b/compliance/controls/azure/azure_cis_v210_9_6.yaml index 11be98fbb..5a12c8fdc 100644 --- a/compliance/controls/azure/azure_cis_v210_9_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_6.yaml 
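Review bot: The "latest" runtime is a hard-coded literal, `= 'PHP|8.0'`, so any app on a newer PHP runtime is reported as 'alarm' with "not using latest php version" until someone edits this file; since the control declares `parameters: []`, the expected runtime string looks like a natural candidate for a parameter, or at minimum a `-- latest PHP runtime per CIS v2.1.0, review on each benchmark update` comment above the CTE. The same applies to 9_6 (`'PYTHON|3.9'`) and 9_7, where `LIKE '%11'` is looser still: it passes any runtime string ending in "11" and alarms every other `JAVA%` value. The `all_web_app` CTE is only re-indented by this commit, but note that `configuration` and `kind` in the outer query are unqualified and only resolve unambiguously while the CTE exposes just `id`.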
@@ -1,55 +1,56 @@ id: azure_cis_v210_9_6 title: 9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App +type: control description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN a.name || ' not using python version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN a.name || ' using the latest python version.' - ELSE a.name || ' not using latest python version.' 
- END AS reason - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND EXISTS ( + SELECT + FROM + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is not of linux kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'PYTHON%' THEN a.name || ' not using python version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' THEN a.name || ' using the latest python version.' + ELSE a.name || ' not using latest python version.' + END AS reason + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_9_7.yaml b/compliance/controls/azure/azure_cis_v210_9_7.yaml index 0e3a198ee..ca9e094af 100644 --- a/compliance/controls/azure/azure_cis_v210_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_7.yaml 
@@ -1,57 +1,58 @@ id: azure_cis_v210_9_7 title: 9.7 Ensure that 'Java version' is the latest, if used to run the Web App +type: control description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH all_web_app AS ( + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH all_web_app AS ( + SELECT + id + FROM + azure_app_service_web_app + WHERE + EXISTS ( SELECT - id FROM - azure_app_service_web_app + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem WHERE - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem LIKE 'app%' - ) - AND - EXISTS ( - SELECT - FROM - UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem - WHERE - elem = 'linux' - ) + elem LIKE 'app%' ) - - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NULL THEN 'skip' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN 'ok' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN a.name || ' not using JAVA version.' - WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' - ELSE a.name || ' not using latest JAVA version.' 
- END AS reason - FROM - azure_app_service_web_app AS a - LEFT JOIN all_web_app AS b ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + AND + EXISTS ( + SELECT + FROM + UNNEST(REGEXP_SPLIT_TO_ARRAY(kind, ',')) elem + WHERE + elem = 'linux' + ) + ) + + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NULL THEN 'skip' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN 'ok' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.id IS NULL THEN a.title || ' is ' || a.kind || ' kind.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' NOT LIKE 'JAVA%' THEN a.name || ' not using JAVA version.' + WHEN configuration -> 'properties' ->> 'linuxFxVersion' LIKE '%11' THEN a.name || ' using the latest JAVA version.' + ELSE a.name || ' not using latest JAVA version.' + END AS reason + FROM + azure_app_service_web_app AS a + LEFT JOIN all_web_app AS b ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cis_v210_9_8.yaml b/compliance/controls/azure/azure_cis_v210_9_8.yaml index 2f925b5a3..14790ba94 100644 --- a/compliance/controls/azure/azure_cis_v210_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_8.yaml 
@@ -1,29 +1,30 @@ id: azure_cis_v210_9_8 title: 9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App +type: control description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - SELECT - app.id AS resource, - app.platform_integration_id AS platform_integration_id, - app.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN name || ' HTTP version not latest.' - ELSE name || ' HTTP version is latest.' - END AS reason - FROM - azure_app_service_web_app AS app, - azure_subscription AS sub - WHERE - sub.subscription_id = app.subscription_id; + language: sql + primary_resource: azure_app_service_web_app + definition: | + SELECT + app.id AS resource, + app.platform_integration_id AS platform_integration_id, + app.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (configuration -> 'properties' ->> 'http20Enabled')::BOOLEAN THEN name || ' HTTP version not latest.' + ELSE name || ' HTTP version is latest.' + END AS reason + FROM + azure_app_service_web_app AS app, + azure_subscription AS sub + WHERE + sub.subscription_id = app.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml index ddcdcca28..b19ffad5d 100644 
--- a/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml 
@@ -1,47 +1,48 @@ id: azure_cognitive_account_encrypted_with_cmk title: Cognitive Services accounts should enable data encryption with a customer-managed key +type: control description: Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cognitive_account - definition: | - WITH cognitive_account_cmk AS ( - SELECT - DISTINCT a.id - FROM - azure_cognitive_account AS a, - jsonb_array_elements(capabilities) AS c - WHERE - c ->> 'name' = 'CustomerManagedKey' - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'ok' - WHEN c.id IS NOT NULL AND encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.id IS NULL THEN name || ' encryption not supported.' - WHEN c.id IS NOT NULL AND encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN name || ' encrypted with CMK.' - ELSE name || ' not encrypted with CMK.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cognitive_account AS s - LEFT JOIN cognitive_account_cmk AS c ON c.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_cognitive_account + definition: | + WITH cognitive_account_cmk AS ( + SELECT + DISTINCT a.id + FROM + azure_cognitive_account AS a, + jsonb_array_elements(capabilities) AS c + WHERE + c ->> 'name' = 'CustomerManagedKey' + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'ok' + WHEN c.id IS NOT NULL AND encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.id IS NULL THEN name || ' encryption not supported.' + WHEN c.id IS NOT NULL AND encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN name || ' encrypted with CMK.' + ELSE name || ' not encrypted with CMK.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cognitive_account AS s + LEFT JOIN cognitive_account_cmk AS c ON c.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveServices + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveServices diff --git a/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml b/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml index 9d09a0fdb..2207b1eb3 100644 --- a/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml +++ b/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml 
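Review bot: `WHEN c.id IS NULL THEN 'ok'` marks accounts that lack the `CustomerManagedKey` capability as compliant while the reason says "encryption not supported"; the 9_5–9_7 controls in this same commit use 'skip' for not-applicable resources, and 'skip' (or 'info') here would keep the status honest and stop these accounts from inflating the pass count. The `c.id IS NOT NULL AND` on the second WHEN is redundant once the first WHEN has consumed the NULL case and can be dropped. `name` and `encryption` in the outer SELECT are unqualified although the query joins three relations; `s.name` and `s.encryption` would guard against a future column clash.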
@@ -1,49 +1,50 @@ id: azure_cognitive_account_private_link_used title: Cognitive Services should use private link +type: control description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cognitive_account - definition: | - WITH cognitive_account AS ( - SELECT DISTINCT a.id - FROM azure_cognitive_account AS a, - jsonb_array_elements(capabilities) AS c - WHERE c ->> 'name' = 'VirtualNetworks' - ), - cognitive_account_connections AS ( - SELECT DISTINCT a.id - FROM cognitive_account AS a - LEFT JOIN azure_cognitive_account AS b ON a.id = b.id, - jsonb_array_elements(private_endpoint_connections) AS c - WHERE c -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - b.id AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(b.private_endpoint_connections) = 0 THEN 'info' - WHEN c.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(b.private_endpoint_connections) = 0 THEN b.name || ' no private link exists.' - WHEN c.id IS NOT NULL THEN b.name || ' uses private link.' - ELSE b.name || ' not uses private link.' 
- END AS reason, - b.resource_group AS resource_group, - sub.display_name AS subscription - FROM azure_cognitive_account AS b - LEFT JOIN cognitive_account_connections AS c ON b.id = c.id, - azure_subscription AS sub - WHERE sub.subscription_id = b.subscription_id; + language: sql + primary_resource: azure_cognitive_account + definition: | + WITH cognitive_account AS ( + SELECT DISTINCT a.id + FROM azure_cognitive_account AS a, + jsonb_array_elements(capabilities) AS c + WHERE c ->> 'name' = 'VirtualNetworks' + ), + cognitive_account_connections AS ( + SELECT DISTINCT a.id + FROM cognitive_account AS a + LEFT JOIN azure_cognitive_account AS b ON a.id = b.id, + jsonb_array_elements(private_endpoint_connections) AS c + WHERE c -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + b.id AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(b.private_endpoint_connections) = 0 THEN 'info' + WHEN c.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(b.private_endpoint_connections) = 0 THEN b.name || ' no private link exists.' + WHEN c.id IS NOT NULL THEN b.name || ' uses private link.' + ELSE b.name || ' not uses private link.' + END AS reason, + b.resource_group AS resource_group, + sub.display_name AS subscription + FROM azure_cognitive_account AS b + LEFT JOIN cognitive_account_connections AS c ON b.id = c.id, + azure_subscription AS sub + WHERE sub.subscription_id = b.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveServices + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveServices diff --git a/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml b/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml index 69df5af2c..8a3c3f5e7 100644 
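Review bot: `jsonb_array_length(b.private_endpoint_connections) = 0` is NULL rather than true when the column itself is NULL, so an account with no connections array at all skips the 'info' branch and is reported as 'alarm' with "not uses private link"; `COALESCE(jsonb_array_length(b.private_endpoint_connections), 0) = 0` makes the 'info' branch cover both shapes. In the `cognitive_account_connections` CTE the `LEFT JOIN ... , jsonb_array_elements(private_endpoint_connections)` behaves as an inner join, since the set-returning function yields no row for a NULL argument, so `INNER JOIN` would state what actually happens. The JSON path `-> 'PrivateLinkServiceConnectionState' ->> 'status'` also differs from the `->> 'PrivateLinkServiceConnectionStateStatus'` key used by the disk-access control in this commit; both should be confirmed against the column's actual shape, because a wrong key here silently yields 'alarm' for every account that has connections.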
--- a/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml 
@@ -1,35 +1,36 @@ id: azure_cognitive_account_public_network_access_disabled title: Cognitive Services accounts should disable public network access +type: control description: Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cognitive_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cognitive_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_cognitive_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cognitive_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveServices + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveServices 
diff --git a/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml b/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml index 611b7b4ee..d4088361b 100644 --- a/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml 
@@ -1,47 +1,48 @@ id: azure_cognitive_account_restrict_public_access title: Cognitive Services accounts should restrict network access +type: control description: Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cognitive_account - definition: | - WITH account_with_public_access_restricted AS ( - SELECT - a.id - FROM - azure_cognitive_account AS a, - jsonb_array_elements(capabilities) AS c - WHERE - c ->> 'name' = 'VirtualNetworks' - AND network_acls ->> 'defaultAction' <> 'Deny' - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.id IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.id IS NOT NULL THEN a.name || ' publicly accessible.' - ELSE a.name || ' publicly not accessible.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cognitive_account AS a - LEFT JOIN account_with_public_access_restricted AS b - ON a.id = b.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cognitive_account + definition: | + WITH account_with_public_access_restricted AS ( + SELECT + a.id + FROM + azure_cognitive_account AS a, + jsonb_array_elements(capabilities) AS c + WHERE + c ->> 'name' = 'VirtualNetworks' + AND network_acls ->> 'defaultAction' <> 'Deny' + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.id IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.id IS NOT NULL THEN a.name || ' publicly accessible.' + ELSE a.name || ' publicly not accessible.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cognitive_account AS a + LEFT JOIN account_with_public_access_restricted AS b + ON a.id = b.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveServices + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveServices diff --git a/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml b/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml index 087baffcf..e3ab4e7c5 100644 --- a/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml +++ b/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml 
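Review bot: The CTE named `account_with_public_access_restricted` selects the accounts whose `network_acls ->> 'defaultAction' <> 'Deny'`, i.e. the ones that are NOT restricted, and the outer query alarms on a hit; a name such as `account_with_public_access_allowed` would match what the status logic does. When `network_acls` is NULL or lacks `defaultAction` the comparison is NULL, the account drops out of the CTE and is reported 'ok' as "publicly not accessible", so an account with no network rules at all passes; `network_acls ->> 'defaultAction' IS DISTINCT FROM 'Deny'` keeps it in the alarm set. `DISTINCT a.name AS resource` departs from the sibling controls, which emit `a.id AS resource`; the DISTINCT appears to be compensating for the CTE having no DISTINCT of its own, and keying on name rather than id risks collapsing distinct accounts if names repeat.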
@@ -1,33 +1,34 @@ id: azure_cognitive_service_local_auth_disabled title: Cognitive Services accounts should have local authentication methods disabled +type: control description: Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cognitive_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN disable_local_auth THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN disable_local_auth THEN a.name || ' account local authentication enabled.' - ELSE a.name || ' account local authentication disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cognitive_account a, - azure_subscription sub; + language: sql + primary_resource: azure_cognitive_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN disable_local_auth THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN disable_local_auth THEN a.name || ' account local authentication enabled.' + ELSE a.name || ' account local authentication disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cognitive_account a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveServices + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveServices diff --git a/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml b/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml index ba8ad6458..520548169 100644 
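Review bot: The reason strings are inverted relative to the status: `WHEN disable_local_auth THEN a.name || ' account local authentication enabled.'` is emitted for the 'ok' row, where local auth is in fact disabled, and the ELSE branch says "disabled" for the 'alarm' row; swap them so the WHEN branch reads `a.name || ' account local authentication disabled.'` and the ELSE branch `a.name || ' account local authentication enabled.'`. `FROM azure_cognitive_account a, azure_subscription sub;` has no join predicate, so every account is paired with every subscription, multiplying the rows and attaching an arbitrary `sub.display_name`; the sibling controls in this commit end with `WHERE sub.subscription_id = a.subscription_id`, and it is needed here too. A NULL `disable_local_auth` falls through to 'alarm', which is the safe direction, so that branch can stay as is.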
--- a/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml +++ b/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml 
@@ -1,40 +1,41 @@ id: azure_compute_disk_access_uses_private_link title: Disk access resources should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk_access - definition: | - WITH compute_disk_connection AS ( - SELECT DISTINCT a.id - FROM azure_compute_disk_access AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - SELECT - b.id AS resource, - b.platform_integration_id AS platform_integration_id, - b.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN b.name || ' not uses private link.' - ELSE b.name || ' uses private link.' 
- END AS reason, - b.resource_group AS resource_group, - sub.display_name AS subscription - FROM azure_compute_disk_access AS b - LEFT JOIN compute_disk_connection AS c ON b.id = c.id, - azure_subscription AS sub - WHERE sub.subscription_id = b.subscription_id; + language: sql + primary_resource: azure_compute_disk_access + definition: | + WITH compute_disk_connection AS ( + SELECT DISTINCT a.id + FROM azure_compute_disk_access AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' + ) + SELECT + b.id AS resource, + b.platform_integration_id AS platform_integration_id, + b.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN b.name || ' not uses private link.' + ELSE b.name || ' uses private link.' + END AS reason, + b.resource_group AS resource_group, + sub.display_name AS subscription + FROM azure_compute_disk_access AS b + LEFT JOIN compute_disk_connection AS c ON b.id = c.id, + azure_subscription AS sub + WHERE sub.subscription_id = b.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml index 8a8b2ae0b..30e7ba5f2 100644 --- a/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml 
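Review bot: The alarm reason `b.name || ' not uses private link.'` is ungrammatical and will surface verbatim in findings; `b.name || ' does not use private link.'` reads correctly. The logic itself looks sound: a disk-access resource with no `Approved` entry in `private_endpoint_connections` (including a NULL array, which yields no rows from `jsonb_array_elements`) lands in the alarm branch.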
@@ -1,38 +1,39 @@ id: azure_compute_disk_unattached_encrypted_with_cmk title: Unattached Compute disks should be encrypted with ADE/CMK +type: control description: This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_by IS NOT NULL - OR managed_by != '' - OR encryption_type = 'EncryptionAtRestWithCustomerKey' - OR encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN managed_by IS NOT NULL - OR managed_by != '' - OR encryption_type = 'EncryptionAtRestWithCustomerKey' - OR encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' - THEN disk.name || ' attached and encrypted with ADE/CMK.' - ELSE disk.name || ' unattached and encrypted with default encryption key.' 
- END AS reason - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_by IS NOT NULL + OR managed_by != '' + OR encryption_type = 'EncryptionAtRestWithCustomerKey' + OR encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN managed_by IS NOT NULL + OR managed_by != '' + OR encryption_type = 'EncryptionAtRestWithCustomerKey' + OR encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' + THEN disk.name || ' attached and encrypted with ADE/CMK.' + ELSE disk.name || ' unattached and encrypted with default encryption key.' + END AS reason + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml index 224f670b0..8c00ddf01 100644 --- a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml 
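Review bot: The predicate `managed_by IS NOT NULL OR managed_by != ''` makes the second disjunct dead: it is only evaluated when `managed_by IS NULL`, where `NULL != ''` is UNKNOWN, so an empty-string `managed_by` is treated as "attached" and silently passes. The intent reads as `(managed_by IS NOT NULL AND managed_by != '')`, and the same change belongs in the `reason` CASE below it. The ok reason `' attached and encrypted with ADE/CMK.'` is also emitted when the match came from the `encryption_type` branch on a disk that is not attached, so the message should not assert attachment. This control's select list additionally omits the `resource_group` and `subscription` columns that every neighbouring disk control in this diff returns, which looks like an inconsistency rather than a choice.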
@@ -1,50 +1,51 @@ id: azure_compute_os_and_data_disk_encrypted_with_cmk title: OS and data disks should be encrypted with a customer-managed key +type: control description: Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason, - disk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' 
+ END AS reason, + disk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '7.2' - cis_level: - - '2' - cis_section_id: - - '7' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Compute + category: + - Compliance + cis: + - "true" + cis_item_id: + - "7.2" + cis_level: + - "2" + cis_section_id: + - "7" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml index c3dc07d74..f655038b7 100644 --- a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml +++ b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml 
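Review bot: Only `encryption_type = 'EncryptionAtRestWithCustomerKey'` yields `ok`, so a disk using `EncryptionAtRestWithPlatformAndCustomerKeys` — which, per the description of the double-encryption control later in this diff, still uses a customer-managed key — is reported as `' not encrypted with CMK.'`. If double encryption is meant to satisfy this control (it arguably exceeds it), the check should be `WHEN encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys') THEN 'ok'`; if the stricter reading is intentional, a `# note:` line in the YAML stating that double-encrypted disks deliberately alarm would save the next reviewer the same question. The identical condition appears in the `azure_compute_unattached_disk_encrypted_with_cmk` hunk below and should be decided the same way.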
@@ -1,36 +1,37 @@ id: azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed title: Managed disks should be double encrypted with both platform-managed and customer-managed keys +type: control description: High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' THEN disk.name || ' encrypted with both platform-managed and customer-managed keys.' - ELSE disk.name || ' not encrypted with both platform-managed and customer-managed keys.' 
- END AS reason, - disk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state = 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' THEN disk.name || ' encrypted with both platform-managed and customer-managed keys.' + ELSE disk.name || ' not encrypted with both platform-managed and customer-managed keys.' + END AS reason, + disk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state = 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml index 8b9ac06f8..6af8d2c79 100644 --- a/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml 
@@ -1,50 +1,51 @@ id: azure_compute_unattached_disk_encrypted_with_cmk title: Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) +type: control description: Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id AS platform_integration_id, - disk.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' - ELSE disk.name || ' not encrypted with CMK.' - END AS reason, - disk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_disk disk, - azure_subscription sub - WHERE - disk_state != 'Attached' - AND sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id AS platform_integration_id, + disk.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN disk.name || ' encrypted with CMK.' + ELSE disk.name || ' not encrypted with CMK.' 
+ END AS reason, + disk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_disk disk, + azure_subscription sub + WHERE + disk_state != 'Attached' + AND sub.subscription_id = disk.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '7.3' - cis_level: - - '2' - cis_section_id: - - '7' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Compute + category: + - Compliance + cis: + - "true" + cis_item_id: + - "7.3" + cis_level: + - "2" + cis_section_id: + - "7" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml b/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml index 25a675186..7a1b08fd5 100644 --- a/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml 
@@ -1,48 +1,49 @@ id: azure_compute_vm_account_with_password_linux title: Audit Linux machines that have accounts without passwords +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines have accounts without passwords. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_ssh_key_auth AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - JSONB_ARRAY_ELEMENTS(guest_configuration_assignments) AS b - WHERE - b -> 'guestConfiguration' ->> 'name' = 'PasswordPolicy_msid232' - AND b ->> 'complianceStatus' = 'Compliant' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Linux' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' have accounts with passwords.' - ELSE a.title || ' does not have accounts with passwords.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN vm_ssh_key_auth AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_ssh_key_auth AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + JSONB_ARRAY_ELEMENTS(guest_configuration_assignments) AS b + WHERE + b -> 'guestConfiguration' ->> 'name' = 'PasswordPolicy_msid232' + AND b ->> 'complianceStatus' = 'Compliant' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Linux' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' have accounts with passwords.' + ELSE a.title || ' does not have accounts with passwords.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN vm_ssh_key_auth AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml b/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml index 45d73648c..eee9b659f 100644 --- a/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml 
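Review bot: The CTE is named `vm_ssh_key_auth` but selects VMs whose guest-configuration assignment `PasswordPolicy_msid232` reports `Compliant`; nothing in it concerns SSH keys, so a name such as `vm_password_policy_compliant` would match what it produces. The alarm reason `' does not have accounts with passwords.'` also reads as the opposite of the title's condition; `ELSE a.title || ' has accounts without passwords.'` states the finding directly. As a point of style, this is the one definition in the diff whose statement does not end with `;` after `sub.subscription_id = a.subscription_id`.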
@@ -1,23 +1,24 @@ id: azure_compute_vm_adaptive_application_controls_enabled title: Adaptive application controls for defining safe applications should be enabled on your machines +type: control description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml b/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml index 793b7d6b0..d2c160ec0 100644 --- a/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml +++ b/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_adaptive_network_hardening_recommendation_applied title: Adaptive network hardening recommendations should be applied on internet facing virtual machines +type: control description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml index 0b5451744..eae57c45c 100644 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_administrators_group_with_extra_accounts_windows title: Audit Windows machines that have extra accounts in the Administrators group +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml index b082e7b6b..3c1c5fa3c 100644 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_administrators_group_with_no_specified_members_windows title: Audit Windows machines missing any of specified members in the Administrators group +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml index 08795ec8e..2dda0fe73 100644 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_administrators_group_with_specified_members_windows title: Audit Windows machines that have the specified members in the Administrators group +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml b/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml index 75a89e120..680114f40 100644 --- a/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml +++ b/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated title: Allowlist rules in your adaptive application control policy should be updated +type: control description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml b/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml index ab5f0677b..415879436 100644 --- a/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml 
@@ -1,61 +1,62 @@ id: azure_compute_vm_and_sacle_set_encryption_at_host_enabled title: Virtual machines and virtual machine scale sets should have encryption at host enabled +type: control description: Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - ( - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - 'azure_compute_virtual_machine' AS platform_table_name, - CASE - WHEN security_profile -> 'encryptionAtHost' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN security_profile -> 'encryptionAtHost' = 'true' THEN a.name || ' encryption at host enabled.' - ELSE a.name || ' encryption at host disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id - ) - UNION - ( - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - 'azure_compute_virtual_machine_scale_set' AS platform_table_name, - CASE - WHEN virtual_machine_security_profile -> 'encryptionAtHost' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN virtual_machine_security_profile -> 'encryptionAtHost' = 'true' THEN a.name || ' encryption at host enabled.' - ELSE a.name || ' encryption at host disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine_scale_set AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id - ) + language: sql + primary_resource: "" + definition: | + ( + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + 'azure_compute_virtual_machine' AS platform_table_name, + CASE + WHEN security_profile -> 'encryptionAtHost' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN security_profile -> 'encryptionAtHost' = 'true' THEN a.name || ' encryption at host enabled.' + ELSE a.name || ' encryption at host disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id + ) + UNION + ( + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + 'azure_compute_virtual_machine_scale_set' AS platform_table_name, + CASE + WHEN virtual_machine_security_profile -> 'encryptionAtHost' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN virtual_machine_security_profile -> 'encryptionAtHost' = 'true' THEN a.name || ' encryption at host enabled.' + ELSE a.name || ' encryption at host disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine_scale_set AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id + ) severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute 
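Review bot: The two branches of this definition are disjoint by construction — each emits a different literal in `platform_table_name` — so `UNION` only adds a sort-and-dedup pass over every VM and scale set; `UNION ALL` is the correct operator here. The control id `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` also carries the typo "sacle" into the new file name and id; renaming is out of scope for a reformat commit but is worth a follow-up, since ids are what downstream benchmarks reference.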
diff --git a/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml b/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml index d89481170..0d52a8cda 100644 --- a/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml +++ b/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml 
@@ -1,62 +1,63 @@ id: azure_compute_vm_attached_with_network title: Virtual machines should be connected to an approved virtual network +type: control description: This policy audits any virtual machine connected to a virtual network that is not approved. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_with_network_interfaces AS ( - SELECT - vm.id AS vm_id, - n ->> 'id' AS network_id - FROM - azure_compute_virtual_machine AS vm, - jsonb_array_elements(network_interfaces) AS n - ), - vm_with_approved_networks AS ( - SELECT - vn.vm_id AS vm_id, - vn.network_id AS network_id, - t.title AS title - FROM - vm_with_network_interfaces AS vn - LEFT JOIN azure_network_interface AS t ON t.id = vn.network_id - WHERE EXISTS ( - SELECT - ip -> 'properties' -> 'subnet' ->> 'id' AS ip - FROM - azure_network_interface, - jsonb_array_elements(ip_configurations) AS ip - WHERE - ip -> 'properties' -> 'subnet' ->> 'id' IS NOT NULL - ) - ) + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_with_network_interfaces AS ( + SELECT + vm.id AS vm_id, + n ->> 'id' AS network_id + FROM + azure_compute_virtual_machine AS vm, + jsonb_array_elements(network_interfaces) AS n + ), + vm_with_approved_networks AS ( + SELECT + vn.vm_id AS vm_id, + vn.network_id AS network_id, + t.title AS title + FROM + vm_with_network_interfaces AS vn + LEFT JOIN azure_network_interface AS t ON t.id = vn.network_id + WHERE EXISTS ( SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.vm_id IS NULL THEN a.title || ' not attached with virtual network.' - ELSE a.name || ' attached with virtual network ' || b.title || '.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription + ip -> 'properties' -> 'subnet' ->> 'id' AS ip FROM - azure_compute_virtual_machine AS a - LEFT JOIN vm_with_approved_networks AS b ON a.id = b.vm_id, - azure_subscription sub + azure_network_interface, + jsonb_array_elements(ip_configurations) AS ip WHERE - sub.subscription_id = a.subscription_id + ip -> 'properties' -> 'subnet' ->> 'id' IS NOT NULL + ) + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.vm_id IS NULL THEN a.title || ' not attached with virtual network.' + ELSE a.name || ' attached with virtual network ' || b.title || '.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN vm_with_approved_networks AS b ON a.id = b.vm_id, + azure_subscription sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml b/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml index 12220625d..75772bce7 100644 --- a/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml 
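Review bot: The `WHERE EXISTS (...)` filter inside the `vm_with_approved_networks` CTE is not correlated to the joined interface `t`: it reads `azure_network_interface` as a whole, so it is true whenever any NIC in the inventory has a subnet id, and every VM that has a NIC row is reported `ok` regardless of its own configuration. Correlate it to the VM's interface, e.g. `WHERE EXISTS (SELECT 1 FROM jsonb_array_elements(t.ip_configurations) AS ip WHERE ip -> 'properties' -> 'subnet' ->> 'id' IS NOT NULL)`. With `parameters: []` there is no approved-network list, so even corrected the control only verifies subnet attachment, not the "approved virtual network" the title promises, and `' attached with virtual network ' || b.title` prints the NIC title rather than a VNet name. The two reason branches also mix `a.title` and `a.name`; pick one.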
@@ -1,23 +1,24 @@ id: azure_compute_vm_azure_backup_enabled title: Azure Backup should be enabled for Virtual Machines +type: control description: Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml index df8e7964f..be2a2b835 100644 --- a/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml 
@@ -1,23 +1,24 @@ id: azure_compute_vm_container_security_configurations_vulnerabilities_remediated title: Vulnerabilities in container security configurations should be remediated +type: control description: Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml b/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml index ebbe9055b..8a892c7f4 100644 --- a/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml +++ b/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml 
@@ -1,46 +1,47 @@ id: azure_compute_vm_data_and_os_disk_uses_managed_disk title: Compute virtual machines should use managed disk for OS and data disk +type: control description: This control checks whether virtual machines use managed disks for OS and data disks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH data_disk_with_no_managed_disk AS ( - SELECT - id AS vm_id, - COUNT(*) AS count - FROM - azure_compute_virtual_machine, - jsonb_array_elements(data_disks) AS d - WHERE - d -> 'managedDisk' ->> 'id' IS NULL - GROUP BY - id - ) - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL AND d.count > 0 THEN 'alarm' - WHEN managed_disk_id IS NULL THEN 'alarm' - WHEN d.count > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL AND d.count > 0 THEN vm.name || ' not utilizing managed disks for both data and OS disk.' - WHEN managed_disk_id IS NULL THEN vm.name || ' not utilizing managed disks for OS disk.' - WHEN d.count > 0 THEN vm.name || ' not utilizing managed disks for data disk.' - ELSE vm.name || ' utilizing managed disks for both data and OS disk.' 
- END AS reason - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN data_disk_with_no_managed_disk AS d ON d.vm_id = vm.id, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH data_disk_with_no_managed_disk AS ( + SELECT + id AS vm_id, + COUNT(*) AS count + FROM + azure_compute_virtual_machine, + jsonb_array_elements(data_disks) AS d + WHERE + d -> 'managedDisk' ->> 'id' IS NULL + GROUP BY + id + ) + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL AND d.count > 0 THEN 'alarm' + WHEN managed_disk_id IS NULL THEN 'alarm' + WHEN d.count > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL AND d.count > 0 THEN vm.name || ' not utilizing managed disks for both data and OS disk.' + WHEN managed_disk_id IS NULL THEN vm.name || ' not utilizing managed disks for OS disk.' + WHEN d.count > 0 THEN vm.name || ' not utilizing managed disks for data disk.' + ELSE vm.name || ' utilizing managed disks for both data and OS disk.' + END AS reason + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN data_disk_with_no_managed_disk AS d ON d.vm_id = vm.id, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml b/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml index ae2c6dd23..b9ca38509 100644 --- a/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml 
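Review bot: The final SELECT joins `azure_subscription AS sub` but emits neither `resource_group` nor `subscription`, unlike the other compute controls in this change, so the join acts only as a filter and findings lose their subscription context; add `vm.resource_group AS resource_group, sub.display_name AS subscription` after the reason column. `managed_disk_id` in the CASE branches is unqualified (presumably the VM's OS-disk column); writing `vm.managed_disk_id` makes that explicit next to the `d` CTE. The first status branch `managed_disk_id IS NULL AND d.count > 0 THEN 'alarm'` is subsumed by the two that follow and can be dropped from the status CASE (it is still needed in the reason CASE).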
@@ -1,47 +1,48 @@ id: azure_compute_vm_disaster_recovery_enabled title: Audit virtual machines without disaster recovery configured +type: control description: Audit virtual machines which do not have disaster recovery configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_dr_enabled AS ( - SELECT - SUBSTR(source_id, 0, LENGTH(source_id)) AS source_id - FROM - azure_resource_link AS l - LEFT JOIN azure_compute_virtual_machine AS vm - ON LOWER(SUBSTR(source_id, 0, LENGTH(source_id))) = LOWER(vm.id) - WHERE - l.name LIKE 'ASR-Protect-%' - ) - SELECT - vm.vm_id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN l.source_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN l.source_id IS NULL THEN vm.title || ' disaster recovery disabled.' - ELSE vm.title || ' disaster recovery enabled.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN vm_dr_enabled AS l - ON LOWER(vm.id) = LOWER(l.source_id), - azure_subscription sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_dr_enabled AS ( + SELECT + SUBSTR(source_id, 0, LENGTH(source_id)) AS source_id + FROM + azure_resource_link AS l + LEFT JOIN azure_compute_virtual_machine AS vm + ON LOWER(SUBSTR(source_id, 0, LENGTH(source_id))) = LOWER(vm.id) + WHERE + l.name LIKE 'ASR-Protect-%' + ) + SELECT + vm.vm_id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN l.source_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN l.source_id IS NULL THEN vm.title || ' disaster recovery disabled.' 
+ ELSE vm.title || ' disaster recovery enabled.' + END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN vm_dr_enabled AS l + ON LOWER(vm.id) = LOWER(l.source_id), + azure_subscription sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml index b5fb26879..aef1de680 100644 --- a/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml 
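Review bot: The `vm_dr_enabled` CTE LEFT JOINs `azure_compute_virtual_machine AS vm` but selects nothing from it, and the outer query repeats the same `LOWER(vm.id) = LOWER(l.source_id)` join, so the inner join is dead weight that can only duplicate link rows; reduce the CTE to `FROM azure_resource_link AS l WHERE l.name LIKE 'ASR-Protect-%'`. In PostgreSQL `SUBSTR(source_id, 0, LENGTH(source_id))` returns the first LENGTH-1 characters, i.e. it silently drops the last character of `source_id`; if that is intentional (presumably to strip a trailing character so it matches `vm.id`), document it with `-- SUBSTR from 0 drops the trailing character of source_id so it matches vm.id` so the next reader does not "fix" it.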
@@ -1,23 +1,24 @@ id: azure_compute_vm_endpoint_protection_agent_installed title: Monitor missing Endpoint Protection in Azure Security Center +type: control description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml index 43db622a9..ef9fb9930 100644 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml 
@@ -1,46 +1,47 @@ id: azure_compute_vm_guest_configuration_installed title: Guest Configuration extension should be installed on your machines +type: control description: To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - AND b ->> 'ProvisioningState' = 'Succeeded' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' - ELSE a.title || ' guest configuration extension not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + AND b ->> 'ProvisioningState' = 'Succeeded' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' + ELSE a.title || ' guest configuration extension not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml index 9bc7c357c..dcdca5299 100644 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml 
@@ -1,50 +1,51 @@ id: azure_compute_vm_guest_configuration_installed_linux title: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs +type: control description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - JSONB_ARRAY_ELEMENTS(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - AND b ->> 'ProvisioningState' = 'Succeeded' - AND b ->> 'ExtensionType' = 'ConfigurationforLinux' - AND b ->> 'Name' LIKE '%AzurePolicyforLinux' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Linux' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' - ELSE a.title || ' guest configuration extension not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + JSONB_ARRAY_ELEMENTS(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + AND b ->> 'ProvisioningState' = 'Succeeded' + AND b ->> 'ExtensionType' = 'ConfigurationforLinux' + AND b ->> 'Name' LIKE '%AzurePolicyforLinux' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Linux' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' + ELSE a.title || ' guest configuration extension not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml index 3b8054afd..abf25677a 100644 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml 
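Review bot: `WHEN a.os_type <> 'Linux' THEN 'skip'` evaluates to NULL when `os_type` is NULL, so a VM with no recorded OS type falls through to `alarm`, and in the reason CASE the same branch is also skipped while `' is of ' || a.os_type || ...` would be NULL anyway. If `os_type` can be null in this table, guard it explicitly: `WHEN a.os_type IS NULL OR a.os_type <> 'Linux' THEN 'skip'` in both CASE expressions and `COALESCE(a.os_type, 'unknown')` in the reason text. The same pattern appears in the Windows variant of this control.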
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml 
@@ -1,52 +1,53 @@ id: azure_compute_vm_guest_configuration_installed_windows title: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs +type: control description: This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - AND b ->> 'ProvisioningState' = 'Succeeded' - AND b ->> 'ExtensionType' = 'ConfigurationforWindows' - AND b ->> 'Name' LIKE '%AzurePolicyforWindows' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' - ELSE a.title || ' guest configuration extension not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + AND b ->> 'ProvisioningState' = 'Succeeded' + AND b ->> 'ExtensionType' = 'ConfigurationforWindows' + AND b ->> 'Name' LIKE '%AzurePolicyforWindows' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' have guest configuration extension installed.' + ELSE a.title || ' guest configuration extension not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml index 695182d05..f58d7852b 100644 
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml 
@@ -1,48 +1,49 @@ id: azure_compute_vm_guest_configuration_with_no_managed_identity title: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities +type: control description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH gc_installed_vm AS ( - SELECT - DISTINCT a.vm_id, - title - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NULL THEN 'skip' - WHEN b.vm_id IS NOT NULL AND identity ->> 'type' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' - WHEN b.vm_id IS NOT NULL AND identity ->> 'type' IS NOT NULL THEN a.title || ' guest configuration extension installed with ' || (identity ->> 'type') || ' managed identity.' - ELSE a.title || ' guest configuration extension not installed with managed identity.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN gc_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH gc_installed_vm AS ( + SELECT + DISTINCT a.vm_id, + title + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NULL THEN 'skip' + WHEN b.vm_id IS NOT NULL AND identity ->> 'type' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' + WHEN b.vm_id IS NOT NULL AND identity ->> 'type' IS NOT NULL THEN a.title || ' guest configuration extension installed with ' || (identity ->> 'type') || ' managed identity.' + ELSE a.title || ' guest configuration extension not installed with managed identity.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN gc_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - pci_dss_v321: - - 'true' - service: - - Azure/Compute + pci_dss_v321: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml index 6b194269c..d96dc4aac 100644 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml 
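Review bot: `gc_installed_vm` filters only on `Publisher = 'Microsoft.GuestConfiguration'`, while `azure_compute_vm_guest_configuration_installed` in the same change also requires `b ->> 'ProvisioningState' = 'Succeeded'`; here a failed or in-progress extension deployment counts as installed and the VM is then judged on its identity. Add `AND b ->> 'ProvisioningState' = 'Succeeded'` to the CTE for consistency. The `ok` branch accepts any non-null `identity ->> 'type'`; if the collector can store the ARM value `None` for a VM without identities, that VM would pass, so consider `AND identity ->> 'type' IS NOT NULL AND identity ->> 'type' <> 'None'`. The alarm reason `' guest configuration extension not installed with managed identity.'` is reached only when the extension is installed; `' guest configuration extension installed but no managed identity assigned.'` states the finding accurately.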
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml 
@@ -1,48 +1,49 @@ id: azure_compute_vm_guest_configuration_with_system_assigned_managed_identity title: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity +type: control description: The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH gc_installed_vm AS ( - SELECT - DISTINCT a.vm_id, - title - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NULL THEN 'skip' - WHEN b.vm_id IS NOT NULL AND string_to_array(identity ->> 'type', ', ') @> ARRAY['SystemAssigned'] THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' - WHEN b.vm_id IS NOT NULL AND string_to_array(identity ->> 'type', ', ') @> ARRAY['SystemAssigned'] THEN a.title || ' guest configuration extension installed with system-assigned managed identity.' - ELSE a.title || ' guest configuration extension not installed with system-assigned managed identity.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN gc_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH gc_installed_vm AS ( + SELECT + DISTINCT a.vm_id, + title + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NULL THEN 'skip' + WHEN b.vm_id IS NOT NULL AND string_to_array(identity ->> 'type', ', ') @> ARRAY['SystemAssigned'] THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' + WHEN b.vm_id IS NOT NULL AND string_to_array(identity ->> 'type', ', ') @> ARRAY['SystemAssigned'] THEN a.title || ' guest configuration extension installed with system-assigned managed identity.' + ELSE a.title || ' guest configuration extension not installed with system-assigned managed identity.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN gc_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml index a2be32a00..19db327ec 100644 
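Review bot: `string_to_array(identity ->> 'type', ', ')` splits only on a comma followed by a space; if the identity type is ever stored as `SystemAssigned,UserAssigned` without the space, the array holds a single element, `@> ARRAY['SystemAssigned']` is false and the VM is alarmed despite having a system-assigned identity. Normalise before splitting in both CASE expressions: `string_to_array(replace(identity ->> 'type', ' ', ''), ',') @> ARRAY['SystemAssigned']`. As in the sibling guest-configuration controls, the `gc_installed_vm` CTE does not require `b ->> 'ProvisioningState' = 'Succeeded'`, so a failed extension install is treated as installed.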
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml 
@@ -1,53 +1,54 @@ id: azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity title: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity +type: control description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH gc_installed_vm AS ( - SELECT - DISTINCT a.vm_id, - title - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NULL THEN 'skip' - WHEN NOT string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned'] THEN 'skip' - WHEN string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned', 'SystemAssigned'] THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' - WHEN NOT string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned'] THEN a.title || ' does not have user assigned managed identity.' - WHEN string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned', 'SystemAssigned'] THEN a.title || ' guest configuration extension installed with user and system assigned managed identity.' 
- ELSE a.title || ' guest configuration extension not installed with user and system assigned managed identity.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN - gc_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH gc_installed_vm AS ( + SELECT + DISTINCT a.vm_id, + title + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.GuestConfiguration' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NULL THEN 'skip' + WHEN NOT string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned'] THEN 'skip' + WHEN string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned', 'SystemAssigned'] THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NULL THEN a.title || ' guest configuration extension not installed.' + WHEN NOT string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned'] THEN a.title || ' does not have user assigned managed identity.' + WHEN string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned', 'SystemAssigned'] THEN a.title || ' guest configuration extension installed with user and system assigned managed identity.' + ELSE a.title || ' guest configuration extension not installed with user and system assigned managed identity.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN + gc_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml b/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml index 57310c0d3..8f15068df 100644 --- a/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml +++ b/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml 
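Review bot: A VM with no managed identity at all is reported as `alarm` by the new status CASE instead of `skip`: when `a.identity` is null, `string_to_array(a.identity ->> 'type', ', ')` is NULL, `NULL @> ARRAY['UserAssigned']` is NULL and `NOT NULL` is still NULL, so the second WHEN never fires and the row falls through to ELSE, even though the control's stated scope is only VMs that already carry a user-assigned identity. Wrapping the predicate on both the status and reason branches avoids the three-valued-logic gap: `WHEN NOT COALESCE(string_to_array(a.identity ->> 'type', ', ') @> ARRAY['UserAssigned'], FALSE) THEN 'skip'`. The `', '` separator also assumes the ingested type string is spelled with a space after the comma; if it ever arrives as `SystemAssigned,UserAssigned` neither branch matches, so a comment above the CASE stating that assumption (or splitting on `','` after stripping spaces) would make the dependency visible.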
@@ -1,23 +1,24 @@
 id: azure_compute_vm_image_builder_uses_private_link
 title: VM Image Builder templates should use private link
+type: control
 description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml b/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml
index b2653923f..a73d5e26b 100644
--- a/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml
+++ b/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml
@@ -1,53 +1,54 @@ id: azure_compute_vm_jit_access_protected title: Management ports of virtual machines should be protected with just-in-time network access control +type: control description: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH compute AS ( - SELECT - vm.id AS resource, - 'alarm' AS status, - vm.name || ' not JIT protected.' AS reason, - vm.resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription sub - WHERE - vm.subscription_id = sub.subscription_id - ) - SELECT - DISTINCT vm.vm_id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(vm.id) = LOWER(vms ->> 'id') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN LOWER(vms ->> 'id') = LOWER(vm.id) THEN vm.name || ' JIT protected.' - ELSE vm.name || ' not JIT protected.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_security_center_jit_network_access_policy AS jit, - jsonb_array_elements(virtual_machines) AS vms, - azure_subscription AS sub - LEFT JOIN compute ON TRUE - WHERE - jit.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH compute AS ( + SELECT + vm.id AS resource, + 'alarm' AS status, + vm.name || ' not JIT protected.' 
AS reason, + vm.resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription sub + WHERE + vm.subscription_id = sub.subscription_id + ) + SELECT + DISTINCT vm.vm_id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(vm.id) = LOWER(vms ->> 'id') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN LOWER(vms ->> 'id') = LOWER(vm.id) THEN vm.name || ' JIT protected.' + ELSE vm.name || ' not JIT protected.' + END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_security_center_jit_network_access_policy AS jit, + jsonb_array_elements(virtual_machines) AS vms, + azure_subscription AS sub + LEFT JOIN compute ON TRUE + WHERE + jit.subscription_id = sub.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml index 1510cf0b3..8fa01748d 100644 --- a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml 
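Review bot: The final SELECT cross-joins every VM with every `virtual_machines` entry of every JIT policy, because the WHERE only ties `jit.subscription_id` to `sub.subscription_id` and nothing ties `vm` to either; `DISTINCT` then keeps one `ok` row and one `alarm` row for the same VM as soon as a second JIT entry exists, VMs in a subscription with no JIT policy produce no row at all, and `sub.display_name` is the policy's subscription rather than the VM's. The `compute` CTE is `LEFT JOIN ... ON TRUE` and never referenced, so it only multiplies rows. Collecting the protected ids into a CTE and LEFT JOINing the VM table to it gives one row per VM; the rewrite below assumes `virtual_machines` is a column of the JIT policy table, which the unqualified reference suggests but the diff does not show.
```sql
-- VM ids referenced by any JIT policy (compared case-insensitively, as before)
WITH jit_protected_vm AS (
  SELECT DISTINCT
    LOWER(vms ->> 'id') AS vm_id_lower
  FROM
    azure_security_center_jit_network_access_policy AS jit,
    jsonb_array_elements(jit.virtual_machines) AS vms
)
SELECT
  vm.vm_id AS resource,
  vm.platform_integration_id AS platform_integration_id,
  vm.platform_resource_id AS platform_resource_id,
  CASE
    WHEN p.vm_id_lower IS NOT NULL THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN p.vm_id_lower IS NOT NULL THEN vm.name || ' JIT protected.'
    ELSE vm.name || ' not JIT protected.'
  END AS reason,
  vm.resource_group AS resource_group,
  sub.display_name AS subscription
FROM
  azure_compute_virtual_machine AS vm
  LEFT JOIN jit_protected_vm AS p ON p.vm_id_lower = LOWER(vm.id),
  azure_subscription AS sub
WHERE
  sub.subscription_id = vm.subscription_id;
```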
@@ -1,50 +1,51 @@ id: azure_compute_vm_log_analytics_agent_installed title: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring +type: control description: This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' - AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) - AND b ->> 'ProvisioningState' = 'Succeeded' - AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.' - ELSE a.title || ' log analytics agent not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' + AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) + AND b ->> 'ProvisioningState' = 'Succeeded' + AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.' + ELSE a.title || ' log analytics agent not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml index 7da40c007..bf7f06acf 100644 --- a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml 
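Review bot: The `ok` reason string `' have log analytics agent installed.'` is ungrammatical after a singular VM title; `' has log analytics agent installed.'` matches the phrasing of the neighbouring controls, and the same string recurs in the Windows variant's hunk ending on L2995. Separately, the CTE only recognizes the `MicrosoftMonitoringAgent` / `OmsAgentForLinux` extension types, so a VM monitored through a newer agent would presumably be reported as `alarm`; a comment above the CTE such as `-- Recognizes the legacy Log Analytics (MMA/OMS) extension only` would keep that limitation visible to whoever triages the alarms.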
+++ b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml 
@@ -1,50 +1,51 @@ id: azure_compute_vm_log_analytics_agent_installed_windows title: Audit Windows machines on which the Log Analytics agent is not connected as expected +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' - AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) - AND b ->> 'ProvisioningState' = 'Succeeded' - AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.' - ELSE a.title || ' log analytics agent not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' + AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) + AND b ->> 'ProvisioningState' = 'Succeeded' + AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.' + ELSE a.title || ' log analytics agent not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: high tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml b/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml index be71d19a4..a62505612 100644 --- a/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml 
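Review bot: The description says a machine is non-compliant when the agent is registered to a workspace other than the one given as a policy parameter, but `parameters: []` is empty and the CTE only requires `b -> 'Settings' ->> 'workspaceId' IS NOT NULL`, so a VM reporting to any workspace passes; either the expected workspace should become a parameter compared against that value, or a comment above the CTE should state `-- Only checks that some workspace is configured; the expected workspace id is not verified.` The CTE also matches `OmsAgentForLinux` in a Windows-only control, which is harmless because non-Windows rows are skipped first, but dropping it would make the filter read as intended.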
+++ b/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_compute_vm_malware_agent_automatic_upgrade_enabled title: Microsoft Antimalware for Azure should be configured to automatically update protection signatures +type: control description: This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH malware_agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.Azure.Security' - AND b ->> 'ExtensionType' = 'IaaSAntimalware' - AND b ->> 'AutoUpgradeMinorVersion' = 'true' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating syetem.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.' - ELSE a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH malware_agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.Azure.Security' + AND b ->> 'ExtensionType' = 'IaaSAntimalware' + AND b ->> 'AutoUpgradeMinorVersion' = 'true' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating syetem.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.' + ELSE a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml index c4a4475b2..1a7f6474d 100644 --- a/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml 
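Review bot: The `skip` reason string carries the typo `' operating syetem.'`; since it is emitted to users it should be `' operating system.'`, matching the sibling controls. The ELSE branch also conflates two different findings: because the CTE filters on both `ExtensionType = 'IaaSAntimalware'` and `AutoUpgradeMinorVersion = 'true'`, a Windows VM with no antimalware extension at all receives the same "automatic update ... not enabled" message as one that has the extension with auto-upgrade off, which sends the operator to the wrong remediation; a second CTE for the extension's presence (as in the hunk ending on L3001) would allow a distinct "extension not installed" reason.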
+++ b/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml 
@@ -1,46 +1,47 @@ id: azure_compute_vm_malware_agent_installed title: Deploy default Microsoft IaaSAntimalware extension for Windows Server +type: control description: This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH malware_agent_installed_vm AS ( - SELECT DISTINCT - a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Microsoft.Azure.Security' - AND b ->> 'ExtensionType' = 'IaaSAntimalware' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NOT NULL THEN a.title || ' IaaSAntimalware extension installed.' - ELSE a.title || ' IaaSAntimalware extension not installed.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH malware_agent_installed_vm AS ( + SELECT DISTINCT + a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Microsoft.Azure.Security' + AND b ->> 'ExtensionType' = 'IaaSAntimalware' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NOT NULL THEN a.title || ' IaaSAntimalware extension installed.' + ELSE a.title || ' IaaSAntimalware extension not installed.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml b/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml index c752e25ea..7769bf30b 100644 --- a/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml 
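Review bot: The title scopes this control to Windows Server, but the new status CASE has no `os_type` gate, so every Linux VM is reported as `alarm` for a Windows-only extension. The sibling controls in this commit add a first branch for this; the same two lines would fit here: `WHEN a.os_type <> 'Windows' THEN 'skip'` in the status CASE and `WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'` in the reason CASE.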
@@ -1,50 +1,51 @@ id: azure_compute_vm_max_password_age_70_days_windows title: Audit Windows machines that do not have a maximum password age of 70 days +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines do not have a maximum password age of 70 days. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_maximum_password_age AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(guest_configuration_assignments) AS b - WHERE - b -> 'guestConfiguration' ->> 'name' = 'MaximumPasswordAge' - AND b ->> 'complianceStatus' = 'Compliant' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' maximum password age is 70 days.' - ELSE a.title || ' maximum password age is not 70 days.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN vm_maximum_password_age AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_maximum_password_age AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(guest_configuration_assignments) AS b + WHERE + b -> 'guestConfiguration' ->> 'name' = 'MaximumPasswordAge' + AND b ->> 'complianceStatus' = 'Compliant' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' maximum password age is 70 days.' + ELSE a.title || ' maximum password age is not 70 days.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN vm_maximum_password_age AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml index 8f9b033c3..7c1146ade 100644 --- a/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml 
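Review bot: This control reads the assignment name as `b -> 'guestConfiguration' ->> 'name'`, while the two baseline controls in the hunks ending on L3006 and L3008 read `e ->> 'name'` from the same `guest_configuration_assignments` elements; only one of those paths can match a given element shape, so at least one group of controls presumably never finds a match and always alarms. Please confirm which path the ingested data uses and align the three CTEs. The ELSE reason `' maximum password age is not 70 days.'` also fires when no `MaximumPasswordAge` assignment exists at all, so a VM that simply lacks the guest configuration assignment is reported as having a wrong password age; a comment above the CASE, or a distinct message for the missing-assignment case, would avoid misleading remediation.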
+++ b/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_firewall_properties_windows
 title: Windows machines should meet requirements for 'Windows Firewall Properties'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml
index f3d29026a..0f0625b9f 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml
@@ -1,51 +1,52 @@ id: azure_compute_vm_meet_security_baseline_requirements_linux title: Linux machines should meet requirements for the Azure compute security baseline +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH compute_machine AS ( - SELECT - id, - name, - subscription_id, - resource_group - FROM - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) AS e - WHERE - e ->> 'name' = 'AzureLinuxBaseline' - AND e ->> 'complianceStatus' = 'Compliant' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Linux' THEN 'skip' - WHEN m.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Linux' THEN a.name || ' is of ' || a.os_type || ' operating system.' - WHEN m.id IS NOT NULL THEN a.name || ' meet requirements for azure compute security baseline.' - ELSE a.name || ' does not meet requirements for azure compute security baseline.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN compute_machine AS m ON m.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH compute_machine AS ( + SELECT + id, + name, + subscription_id, + resource_group + FROM + azure_compute_virtual_machine, + jsonb_array_elements(guest_configuration_assignments) AS e + WHERE + e ->> 'name' = 'AzureLinuxBaseline' + AND e ->> 'complianceStatus' = 'Compliant' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Linux' THEN 'skip' + WHEN m.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Linux' THEN a.name || ' is of ' || a.os_type || ' operating system.' + WHEN m.id IS NOT NULL THEN a.name || ' meet requirements for azure compute security baseline.' + ELSE a.name || ' does not meet requirements for azure compute security baseline.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN compute_machine AS m ON m.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml index 56f3d0df5..03d52cf64 100644 --- a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml 
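Review bot: The `compute_machine` CTE projects `name`, `subscription_id` and `resource_group` that the outer query never reads, and it has no `DISTINCT`, so a VM carrying more than one matching `AzureLinuxBaseline` assignment would be emitted once per assignment through the `LEFT JOIN ... ON m.id = a.id`. Trimming it to `SELECT DISTINCT id FROM azure_compute_virtual_machine, jsonb_array_elements(guest_configuration_assignments) AS e WHERE ...` mirrors the other extension CTEs in this commit and removes the duplication; the Windows baseline hunk ending on L3008 has the identical shape.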
@@ -1,51 +1,52 @@
 id: azure_compute_vm_meet_security_baseline_requirements_windows
 title: Windows machines should meet requirements of the Azure compute security baseline
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH compute_machine AS (
- SELECT
- id,
- name,
- subscription_id,
- resource_group
- FROM
- azure_compute_virtual_machine,
- jsonb_array_elements(guest_configuration_assignments) AS e
- WHERE
- e ->> 'name' = 'AzureWindowsBaseline'
- AND e ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN m.id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.'
- WHEN m.id IS NOT NULL THEN a.name || ' meet requirements for azure compute security baseline.'
- ELSE a.name || ' does not meet requirements for azure compute security baseline.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN compute_machine AS m ON m.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH compute_machine AS (
+ SELECT
+ id,
+ name,
+ subscription_id,
+ resource_group
+ FROM
+ azure_compute_virtual_machine,
+ jsonb_array_elements(guest_configuration_assignments) AS e
+ WHERE
+ e ->> 'name' = 'AzureWindowsBaseline'
+ AND e ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN m.id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.'
+ WHEN m.id IS NOT NULL THEN a.name || ' meet requirements for azure compute security baseline.'
+ ELSE a.name || ' does not meet requirements for azure compute security baseline.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN compute_machine AS m ON m.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml
index c24b7fc32..c22742c10 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_security_option_audit_requirement_windows
 title: Windows machines should meet requirements for 'Security Options - Audit'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml
index 397de0d75..b248385cc 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml
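Review bot: `primary_resource` stays the empty string although the query's row identity is `azure_subscription.id`; if the loader uses `primary_resource` to resolve the reported resource, `primary_resource: azure_subscription` would be the consistent value, since every non-placeholder control in this diff names the table it selects from. The reason text also varies between these placeholder controls: this one, the Accounts control and the system-audit-policies control emit 'Manual verification required. Check control description for more details.', while the network-access, recovery-console, user-account-control, endpoint-protection and NSG controls emit 'Manual verification required.' — one wording would keep reports uniform. Both points apply equally to the other manual-verification hunks in this diff.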
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_security_option_requirement_windows
 title: Windows machines should meet requirements for 'Security Options - Accounts'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml
index 72bf3a028..06c4b2e74 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_security_options_network_access_requirement_windows
 title: Windows machines should meet requirements for 'Security Options - Network Access'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml
index a22a76dde..fbeee723a 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_security_options_requirement_windows
 title: Windows machines should meet requirements for 'Security Options - Recovery console'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml
index 5354ed556..5facf574b 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_security_options_user_account_control_requirement_windows
 title: Windows machines should meet requirements for 'Security Options - User Account Control'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml
index 06ccde27c..629fe5230 100644
--- a/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_meet_system_audit_policies_requirement_windows
 title: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
+type: control
 description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml b/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml
index fdc7864c8..b0af9b61f 100644
--- a/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml
@@ -1,48 +1,49 @@
 id: azure_compute_vm_min_password_age_1_day_windows
 title: Audit Windows machines that do not have a minimum password age of 1 day
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH vm_min_password_age AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(guest_configuration_assignments) AS b
- WHERE
- b -> 'guestConfiguration' ->> 'name' = 'MinimumPasswordAge'
- AND b ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' minimum password age is 1 day.'
- ELSE a.title || ' minimum password age is not 1 day.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN vm_min_password_age AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH vm_min_password_age AS (
+ SELECT
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(guest_configuration_assignments) AS b
+ WHERE
+ b -> 'guestConfiguration' ->> 'name' = 'MinimumPasswordAge'
+ AND b ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' minimum password age is 1 day.'
+ ELSE a.title || ' minimum password age is not 1 day.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN vm_min_password_age AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml b/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml
index fb1423685..cf486639d 100644
--- a/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml
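Review bot: The alias `b` names the `jsonb_array_elements(...)` row inside the CTE and then the CTE itself in the outer query; the two scopes do not collide, but `b.vm_id` in the outer CASE reads as if it came from the JSON element, and an outer alias such as `compliant_vm` would remove the ambiguity. A VM with no `MinimumPasswordAge` assignment at all (prerequisites not deployed, which the description names as a requirement) is indistinguishable from one whose assignment is non-compliant: both fall to the ELSE branch with the reason ' minimum password age is not 1 day.' — if that distinction matters for triage, a branch that tests for the absence of the assignment element and reports 'info' with a "guest configuration assignment not found" reason would separate not-assessed from failing. The alias reuse recurs in the password-length, both dependency-agent and password-complexity hunks below.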
@@ -1,50 +1,51 @@
 id: azure_compute_vm_min_password_length_14_windows
 title: Audit Windows machines that do not restrict the minimum password length to 14 characters
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH vm_min_password_age AS (
- SELECT DISTINCT
- a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(guest_configuration_assignments) AS b
- WHERE
- b -> 'guestConfiguration' ->> 'name' = 'MinimumPasswordLength'
- AND b ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' minimum password length is 14 characters.'
- ELSE a.title || ' minimum password length is not 14 characters.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN vm_min_password_age AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH vm_min_password_age AS (
+ SELECT DISTINCT
+ a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(guest_configuration_assignments) AS b
+ WHERE
+ b -> 'guestConfiguration' ->> 'name' = 'MinimumPasswordLength'
+ AND b ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' minimum password length is 14 characters.'
+ ELSE a.title || ' minimum password length is not 14 characters.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN vm_min_password_age AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- pci_dss_v321:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml b/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml
index c34c04091..addc48bc7 100644
--- a/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml
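Review bot: The CTE is named `vm_min_password_age` but filters on `'MinimumPasswordLength'`, a leftover from the control it was copied from; `WITH vm_min_password_length AS (` and `LEFT JOIN vm_min_password_length AS b ON a.vm_id = b.vm_id,` would name what it actually holds. This is the only control in the diff whose CTE name contradicts its own filter, so it is worth fixing while the file is being reformatted anyway.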
+++ b/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_monitor_missing_endpoint_protection_in_asc
 title: Monitor missing Endpoint Protection in Azure Security Center
+type: control
 description: Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml
index ccf86a718..d4152b00c 100644
--- a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml
+++ b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml
@@ -1,51 +1,52 @@
 id: azure_compute_vm_network_traffic_data_collection_linux_agent_installed
 title: Network traffic data collection agent should be installed on Linux virtual machines
+type: control
 description: Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH agent_installed_vm AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(extensions) AS b
- WHERE
- b ->> 'ExtensionType' = 'DependencyAgentLinux'
- AND b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'
- AND b ->> 'ProvisioningState' = 'Succeeded'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Linux' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' have data collection agent installed.'
- ELSE a.title || ' data collection agent not installed.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH agent_installed_vm AS (
+ SELECT
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(extensions) AS b
+ WHERE
+ b ->> 'ExtensionType' = 'DependencyAgentLinux'
+ AND b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'
+ AND b ->> 'ProvisioningState' = 'Succeeded'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Linux' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' have data collection agent installed.'
+ ELSE a.title || ' data collection agent not installed.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml
index 029fc5793..36b5acac4 100644
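Review bot: The CTE requires `b ->> 'ProvisioningState' = 'Succeeded'`, so a VM whose Dependency agent extension exists but is still provisioning or has failed receives the reason ' data collection agent not installed.', which misstates what was found; either a third branch for "extension present but not successfully provisioned" or a reason such as ' data collection agent not installed or not provisioned successfully.' would be accurate. The three `->>` comparisons are exact, case-sensitive matches; Azure generally treats extension publisher and type names case-insensitively, so if the stored `extensions` values are not normalized this can miss installed agents — TODO confirm how that column is populated before relying on it. The 'ok' reason ' have data collection agent installed.' should read ' has data collection agent installed.' to match the singular subject. The same three points apply to the Windows dependency-agent hunk that follows.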
--- a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml
+++ b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml
@@ -1,51 +1,52 @@
 id: azure_compute_vm_network_traffic_data_collection_windows_agent_installed
 title: Network traffic data collection agent should be installed on Windows virtual machines
+type: control
 description: Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH agent_installed_vm AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(extensions) AS b
- WHERE
- b ->> 'ExtensionType' = 'DependencyAgentWindows'
- AND b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'
- AND b ->> 'ProvisioningState' = 'Succeeded'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' have data collection agent installed.'
- ELSE a.title || ' data collection agent not installed.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH agent_installed_vm AS (
+ SELECT
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(extensions) AS b
+ WHERE
+ b ->> 'ExtensionType' = 'DependencyAgentWindows'
+ AND b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'
+ AND b ->> 'ProvisioningState' = 'Succeeded'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' have data collection agent installed.'
+ ELSE a.title || ' data collection agent not installed.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml b/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml
index 92921b5dd..323626dfc 100644
--- a/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml
+++ b/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_non_internet_facing_protected_with_nsg
 title: Non-internet-facing virtual machines should be protected with network security groups
+type: control
 description: Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml b/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml
index 73b61f588..ad1640781 100644
--- a/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml
@@ -1,48 +1,49 @@
 id: azure_compute_vm_password_complexity_setting_enabled_windows
 title: Audit Windows machines that do not have the password complexity setting enabled
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH vm_password_complexity_setting AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(guest_configuration_assignments) AS b
- WHERE
- b -> 'guestConfiguration' ->> 'name' = 'PasswordMustMeetComplexityRequirements'
- AND b ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' password complexity setting enabled.'
- ELSE a.title || ' password complexity setting disabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN vm_password_complexity_setting AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH vm_password_complexity_setting AS (
+ SELECT
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(guest_configuration_assignments) AS b
+ WHERE
+ b -> 'guestConfiguration' ->> 'name' = 'PasswordMustMeetComplexityRequirements'
+ AND b ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' password complexity setting enabled.'
+ ELSE a.title || ' password complexity setting disabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN vm_password_complexity_setting AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml b/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml
index e1a738b63..e9e6aec88 100644
--- a/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml
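Review bot: The `alarm` branch does not distinguish a VM whose `PasswordMustMeetComplexityRequirements` assignment reports NonCompliant from a VM that has no such guest-configuration assignment at all, so a machine where the prerequisite was never deployed is reported as `' password complexity setting disabled.'` when its real state is simply not evaluated; a branch keyed on assignment presence (a second CTE on `b -> 'guestConfiguration' ->> 'name'` without the `complianceStatus` filter, with a reason such as `' has no password complexity guest configuration assignment.'`) would make the finding actionable. The same collapsing applies to the reversible-encryption, password-history and Linux password-policy controls later in this diff. The outer query joins `azure_subscription AS sub` through a comma join plus `WHERE`, as most siblings do, but `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` states the relation explicitly; this definition and the Linux password-policy one also lack the terminating `;` the other definitions carry.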
+++ b/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_password_file_permissions_0644_linux
 title: Audit Linux machines that do not have the passwd file permissions set to 0644
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml b/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml
index 3e57814da..d83109a68 100644
--- a/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml
@@ -1,48 +1,49 @@
 id: azure_compute_vm_passwords_stored_using_reversible_encryption_windows
 title: Audit Windows machines that do not store passwords using reversible encryption
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH vm_password_reversible_encryption AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(guest_configuration_assignments) AS b
- WHERE
- b -> 'guestConfiguration' ->> 'name' = 'StorePasswordsUsingReversibleEncryption'
- AND b ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' store passwords using reversible encryption.'
- ELSE a.title || ' not store passwords using reversible encryption'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN vm_password_reversible_encryption AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH vm_password_reversible_encryption AS (
+ SELECT
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(guest_configuration_assignments) AS b
+ WHERE
+ b -> 'guestConfiguration' ->> 'name' = 'StorePasswordsUsingReversibleEncryption'
+ AND b ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' store passwords using reversible encryption.'
+ ELSE a.title || ' not store passwords using reversible encryption'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN vm_password_reversible_encryption AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml b/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml
index ed75ca66f..16c210926 100644
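Review bot: The reason strings read inverted relative to the status: the `ok` branch says the VM `' store passwords using reversible encryption.'`, which is the insecure configuration this control exists to flag, and the `alarm` branch says `' not store passwords using reversible encryption'` (also missing its period). If `Compliant` on the `StorePasswordsUsingReversibleEncryption` guest configuration means the setting is disabled, as the Windows security baseline requires, the messages should be swapped in sense, e.g. `' does not store passwords using reversible encryption.'` for ok and `' may store passwords using reversible encryption.'` for alarm. Whether Compliant means disabled is inferred from the title and the description, so confirm against the baseline definition before changing the text.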
--- a/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml
+++ b/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml
@@ -1,53 +1,54 @@
 id: azure_compute_vm_remote_access_restricted_all_ports
 title: All network ports should be restricted on network security groups associated to your virtual machine
+type: control
 description: Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH network_sg AS (
- SELECT
- DISTINCT name AS sg_name,
- network_interfaces
- FROM
- azure_network_security_group AS nsg,
- jsonb_array_elements(security_rules) AS sg,
- jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport,
- jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip
- WHERE
- sg -> 'properties' ->> 'access' = 'Allow'
- AND sg -> 'properties' ->> 'direction' = 'Inbound'
- AND sg -> 'properties' ->> 'protocol' IN ('TCP', '*')
- AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', '/0', '/0')
- )
- SELECT
- vm.vm_id AS resource,
- vm.platform_integration_id AS platform_integration_id,
- vm.platform_resource_id AS platform_resource_id,
- CASE
- WHEN sg.sg_name IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN sg.sg_name IS NULL THEN vm.title || ' restricts remote access from internet.'
- ELSE vm.title || ' allows remote access from internet.'
- END AS reason,
- vm.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm
- LEFT JOIN network_sg AS sg ON sg.network_interfaces @> vm.network_interfaces
- JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH network_sg AS (
+ SELECT
+ DISTINCT name AS sg_name,
+ network_interfaces
+ FROM
+ azure_network_security_group AS nsg,
+ jsonb_array_elements(security_rules) AS sg,
+ jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb) AS dport,
+ jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) AS sip
+ WHERE
+ sg -> 'properties' ->> 'access' = 'Allow'
+ AND sg -> 'properties' ->> 'direction' = 'Inbound'
+ AND sg -> 'properties' ->> 'protocol' IN ('TCP', '*')
+ AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', '/0', '/0')
+ )
+ SELECT
+ vm.vm_id AS resource,
+ vm.platform_integration_id AS platform_integration_id,
+ vm.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN sg.sg_name IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN sg.sg_name IS NULL THEN vm.title || ' restricts remote access from internet.'
+ ELSE vm.title || ' allows remote access from internet.'
+ END AS reason,
+ vm.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm
+ LEFT JOIN network_sg AS sg ON sg.network_interfaces @> vm.network_interfaces
+ JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id;
 severity: high
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- pci_dss_v321:
- - 'true'
- service:
- - Azure/Compute
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ service:
+ - Azure/Compute
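Review bot: The protocol filter `sg -> 'properties' ->> 'protocol' IN ('TCP', '*')` is a case-sensitive comparison, and the Azure Network API emits the protocol as mixed-case `Tcp` (and `Udp`); if the table stores the value as returned, no TCP-only rule ever matches and only `*` rules are caught, so a VM with a TCP any-source rule is reported as `' restricts remote access from internet.'`. Normalising with `AND upper(sg -> 'properties' ->> 'protocol') IN ('TCP', '*')` removes the dependency on the provider's casing. The source list `('*', '0.0.0.0', '0.0.0.0/0', 'Internet', '/0', '/0')` contains `'/0'` twice; one entry looks like a leftover, and the IPv6 any-range `::/0` is absent. The join `sg.network_interfaces @> vm.network_interfaces` also only sees NSGs bound to NICs, so an NSG attached at the subnet level is not evaluated and the `ok` reason overstates what was checked; state that limit in the description if it is intended.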
diff --git a/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml b/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml
index a9011531d..858d81325 100644
--- a/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml
@@ -1,51 +1,52 @@
 id: azure_compute_vm_restrict_previous_24_passwords_resuse_windows
 title: Audit Windows machines that allow re-use of the previous 24 passwords
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH vm_enforce_password_history AS (
- SELECT DISTINCT
- a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(guest_configuration_assignments) AS b
- WHERE
- b -> 'guestConfiguration' ->> 'name' = 'EnforcePasswordHistory'
- AND
- b ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' enforce password history.'
- ELSE a.title || ' does not enforce password history.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN vm_enforce_password_history AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH vm_enforce_password_history AS (
+ SELECT DISTINCT
+ a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(guest_configuration_assignments) AS b
+ WHERE
+ b -> 'guestConfiguration' ->> 'name' = 'EnforcePasswordHistory'
+ AND
+ b ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' enforce password history.'
+ ELSE a.title || ' does not enforce password history.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN vm_enforce_password_history AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- pci_dss_v321:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ pci_dss_v321:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml b/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml
index a1c2034ea..17794a05a 100644
--- a/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml
+++ b/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml
@@ -1,51 +1,52 @@
 id: azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
 title: Audit Linux machines that allow remote connections from accounts without passwords
+type: control
 description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH compute_machine AS (
- SELECT
- id,
- name,
- subscription_id,
- resource_group
- FROM
- azure_compute_virtual_machine,
- jsonb_array_elements(guest_configuration_assignments) AS e
- WHERE
- e ->> 'name' = 'PasswordPolicy_msid110'
- AND e ->> 'complianceStatus' = 'Compliant'
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Linux' THEN 'skip'
- WHEN m.id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Linux' THEN a.name || ' is of ' || a.os_type || ' operating system.'
- WHEN m.id IS NOT NULL THEN a.name || ' restrict remote connections from accounts without passwords.'
- ELSE a.name || ' allows remote connections from accounts without passwords.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN compute_machine AS m ON m.id = a.id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH compute_machine AS (
+ SELECT
+ id,
+ name,
+ subscription_id,
+ resource_group
+ FROM
+ azure_compute_virtual_machine,
+ jsonb_array_elements(guest_configuration_assignments) AS e
+ WHERE
+ e ->> 'name' = 'PasswordPolicy_msid110'
+ AND e ->> 'complianceStatus' = 'Compliant'
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Linux' THEN 'skip'
+ WHEN m.id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Linux' THEN a.name || ' is of ' || a.os_type || ' operating system.'
+ WHEN m.id IS NOT NULL THEN a.name || ' restrict remote connections from accounts without passwords.'
+ ELSE a.name || ' allows remote connections from accounts without passwords.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN compute_machine AS m ON m.id = a.id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml
index 5e2e7655d..4378cba5b 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml
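Review bot: This definition matches the assignment with `e ->> 'name' = 'PasswordPolicy_msid110'`, reading the top-level `name` of the assignment object, whereas the Windows controls earlier in this diff read `b -> 'guestConfiguration' ->> 'name'`; if the top-level name is the assignment's own name rather than the configuration name, the filter only works where the two coincide, so confirm which field carries `PasswordPolicy_msid110` and align the path with the siblings. The CTE also projects `name`, `subscription_id` and `resource_group`, none of which the outer query reads; `SELECT id` is sufficient. The statement lacks the terminating `;` the other definitions carry.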
@@ -1,31 +1,32 @@
 id: azure_compute_vm_scale_set_automatic_upgrade_enabled
 title: Compute virtual machine scale sets should have automatic OS image patching enabled
+type: control
 description: This control checks whether virtual machine scale sets have automatic OS image patching enabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN upgrade_policy IS NULL THEN 'skip'
- WHEN upgrade_policy ->> 'mode' = 'Automatic' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN upgrade_policy IS NULL THEN a.title || ' upgrade policy not applicable.'
- WHEN upgrade_policy ->> 'mode' = 'Automatic' THEN a.title || ' automatic update enabled.'
- ELSE a.title || ' automatic update disabled.'
- END AS reason
- FROM
- azure_compute_virtual_machine_scale_set AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN upgrade_policy IS NULL THEN 'skip'
+ WHEN upgrade_policy ->> 'mode' = 'Automatic' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN upgrade_policy IS NULL THEN a.title || ' upgrade policy not applicable.'
+ WHEN upgrade_policy ->> 'mode' = 'Automatic' THEN a.title || ' automatic update enabled.'
+ ELSE a.title || ' automatic update disabled.'
+ END AS reason
+ FROM
+ azure_compute_virtual_machine_scale_set AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
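Review bot: The `ok` test `upgrade_policy ->> 'mode' = 'Automatic'` checks the scale set's upgrade-policy mode, which governs how model changes roll out to instances, not whether automatic OS image upgrades are on; the Azure API exposes that as `upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade`, so a scale set in `Rolling` or `Manual` mode with automatic OS upgrade enabled is reported as `' automatic update disabled.'` while the title promises a check on OS image patching. Consider `WHEN (upgrade_policy -> 'automaticOSUpgradePolicy' ->> 'enableAutomaticOSUpgrade')::boolean THEN 'ok'`, once you have confirmed the column carries that nested object. The query also joins `azure_subscription AS sub` but never reads it and, unlike the VM controls above, returns no `resource_group` or `subscription` columns; the boot-diagnostics and SSH-key scale-set controls later in this diff have the same gap. `upgrade_policy` is the only unqualified column beside `a.`-prefixed ones.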
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml
index fcc0d5704..9e98f2b7d 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml
@@ -1,29 +1,30 @@
 id: azure_compute_vm_scale_set_boot_diagnostics_enabled
 title: Virtual Machine scale sets boot diagnostics should be enabled
+type: control
 description: This policy identifies Azure Virtual Machines scale sets which has Boot Diagnostics setting Disabled. Boot Diagnostics when enabled for virtual machine, captures Screenshot and Console Output during virtual machine startup. This would help in troubleshooting virtual machine when it enters a non-bootable state.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean THEN a.title || ' boot diagnostics enabled.'
- ELSE a.title || ' boot diagnostics disabled.'
- END AS reason
- FROM
- azure_compute_virtual_machine_scale_set AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (virtual_machine_diagnostics_profile -> 'bootDiagnostics' ->> 'enabled') :: boolean THEN a.title || ' boot diagnostics enabled.'
+ ELSE a.title || ' boot diagnostics disabled.'
+ END AS reason
+ FROM
+ azure_compute_virtual_machine_scale_set AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml
index 3edd6de72..f58d0a30d 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_scale_set_endpoint_protection_solution_installed
 title: Endpoint protection solution should be installed on virtual machine scale sets
+type: control
 description: Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml
index fa5b0671d..d06ca255a 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml
@@ -1,49 +1,50 @@
 id: azure_compute_vm_scale_set_log_analytics_agent_installed
 title: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
+type: control
 description: This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- WITH agent_installed_vm_scale_set AS (
- SELECT
- DISTINCT a.id AS vm_id
- FROM
- azure_compute_virtual_machine_scale_set AS a,
- jsonb_array_elements(extensions) AS b
- WHERE
- b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'
- AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])
- AND b ->> 'ProvisioningState' = 'Succeeded'
- AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL
- )
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.'
- ELSE a.title || ' log analytics agent not installed.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS a
- LEFT JOIN agent_installed_vm_scale_set AS b
- ON a.id = b.vm_id,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ WITH agent_installed_vm_scale_set AS (
+ SELECT
+ DISTINCT a.id AS vm_id
+ FROM
+ azure_compute_virtual_machine_scale_set AS a,
+ jsonb_array_elements(extensions) AS b
+ WHERE
+ b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'
+ AND b ->> 'ExtensionType' = ANY(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])
+ AND b ->> 'ProvisioningState' = 'Succeeded'
+ AND b -> 'Settings' ->> 'workspaceId' IS NOT NULL
+ )
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' have log analytics agent installed.'
+ ELSE a.title || ' log analytics agent not installed.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS a
+ LEFT JOIN agent_installed_vm_scale_set AS b
+ ON a.id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- service:
- - Azure/Compute
+ hipaa_hitrust_v92:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml
index 015d46e99..0d2528670 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml
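Review bot: The CTE recognises only the legacy Log Analytics agent (`Microsoft.EnterpriseCloud.Monitoring` with `MicrosoftMonitoringAgent`/`OmsAgentForLinux`); a scale set that has moved to the Azure Monitor Agent (publisher `Microsoft.Azure.Monitor`, types `AzureMonitorWindowsAgent`/`AzureMonitorLinuxAgent`) is reported as `' log analytics agent not installed.'` although it is being monitored, and since the legacy agent has been retired this alarms on every migrated fleet. Either widen the match to both agents or state in the description that only the legacy extension is accepted. The `b -> 'Settings' ->> 'workspaceId' IS NOT NULL` test would not carry over to AMA, whose workspace binding lives in a data collection rule rather than in extension settings, so keep it scoped to the legacy branch if you widen the filter.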
@@ -1,51 +1,52 @@
 id: azure_compute_vm_scale_set_logging_enabled
 title: Resource logs in Virtual Machine Scale Sets should be enabled
+type: control
 description: It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH malware_agent_installed_vm AS (
- SELECT
- DISTINCT a.vm_id
- FROM
- azure_compute_virtual_machine AS a,
- jsonb_array_elements(extensions) AS b
- WHERE
- b ->> 'Publisher' = 'Microsoft.Azure.Security'
- AND b ->> 'ExtensionType' = 'IaaSAntimalware'
- AND b ->> 'AutoUpgradeMinorVersion' = 'true'
- )
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH malware_agent_installed_vm AS (
 SELECT
- a.vm_id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN a.os_type <> 'Windows' THEN 'skip'
- WHEN b.vm_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
- WHEN b.vm_id IS NOT NULL THEN a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.'
- ELSE a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine AS a
- LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id,
- azure_subscription AS sub
+ DISTINCT a.vm_id
+ FROM
+ azure_compute_virtual_machine AS a,
+ jsonb_array_elements(extensions) AS b
 WHERE
- sub.subscription_id = a.subscription_id;
+ b ->> 'Publisher' = 'Microsoft.Azure.Security'
+ AND b ->> 'ExtensionType' = 'IaaSAntimalware'
+ AND b ->> 'AutoUpgradeMinorVersion' = 'true'
+ )
+ SELECT
+ a.vm_id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN 'skip'
+ WHEN b.vm_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN a.os_type <> 'Windows' THEN a.title || ' is of ' || a.os_type || ' operating system.'
+ WHEN b.vm_id IS NOT NULL THEN a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.'
+ ELSE a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS a
+ LEFT JOIN malware_agent_installed_vm AS b ON a.vm_id = b.vm_id,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: medium
 tags:
- hipaa_hitrust_v92:
- - 'true'
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/Compute
+ hipaa_hitrust_v92:
+ - "true"
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/Compute
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml
index 6c1ae24ec..9a3521efc 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml
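Review bot: The definition does not implement the control it is filed under: the id and title say resource logs in Virtual Machine Scale Sets should be enabled, but the SQL reads `azure_compute_virtual_machine` (and `primary_resource` names it too), looks for the `IaaSAntimalware` extension with `AutoUpgradeMinorVersion = 'true'`, and its reasons speak of `' automatic update of Microsoft Antimalware protection signatures ...'`, so this is the VM antimalware-signature-update check pasted into the scale-set logging control. Every scale set therefore goes unassessed while every Windows VM is graded under a misleading title, and the HIPAA and NIST tags attach to the wrong evidence. The body needs a query over `azure_compute_virtual_machine_scale_set` that actually evaluates logging (or the manual-verification placeholder its neighbours use) and `primary_resource` set to match; the re-indentation in this commit carried the mismatch forward rather than introducing it.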
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml
@@ -1,23 +1,24 @@
 id: azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
 title: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
+type: control
 description: Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required. Check control description for more details.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required. Check control description for more details.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml
index 95b77c2d6..5dab254af 100644
--- a/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml
@@ -1,31 +1,32 @@ id: azure_compute_vm_scale_set_ssh_key_authentication_linux title: Compute virtual machine scale sets with linux OS should have SSH key authentication enabled +type: control description: This control checks whether virtual machine scale sets have SSH key authentication enabled. This control is only applicable for Linux-type operating systems. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine_scale_set - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' THEN 'skip' - WHEN virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' THEN a.title || ' is using windows OS.' - WHEN virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' THEN a.title || ' has SSH key authentication enabled.' - ELSE a.title || ' has password authentication enabled.' - END AS reason - FROM - azure_compute_virtual_machine_scale_set AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine_scale_set + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' THEN 'skip' + WHEN virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows' THEN a.title || ' is using windows OS.' 
+ WHEN virtual_machine_os_profile -> 'linuxConfiguration' ->> 'disablePasswordAuthentication' = 'true' THEN a.title || ' has SSH key authentication enabled.' + ELSE a.title || ' has password authentication enabled.' + END AS reason + FROM + azure_compute_virtual_machine_scale_set AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml index 3529ec10b..77a3263bb 100644 --- a/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml @@ -1,23 +1,24 @@ id: azure_compute_vm_scale_set_system_updates_installed title: System updates on virtual machine scale sets should be installed +type: control description: Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
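Review bot: The skip branch keys on `virtual_machine_storage_profile -> 'osDisk' ->> 'osType' = 'Windows'`, but for image-based scale sets the `osDisk.osType` field may be absent, in which case a Windows scale set has no `linuxConfiguration`, falls through to 'alarm' and is reported as 'has password authentication enabled'. A more robust OS test is the OS profile itself, e.g. `WHEN virtual_machine_os_profile -> 'windowsConfiguration' IS NOT NULL THEN 'skip'` placed alongside the existing osType check in both CASE expressions (confirm the column shape against the plugin). Also `azure_subscription AS sub` is joined but nothing from it is selected; the other controls in this diff emit `sub.display_name AS subscription`, so either add that column or drop the join.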
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml index b6ebc7e03..c5d005d43 100644 --- a/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml 
@@ -1,29 +1,30 @@ id: azure_compute_vm_scale_set_uses_managed_disks title: Virtual machine scale sets should use managed disks +type: control description: This policy identifies Azure Virtual machine scale sets which are not utilising Managed Disks. Using Azure Managed disk over traditional BLOB storage based VHD's has more advantage features like Managed disks are by default encrypted, reduces cost over storage accounts and more resilient as Microsoft will manage the disk storage and move around if underlying hardware goes faulty. It is recommended to move BLOB based VHD's to Managed Disks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine_scale_set - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != NULL THEN a.title || ' utilising managed disks.' - ELSE a.title || ' not utilising managed disks.' - END AS reason - FROM - azure_compute_virtual_machine_scale_set AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine_scale_set + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != NULL THEN a.title || ' utilising managed disks.' + ELSE a.title || ' not utilising managed disks.' 
+ END AS reason + FROM + azure_compute_virtual_machine_scale_set AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml b/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml index 88bf2d7f8..cf51ff1c9 100644 --- a/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml +++ b/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml 
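Review bot: The status CASE compares `virtual_machine_storage_profile -> 'osDisk' -> 'osType' -> 'vhdContainers' != NULL`, which is never true in SQL (any comparison with NULL yields UNKNOWN), so every scale set is reported as 'alarm' regardless of its disk configuration. The key path also looks inverted for the stated intent: `vhdContainers` is the unmanaged-VHD setting, so even rewritten as `IS NOT NULL` its presence would mean the scale set is *not* using managed disks, and it sits under `osDisk`, not under `osDisk -> 'osType'` (verify against the plugin's column shape). I would test for the managed-disk reference instead, `WHEN virtual_machine_storage_profile -> 'osDisk' -> 'managedDisk' IS NOT NULL THEN 'ok'`, in both CASE expressions, leaving the ELSE branch as 'alarm'.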
@@ -1,55 +1,56 @@ id: azure_compute_vm_secure_communication_protocols_configured title: Windows web servers should be configured to use secure communication protocols +type: control description: To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH compute_machine AS ( - SELECT - id, - name, - subscription_id, - resource_group, - c - FROM - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) AS e, - jsonb_array_elements(e -> 'guestConfiguration' -> 'configurationParameter') AS c - WHERE - e ->> 'name' = 'AuditSecureProtocol' - AND e ->> 'complianceStatus' = 'Compliant' - AND c ->> 'name' = 'MinimumTLSVersion' - AND c ->> 'value' = '1.3' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN m.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.' - WHEN m.id IS NOT NULL THEN a.name || ' configured to use secure communication protocols.' - ELSE a.name || ' not configured to use secure communication protocols.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN compute_machine AS m ON m.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH compute_machine AS ( + SELECT + id, + name, + subscription_id, + resource_group, + c + FROM + azure_compute_virtual_machine, + jsonb_array_elements(guest_configuration_assignments) AS e, + jsonb_array_elements(e -> 'guestConfiguration' -> 'configurationParameter') AS c + WHERE + e ->> 'name' = 'AuditSecureProtocol' + AND e ->> 'complianceStatus' = 'Compliant' + AND c ->> 'name' = 'MinimumTLSVersion' + AND c ->> 'value' = '1.3' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN m.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.' + WHEN m.id IS NOT NULL THEN a.name || ' configured to use secure communication protocols.' + ELSE a.name || ' not configured to use secure communication protocols.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN compute_machine AS m ON m.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml index 0604c4c7c..8c76ec70b 100644 
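Review bot: The compute_machine CTE only accepts `c ->> 'value' = '1.3'`, so a Windows VM whose AuditSecureProtocol assignment is Compliant with MinimumTLSVersion 1.2 is reported as 'not configured to use secure communication protocols', which the reason text overstates. If the intent is "at least TLS 1.2" (the built-in policy parameter, as far as I recall, admits 1.1 through 1.3), accept `AND c ->> 'value' IN ('1.2', '1.3')` or expose the threshold through the currently empty `parameters: []`; if 1.3 is deliberate, the description should say so. Note also that the CTE has no DISTINCT, so a VM with more than one matching assignment/parameter row would be emitted more than once by the LEFT JOIN; `SELECT DISTINCT id` avoids duplicate findings.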
--- a/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml @@ -1,23 +1,24 @@ id: azure_compute_vm_security_configuration_vulnerabilities_remediated title: Vulnerabilities in security configuration on your machines should be remediated +type: control description: Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml b/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml index c6c7915bc..dc2192c87 100644 --- a/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml 
@@ -1,48 +1,49 @@ id: azure_compute_vm_ssh_key_authentication_linux title: Authentication to Linux machines should require SSH keys +type: control description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_ssh_key_auth AS ( - SELECT - DISTINCT a.vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(guest_configuration_assignments) AS b - WHERE - b -> 'guestConfiguration' ->> 'name' = 'LinuxNoPasswordForSSH' - AND b ->> 'complianceStatus' = 'Compliant' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Linux' THEN 'skip' - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' - WHEN b.vm_id IS NOT NULL THEN a.title || ' have SSH keys authentication.' - ELSE a.title || ' does not have SSH keys authentication.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN vm_ssh_key_auth AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_ssh_key_auth AS ( + SELECT + DISTINCT a.vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(guest_configuration_assignments) AS b + WHERE + b -> 'guestConfiguration' ->> 'name' = 'LinuxNoPasswordForSSH' + AND b ->> 'complianceStatus' = 'Compliant' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Linux' THEN 'skip' + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Linux' THEN a.title || ' is of ' || a.os_type || ' operating system.' + WHEN b.vm_id IS NOT NULL THEN a.title || ' have SSH keys authentication.' + ELSE a.title || ' does not have SSH keys authentication.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN vm_ssh_key_auth AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml b/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml index a3972210b..efaccfa9f 100644 --- a/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml 
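Review bot: The alarm branch reports `' does not have SSH keys authentication.'` for any Linux VM without a Compliant `LinuxNoPasswordForSSH` guest-configuration assignment, which conflates "no evidence" (the guest configuration extension is simply not assigned) with "password authentication is enabled". If the VM table exposes the OS profile, `disablePasswordAuthentication` under its `linuxConfiguration` is the authoritative setting and the sibling scale-set control in this diff already reads it; otherwise the reason should state that the guest-configuration assignment is missing rather than assert password auth. The reason strings should also read `' has SSH key authentication.'` / `' does not have SSH key authentication.'`.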
@@ -1,37 +1,38 @@ id: azure_compute_vm_system_updates_installed title: System updates should be installed on your machines +type: control description: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.vm_id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_automatic_updates THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_automatic_updates THEN vm.title || ' automatic system updates enabled.' - ELSE vm.title || ' automatic system updates disabled.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.vm_id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_automatic_updates THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_automatic_updates THEN vm.title || ' automatic system updates enabled.' + ELSE vm.title || ' automatic system updates disabled.' + END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute 
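Review bot: `enable_automatic_updates` is evaluated for every VM, but if it maps to the Windows-only `osProfile.windowsConfiguration.enableAutomaticUpdates` setting, as the column name suggests, it is NULL for Linux VMs and the CASE falls through to 'alarm' with the reason 'automatic system updates disabled', which asserts a misconfiguration the query cannot observe. The sibling Windows-only controls in this diff handle this with an explicit skip, and the same shape fits here: `WHEN vm.os_type <> 'Windows' THEN 'skip'` as the first WHEN in both CASE expressions, with a matching reason such as `vm.title || ' is of ' || vm.os_type || ' operating system.'`. Whether Linux patching should be evaluated via a different signal is a product question, but a high-severity HIPAA/PCI control should not produce a false alarm for every Linux host.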
diff --git a/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml b/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml index bdcf26f58..618adf01e 100644 --- a/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml +++ b/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml 
@@ -1,70 +1,71 @@ id: azure_compute_vm_tcp_udp_access_restricted_internet title: Internet-facing virtual machines should be protected with network security groups +type: control description: Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name AS sg_name, - network_interfaces - FROM - azure_network_security_group AS nsg, - jsonb_array_elements(security_rules) AS sg, - jsonb_array_elements_text( - sg -> 'properties' -> 'destinationPortRanges' - || (sg -> 'properties' -> 'destinationPortRange') :: jsonb - ) AS dport, - jsonb_array_elements_text( - sg -> 'properties' -> 'sourceAddressPrefixes' - || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' IN ('TCP', 'UDP') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name AS sg_name, + network_interfaces + FROM + azure_network_security_group AS nsg, + jsonb_array_elements(security_rules) AS sg, + jsonb_array_elements_text( + sg -> 'properties' -> 'destinationPortRanges' + || (sg -> 'properties' -> 'destinationPortRange') :: jsonb + ) AS dport, + jsonb_array_elements_text( + sg -> 'properties' -> 'sourceAddressPrefixes' + || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' IN ('TCP', 'UDP') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN 
('22', '3389', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('22', '3389', '*') - OR ( - dport LIKE '%-%' - AND ( - (53 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) - OR (123 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) - OR (161 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) - OR (389 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) - OR (1900 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) - ) - OR (split_part(dport, '-', 1) :: integer <= 3389 AND split_part(dport, '-', 2) :: integer >= 3389) - OR (split_part(dport, '-', 1) :: integer <= 22 AND split_part(dport, '-', 2) :: integer >= 22) - ) + (53 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) + OR (123 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) + OR (161 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) + OR (389 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) + OR (1900 BETWEEN split_part(dport, '-', 1) :: integer AND split_part(dport, '-', 2) :: integer) ) + OR (split_part(dport, '-', 1) :: integer <= 3389 AND split_part(dport, '-', 2) :: integer >= 3389) + OR (split_part(dport, '-', 1) :: integer <= 22 AND split_part(dport, '-', 2) :: integer >= 22) + ) ) - SELECT - vm.vm_id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN sg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.sg_name IS NULL THEN vm.title || ' restricts remote access from internet.' - ELSE vm.title || ' allows remote access from internet.' 
- END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN network_sg AS sg ON sg.network_interfaces @> vm.network_interfaces - JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id; + ) + SELECT + vm.vm_id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN sg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.sg_name IS NULL THEN vm.title || ' restricts remote access from internet.' + ELSE vm.title || ' allows remote access from internet.' + END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN network_sg AS sg ON sg.network_interfaces @> vm.network_interfaces + JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml b/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml index 30b2c6e0b..017488eb6 100644 --- a/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml +++ b/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml 
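Review bot: The rule filter `sg -> 'properties' ->> 'protocol' IN ('TCP', 'UDP')` is case-sensitive and excludes the wildcard protocol, so an inbound allow rule with protocol `*` from `Internet` to port 22 or 3389, the most common risky configuration, never matches and the VM is reported as 'restricts remote access from internet'. Azure's REST API returns `Tcp`/`Udp`/`*` for this property; if the plugin passes the value through unchanged, the upper-case literals here also miss the plain TCP and UDP rules. `AND upper(sg -> 'properties' ->> 'protocol') IN ('TCP', 'UDP', '*')` covers all three cases. Separately, the port logic is inconsistent: ranges are tested for 53/123/161/389/1900 while single-port rules are tested only for 22/3389/*, and the sip list contains '/0' twice; the join `sg.network_interfaces @> vm.network_interfaces` also only catches NIC-attached NSGs that contain every NIC of the VM, so subnet-level NSGs are outside this control's scope and the description should say so.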
@@ -1,23 +1,24 @@ id: azure_compute_vm_temp_disks_cache_and_data_flows_encrypted title: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources +type: control description: "By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison" integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml b/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml index d6d0de1f7..e707ee706 100644 --- a/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml +++ b/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml 
@@ -1,39 +1,40 @@ id: azure_compute_vm_uses_azure_resource_manager title: Virtual machines should be migrated to new Azure Resource Manager resources -description: 'Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.' +type: control +description: "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.vm_id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN resource_group IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN resource_group IS NOT NULL THEN vm.title || ' uses Azure Resource Manager.' - ELSE vm.title || ' not uses Azure Resource Manager.' 
- END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.vm_id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN resource_group IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN resource_group IS NOT NULL THEN vm.title || ' uses Azure Resource Manager.' + ELSE vm.title || ' not uses Azure Resource Manager.' + END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml b/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml index fa4297dc2..67712afef 100644 --- a/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml +++ b/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml 
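Review bot: The status is `resource_group IS NOT NULL`, but every resource returned through Azure Resource Manager carries a resource group, and classic (ASM) VMs would not appear in azure_compute_virtual_machine at all if that table is ARM-backed, so the control can only ever report 'ok' and provides no real assurance for the HIPAA/NIST/PCI mappings attached to it. Either document that limitation in the description or, as the other unobservable controls in this diff do, mark it `manual-verification` with an 'info' status. The reason text `' not uses Azure Resource Manager.'` should also read `' does not use Azure Resource Manager.'`.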
@@ -1,49 +1,50 @@ id: azure_compute_vm_utilizing_managed_disk title: Ensure Virtual Machines are utilizing Managed Disks +type: control description: Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id AS platform_integration_id, - vm.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_disk_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' - ELSE vm.name || ' VM utilizing managed disks.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id AS platform_integration_id, + vm.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_disk_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN managed_disk_id IS NULL THEN vm.name || ' VM not utilizing managed disks.' + ELSE vm.name || ' VM utilizing managed disks.' 
+ END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '7.1' - cis_level: - - '1' - cis_section_id: - - '7' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Compute + category: + - Compliance + cis: + - "true" + cis_item_id: + - "7.1" + cis_level: + - "1" + cis_section_id: + - "7" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml b/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml index 4ff313bfd..003251777 100644 --- a/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml 
@@ -1,62 +1,63 @@ id: azure_compute_vm_vulnerability_assessment_solution_enabled title: A vulnerability assessment solution should be enabled on your virtual machines +type: control description: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH defender_enabled_vms AS ( - SELECT - DISTINCT a.vm_id AS vm_id - FROM - azure_compute_virtual_machine AS a, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'ExtensionType' = ANY(ARRAY ['MDE.Linux', 'MDE.Windows']) - AND b ->> 'ProvisioningState' = 'Succeeded' - ), - agent_installed_vm AS ( - SELECT - DISTINCT a.vm_id AS vm_id - FROM - defender_enabled_vms AS a - LEFT JOIN azure_compute_virtual_machine AS w ON w.vm_id = a.vm_id, - jsonb_array_elements(extensions) AS b - WHERE - b ->> 'Publisher' = 'Qualys' - AND b ->> 'ExtensionType' = ANY(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter']) - AND b ->> 'ProvisioningState' = 'Succeeded' - ) - SELECT - a.vm_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vm_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vm_id IS NOT NULL THEN a.title || ' have vulnerability assessment solution enabled.' - ELSE a.title || ' have vulnerability assessment solution disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH defender_enabled_vms AS ( + SELECT + DISTINCT a.vm_id AS vm_id + FROM + azure_compute_virtual_machine AS a, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'ExtensionType' = ANY(ARRAY ['MDE.Linux', 'MDE.Windows']) + AND b ->> 'ProvisioningState' = 'Succeeded' + ), + agent_installed_vm AS ( + SELECT + DISTINCT a.vm_id AS vm_id + FROM + defender_enabled_vms AS a + LEFT JOIN azure_compute_virtual_machine AS w ON w.vm_id = a.vm_id, + jsonb_array_elements(extensions) AS b + WHERE + b ->> 'Publisher' = 'Qualys' + AND b ->> 'ExtensionType' = ANY(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter']) + AND b ->> 'ProvisioningState' = 'Succeeded' + ) + SELECT + a.vm_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vm_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vm_id IS NOT NULL THEN a.title || ' have vulnerability assessment solution enabled.' + ELSE a.title || ' have vulnerability assessment solution disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN agent_installed_vm AS b ON a.vm_id = b.vm_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Compute + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Compute 
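Review bot: In the `agent_installed_vm` CTE the `LEFT JOIN azure_compute_virtual_machine AS w` is immediately filtered in `WHERE` on `b`, which is derived from `w`'s `extensions`, so the outer join is silently an inner join; write `INNER JOIN azure_compute_virtual_machine AS w ON w.vm_id = a.vm_id` to say what it does. Because that CTE only scans rows from `defender_enabled_vms`, a VM running only the Qualys agent (without an `MDE.*` extension) ends up 'alarm', although the description asks only for "a supported vulnerability assessment solution"; confirm this conjunction is intended, or evaluate the Qualys check over `azure_compute_virtual_machine` directly. Note also that the unqualified `extensions` in that CTE resolves to `w.extensions` only because `a` has no such column, so qualifying it as `w.extensions` would make the intent explicit. The two reason strings read `a.title || ' have vulnerability assessment solution enabled.'`; the subject is singular, so `' has ...'` would read correctly.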
diff --git a/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml b/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml index dc19e15b1..907904a9c 100644 --- a/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml +++ b/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml @@ -1,23 +1,24 @@ id: azure_compute_vm_vulnerability_findings_resolved_for_sql_server title: SQL servers on machines should have vulnerability findings resolved +type: control description: SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml b/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml index 509c50d4e..ec27f96c0 100644 
--- a/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml 
@@ -1,51 +1,52 @@ id: azure_compute_vm_windows_defender_exploit_guard_enabled title: Windows Defender Exploit Guard should be enabled on your machines +type: control description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH compute_machine AS ( - SELECT - id, - name, - subscription_id, - resource_group - FROM - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) AS e - WHERE - e ->> 'name' = 'WindowsDefenderExploitGuard' - AND e ->> 'complianceStatus' = 'Compliant' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.os_type <> 'Windows' THEN 'skip' - WHEN m.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.' - WHEN m.id IS NOT NULL THEN a.name || ' windows defender exploit guard enabled.' - ELSE a.name || ' windows defender exploit guard disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS a - LEFT JOIN compute_machine AS m ON m.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH compute_machine AS ( + SELECT + id, + name, + subscription_id, + resource_group + FROM + azure_compute_virtual_machine, + jsonb_array_elements(guest_configuration_assignments) AS e + WHERE + e ->> 'name' = 'WindowsDefenderExploitGuard' + AND e ->> 'complianceStatus' = 'Compliant' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.os_type <> 'Windows' THEN 'skip' + WHEN m.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.os_type <> 'Windows' THEN a.name || ' is of ' || a.os_type || ' operating system.' + WHEN m.id IS NOT NULL THEN a.name || ' windows defender exploit guard enabled.' + ELSE a.name || ' windows defender exploit guard disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS a + LEFT JOIN compute_machine AS m ON m.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml b/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml index a0dd730a0..e14a8e650 100644 --- a/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml 
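Review bot: `WHEN a.os_type <> 'Windows' THEN 'skip'` does not fire when `os_type` is NULL (the comparison yields UNKNOWN), so such a VM falls through to 'alarm' with the message "windows defender exploit guard disabled."; use `WHEN a.os_type IS DISTINCT FROM 'Windows' THEN 'skip'` or add an explicit `IS NULL` branch. The `compute_machine` CTE selects `name`, `subscription_id` and `resource_group` that the outer query never reads, and it has no `DISTINCT`, so if more than one assignment element matches the filter the `LEFT JOIN ... ON m.id = a.id` would duplicate the VM row; `SELECT DISTINCT id` in the CTE removes both issues. Whether duplicates can occur depends on how `guest_configuration_assignments` is populated, which this hunk does not show.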
+++ b/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml @@ -1,23 +1,24 @@ id: azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows title: Audit Windows machines that do not contain the specified certificates in Trusted Root +type: control description: Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine Trusted Root certificate store does not contain one or more of the certificates listed by the policy parameter. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required. Check control description for more details.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required. Check control description for more details.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml b/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml index c9191485f..4a21f8ad6 100644 --- a/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml 
@@ -1,33 +1,34 @@ id: azure_container_instance_container_group_encrypted_using_cmk title: Container Instance container group should use customer-managed key for encryption +type: control description: Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_group - definition: | - SELECT - cg.id AS resource, - cg.platform_integration_id AS platform_integration_id, - cg.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption_properties ->> 'keyName' IS NOT NULL - AND encryption_properties ->> 'vaultBaseUrl' IS NOT NULL - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_properties ->> 'keyName' IS NOT NULL - AND encryption_properties ->> 'vaultBaseUrl' IS NOT NULL - THEN cg.title || ' encrypted with CMK.' - ELSE cg.title || ' not encrypted with CMK.' - END AS reason - FROM - azure_container_group AS cg, - azure_subscription AS sub - WHERE - sub.subscription_id = cg.subscription_id; + language: sql + primary_resource: azure_container_group + definition: | + SELECT + cg.id AS resource, + cg.platform_integration_id AS platform_integration_id, + cg.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption_properties ->> 'keyName' IS NOT NULL + AND encryption_properties ->> 'vaultBaseUrl' IS NOT NULL + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_properties ->> 'keyName' IS NOT NULL + AND encryption_properties ->> 'vaultBaseUrl' IS NOT NULL + THEN cg.title || ' encrypted with CMK.' + ELSE cg.title || ' not encrypted with CMK.' 
+ END AS reason + FROM + azure_container_group AS cg, + azure_subscription AS sub + WHERE + sub.subscription_id = cg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml b/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml index 8ed006868..df0cf5bc5 100644 --- a/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml 
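Review bot: `azure_subscription AS sub` is joined via `WHERE sub.subscription_id = cg.subscription_id` but no column from `sub` is selected, so the join only acts as an inner filter that drops container groups whose subscription row is absent, and the result lacks the `resource_group`/`subscription` columns that the compute and registry controls on this page emit. Either add `cg.resource_group AS resource_group, sub.display_name AS subscription` to the select list for consistency with those controls, or remove the join. The unqualified `encryption_properties` should also be written as `cg.encryption_properties`, matching the other columns in the query.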
@@ -1,29 +1,30 @@ id: azure_container_instance_container_group_identity_provider_enabled title: Container instance container groups identity provider should be enabled +type: control description: Ensure that managed identity provider is enabled for the container instance container group. This control is non-compliant if container instance container group identity provider is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_group - definition: | - SELECT - cg.id AS resource, - cg.platform_integration_id AS platform_integration_id, - cg.platform_resource_id AS platform_resource_id, - CASE - WHEN identity IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity IS NULL THEN cg.name || ' identity provider disabled.' - ELSE cg.name || ' identity provider enabled.' - END AS reason - FROM - azure_container_group AS cg, - azure_subscription AS sub - WHERE - sub.subscription_id = cg.subscription_id; + language: sql + primary_resource: azure_container_group + definition: | + SELECT + cg.id AS resource, + cg.platform_integration_id AS platform_integration_id, + cg.platform_resource_id AS platform_resource_id, + CASE + WHEN identity IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity IS NULL THEN cg.name || ' identity provider disabled.' + ELSE cg.name || ' identity provider enabled.' + END AS reason + FROM + azure_container_group AS cg, + azure_subscription AS sub + WHERE + sub.subscription_id = cg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml b/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml index ec9648ab4..5aae60335 100644 --- a/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml 
+++ b/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml @@ -1,29 +1,30 @@ id: azure_container_instance_container_group_in_virtual_network title: Container instance container groups should be in virtual network +type: control description: This control ensures that the container group is deployed into a virtual network. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_group - definition: | - SELECT - cg.id AS resource, - cg.platform_integration_id AS platform_integration_id, - cg.platform_resource_id AS platform_resource_id, - CASE - WHEN subnet_ids IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN subnet_ids IS NOT NULL THEN cg.title || ' in virtual network.' - ELSE cg.title || ' not in virtual network.' - END AS reason - FROM - azure_container_group AS cg, - azure_subscription AS sub - WHERE - sub.subscription_id = cg.subscription_id; + language: sql + primary_resource: azure_container_group + definition: | + SELECT + cg.id AS resource, + cg.platform_integration_id AS platform_integration_id, + cg.platform_resource_id AS platform_resource_id, + CASE + WHEN subnet_ids IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN subnet_ids IS NOT NULL THEN cg.title || ' in virtual network.' + ELSE cg.title || ' not in virtual network.' + END AS reason + FROM + azure_container_group AS cg, + azure_subscription AS sub + WHERE + sub.subscription_id = cg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml b/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml index db4784d6f..676b92bac 100644 --- a/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml 
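Review bot: `WHEN subnet_ids IS NOT NULL THEN 'ok'` will pass an empty collection if `subnet_ids` is a jsonb array, so a container group with no subnet would be reported as "in virtual network"; the column name suggests a list, but the hunk does not show its type, so please confirm. If it is jsonb, `WHEN subnet_ids IS NOT NULL AND jsonb_array_length(subnet_ids) > 0 THEN 'ok'` closes the gap, and the same predicate should be reused in the reason `CASE`. As in the sibling container-group hunks, `sub` contributes nothing to the select list here.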
+++ b/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml 
@@ -1,40 +1,41 @@ id: azure_container_instance_container_group_secured_environment_variable title: Container instance container groups should use secured environment variable +type: control description: Ensure that container instance container group uses secured environment variables. This control is non-compliant if container instance container group does not use secured environment variables. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_group - definition: | - WITH not_secured_environment_variable_container_group AS ( - SELECT - id - FROM - azure_container_group, - jsonb_array_elements(containers) AS c, - jsonb_array_elements(c -> 'properties' -> 'environmentVariables') AS v - WHERE - v -> 'value' IS NOT NULL - ) - SELECT - cg.id AS resource, - cg.platform_integration_id AS platform_integration_id, - cg.platform_resource_id AS platform_resource_id, - CASE - WHEN g.id IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN g.id IS NOT NULL THEN cg.name || ' have unsecured environment variable.' - ELSE cg.name || ' have secured environment variable.' 
- END AS reason - FROM - azure_container_group AS cg - LEFT JOIN not_secured_environment_variable_container_group AS g ON g.id = cg.id, - azure_subscription AS sub - WHERE - sub.subscription_id = cg.subscription_id; + language: sql + primary_resource: azure_container_group + definition: | + WITH not_secured_environment_variable_container_group AS ( + SELECT + id + FROM + azure_container_group, + jsonb_array_elements(containers) AS c, + jsonb_array_elements(c -> 'properties' -> 'environmentVariables') AS v + WHERE + v -> 'value' IS NOT NULL + ) + SELECT + cg.id AS resource, + cg.platform_integration_id AS platform_integration_id, + cg.platform_resource_id AS platform_resource_id, + CASE + WHEN g.id IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN g.id IS NOT NULL THEN cg.name || ' have unsecured environment variable.' + ELSE cg.name || ' have secured environment variable.' + END AS reason + FROM + azure_container_group AS cg + LEFT JOIN not_secured_environment_variable_container_group AS g ON g.id = cg.id, + azure_subscription AS sub + WHERE + sub.subscription_id = cg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml b/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml index 6e05f5691..afe3543ae 100644 --- a/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml +++ b/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml 
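Review bot: `v -> 'value' IS NOT NULL` in the `not_secured_environment_variable_container_group` CTE tests a jsonb value, so an environment variable serialized as `"value": null` yields the jsonb `null` literal, which is not SQL NULL, and the whole container group is flagged 'alarm' although no plaintext value is present. `v ->> 'value' IS NOT NULL` returns SQL NULL for a JSON null and fixes the false alarm. The CTE also returns one `id` per offending variable with no `DISTINCT`, so the `LEFT JOIN ... ON g.id = cg.id` multiplies the group row once per unsecured variable; `SELECT DISTINCT id` keeps one result row per resource. The reason strings `' have unsecured environment variable.'` / `' have secured environment variable.'` should read `' has ...'` for a singular subject.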
@@ -1,29 +1,30 @@ id: azure_container_registry_admin_user_disabled title: Container registries admin user should be disabled +type: control description: Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_user_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN admin_user_enabled THEN a.name || ' admin user enabled.' - ELSE a.name || ' admin user disabled.' - END AS reason - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_user_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN admin_user_enabled THEN a.name || ' admin user enabled.' + ELSE a.name || ' admin user disabled.' + END AS reason + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml index 001316836..9d13a5a05 100644 --- a/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml 
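Review bot: `WHEN admin_user_enabled THEN 'alarm' ELSE 'ok'` reports a registry as compliant when `admin_user_enabled` is NULL, because a NULL boolean is not true and falls through to the `ELSE`; the same fail-open shape appears in the `azure_container_registry_public_network_access_disabled` hunk (`WHEN public_network_access = 'Enabled' THEN 'alarm' ELSE 'ok'`, L3089). Make the unknown case explicit, for example `WHEN admin_user_enabled IS NULL THEN 'info'` before the `ELSE`, or use `WHEN admin_user_enabled IS NOT FALSE THEN 'alarm'` if unknown should fail closed. `SELECT DISTINCT a.name AS resource` also differs from the compute controls on this page, which use the resource `id`; `DISTINCT` here suggests the comma join to `azure_subscription` is expected to multiply rows, which the `subscription_id` equality should already prevent.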
@@ -1,35 +1,36 @@ id: azure_container_registry_encrypted_with_cmk title: Container registries should be encrypted with a customer-managed key +type: control description: Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT DISTINCT - a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'status' = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption ->> 'status' = 'enabled' THEN a.name || ' encrypted with CMK.' - ELSE a.name || ' not encrypted with CMK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT DISTINCT + a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'status' = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption ->> 'status' = 'enabled' THEN a.name || ' encrypted with CMK.' + ELSE a.name || ' not encrypted with CMK.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ContainerRegistry + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ContainerRegistry diff --git a/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml b/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml index 14e475345..42e4352b8 100644 --- a/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml 
@@ -1,46 +1,47 @@ id: azure_container_registry_geo_replication_enabled title: Container registries should be geo-replicated +type: control description: Ensure that container registries are geo-replicated to align with multi-region container deployments. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - WITH geo_replication_count AS ( - SELECT - name AS name, - subscription_id, - (v ->> 'currentValue')::int AS geo_replication_count - FROM - azure_container_registry, - jsonb_array_elements(usages -> 'value') AS v - WHERE - v ->> 'name' = 'Geo-replications' - AND v ->> 'unit' = 'Count' - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name <> 'Premium' THEN 'skip' - WHEN c.geo_replication_count > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_name <> 'Premium' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN c.geo_replication_count > 1 THEN a.name || ' ' || c.geo_replication_count || ' geo replication configured.' - ELSE a.name || ' geo replication not configured.' 
- END AS reason - FROM - azure_container_registry AS a - LEFT JOIN geo_replication_count AS c - ON a.name = c.name - AND a.subscription_id = c.subscription_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + WITH geo_replication_count AS ( + SELECT + name AS name, + subscription_id, + (v ->> 'currentValue')::int AS geo_replication_count + FROM + azure_container_registry, + jsonb_array_elements(usages -> 'value') AS v + WHERE + v ->> 'name' = 'Geo-replications' + AND v ->> 'unit' = 'Count' + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name <> 'Premium' THEN 'skip' + WHEN c.geo_replication_count > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_name <> 'Premium' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN c.geo_replication_count > 1 THEN a.name || ' ' || c.geo_replication_count || ' geo replication configured.' + ELSE a.name || ' geo replication not configured.' + END AS reason + FROM + azure_container_registry AS a + LEFT JOIN geo_replication_count AS c + ON a.name = c.name + AND a.subscription_id = c.subscription_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml b/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml index 2bc4e86e1..4b24626c6 100644 --- a/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml 
@@ -1,29 +1,30 @@ id: azure_container_registry_public_network_access_disabled title: Container registries public network access should be disabled +type: control description: Ensure that container registries public network access is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN a.name || ' public network access enabled.' - ELSE a.name || ' public network access disabled.' - END AS reason - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN a.name || ' public network access enabled.' + ELSE a.name || ' public network access disabled.' + END AS reason + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml index b203e2351..cf0d6d130 100644 --- a/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml 
@@ -1,29 +1,30 @@ id: azure_container_registry_quarantine_policy_enabled title: Container registries quarantine policy should be enabled +type: control description: Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT DISTINCT - a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN policies -> 'quarantinePolicy' ->> 'status' = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN policies -> 'quarantinePolicy' ->> 'status' = 'enabled' THEN a.name || ' quarantine policy enabled.' - ELSE a.name || ' quarantine policy disabled.' - END AS reason - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT DISTINCT + a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN policies -> 'quarantinePolicy' ->> 'status' = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN policies -> 'quarantinePolicy' ->> 'status' = 'enabled' THEN a.name || ' quarantine policy enabled.' + ELSE a.name || ' quarantine policy disabled.' + END AS reason + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml b/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml index 72d173bf3..452f1a277 100644 --- a/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml 
+++ b/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml 
@@ -1,35 +1,36 @@ id: azure_container_registry_restrict_public_access title: Container registries should not allow unrestricted network access +type: control description: Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT DISTINCT - a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_set ->> 'defaultAction' = 'Deny' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN network_rule_set ->> 'defaultAction' = 'Deny' THEN a.name || ' publicly not accessible.' - ELSE a.name || ' publicly accessible.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT DISTINCT + a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_set ->> 'defaultAction' = 'Deny' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN network_rule_set ->> 'defaultAction' = 'Deny' THEN a.name || ' publicly not accessible.' + ELSE a.name || ' publicly accessible.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ContainerRegistry + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ContainerRegistry diff --git a/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml index 5d46f9a70..fe5026552 100644 --- a/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml 
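Review bot: The reason strings `' publicly not accessible.'` and `' publicly accessible.'` overstate what `network_rule_set ->> 'defaultAction' = 'Deny'` establishes: the description itself allows access from specific public IP ranges, and a Deny default combined with IP rules is still reachable from those ranges. Consider `a.name || ' network access restricted to configured rules.'` and `a.name || ' network access unrestricted.'` so the finding text matches the check. A NULL `network_rule_set` falls through to 'alarm', which is the safe default here.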
@@ -1,29 +1,30 @@ id: azure_container_registry_retention_policy_enabled title: Container registries retention policy should be enabled +type: control description: Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN policies -> 'retentionPolicy' ->> 'status' = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN policies -> 'retentionPolicy' ->> 'status' = 'enabled' THEN a.name || ' retention policy enabled.' - ELSE a.name || ' retention policy disabled.' - END AS reason - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN policies -> 'retentionPolicy' ->> 'status' = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN policies -> 'retentionPolicy' ->> 'status' = 'enabled' THEN a.name || ' retention policy enabled.' + ELSE a.name || ' retention policy disabled.' + END AS reason + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml index 00f867cc0..5e2b5a80f 100644 --- a/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml 
+++ b/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml @@ -1,29 +1,30 @@ id: azure_container_registry_trust_policy_enabled title: Container registries trust policy should be enabled +type: control description: Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN policies -> 'trustPolicy' ->> 'status' = 'enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN policies -> 'trustPolicy' ->> 'status' = 'enabled' THEN a.name || ' trust policy enabled.' - ELSE a.name || ' trust policy disabled.' - END AS reason - FROM - azure_container_registry AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN policies -> 'trustPolicy' ->> 'status' = 'enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN policies -> 'trustPolicy' ->> 'status' = 'enabled' THEN a.name || ' trust policy enabled.' + ELSE a.name || ' trust policy disabled.' + END AS reason + FROM + azure_container_registry AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml index 8ec801c9b..053176f61 100644 --- a/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml 
+++ b/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml 
@@ -1,47 +1,48 @@ id: azure_container_registry_use_virtual_service_endpoint title: Container Registry should use a virtual network service endpoint +type: control description: This policy audits any Container Registry not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - WITH container_registry_subnet AS ( - SELECT - DISTINCT a.name, - rule ->> 'id' AS id - FROM - azure_container_registry AS a, - jsonb_array_elements(network_rule_set -> 'virtualNetworkRules') AS rule, - azure_subnet AS subnet - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_set ->> 'defaultAction' <> 'Deny' THEN 'alarm' - WHEN s.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_set ->> 'defaultAction' <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' - WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' - ELSE a.name || ' configured with virtual service endpoint.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_container_registry AS a - LEFT JOIN container_registry_subnet AS s ON a.name = s.name, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + WITH container_registry_subnet AS ( + SELECT + DISTINCT a.name, + rule ->> 'id' AS id + FROM + azure_container_registry AS a, + jsonb_array_elements(network_rule_set -> 'virtualNetworkRules') AS rule, + azure_subnet AS subnet + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_set ->> 'defaultAction' <> 'Deny' THEN 'alarm' + WHEN s.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_set ->> 'defaultAction' <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' + WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' + ELSE a.name || ' configured with virtual service endpoint.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_container_registry AS a + LEFT JOIN container_registry_subnet AS s ON a.name = s.name, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/ContainerRegistry + hipaa_hitrust_v92: + - "true" + service: + - Azure/ContainerRegistry diff --git a/compliance/controls/azure/azure_container_registry_uses_private_link.yaml b/compliance/controls/azure/azure_container_registry_uses_private_link.yaml index ce270bb8e..f281d9af8 100644 --- a/compliance/controls/azure/azure_container_registry_uses_private_link.yaml +++ b/compliance/controls/azure/azure_container_registry_uses_private_link.yaml 
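Review bot: The `container_registry_subnet` CTE cross-joins `azure_subnet AS subnet` with no join condition and never references `subnet`, so the table is only a per-subnet row multiplier (hidden by DISTINCT) and, if `azure_subnet` is empty, the CTE returns no rows and every registry is reported as 'alarm' regardless of its rules. Drop `azure_subnet AS subnet` from the FROM list, or join it on the rule's subnet id so the CTE actually verifies that the referenced subnet exists. The two alarm branches also emit identical reason text; the `defaultAction <> 'Deny'` case could say `a.name || ' default network action is not Deny.'` so operators can tell the two failure modes apart.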
@@ -1,45 +1,46 @@ id: azure_container_registry_uses_private_link title: Container registries should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_container_registry - definition: | - WITH container_registry_private_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_container_registry AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_container_registry AS a - LEFT JOIN container_registry_private_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_container_registry + definition: | + WITH container_registry_private_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_container_registry AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_container_registry AS a + LEFT JOIN container_registry_private_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ContainerRegistry + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ContainerRegistry diff --git a/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml index bf728ab2c..1e193be2d 100644 --- a/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml 
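Review bot: The reason text `a.name || ' not uses private link.'` is ungrammatical; `a.name || ' does not use private link.'` reads correctly, and the same string appears in the cosmosdb_account_uses_private_link hunk. Separately, an 'ok' here only shows that at least one private endpoint connection is Approved and says nothing about whether public network access is still enabled, so this result should be read alongside the public-access controls rather than as evidence of private-only exposure.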
@@ -1,23 +1,24 @@ id: azure_container_registry_vulnerabilities_remediated title: Container registry images should have vulnerability findings resolved +type: control description: Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml index 636eb878c..c2ed288a1 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml 
@@ -1,35 +1,36 @@ id: azure_cosmosdb_account_encryption_at_rest_using_cmk title: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN key_vault_key_uri IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN key_vault_key_uri IS NOT NULL THEN a.name || ' encrypted at rest using CMK.' - ELSE a.name || ' not encrypted at rest using CMK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN key_vault_key_uri IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN key_vault_key_uri IS NOT NULL THEN a.name || ' encrypted at rest using CMK.' + ELSE a.name || ' not encrypted at rest using CMK.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CosmosDB + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CosmosDB diff --git a/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml b/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml index a5023c2d3..f928b1cf2 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml 
@@ -1,29 +1,30 @@ id: azure_cosmosdb_account_key_based_metadata_write_access_disabled title: Cosmos DB accounts should disable key based metadata write access +type: control description: Ensure Cosmos DB accounts have key-based metadata write_access disabled. This control is non-compliant if Cosmos DB accounts have key-based metadata write access enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN disable_key_based_metadata_write_access THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN disable_key_based_metadata_write_access THEN a.name || ' key based metadata write_access disabled.' - ELSE a.name || ' key based metadata write_access enabled.' - END AS reason - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN disable_key_based_metadata_write_access THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN disable_key_based_metadata_write_access THEN a.name || ' key based metadata write_access disabled.' + ELSE a.name || ' key based metadata write_access enabled.' + END AS reason + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml b/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml index e22f574e6..e0d91b7c8 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml 
+++ b/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml @@ -1,29 +1,30 @@ id: azure_cosmosdb_account_uses_aad_and_rbac title: Cosmos DB account 'Access Control' should be configured to use Azure Active Directory (AAD) and Role-Based Access Control (RBAC) +type: control description: Azure Cosmos DB accounts should use Azure Active Directory (AAD) Client Authentication and Role-Based Access Control (RBAC) for access control. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN disable_local_auth THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN disable_local_auth THEN a.name || ' is using AAD and RBAC.' - ELSE a.name || ' is not using AAD and RBAC.' - END AS reason - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN disable_local_auth THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN disable_local_auth THEN a.name || ' is using AAD and RBAC.' + ELSE a.name || ' is not using AAD and RBAC.' + END AS reason + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml b/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml index dc4b489d0..4952916b0 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml 
@@ -1,59 +1,60 @@ id: azure_cosmosdb_account_uses_private_link title: CosmosDB accounts should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - WITH cosmosdb_private_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_cosmosdb_account AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cosmosdb_account AS a - LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + WITH cosmosdb_private_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_cosmosdb_account AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cosmosdb_account AS a + LEFT JOIN cosmosdb_private_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.5.2 - cis_level: - - '2' - cis_section_id: - - '4.5' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.5.2 + cis_level: + - "2" + cis_section_id: + - "4.5" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml b/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml index 2fdf01050..f814a3294 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml 
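Review bot: The `service` tag on this Cosmos DB control is `Azure/SQL`, while the other Cosmos DB controls in this commit (encryption_at_rest_using_cmk, with_firewall_rules, cosmosdb_use_virtual_service_endpoint) are tagged `Azure/CosmosDB`; the same mismatch is in the cosmosdb_account_virtual_network_filter_enabled hunk. Since tags drive filtering and reporting, `service: - Azure/CosmosDB` is presumably the intended value. The reformat carried the old value through unchanged, so this is pre-existing, but it is worth correcting while the file is being touched.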
+++ b/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml 
@@ -1,51 +1,52 @@ id: azure_cosmosdb_account_virtual_network_filter_enabled title: Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks -description: '' +type: control +description: "" integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Disabled' THEN 'ok' - WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.' - WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.' - ELSE a.name || ' virtual network filter disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Disabled' THEN 'ok' + WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_network_access = 'Disabled' THEN a.name || ' public network access disabled.' + WHEN public_network_access = 'Enabled' AND is_virtual_network_filter_enabled = 'true' THEN a.name || ' virtual network filter enabled.' + ELSE a.name || ' virtual network filter disabled.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: critical tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.5.1 - cis_level: - - '2' - cis_section_id: - - '4.5' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.5.1 + cis_level: + - "2" + cis_section_id: + - "4.5" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml b/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml index 51f2e4e7d..717dd4af6 100644 --- a/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml 
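Review bot: `description` is an empty string on the new side of this file, so the control ships with no explanation of what it evaluates, unlike every other control in the commit. A one-sentence description derived from the query would do, e.g. `description: Ensure Cosmos DB accounts either disable public network access or enable the virtual network filter so that only selected networks can connect. This control is non-compliant if public network access is enabled without the virtual network filter.`. The comparison `is_virtual_network_filter_enabled = 'true'` relies on the string literal being cast to the column's type; if the column is boolean, writing `is_virtual_network_filter_enabled` on its own makes the intent explicit — confirm the column type before changing it.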
@@ -1,43 +1,44 @@ id: azure_cosmosdb_account_with_firewall_rules title: Azure Cosmos DB accounts should have firewall rules +type: control description: Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - public_network_access = 'Enabled' - AND is_virtual_network_filter_enabled = 'false' - AND jsonb_array_length(ip_rules) = 0 - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - public_network_access = 'Enabled' - AND is_virtual_network_filter_enabled = 'false' - AND jsonb_array_length(ip_rules) = 0 - THEN a.name || ' not have firewall rules.' - ELSE a.name || ' have firewall rules.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cosmosdb_account AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + public_network_access = 'Enabled' + AND is_virtual_network_filter_enabled = 'false' + AND jsonb_array_length(ip_rules) = 0 + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + public_network_access = 'Enabled' + AND is_virtual_network_filter_enabled = 'false' + AND jsonb_array_length(ip_rules) = 0 + THEN a.name || ' not have firewall rules.' + ELSE a.name || ' have firewall rules.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cosmosdb_account AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CosmosDB + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CosmosDB diff --git a/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml index 955ba22b1..01ad0a072 100644 --- a/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml 
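Review bot: `jsonb_array_length(ip_rules) = 0` yields NULL when `ip_rules` is NULL, which makes the whole AND chain NULL and sends an account with public access enabled, no virtual network filter and no IP rules at all to the `ELSE 'ok'` branch with the reason 'have firewall rules' — the control fails open for exactly the accounts it exists to catch, assuming the column can be NULL (the page does not show its nullability). Guard it in both CASE expressions: `AND COALESCE(jsonb_array_length(ip_rules), 0) = 0`. The reason strings would also read better as `a.name || ' does not have firewall rules.'` and `a.name || ' has firewall rules.'`.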
@@ -1,45 +1,46 @@ id: azure_cosmosdb_use_virtual_service_endpoint title: Cosmos DB should use a virtual network service endpoint +type: control description: This policy audits any Cosmos DB not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_cosmosdb_account - definition: | - WITH cosmosdb_with_virtual_network AS ( - SELECT - DISTINCT a.id - FROM - azure_cosmosdb_account AS a, - jsonb_array_elements(virtual_network_rules) AS rule - WHERE - rule ->> 'id' IS NOT NULL - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not configured with virtual network service endpoint.' - ELSE a.name || ' configured with virtual network service endpoint.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_cosmosdb_account AS a - LEFT JOIN cosmosdb_with_virtual_network AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_cosmosdb_account + definition: | + WITH cosmosdb_with_virtual_network AS ( + SELECT + DISTINCT a.id + FROM + azure_cosmosdb_account AS a, + jsonb_array_elements(virtual_network_rules) AS rule + WHERE + rule ->> 'id' IS NOT NULL + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not configured with virtual network service endpoint.' + ELSE a.name || ' configured with virtual network service endpoint.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_cosmosdb_account AS a + LEFT JOIN cosmosdb_with_virtual_network AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/CosmosDB + hipaa_hitrust_v92: + - "true" + service: + - Azure/CosmosDB diff --git a/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml index a56f09af1..1da2eff9a 100644 --- a/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml 
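Review bot: The `cosmosdb_with_virtual_network` CTE treats any entry in `virtual_network_rules` as compliance, but Cosmos DB virtual network rules are only enforced when the account's virtual network filter is enabled, and `is_virtual_network_filter_enabled` is a column this same commit already reads in the cosmosdb_account_virtual_network_filter_enabled hunk. Consider adding `AND is_virtual_network_filter_enabled = 'true'` to the CTE's WHERE clause so a configured-but-inactive rule does not produce 'ok'; confirm the column's type before settling on the literal form.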
@@ -1,35 +1,36 @@ id: azure_data_factory_encrypted_with_cmk title: Azure data factories should be encrypted with a customer-managed key +type: control description: Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_data_factory - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'vaultBaseUrl' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption ->> 'vaultBaseUrl' IS NOT NULL THEN a.name || ' encrypted with CMK.' - ELSE a.name || ' not encrypted with CMK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_data_factory AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_data_factory + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'vaultBaseUrl' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption ->> 'vaultBaseUrl' IS NOT NULL THEN a.name || ' encrypted with CMK.' + ELSE a.name || ' not encrypted with CMK.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_data_factory AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataFactory + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataFactory diff --git a/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml b/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml index 31502cecc..4159ca638 100644 --- a/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml 
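Review bot: `encryption ->> 'vaultBaseUrl'` is referenced without a table alias although the `FROM` clause lists two tables; the query only works because `azure_subscription` happens to have no column of that name, and a column added there later would turn this into an ambiguous-reference error at run time. Qualify it as `a.encryption ->> 'vaultBaseUrl'` in both CASE expressions. The same unqualified column reference appears in the sibling hunks for `public_network_access`, `repo_configuration`, `sku_name`, `encryption_state`, `identity_type`, `identity` and `disable_local_auth` below.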
@@ -1,29 +1,30 @@
 id: azure_data_factory_public_network_access_disabled
 title: Data factories should disable public network access
+type: control
 description: Disabling public network access improves security by ensuring that your Data Factory is not exposed on the public internet.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_data_factory
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN public_network_access = 'Enabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN public_network_access = 'Enabled' THEN a.name || ' public network access enabled.'
- ELSE a.name || ' public network access disabled.'
- END AS reason
- FROM
- azure_data_factory AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_data_factory
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN public_network_access = 'Enabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN public_network_access = 'Enabled' THEN a.name || ' public network access enabled.'
+ ELSE a.name || ' public network access disabled.'
+ END AS reason
+ FROM
+ azure_data_factory AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml b/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml
index fdfcdc6d9..95c0724be 100644
--- a/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml
+++ b/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml
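Review bot: `public_network_access = 'Enabled'` evaluates to UNKNOWN when the column is NULL, so a factory whose value could not be read falls through to `ELSE 'ok'` and is reported as having public access disabled; if the column can be NULL, the control passes an unverified state. Make the passing branch explicit, e.g. `WHEN public_network_access = 'Disabled' THEN 'ok'` with the remaining cases alarming, or put `WHEN public_network_access IS NULL THEN 'info'` ahead of the existing branches in both CASE expressions. The Event Grid domain restrict-public-access hunk further down has the same NULL gap. This query also joins `azure_subscription` without emitting `sub.display_name AS subscription` or `a.resource_group`, unlike the CMK control just above, so the join acts only as a filter and the output columns differ between sibling controls.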
@@ -1,29 +1,30 @@
 id: azure_data_factory_uses_git_repository
 title: Data factories should use GitHub repository
+type: control
 description: Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_data_factory
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN repo_configuration->>'repositoryName' IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN repo_configuration->>'repositoryName' IS NOT NULL THEN a.name || ' uses git repository.'
- ELSE a.name || ' not uses git repository.'
- END AS reason
- FROM
- azure_data_factory AS a,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = a.subscription_id;
+ language: sql
+ primary_resource: azure_data_factory
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN repo_configuration->>'repositoryName' IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN repo_configuration->>'repositoryName' IS NOT NULL THEN a.name || ' uses git repository.'
+ ELSE a.name || ' not uses git repository.'
+ END AS reason
+ FROM
+ azure_data_factory AS a,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = a.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_data_factory_uses_private_link.yaml b/compliance/controls/azure/azure_data_factory_uses_private_link.yaml
index f1f3147dd..a81213c57 100644
--- a/compliance/controls/azure/azure_data_factory_uses_private_link.yaml
+++ b/compliance/controls/azure/azure_data_factory_uses_private_link.yaml
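Review bot: The reason text `' not uses git repository.'` is ungrammatical; use `' does not use git repository.'` (the `' not uses private link.'` string in the next hunk has the same problem). The title says "GitHub repository" while the description and the `repo_configuration->>'repositoryName'` check accept any configured Git repository, so the title should read `Data factories should use a Git repository` to avoid implying a GitHub-only requirement. As in the public-network hunk above, `azure_subscription` is joined but neither `resource_group` nor `subscription` is emitted, unlike the other Data Factory controls in this change.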
@@ -1,45 +1,46 @@ id: azure_data_factory_uses_private_link title: Azure Data Factory should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_data_factory - definition: | - WITH data_factory_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_data_factory AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_data_factory AS a - LEFT JOIN data_factory_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_data_factory + definition: | + WITH data_factory_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_data_factory AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_data_factory AS a + LEFT JOIN data_factory_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataFactory + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataFactory diff --git a/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml b/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml index ac2d4e181..f5083445c 100644 --- a/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml 
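Review bot: A factory with one approved private endpoint is reported 'ok' even when `public_network_access` is still 'Enabled', so the private link can exist without the public path being closed; the Event Grid domain private-link control in this same change checks `public_network_access = 'Enabled'` first and alarms, and this query should do the same since `azure_data_factory` exposes that column (it is used in the public-network hunk two files up). Note also that the connection-state key is spelled `PrivateLinkServiceConnectionStateStatus` here but `privateLinkServiceConnectionStateStatus` in the Event Grid hunk; jsonb keys are case-sensitive, so one of the two spellings presumably never matches and both should be verified against the actual column content. The reason string `' not uses private link.'` should read `' does not use private link.'`.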
@@ -1,35 +1,36 @@ id: azure_databox_edge_device_double_encryption_enabled title: Azure Stack Edge devices should use double-encryption +type: control description: "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_databox_edge_device - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name = ANY (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_name = ANY (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) THEN a.name || ' double encryption enabled.' - ELSE a.name || ' double encryption disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_databox_edge_device AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_databox_edge_device + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name = ANY (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_name = ANY (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) THEN a.name || ' double encryption enabled.' + ELSE a.name || ' double encryption disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_databox_edge_device AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataBox + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataBox diff --git a/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml b/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml index 4fde4d290..4fbfdff05 100644 --- a/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml 
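Review bot: The ten-element SKU array is duplicated verbatim in the `status` and `reason` CASE expressions, so the two lists can silently drift apart on the next edit; compute the match once in a CTE and reference the resulting boolean from both expressions. A comment stating where the list of double-encrypting SKUs comes from and when it was last reviewed would also help, because this is a hard-coded allow-list that alarms on any SKU added after it was written.
```sql
WITH device AS (
  SELECT
    a.*,
    -- SKUs that ship with double encryption; source and review date: TODO document
    a.sku_name = ANY (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) AS is_double_encrypted
  FROM
    azure_databox_edge_device AS a
)
SELECT
  a.id AS resource,
  -- … unchanged: platform_integration_id / platform_resource_id columns …
  CASE
    WHEN a.is_double_encrypted THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN a.is_double_encrypted THEN a.name || ' double encryption enabled.'
    ELSE a.name || ' double encryption disabled.'
  END AS reason,
  a.resource_group AS resource_group,
  sub.display_name AS subscription
FROM
  device AS a,
  azure_subscription AS sub
WHERE
  sub.subscription_id = a.subscription_id;
```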
@@ -1,23 +1,24 @@
 id: azure_databox_job_double_encryption_enabled
 title: Azure Data Box jobs should enable double encryption for data at rest on the device
+type: control
 description: Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
index a0e42bdbb..f0dc82193 100644
--- a/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
@@ -1,23 +1,24 @@
 id: azure_databox_job_unlock_password_encrypted_with_cmk
 title: Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
+type: control
 description: Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml b/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
index a42fc7aa2..6fd6fbaa1 100644
--- a/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
@@ -1,65 +1,66 @@ id: azure_datalake_analytics_account_logging_enabled title: Resource logs in Data Lake Analytics should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_data_lake_analytics_account - definition: | - WITH logging_details AS ( - SELECT - DISTINCT account_id AS account_id - FROM - azure_data_lake_analytics_account, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_data_lake_analytics_account + definition: | + WITH logging_details AS ( + SELECT + DISTINCT account_id AS account_id + FROM + azure_data_lake_analytics_account, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.account_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' - WHEN l.account_id IS NOT NULL THEN a.name || ' logging enabled.' - ELSE a.name || ' logging disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_data_lake_analytics_account AS a - LEFT JOIN logging_details AS l ON a.account_id = l.account_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + ) + SELECT + a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.account_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' + WHEN l.account_id IS NOT NULL THEN a.name || ' logging enabled.' + ELSE a.name || ' logging disabled.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_data_lake_analytics_account AS a + LEFT JOIN logging_details AS l ON a.account_id = l.account_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataLakeAnalytics + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataLakeAnalytics diff --git a/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml b/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml index d315f651d..2f88be131 100644 --- a/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml 
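Review bot: The final statement is missing its terminating `;` (`sub.subscription_id = a.subscription_id` is the last line) while the otherwise identical Data Lake Store logging query below ends with one; make the two consistent. The retention check `(log -> 'retentionPolicy')::JSONB ? 'days'` only tests that the key exists, not its value, so a `days` of 0 (which Azure documents as retaining indefinitely — confirm) and any other number pass alike; if the intent is a minimum retention period, compare the value instead. `DISTINCT account_id` also marks the account 'ok' when any single log category satisfies the predicate rather than when every category is enabled — if full coverage is the goal this needs a per-category check. The same predicate is repeated in the Data Lake Store logging hunk below.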
@@ -1,35 +1,36 @@
 id: azure_datalake_store_account_encryption_enabled
 title: Require encryption on Data Lake Store accounts
+type: control
 description: This policy ensures encryption is enabled on all Data Lake Store accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_data_lake_store
- definition: |
- SELECT
- b.account_id AS resource,
- b.platform_integration_id AS platform_integration_id,
- b.platform_resource_id AS platform_resource_id,
- CASE
- WHEN encryption_state = 'Enabled' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN encryption_state = 'Enabled' THEN b.name || ' encryption enabled.'
- ELSE b.name || ' encryption disabled.'
- END AS reason,
- b.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_data_lake_store AS b,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = b.subscription_id;
+ language: sql
+ primary_resource: azure_data_lake_store
+ definition: |
+ SELECT
+ b.account_id AS resource,
+ b.platform_integration_id AS platform_integration_id,
+ b.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN encryption_state = 'Enabled' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN encryption_state = 'Enabled' THEN b.name || ' encryption enabled.'
+ ELSE b.name || ' encryption disabled.'
+ END AS reason,
+ b.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_data_lake_store AS b,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = b.subscription_id;
 severity: high
 tags:
- hipaa_hitrust_v92:
- - 'true'
- service:
- - Azure/DataLakeStorage
+ hipaa_hitrust_v92:
+ - "true"
+ service:
+ - Azure/DataLakeStorage
diff --git a/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml b/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
index f53d86476..cc2ef0df3 100644
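Review bot: The primary table is aliased `b` here while every other control in this change aliases it `a`; using `a` keeps `a.name`, `a.resource_group` and `a.subscription_id` reading the same across the control set and makes the queries easier to diff against each other. `encryption_state` is also referenced unqualified across a two-table `FROM`; prefer `b.encryption_state` (or `a.encryption_state` after the rename) so a future column on `azure_subscription` cannot make the reference ambiguous.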
--- a/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
@@ -1,65 +1,66 @@ id: azure_datalake_store_account_logging_enabled title: Resource logs in Azure Data Lake Store should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_data_lake_store - definition: | - WITH logging_details AS ( - SELECT DISTINCT - account_id AS account_id - FROM - azure_data_lake_store, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_data_lake_store + definition: | + WITH logging_details AS ( + SELECT DISTINCT + account_id AS account_id + FROM + azure_data_lake_store, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.account_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' - WHEN l.account_id IS NOT NULL THEN a.name || ' logging enabled.' - ELSE a.name || ' logging disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_data_lake_store AS a - LEFT JOIN logging_details AS l ON a.account_id = l.account_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.account_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' + WHEN l.account_id IS NOT NULL THEN a.name || ' logging enabled.' + ELSE a.name || ' logging disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_data_lake_store AS a + LEFT JOIN logging_details AS l ON a.account_id = l.account_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataLakeStorage + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataLakeStorage 
diff --git a/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml b/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
index 04c734259..45359a902 100644
--- a/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
+++ b/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
@@ -1,27 +1,28 @@
 id: azure_eventgrid_domain_identity_provider_enabled
 title: Event Grid domains identity provider should be enabled
+type: control
 description: Ensure that managed identity provider is enabled for Event Grid Domain. This control is non-compliant if Event Grid domain identity provider is disabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_eventgrid_domain
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN identity_type = 'None' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN identity_type = 'None' THEN a.name || ' identity provider disabled.'
- ELSE a.name || ' identity provider enabled.'
- END AS reason
- FROM
- azure_eventgrid_domain a,
- azure_subscription sub;
+ language: sql
+ primary_resource: azure_eventgrid_domain
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN identity_type = 'None' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN identity_type = 'None' THEN a.name || ' identity provider disabled.'
+ ELSE a.name || ' identity provider enabled.'
+ END AS reason
+ FROM
+ azure_eventgrid_domain a,
+ azure_subscription sub;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml b/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
index c4f727813..7eb286b25 100644
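Review bot: `FROM azure_eventgrid_domain a, azure_subscription sub;` has no join condition, so every domain row is emitted once per subscription visible to the integration — duplicate findings in any multi-subscription tenant — and `sub` is never used in the select list. Either drop `azure_subscription sub` entirely or join it the way the Data Factory controls do, `WHERE sub.subscription_id = a.subscription_id`, and then emit `sub.display_name AS subscription` and `a.resource_group AS resource_group` for parity with the other controls. The same cartesian product is present in the Event Grid domain private-link, domain restrict-public-access, topic identity-provider and topic local-auth hunks below. `identity_type = 'None'` also falls to 'ok' when the column is NULL; if a NULL means no identity is assigned, that case should alarm as well.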
--- a/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
+++ b/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
@@ -1,37 +1,38 @@ id: azure_eventgrid_domain_private_link_used title: Azure Event Grid domains should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventgrid_domain - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - WHEN private_endpoint_connections IS NULL THEN 'info' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN a.name || ' using public networks.' - WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_eventgrid_domain a, - azure_subscription sub; + language: sql + primary_resource: azure_eventgrid_domain + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + WHEN private_endpoint_connections IS NULL THEN 'info' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN a.name || ' using public networks.' + WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' + ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_eventgrid_domain a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/EventGrid + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/EventGrid diff --git a/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml b/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml index ed98042ea..032e65118 100644 --- a/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml 
@@ -1,27 +1,28 @@
 id: azure_eventgrid_domain_restrict_public_access
 title: Event Grid domains should restrict public network access
+type: control
 description: Ensure that Event Grid Domain public network access is disabled. This control is non-compliant if Event Grid domains have public network access enabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_eventgrid_domain
- definition: |
- SELECT
- a.id AS resource,
- a.platform_integration_id AS platform_integration_id,
- a.platform_resource_id AS platform_resource_id,
- CASE
- WHEN public_network_access = 'Enabled' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN public_network_access = 'Enabled' THEN a.name || ' publicly accessible.'
- ELSE a.name || ' not publicly accessible.'
- END AS reason
- FROM
- azure_eventgrid_domain a,
- azure_subscription sub;
+ language: sql
+ primary_resource: azure_eventgrid_domain
+ definition: |
+ SELECT
+ a.id AS resource,
+ a.platform_integration_id AS platform_integration_id,
+ a.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN public_network_access = 'Enabled' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN public_network_access = 'Enabled' THEN a.name || ' publicly accessible.'
+ ELSE a.name || ' not publicly accessible.'
+ END AS reason
+ FROM
+ azure_eventgrid_domain a,
+ azure_subscription sub;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml b/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
index 02acaf5ae..b2932ae22 100644
--- a/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
+++ b/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
@@ -1,27 +1,28 @@ id: azure_eventgrid_topic_identity_provider_enabled title: Event Grid topics identity provider should be enabled +type: control description: Ensure that managed identity provider is enabled for the Event Grid Topic. This control is non-compliant if Event Grid topic identity provider is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventgrid_topic - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN identity ->> 'type' = 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity ->> 'type' = 'None' THEN a.name || ' identity provider disabled.' - ELSE a.name || ' identity provider enabled.' - END AS reason - FROM - azure_eventgrid_topic a, - azure_subscription sub; + language: sql + primary_resource: azure_eventgrid_topic + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN identity ->> 'type' = 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity ->> 'type' = 'None' THEN a.name || ' identity provider disabled.' + ELSE a.name || ' identity provider enabled.' + END AS reason + FROM + azure_eventgrid_topic a, + azure_subscription sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml b/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml index b9f07f357..c37f78465 100644 --- a/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml +++ b/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml 
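Review bot: `identity ->> 'type' = 'None'` evaluates to UNKNOWN when `identity` is NULL or has no `type` key, so a topic with no identity block at all falls through to the ELSE branch and is reported as 'identity provider enabled'. Make the absent case explicit, e.g. `WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN 'alarm'`, with the matching reason branch. Whether the collector stores a missing identity as NULL or as `{"type": "None"}` is not visible here and is worth confirming before tightening.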
@@ -1,27 +1,28 @@ id: azure_eventgrid_topic_local_auth_enabled title: Event Grid topics should have local authentication enabled +type: control description: This control checks if Event Grid topics have local authentication enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventgrid_domain - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN disable_local_auth THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN disable_local_auth THEN a.name || ' local authentication disabled.' - ELSE a.name || ' local authentication enabled.' - END AS reason - FROM - azure_eventgrid_domain a, - azure_subscription sub; + language: sql + primary_resource: azure_eventgrid_domain + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN disable_local_auth THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN disable_local_auth THEN a.name || ' local authentication disabled.' + ELSE a.name || ' local authentication enabled.' + END AS reason + FROM + azure_eventgrid_domain a, + azure_subscription sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml b/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml index d47a9cbe0..2496b1a42 100644 --- a/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml +++ b/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml 
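Review bot: The control is identified and titled as an Event Grid topic check, but `primary_resource: azure_eventgrid_domain` and `FROM azure_eventgrid_domain a` both point at the domain table, so it never evaluates a single topic; the added `type: control` line does not change that. Unless the domain table is intended, both should read `azure_eventgrid_topic`, matching the topic identity-provider control in this commit. Note also that `WHEN disable_local_auth THEN 'alarm' ELSE 'ok'` reports 'ok' when the column is NULL, so an unknown value is treated as compliant.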
@@ -1,37 +1,38 @@ id: azure_eventgrid_topic_private_link_used title: Azure Event Grid topics should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventgrid_topic - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - WHEN private_endpoint_connections IS NULL THEN 'info' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN a.name || ' using public networks.' - WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_eventgrid_topic a, - azure_subscription sub; + language: sql + primary_resource: azure_eventgrid_topic + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + WHEN private_endpoint_connections IS NULL THEN 'info' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN a.name || ' using public networks.' + WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' + ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_eventgrid_topic a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/EventGrid + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/EventGrid diff --git a/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml b/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml index 1294afd6d..aba4a4360 100644 --- a/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml 
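Review bot: The private-link test `private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb` assumes a flattened key, whereas the Event Hub private-link control later in this commit reads `connection -> 'privateLinkServiceConnectionState' ->> 'status'`; if the Event Grid collector stores the nested shape, the containment check can never match and every topic with an approved endpoint lands in the ELSE 'alarm' branch. Worth confirming the column shape against the table schema and aligning the two controls on one path. If the nested form is the correct one, `EXISTS (SELECT 1 FROM jsonb_array_elements(private_endpoint_connections) c WHERE c -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved')` would mirror the Event Hub query.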
@@ -1,29 +1,30 @@ id: azure_eventhub_namespace_cmk_encryption_enabled title: Event Hub namespaces should use a customer-managed key for encryption +type: control description: Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventhub_namespace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN a.name || ' CMK encryption enabled.' - ELSE a.name || ' CMK encryption disabled.' - END AS reason - FROM - azure_eventhub_namespace AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_eventhub_namespace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption ->> 'keySource' = 'Microsoft.KeyVault' THEN a.name || ' CMK encryption enabled.' + ELSE a.name || ' CMK encryption disabled.' + END AS reason + FROM + azure_eventhub_namespace AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} 
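Review bot: This query joins `azure_subscription AS sub` but never selects from it, and unlike the sibling controls it omits the `a.resource_group AS resource_group` and `sub.display_name AS subscription` output columns. Either emit those two columns for consistency with the rest of the Azure controls or drop the join, since as written it only acts as an inner-join filter that silently hides namespaces whose subscription row is missing.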
diff --git a/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml b/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml index 1ccb72302..4624088a1 100644 --- a/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml +++ b/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml 
@@ -1,66 +1,67 @@ id: azure_eventhub_namespace_logging_enabled title: Resource logs in Event Hub should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventhub_namespace - definition: | - WITH logging_details AS ( - SELECT DISTINCT - name AS namespace_name - FROM - azure_eventhub_namespace, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_eventhub_namespace + definition: | + WITH logging_details AS ( + SELECT DISTINCT + name AS namespace_name + FROM + azure_eventhub_namespace, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.namespace_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.namespace_name IS NULL THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_eventhub_namespace AS v - LEFT JOIN - logging_details AS l ON v.name = l.namespace_name, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id; + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.namespace_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.namespace_name IS NULL THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_eventhub_namespace AS v + LEFT JOIN + logging_details AS l ON v.name = l.namespace_name, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/EventHub + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/EventHub 
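Review bot: In the second OR branch, `log -> 'retentionPolicy' ->> 'enabled' <> 'true'` and `setting -> 'properties' ->> 'storageAccountId' = ''` both yield UNKNOWN when the key is absent, so an enabled log category with no `retentionPolicy` object and no `storageAccountId` key (plausibly a workspace-only destination, if the collector omits those keys) is excluded from `logging_details` and the namespace is reported as 'logging not enabled'. Using `IS DISTINCT FROM 'true'` and `COALESCE(setting -> 'properties' ->> 'storageAccountId', '') = ''` makes the absent-key case explicit. Separately, the outer query joins the CTE on `v.name = l.namespace_name` while every other control in this commit joins on `id`; selecting `id` in the CTE and joining on it avoids relying on name uniqueness.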
diff --git a/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml b/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml index 561c44ba1..f48735859 100644 --- a/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml +++ b/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml 
@@ -1,47 +1,48 @@ id: azure_eventhub_namespace_private_link_used title: Event Hub namespaces should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventhub_namespace - definition: | - WITH eventhub_service_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_eventhub_namespace AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_tier = 'Basic' THEN 'skip' - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_eventhub_namespace AS a - LEFT JOIN eventhub_service_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_eventhub_namespace + definition: | + WITH eventhub_service_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_eventhub_namespace AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_tier = 'Basic' THEN 'skip' + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_eventhub_namespace AS a + LEFT JOIN eventhub_service_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/EventHub + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/EventHub diff --git a/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml index e96e3c10c..bde65d4c5 100644 --- a/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml 
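Review bot: A namespace with an approved private endpoint is reported 'ok' even if public network access is still enabled, whereas the Event Grid private-link controls in this commit test `public_network_access = 'Enabled'` before the endpoint check. If `azure_eventhub_namespace` exposes the equivalent property (a public-network-access column or the network rule set's `defaultAction`), a leading WHEN for it would close that gap. Minor wording: `' not uses private link.'` reads better as `' does not use private link.'`.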
@@ -1,45 +1,46 @@ id: azure_eventhub_namespace_use_virtual_service_endpoint title: Event Hub should use a virtual network service endpoint +type: control description: This policy audits any Event Hub not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_eventhub_namespace - definition: | - WITH eventhub_namespace_with_virtual_network AS ( - SELECT - DISTINCT a.id - FROM - azure_eventhub_namespace AS a, - jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') AS rule - WHERE - rule -> 'subnet' ->> 'id' IS NOT NULL - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not configured with virtual network service endpoint.' - ELSE a.name || ' configured with virtual network service endpoint.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_eventhub_namespace AS a - LEFT JOIN eventhub_namespace_with_virtual_network AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_eventhub_namespace + definition: | + WITH eventhub_namespace_with_virtual_network AS ( + SELECT + DISTINCT a.id + FROM + azure_eventhub_namespace AS a, + jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') AS rule + WHERE + rule -> 'subnet' ->> 'id' IS NOT NULL + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not configured with virtual network service endpoint.' 
+ ELSE a.name || ' configured with virtual network service endpoint.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_eventhub_namespace AS a + LEFT JOIN eventhub_namespace_with_virtual_network AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/EventHub + hipaa_hitrust_v92: + - "true" + service: + - Azure/EventHub diff --git a/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml b/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml index e1d8f3a33..590c1f22e 100644 --- a/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml +++ b/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml 
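Review bot: Presence of a `virtualNetworkRules` entry with a subnet id is treated as compliant, but a namespace can carry VNet rules while the rule set's `defaultAction` is still 'Allow', in which case the service endpoint is configured yet traffic from any network is still accepted. If that property is stored alongside `virtualNetworkRules`, consider `WHEN network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow' THEN 'alarm'` ahead of the existing WHEN, or state in the description that only endpoint presence is asserted. The CTE-plus-LEFT JOIN could also be a correlated `EXISTS` over `jsonb_array_elements(...)`, which is shorter and avoids the DISTINCT.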
@@ -1,45 +1,46 @@ id: azure_frontdoor_waf_enabled title: Web Application Firewall (WAF) should be enabled for Azure Front Door Service +type: control description: Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_frontdoor - definition: | - WITH frontdoor_with_waf AS ( - SELECT - DISTINCT a.front_door_id - FROM - azure_frontdoor AS a, - jsonb_array_elements(frontend_endpoints) AS endpoint - WHERE - endpoint -> 'properties' -> 'webApplicationFirewallPolicyLink' ->> 'id' IS NOT NULL - ) - SELECT - a.front_door_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.front_door_id IS NOT NULL THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN c.front_door_id IS NOT NULL THEN a.name || ' WAF enabled.' - ELSE a.name || ' WAF disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_frontdoor AS a - LEFT JOIN frontdoor_with_waf AS c ON c.front_door_id = a.front_door_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_frontdoor + definition: | + WITH frontdoor_with_waf AS ( + SELECT + DISTINCT a.front_door_id + FROM + azure_frontdoor AS a, + jsonb_array_elements(frontend_endpoints) AS endpoint + WHERE + endpoint -> 'properties' -> 'webApplicationFirewallPolicyLink' ->> 'id' IS NOT NULL + ) + SELECT + a.front_door_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.front_door_id IS NOT NULL THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN c.front_door_id IS NOT NULL THEN a.name || ' WAF enabled.' + ELSE a.name || ' WAF disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_frontdoor AS a + LEFT JOIN frontdoor_with_waf AS c ON c.front_door_id = a.front_door_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/FrontDoor + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/FrontDoor diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml index b25389460..0f1b7fa61 100644 --- a/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml 
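Review bot: The status CASE returns `'OK'` and `'ALARM'` in upper case, while every other control in this commit emits lower-case `'ok'` / `'alarm'`; if the evaluator compares status strings case-sensitively, as the uniform lower case elsewhere suggests, this control's results are never counted as either pass or fail. Change the two branches to `WHEN c.front_door_id IS NOT NULL THEN 'ok'` and `ELSE 'alarm'`.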
@@ -1,37 +1,38 @@ id: azure_hdinsight_cluster_encrypted_at_rest_with_cmk title: Azure HDInsight clusters should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_hdinsight_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN provisioning_state <> 'Succeeded' THEN 'skip' - WHEN disk_encryption_properties -> 'keyName' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' - WHEN disk_encryption_properties -> 'keyName' IS NOT NULL THEN a.name || ' encrypted with CMK.' - ELSE a.name || ' not encrypted with CMK.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_hdinsight_cluster AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_hdinsight_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN provisioning_state <> 'Succeeded' THEN 'skip' + WHEN disk_encryption_properties -> 'keyName' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' + WHEN disk_encryption_properties -> 'keyName' IS NOT NULL THEN a.name || ' encrypted with CMK.' + ELSE a.name || ' not encrypted with CMK.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_hdinsight_cluster AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HDInsight + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HDInsight diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml index 6e867ad40..3c93fc3da 100644 --- a/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml 
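Review bot: `disk_encryption_properties -> 'keyName' IS NOT NULL` uses the `->` operator, which returns the jsonb value `null` (not SQL NULL) when the key is present with a JSON null, so a cluster whose disk encryption block carries `"keyName": null` is reported as 'encrypted with CMK'. Use the text operator, `WHEN disk_encryption_properties ->> 'keyName' IS NOT NULL THEN 'ok'`, in both the status and reason branches. The same `-> ... IS NOT NULL` pattern appears in the FHIR CMK control's `cosmos_db_configuration -> 'keyVaultKeyUri'` check later in this diff.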
@@ -1,37 +1,38 @@ id: azure_hdinsight_cluster_encryption_at_host_enabled title: Azure HDInsight clusters should use encryption at host to encrypt data at rest +type: control description: Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_hdinsight_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN provisioning_state <> 'Succeeded' THEN 'skip' - WHEN disk_encryption_properties -> 'encryptionAtHost' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' - WHEN disk_encryption_properties -> 'encryptionAtHost' = 'true' THEN a.name || ' uses encryption at host to encrypt data at rest.' - ELSE a.name || ' not uses encryption at host to encrypt data at rest.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_hdinsight_cluster AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_hdinsight_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN provisioning_state <> 'Succeeded' THEN 'skip' + WHEN disk_encryption_properties -> 'encryptionAtHost' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' 
+ WHEN disk_encryption_properties -> 'encryptionAtHost' = 'true' THEN a.name || ' uses encryption at host to encrypt data at rest.' + ELSE a.name || ' not uses encryption at host to encrypt data at rest.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_hdinsight_cluster AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HDInsight + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HDInsight diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml index 9a01b8134..5745fa5b5 100644 --- a/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml 
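Review bot: `disk_encryption_properties -> 'encryptionAtHost' = 'true'` compares a jsonb value against a jsonb literal, so it matches only a JSON boolean `true`; if the collector stores the flag as the string `"true"` the comparison is false and the cluster is reported as not encrypted at host, and a missing key yields UNKNOWN and falls to 'alarm' as well. `disk_encryption_properties ->> 'encryptionAtHost' = 'true'` accepts both encodings. The encryption-in-transit control in the next hunk has the same `-> 'isEncryptionInTransitEnabled' = 'true'` comparison, and both reason strings would read better as `' does not use encryption at host ...'` instead of `' not uses ...'`.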
@@ -1,37 +1,38 @@ id: azure_hdinsight_cluster_encryption_in_transit_enabled title: Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes +type: control description: Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_hdinsight_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN provisioning_state <> 'Succeeded' THEN 'skip' - WHEN encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' - WHEN encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' THEN a.name || ' encryption in transit enabled.' - ELSE a.name || ' encryption in transit disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_hdinsight_cluster AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_hdinsight_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN provisioning_state <> 'Succeeded' THEN 'skip' + WHEN encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN provisioning_state <> 'Succeeded' THEN a.name || ' is in ' || provisioning_state || ' state.' 
+ WHEN encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' THEN a.name || ' encryption in transit enabled.' + ELSE a.name || ' encryption in transit disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_hdinsight_cluster AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HDInsight + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HDInsight diff --git a/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml index 740df2738..52b876b3a 100644 --- a/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml 
@@ -1,36 +1,37 @@ id: azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk title: Azure API for FHIR should use a customer-managed key to encrypt data at rest +type: control description: Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_healthcare_service - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN cosmos_db_configuration -> 'keyVaultKeyUri' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN cosmos_db_configuration -> 'keyVaultKeyUri' IS NOT NULL - THEN a.name || ' encrypted with CMK.' - ELSE a.name || ' not encrypted with CMK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_healthcare_service AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_healthcare_service + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN cosmos_db_configuration -> 'keyVaultKeyUri' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN cosmos_db_configuration -> 'keyVaultKeyUri' IS NOT NULL + THEN a.name || ' encrypted with CMK.' + ELSE a.name || ' not encrypted with CMK.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_healthcare_service AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HealthcareAPIs + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HealthcareAPIs diff --git a/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml b/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml index 145ca1b64..9e08e10e1 100644 --- a/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml +++ b/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml 
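Review bot: The CMK test in the new `status` CASE, `cosmos_db_configuration -> 'keyVaultKeyUri' IS NOT NULL`, treats a JSON `null` as present, because `->` only yields SQL NULL when the key is absent; a service returned with `"keyVaultKeyUri": null` would be reported as `encrypted with CMK`. Use the text operator and reject the empty string in both CASEs: `WHEN cosmos_db_configuration ->> 'keyVaultKeyUri' IS NOT NULL AND cosmos_db_configuration ->> 'keyVaultKeyUri' <> '' THEN 'ok'`. Whether the API actually emits an explicit null for this property is inferred from the ARM shape rather than visible in the diff, but the `->>` form is correct either way.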
@@ -1,35 +1,36 @@ id: azure_healthcare_fhir_uses_private_link title: Azure API for FHIR should use private link +type: control description: Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_healthcare_service - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN private_endpoint_connections IS NULL THEN 'info' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_healthcare_service a, - azure_subscription sub; + language: sql + primary_resource: azure_healthcare_service + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN private_endpoint_connections IS NULL THEN 'info' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb THEN a.name || ' using private link.' + ELSE a.name || ' not using private link.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_healthcare_service a, + azure_subscription sub; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HealthcareAPIs + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HealthcareAPIs diff --git a/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml index dbfc0e2ca..3a9a6e57c 100644 --- a/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml 
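Review bot: The new `FROM azure_healthcare_service a, azure_subscription sub;` has no join predicate, unlike every sibling control in this change, which ends with `WHERE sub.subscription_id = a.subscription_id`; each service row is therefore cross-joined with every subscription and the `subscription` column can carry another subscription's display name. Add `WHERE sub.subscription_id = a.subscription_id;` before the terminator. Separately, a service whose `private_endpoint_connections IS NULL` is reported as `info` although the title and description require at least one approved private endpoint; `'alarm'` with reason `' no private endpoint connection exists.'` would match the stated intent. The containment `@> '[{"privateLinkServiceConnectionState": "Approved"}]'` also assumes the state is a flat string; if the column keeps the ARM shape with `{"status": "Approved"}` nested under that key the match never succeeds, which is worth confirming against a real row.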
@@ -1,41 +1,42 @@ id: azure_hpc_cache_encrypted_with_cmk title: HPC Cache accounts should use customer-managed key for encryption +type: control description: Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_hpc_cache - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' IS NOT NULL - AND a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' IS NOT NULL - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' IS NOT NULL - AND a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' IS NOT NULL - THEN a.name || ' encrypted with CMK.' - ELSE a.name || ' not encrypted with CMK.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_hpc_cache AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_hpc_cache + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' IS NOT NULL + AND a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' IS NOT NULL + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' IS NOT NULL + AND a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' IS NOT NULL + THEN a.name || ' encrypted with CMK.' + ELSE a.name || ' not encrypted with CMK.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_hpc_cache AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/HPCCache + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/HPCCache diff --git a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml index 56ab13cf3..7c9910701 100644 --- a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml 
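Review bot: `a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' IS NOT NULL` in both CASEs treats a JSON `null` as a configured key, because `->` only returns SQL NULL when the key is missing; a cache whose settings carry an explicit `"keyUrl": null` would pass as CMK-encrypted. Switch the last hop to the text operator and guard the empty string: `a.encryption_settings -> 'keyEncryptionKey' ->> 'keyUrl' IS NOT NULL AND a.encryption_settings -> 'keyEncryptionKey' ->> 'keyUrl' <> ''`, and the same for `sourceVault ->> 'id'`. Whether ARM emits explicit nulls for this property is not visible in the diff, so treat this as hardening rather than a confirmed false negative.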
@@ -1,46 +1,47 @@ id: azure_iam_conditional_access_mfa_enabled title: Ensure Multi-factor Authentication is required for Azure Management +type: control description: For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_conditional_access_policy - definition: | - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' - ELSE p.display_name || ' MFA disabled.' - END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - entraid_conditional_access_policy AS p; + language: sql + primary_resource: entraid_conditional_access_policy + definition: | + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.built_in_controls @> '["mfa"]' THEN p.display_name || ' MFA enabled.' + ELSE p.display_name || ' MFA disabled.' + END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + entraid_conditional_access_policy AS p; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 1.2.6 - cis_level: - - '1' - cis_section_id: - - '1.2' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory + category: + - Compliance + cis: + - "true" + cis_item_id: + - 1.2.6 + cis_level: + - "1" + cis_section_id: + - "1.2" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory 
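Review bot: The new status logic marks a conditional access policy `ok` solely on `p.built_in_controls @> '["mfa"]'`, without checking that the policy is enabled or that it targets Azure management, so a policy left disabled or in report-only mode, or one scoped to an unrelated application, is reported as `MFA enabled` and gives false coverage for CIS 1.2.6. If `entraid_conditional_access_policy` exposes the policy state and target applications (the column names are not visible here), fold them in, e.g. `WHEN p.state = 'enabled' AND p.built_in_controls @> '["mfa"]' THEN 'ok'`, and consider scoring per tenant (at least one qualifying policy) instead of alarming every policy that happens not to require MFA. `FROM azure_tenant AS t, entraid_conditional_access_policy AS p` is a cross join with no predicate on `t.tenant_id`, so every policy row is repeated once per tenant row; join on the policy's tenant column if one exists.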
diff --git a/compliance/controls/azure/azure_iam_deprecated_account.yaml b/compliance/controls/azure/azure_iam_deprecated_account.yaml index a0bc5921f..41acc3b61 100644 --- a/compliance/controls/azure/azure_iam_deprecated_account.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account.yaml 
@@ -1,52 +1,53 @@ id: azure_iam_deprecated_account title: Blocked accounts with read and write permissions on Azure resources should be removed +type: control description: Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH disabled_users AS ( - SELECT - DISTINCT - u.display_name, - u.account_enabled, - u.user_principal_name, - u.id, - d.subscription_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - NOT u.account_enabled - ) - SELECT - u.user_principal_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN d.id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.id IS NULL THEN u.display_name || ' sign-in enabled.' - ELSE u.display_name || ' sign-in disabled.' - END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - entraid_user AS u - LEFT JOIN disabled_users AS d ON d.id = u.id; + language: sql + primary_resource: entraid_user + definition: | + WITH disabled_users AS ( + SELECT + DISTINCT + u.display_name, + u.account_enabled, + u.user_principal_name, + u.id, + d.subscription_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + NOT u.account_enabled + ) + SELECT + u.user_principal_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN d.id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.id IS NULL THEN u.display_name || ' sign-in enabled.' + ELSE u.display_name || ' sign-in disabled.' 
+ END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + entraid_user AS u + LEFT JOIN disabled_users AS d ON d.id = u.id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml index cad3ac110..c4b15be3f 100644 --- a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml 
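Review bot: The `disabled_users` CTE uses `LEFT JOIN azure_role_assignment` and `LEFT JOIN azure_role_definition` and never requires a match, so every disabled user is alarmed whether or not they hold any Azure role, although the title restricts this control to blocked accounts with read and write permissions on Azure resources. Make the assignment mandatory, e.g. `INNER JOIN azure_role_assignment AS a ON a.principal_id = u.id`, and filter `d.role_name` to the roles the control intends. Because the CTE also projects `d.subscription_id` under `DISTINCT`, a disabled user with assignments in several subscriptions yields several CTE rows and therefore duplicate result rows after `LEFT JOIN disabled_users AS d ON d.id = u.id`; dropping `d.subscription_id` from the CTE fixes that. The outer `FROM azure_tenant AS t, entraid_user AS u` is likewise an unfiltered cross join.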
@@ -1,40 +1,41 @@ id: azure_iam_deprecated_account_with_owner_roles title: Blocked accounts with owner permissions on Azure resources should be removed +type: control description: Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - SELECT DISTINCT - u.user_principal_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT u.account_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT u.account_enabled THEN u.display_name || ' signing-in disabled state with ' || d.role_name || ' role.' - ELSE u.display_name || ' signing-in enabled.' - END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - d.role_name = 'Owner'; + language: sql + primary_resource: entraid_user + definition: | + SELECT DISTINCT + u.user_principal_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT u.account_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT u.account_enabled THEN u.display_name || ' signing-in disabled state with ' || d.role_name || ' role.' + ELSE u.display_name || ' signing-in enabled.' 
+ END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + d.role_name = 'Owner'; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml index 5a273a9db..9b4d71cf5 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml 
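Review bot: `WHERE d.role_name = 'Owner'` turns the two `LEFT JOIN`s above it into inner joins, so the `LEFT` is misleading; `INNER JOIN azure_role_assignment AS a ON a.principal_id = u.id` and `INNER JOIN azure_role_definition AS d ON d.id = a.role_definition_id` state the intent. The match is by display name only, so a custom role that happens to be named `Owner` is counted and the built-in is not distinguished; since `azure_role_definition.role_type` is used by the sibling `azure_iam_no_custom_role` control, `AND d.role_type = 'BuiltInRole'` would tighten this. `FROM azure_tenant AS t, entraid_user AS u` carries no predicate on the tenant, so each result row is repeated per tenant row.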
@@ -1,52 +1,53 @@ id: azure_iam_external_user_with_owner_role title: Guest accounts with owner permissions on Azure resources should be removed +type: control description: External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH all_owner_users AS ( - SELECT DISTINCT - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - d.role_name = 'Owner' - ) - SELECT - a.user_principal_name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' - ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - all_owner_users AS a; + language: sql + primary_resource: entraid_user + definition: | + WITH all_owner_users AS ( + SELECT DISTINCT + u.display_name, + d.role_name, + u.account_enabled, + u.user_principal_name, + d.subscription_id, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + d.role_name = 'Owner' + ) + SELECT + a.user_principal_name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' + ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' + END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + all_owner_users AS a; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml index 02bb82bab..6294ddf9d 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml 
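Review bot: Guest detection in the new status CASE relies on `a.user_principal_name LIKE '%EXT%'`, a case-sensitive substring test that matches any UPN containing `EXT` and does not even anchor on the actual B2B marker `#EXT#`; it is a naming convention, not the directory's guest flag. Prefer the user type if `entraid_user` exposes it, e.g. `WHEN a.user_type = 'Guest' THEN 'alarm'` with `u.user_type` carried through the CTE, and otherwise tighten the pattern to `LIKE '%#EXT#%'`. The CTE also keys its `DISTINCT` on `d.subscription_id`, so one guest owner with assignments in several subscriptions produces several rows for the same `resource`, and the `FROM azure_tenant AS t, all_owner_users AS a` cross join multiplies them further.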
@@ -1,51 +1,52 @@ id: azure_iam_external_user_with_read_permission title: Guest accounts with read permissions on Azure resources should be removed +type: control description: External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH all_write_permission_users AS ( - SELECT DISTINCT - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE d.role_name = 'Reader' - ) - SELECT - a.user_principal_name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' - ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - all_write_permission_users AS a; + language: sql + primary_resource: entraid_user + definition: | + WITH all_write_permission_users AS ( + SELECT DISTINCT + u.display_name, + d.role_name, + u.account_enabled, + u.user_principal_name, + d.subscription_id, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE d.role_name = 'Reader' + ) + SELECT + a.user_principal_name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' + ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' + END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + all_write_permission_users AS a; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml index 069212c10..3affd8f4c 100644 --- a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml 
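Review bot: The CTE is named `all_write_permission_users` but filters `WHERE d.role_name = 'Reader'`, which will mislead the next reader; rename it to `all_read_permission_users` in both places. As in the sibling owner control, `a.user_principal_name LIKE '%EXT%'` is a loose, case-sensitive substring match; use the directory's guest attribute where available (`WHEN a.user_type = 'Guest' THEN 'alarm'`) or at least `LIKE '%#EXT#%'`. Only the built-in `Reader` name is considered, so a guest holding a custom read-only role is reported as a domain user with no finding; if that is intentional, say so in `description`.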
@@ -1,53 +1,54 @@ id: azure_iam_external_user_with_write_permission title: Guest accounts with write permissions on Azure resources should be removed +type: control description: External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH all_write_permission_users AS ( - SELECT - DISTINCT - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - d.role_name = ANY(ARRAY['Owner', 'Contributor']) - ) - SELECT - a.user_principal_name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' - ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - all_write_permission_users AS a; + language: sql + primary_resource: entraid_user + definition: | + WITH all_write_permission_users AS ( + SELECT + DISTINCT + u.display_name, + d.role_name, + u.account_enabled, + u.user_principal_name, + d.subscription_id, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + d.role_name = ANY(ARRAY['Owner', 'Contributor']) + ) + SELECT + a.user_principal_name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.user_principal_name LIKE '%EXT%' THEN a.display_name || ' is external user with ' || a.role_name || ' role.' + ELSE a.display_name || ' is domain user with ' || a.role_name || ' role.' + END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + all_write_permission_users AS a; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_no_custom_role.yaml b/compliance/controls/azure/azure_iam_no_custom_role.yaml index aec299f4a..f63a860f9 100644 --- a/compliance/controls/azure/azure_iam_no_custom_role.yaml +++ b/compliance/controls/azure/azure_iam_no_custom_role.yaml 
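Review bot: `d.role_name = ANY(ARRAY['Owner', 'Contributor'])` reduces "write permissions" to two built-in role names, so a guest holding `User Access Administrator`, another write-capable built-in, or a custom role granting `*/write` actions is reported with no finding; the sibling custom-owner-role control already unpacks `azure_role_definition.permissions`, so a test on write actions there is feasible, or the limitation should be stated in `description`. The guest test `a.user_principal_name LIKE '%EXT%'` is a case-sensitive substring match rather than the directory's guest attribute; `WHEN a.user_type = 'Guest' THEN 'alarm'` (if the column exists) or `LIKE '%#EXT#%'` is more precise. `FROM azure_tenant AS t, all_write_permission_users AS a` is a cross join with no tenant predicate.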
@@ -1,54 +1,55 @@ id: azure_iam_no_custom_role title: Audit usage of custom RBAC roles +type: control description: Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH custom_roles AS ( - SELECT - role_name, - role_type, - subscription_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx - FROM - azure_role_definition - WHERE - role_type = 'CustomRole' - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - 'There are ' || COUNT(*) || ' custom roles.' AS reason, - sub.display_name AS subscription - FROM - custom_roles AS cr, - azure_subscription AS sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr._ctx, - sub.display_name, - cr.platform_integration_id, - cr.platform_resource_id + language: sql + primary_resource: azure_subscription + definition: | + WITH custom_roles AS ( + SELECT + role_name, + role_type, + subscription_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx + FROM + azure_role_definition + WHERE + role_type = 'CustomRole' + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + 'There are ' || COUNT(*) || ' custom roles.' 
AS reason, + sub.display_name AS subscription + FROM + custom_roles AS cr, + azure_subscription AS sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr._ctx, + sub.display_name, + cr.platform_integration_id, + cr.platform_resource_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml b/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml index ecd55da27..1a77f2e29 100644 --- a/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml +++ b/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml 
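Review bot: The `ELSE 'ok'` branch of the new `status` CASE is unreachable: the query drives from `custom_roles`, so a subscription with no custom roles produces no row at all and the control never reports `ok`, while any subscription that does appear necessarily has `COUNT(*) > 0`. Drive from `azure_subscription` and left-join the CTE so every subscription is scored, counting only matched roles. Whether the `platform_*` identifiers must then come from the subscription row, as below, or from the role row is a collector contract that is not visible here.
```sql
-- … unchanged: custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  'There are ' || COUNT(cr.role_name) || ' custom roles.' AS reason,
  sub.display_name AS subscription
FROM
  azure_subscription AS sub
  LEFT JOIN custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.display_name
```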
@@ -1,73 +1,74 @@ id: azure_iam_no_custom_subscription_owner_roles_created title: Ensure that no Custom Subscription Administrator roles exist +type: control description: The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH owner_custom_roles AS ( - SELECT - role_name, - role_type, - title, - action, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - subscription_id - FROM - azure_role_definition, - jsonb_array_elements(permissions) AS s, - jsonb_array_elements_text(s -> 'actions') AS action - WHERE - role_type = 'CustomRole' - AND action IN ('*', '*:*') - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' - WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' - ELSE 'There are no custom owner roles.' 
- END AS reason, - sub.display_name AS subscription - FROM - owner_custom_roles cr, - azure_subscription sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr.platform_integration_id, - cr.platform_resource_id, - cr._ctx, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH owner_custom_roles AS ( + SELECT + role_name, + role_type, + title, + action, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + subscription_id + FROM + azure_role_definition, + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action + WHERE + role_type = 'CustomRole' + AND action IN ('*', '*:*') + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(*) = 1 THEN 'There is one custom owner role.' + WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' custom owner roles.' + ELSE 'There are no custom owner roles.' + END AS reason, + sub.display_name AS subscription + FROM + owner_custom_roles cr, + azure_subscription sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr.platform_integration_id, + cr.platform_resource_id, + cr._ctx, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.21' - cis_level: - - '2' - cis_section_id: - - '1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/ActiveDirectory + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.21" + cis_level: + - "2" + cis_section_id: + - "1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/ActiveDirectory 
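Review bot: The `ELSE 'ok'` status and the `'There are no custom owner roles.'` reason can never be emitted: the query drives from `owner_custom_roles`, so a compliant subscription simply has no row, and every subscription that appears has `COUNT(*) > 0`. `COUNT(*)` also counts one row per unpacked action, so a role with `'*'` in more than one permission block is counted more than once; count distinct roles instead. CIS 1.21 is about roles assignable at subscription scope, and `assignable_scopes` is not consulted here — worth adding if the column is available. Driving from `azure_subscription` fixes the first two points:
```sql
-- … unchanged: owner_custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(DISTINCT cr.role_name) = 1 THEN 'There is one custom owner role.'
    WHEN COUNT(DISTINCT cr.role_name) > 1 THEN 'There are ' || COUNT(DISTINCT cr.role_name) || ' custom owner roles.'
    ELSE 'There are no custom owner roles.'
  END AS reason,
  sub.display_name AS subscription
FROM
  azure_subscription AS sub
  LEFT JOIN owner_custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id,
  sub.display_name
```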
diff --git a/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml b/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml index c6b79af9a..aa8d035ab 100644 --- a/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml +++ b/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml 
@@ -1,60 +1,61 @@ id: azure_iam_subscription_owner_max_3 title: A maximum of 3 owners should be designated for your subscription +type: control description: It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH owner_roles AS ( - SELECT - d.role_name, - d.role_type, - d.name, - d.title, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - d._ctx, - d.subscription_id - FROM - azure_role_definition AS d - LEFT JOIN - azure_role_assignment AS a - ON - d.id = a.role_definition_id - WHERE - d.role_name = 'Owner' - ) - SELECT - owner.subscription_id AS resource, - owner.platform_integration_id AS platform_integration_id, - owner.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) <= 3 THEN 'ok' - ELSE 'alarm' - END AS status, - COUNT(*) || ' owner(s) associated.' 
AS reason, - sub.display_name AS subscription - FROM - owner_roles AS owner, - azure_subscription AS sub - WHERE - sub.subscription_id = owner.subscription_id - GROUP BY - owner.subscription_id, - owner.platform_integration_id, - owner.platform_resource_id, - owner._ctx, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH owner_roles AS ( + SELECT + d.role_name, + d.role_type, + d.name, + d.title, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + d._ctx, + d.subscription_id + FROM + azure_role_definition AS d + LEFT JOIN + azure_role_assignment AS a + ON + d.id = a.role_definition_id + WHERE + d.role_name = 'Owner' + ) + SELECT + owner.subscription_id AS resource, + owner.platform_integration_id AS platform_integration_id, + owner.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) <= 3 THEN 'ok' + ELSE 'alarm' + END AS status, + COUNT(*) || ' owner(s) associated.' AS reason, + sub.display_name AS subscription + FROM + owner_roles AS owner, + azure_subscription AS sub + WHERE + sub.subscription_id = owner.subscription_id + GROUP BY + owner.subscription_id, + owner.platform_integration_id, + owner.platform_resource_id, + owner._ctx, + sub.display_name severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml b/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml index 52e8d6adb..e601264bd 100644 --- a/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml +++ b/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml 
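Review bot: In the owner_roles CTE the LEFT JOIN to azure_role_assignment keeps the 'Owner' definition row even when no assignment matches, so a subscription with zero owners still contributes one row and the outer query reports `1 owner(s) associated.`; the identical CTE and aggregate appear in the azure_iam_subscription_owner_more_than_1 hunk that follows, where the reason is wrong for the same case. COUNT(*) also counts assignment rows rather than identities, so one principal holding Owner at several scopes is presumably counted several times (scope is not visible in the hunk). Add `a.principal_id,` to the CTE's select list and replace both aggregates with `COUNT(DISTINCT owner.principal_id)`, which ignores the NULL left by an unmatched LEFT JOIN and yields 0 for a subscription with no owner, which is what both thresholds need.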
@@ -1,55 +1,56 @@ id: azure_iam_subscription_owner_more_than_1 title: There should be more than one owner assigned to your subscription +type: control description: It is recommended to designate more than one subscription owner in order to have administrator access redundancy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH owner_roles AS ( - SELECT - d.role_name, - d.role_type, - d.name, - d.title, - d.platform_integration_id AS platform_integration_id, - d.platform_resource_id AS platform_resource_id, - d._ctx, - d.subscription_id - FROM - azure_role_definition AS d - LEFT JOIN azure_role_assignment AS a ON d.id = a.role_definition_id - WHERE - d.role_name = 'Owner' - ) - SELECT - owner.subscription_id AS resource, - owner.platform_integration_id AS platform_integration_id, - owner.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - COUNT(*) || ' owner(s) associated.' 
AS reason, - sub.display_name AS subscription - FROM - owner_roles AS owner, - azure_subscription AS sub - WHERE - sub.subscription_id = owner.subscription_id - GROUP BY - owner.subscription_id, - owner.platform_integration_id, - owner.platform_resource_id, - owner._ctx, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH owner_roles AS ( + SELECT + d.role_name, + d.role_type, + d.name, + d.title, + d.platform_integration_id AS platform_integration_id, + d.platform_resource_id AS platform_resource_id, + d._ctx, + d.subscription_id + FROM + azure_role_definition AS d + LEFT JOIN azure_role_assignment AS a ON d.id = a.role_definition_id + WHERE + d.role_name = 'Owner' + ) + SELECT + owner.subscription_id AS resource, + owner.platform_integration_id AS platform_integration_id, + owner.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + COUNT(*) || ' owner(s) associated.' AS reason, + sub.display_name AS subscription + FROM + owner_roles AS owner, + azure_subscription AS sub + WHERE + sub.subscription_id = owner.subscription_id + GROUP BY + owner.subscription_id, + owner.platform_integration_id, + owner.platform_resource_id, + owner._ctx, + sub.display_name severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ActiveDirectory + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml index b04e93cb4..88a074a16 100644 --- a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml +++ b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml 
@@ -1,55 +1,56 @@ id: azure_iam_subscriptions_with_custom_roles_no_overly_permissive title: Subscriptions with custom roles should not be overly permissive +type: control description: This policy identifies azure subscriptions with custom roles that are overly permissive. Least privilege access rule should be followed and only necessary privileges should be assigned instead of allowing full administrative access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_role_definition - definition: | - WITH custom_roles AS ( - SELECT - role_name, - role_type, - platform_integration_id, - platform_resource_id, - title, - action, - _ctx, - subscription_id - FROM - azure_role_definition, - jsonb_array_elements(permissions) AS s, - jsonb_array_elements_text(s -> 'actions') AS action - WHERE - role_type = 'CustomRole' - AND assignable_scopes @> '["/"]' - AND action IN ('*', '*:*') - ) - SELECT - cr.subscription_id AS resource, - cr.platform_integration_id AS platform_integration_id, - cr.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(*) > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(*) = 1 THEN 'There is one subscription where custom roles are overly permissive.' - WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' subscriptions where custom roles are overly permissive.' - ELSE 'There is no subscription where custom roles are overly permissive.' 
- END AS reason - FROM - custom_roles cr, - azure_subscription sub - WHERE - sub.subscription_id = cr.subscription_id - GROUP BY - cr.subscription_id, - cr._ctx, - cr.platform_integration_id, - cr.platform_resource_id, - sub.display_name; + language: sql + primary_resource: azure_role_definition + definition: | + WITH custom_roles AS ( + SELECT + role_name, + role_type, + platform_integration_id, + platform_resource_id, + title, + action, + _ctx, + subscription_id + FROM + azure_role_definition, + jsonb_array_elements(permissions) AS s, + jsonb_array_elements_text(s -> 'actions') AS action + WHERE + role_type = 'CustomRole' + AND assignable_scopes @> '["/"]' + AND action IN ('*', '*:*') + ) + SELECT + cr.subscription_id AS resource, + cr.platform_integration_id AS platform_integration_id, + cr.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(*) > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(*) = 1 THEN 'There is one subscription where custom roles are overly permissive.' + WHEN COUNT(*) > 1 THEN 'There are ' || COUNT(*) || ' subscriptions where custom roles are overly permissive.' + ELSE 'There is no subscription where custom roles are overly permissive.' + END AS reason + FROM + custom_roles cr, + azure_subscription sub + WHERE + sub.subscription_id = cr.subscription_id + GROUP BY + cr.subscription_id, + cr._ctx, + cr.platform_integration_id, + cr.platform_resource_id, + sub.display_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml index c5bde65f5..b79ea5d7d 100644 --- a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml +++ b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml 
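Review bot: The `ELSE 'ok'` branch of the status CASE is unreachable: custom_roles only holds rows that already matched `action IN ('*', '*:*')` and the comma join with azure_subscription is an inner join, so every group has COUNT(*) > 0 and a subscription with no overly permissive custom role produces no row at all rather than an ok result. The reason text also miscounts — the query groups by cr.subscription_id, so COUNT(*) is the number of wildcard actions found in that one subscription, not a number of subscriptions. Driving the outer query from azure_subscription with a LEFT JOIN and a NULL-ignoring count gives every subscription a row; the `primary_resource: azure_role_definition` line then disagrees with `resource` being the subscription id and is worth settling in the same change.
```sql
-- … unchanged: custom_roles CTE …
SELECT
  sub.subscription_id AS resource,
  sub.platform_integration_id AS platform_integration_id,
  sub.platform_resource_id AS platform_resource_id,
  CASE
    WHEN COUNT(cr.subscription_id) > 0 THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN COUNT(cr.subscription_id) = 1 THEN 'There is one overly permissive custom role action in this subscription.'
    WHEN COUNT(cr.subscription_id) > 1 THEN 'There are ' || COUNT(cr.subscription_id) || ' overly permissive custom role actions in this subscription.'
    ELSE 'There is no overly permissive custom role in this subscription.'
  END AS reason
FROM
  azure_subscription AS sub
  LEFT JOIN custom_roles AS cr ON cr.subscription_id = sub.subscription_id
GROUP BY
  sub.subscription_id,
  sub.platform_integration_id,
  sub.platform_resource_id;
```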
@@ -1,51 +1,52 @@ id: azure_iam_user_no_built_in_contributor_role title: IAM users should not have built in contributor role +type: control description: Ensure that IAM user does not have built in contributor role. This rule is non-compliant if IAM user have built in contributor role. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_user - definition: | - WITH all_contributor_permission_users AS ( - SELECT - DISTINCT - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id - FROM - entraid_user AS u - LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id - LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id - WHERE - d.role_name = 'Contributor' - ), distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - u.user_principal_name AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN c.user_principal_name IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.user_principal_name IS NOT NULL THEN u.display_name || ' has contributor role assigned.' - ELSE u.display_name || ' does not have contributor role assigned.' 
- END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_user AS u - LEFT JOIN all_contributor_permission_users AS c ON c.user_principal_name = u.user_principal_name; + language: sql + primary_resource: entraid_user + definition: | + WITH all_contributor_permission_users AS ( + SELECT + DISTINCT + u.display_name, + d.role_name, + u.account_enabled, + u.user_principal_name, + d.subscription_id + FROM + entraid_user AS u + LEFT JOIN azure_role_assignment AS a ON a.principal_id = u.id + LEFT JOIN azure_role_definition AS d ON d.id = a.role_definition_id + WHERE + d.role_name = 'Contributor' + ), distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + u.user_principal_name AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN c.user_principal_name IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.user_principal_name IS NOT NULL THEN u.display_name || ' has contributor role assigned.' + ELSE u.display_name || ' does not have contributor role assigned.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_user AS u + LEFT JOIN all_contributor_permission_users AS c ON c.user_principal_name = u.user_principal_name; severity: low tags: {} diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml index 4d8eabc26..7183308a7 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml +++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml 
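Review bot: The outer FROM is a comma join between distinct_tenant and entraid_user with no join condition, and distinct_tenant is DISTINCT over (tenant_id, subscription_id, _ctx), so each user is emitted once per subscription row of azure_tenant instead of once; only t.tenant_id is read, so `SELECT DISTINCT tenant_id FROM azure_tenant` as the CTE body removes the multiplication. The same unconditioned join against azure_tenant is in the next three authorization-policy hunks (security groups, create tenants, register applications), where it repeats the single policy row. Separately, the title says built-in Contributor but the CTE filters on `d.role_name = 'Contributor'` only, so a custom role given that name would match; add `AND d.role_type = 'BuiltInRole'`, role_type being the column the neighbouring custom-role controls filter on 'CustomRole'. Whether azure_tenant really carries one row per subscription cannot be confirmed from the hunk, but the CTE's column list suggests it.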
@@ -1,46 +1,47 @@ id: azure_iam_user_not_allowed_to_create_security_group title: Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' +type: control description: Restrict security group creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' - ELSE a.display_name || ' allows user to create security groups.' - END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' THEN a.display_name || ' does not allow user to create security groups.' + ELSE a.display_name || ' allows user to create security groups.' 
+ END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + entraid_authorization_policy AS a; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.19' - cis_level: - - '2' - cis_section_id: - - '1' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.19" + cis_level: + - "2" + cis_section_id: + - "1" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml index 4b4952e63..7429c3575 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml +++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml 
@@ -1,36 +1,37 @@ id: azure_iam_user_not_allowed_to_create_tenants title: Ensure that 'Users Can Create Tenants' is set to 'No' +type: control description: Restrict tenant creation to administrators only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - WITH distinct_tenant AS ( - SELECT - DISTINCT tenant_id, - subscription_id, - _ctx - FROM - azure_tenant - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' THEN a.display_name || ' allows user to create tenants.' - ELSE a.display_name || ' restricts the user to create tenants.' - END AS reason, - t.tenant_id - FROM - distinct_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + WITH distinct_tenant AS ( + SELECT + DISTINCT tenant_id, + subscription_id, + _ctx + FROM + azure_tenant + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'true' THEN a.display_name || ' allows user to create tenants.' + ELSE a.display_name || ' restricts the user to create tenants.' + END AS reason, + t.tenant_id + FROM + distinct_tenant AS t, + entraid_authorization_policy AS a; severity: low tags: {} 
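Review bot: The status CASE is fail-open: `->> 'allowedToCreateTenants' = 'true'` is UNKNOWN when the key is absent or default_user_role_permissions is NULL, so a policy the collector could not read is reported ok with the reason "restricts the user to create tenants". The two sibling authorization-policy controls in this diff (security groups, application registration) test `= 'false' THEN 'ok' ELSE 'alarm'` and therefore fail closed; align this one with `WHEN a.default_user_role_permissions ->> 'allowedToCreateTenants' = 'false' THEN 'ok'` / `ELSE 'alarm'` and swap the two reason branches to match.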
diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml index 9a8449254..7d195dc3d 100644 --- a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml +++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml 
@@ -1,47 +1,48 @@ id: azure_iam_user_not_allowed_to_register_application title: Ensure that 'Users Can Register Applications' is set to 'No' +type: control description: Require administrators or appropriately delegated users to register third-party applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: entraid_authorization_policy - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' - THEN a.display_name || ' does not allow user to register applications.' - ELSE a.display_name || ' allows user to register applications.' - END AS reason, - t.tenant_id - FROM - azure_tenant AS t, - entraid_authorization_policy AS a; + language: sql + primary_resource: entraid_authorization_policy + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' + THEN a.display_name || ' does not allow user to register applications.' + ELSE a.display_name || ' allows user to register applications.' 
+ END AS reason, + t.tenant_id + FROM + azure_tenant AS t, + entraid_authorization_policy AS a; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '1.14' - cis_level: - - '1' - cis_section_id: - - '1' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory + category: + - Compliance + cis: + - "true" + cis_item_id: + - "1.14" + cis_level: + - "1" + cis_section_id: + - "1" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory diff --git a/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml index e43065800..6872480f9 100644 --- a/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml 
@@ -1,23 +1,24 @@ id: azure_iam_user_with_owner_permission_on_subscription_mfa_enabled title: Accounts with owner permissions on Azure resources should be MFA enabled +type: control description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml index 344a747f3..ff695b5b9 100644 --- a/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml 
@@ -1,23 +1,24 @@ id: azure_iam_user_with_read_permission_on_subscription_mfa_enabled title: Accounts with read permissions on Azure resources should be MFA enabled +type: control description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml index 1914197de..55bec46b9 100644 --- a/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml 
@@ -1,23 +1,24 @@ id: azure_iam_user_with_write_permission_on_subscription_mfa_enabled title: Accounts with write permissions on Azure resources should be MFA enabled +type: control description: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml index 6863c8099..e43a864aa 100644 --- a/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml 
@@ -1,23 +1,24 @@ id: azure_iot_hub_encrypted_with_cmk title: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) +type: control description: Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml b/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml index cf2a9232f..1a848a994 100644 --- a/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml +++ b/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml 
@@ -1,62 +1,63 @@ id: azure_iot_hub_logging_enabled title: Resource logs in IoT Hub should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_iothub - definition: | - WITH logging_details AS ( - SELECT - DISTINCT id AS id - FROM - azure_iothub, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND ( - ( - (log ->> 'enabled')::boolean - AND (log -> 'retentionPolicy' ->> 'enabled')::boolean - AND (log -> 'retentionPolicy')::jsonb ? 'days' - ) - OR - ( - (log ->> 'enabled')::boolean - AND log -> 'retentionPolicy' ->> 'enabled' <> 'true' - ) - ) + language: sql + primary_resource: azure_iothub + definition: | + WITH logging_details AS ( + SELECT + DISTINCT id AS id + FROM + azure_iothub, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::boolean + AND (log -> 'retentionPolicy' ->> 'enabled')::boolean + AND (log -> 'retentionPolicy')::jsonb ? 'days' + ) + OR + ( + (log ->> 'enabled')::boolean + AND log -> 'retentionPolicy' ->> 'enabled' <> 'true' + ) ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' - WHEN l.id IS NOT NULL THEN a.name || ' logging enabled.' - ELSE a.name || ' logging disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_iothub AS a - LEFT JOIN logging_details AS l ON a.id = l.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' + WHEN l.id IS NOT NULL THEN a.name || ' logging enabled.' + ELSE a.name || ' logging disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_iothub AS a + LEFT JOIN logging_details AS l ON a.id = l.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/IoTHub + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/IoTHub diff --git a/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml b/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml index db22a4af5..47ba3935f 100644 --- a/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml +++ b/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml 
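Review bot: The second OR branch in logging_details, `log -> 'retentionPolicy' ->> 'enabled' <> 'true'`, is UNKNOWN when the log entry has no retentionPolicy object, so an enabled log category without that object is dropped and the hub is reported `logging disabled.` even though its `enabled` flag is true. A NULL-safe comparison keeps the row: `AND (log -> 'retentionPolicy' ->> 'enabled') IS DISTINCT FROM 'true'`. Whether collected settings omit retentionPolicy in practice cannot be confirmed from the hunk, but the `? 'days'` test in the first branch suggests its contents are already treated as optional.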
@@ -1,23 +1,24 @@ id: azure_keyvault_certificate_validity_12_months title: Certificates should have the specified maximum validity period +type: control description: Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml b/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml index 3a19bc159..04234e7d9 100644 --- a/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml 
@@ -1,29 +1,30 @@ id: azure_keyvault_firewall_enabled title: Azure Key Vault should have firewall enabled +type: control description: Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(network_acls -> 'ipRules') > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(network_acls -> 'ipRules') > 0 THEN name || ' firewall enabled.' - ELSE name || ' firewall disabled.' - END AS reason - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(network_acls -> 'ipRules') > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(network_acls -> 'ipRules') > 0 THEN name || ' firewall enabled.' + ELSE name || ' firewall disabled.' + END AS reason + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml index 7601d9886..72b762f33 100644 --- a/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml 
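Review bot: `jsonb_array_length(network_acls -> 'ipRules') > 0` is not the firewall-enabled signal: a vault whose networkAcls defaultAction is Deny with only virtual-network rules (zero ipRules) is reported `firewall disabled.`, while a vault with ipRules but defaultAction Allow is reported enabled although the rules restrict nothing. Test the default action in both CASEs instead, `WHEN network_acls ->> 'defaultAction' = 'Deny' THEN 'ok'`, and keep the `ELSE 'alarm'` so a NULL network_acls still fails closed. The join to azure_subscription contributes nothing to the output; dropping it, or at least qualifying `name` as `kv.name`, also avoids an ambiguous-column error should azure_subscription carry a `name` column, which cannot be confirmed from this hunk.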
@@ -1,51 +1,52 @@ id: azure_keyvault_key_expiration_set title: Key Vault keys should have an expiration date +type: control description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || name || - CASE - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key kvk, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || name || + CASE + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason, + kvk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key kvk, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.1' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.1" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_logging_enabled.yaml b/compliance/controls/azure/azure_keyvault_logging_enabled.yaml index e43978323..6b27dc0d0 100644 --- a/compliance/controls/azure/azure_keyvault_logging_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_logging_enabled.yaml 
@@ -1,68 +1,69 @@ id: azure_keyvault_logging_enabled title: Resource logs in Key Vault should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH logging_details AS ( - SELECT - name AS key_vault_name - FROM - azure_key_vault, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND setting -> 'properties' ->> 'storageAccountId' <> '' - AND (log ->> 'enabled')::BOOLEAN - AND log ->> 'category' = 'AuditEvent' - AND (log -> 'retentionPolicy')::JSONB ? 'days' - ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' 
- END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault v - LEFT JOIN - logging_details l ON l.key_vault_name = v.name - JOIN - azure_subscription sub ON sub.subscription_id = v.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + WITH logging_details AS ( + SELECT + name AS key_vault_name + FROM + azure_key_vault, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND setting -> 'properties' ->> 'storageAccountId' <> '' + AND (log ->> 'enabled')::BOOLEAN + AND log ->> 'category' = 'AuditEvent' + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' 
+ END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault v + LEFT JOIN + logging_details l ON l.key_vault_name = v.name + JOIN + azure_subscription sub ON sub.subscription_id = v.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.1.5 - cis_level: - - '1' - cis_section_id: - - '5.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - score_service_name: - - Azure KeyVault - score_tags: - - Observability + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.1.5 + cis_level: + - "1" + cis_section_id: + - "5.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + score_service_name: + - Azure KeyVault + score_tags: + - Observability diff --git a/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml b/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml index 3a6e54661..4c2807c80 100644 --- a/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml 
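Review bot: The second WHEN in both CASE expressions, `l.key_vault_name NOT LIKE CONCAT('%', v.name, '%')`, can never be true after the `LEFT JOIN ... ON l.key_vault_name = v.name`: when the vault has no qualifying AuditEvent log `l.key_vault_name` is NULL, `NULL NOT LIKE ...` is UNKNOWN, and the row falls through to `ELSE 'ok'`, so every vault that has any diagnostic setting is reported as logging enabled regardless of whether audit logging is actually on. The intended test is `WHEN l.key_vault_name IS NULL THEN 'alarm'` (and the matching `THEN v.name || ' logging not enabled.'`), which is the only case the LEFT JOIN can produce. Separately, logging_details returns one row per matching setting/log pair, so a vault with several qualifying settings is emitted several times; `SELECT DISTINCT name AS key_vault_name` in the CTE avoids that. The managed-HSM control in azure_keyvault_managed_hms_logging_enabled.yaml carries the same `NOT LIKE` condition and needs the same fix.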
@@ -1,53 +1,54 @@ id: azure_keyvault_managed_hms_logging_enabled title: Resource logs in Azure Key Vault Managed HSM should be enabled +type: control description: To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_managed_hardware_security_module - definition: | - WITH logging_details AS ( - SELECT - name AS key_vault_name - FROM - azure_key_vault_managed_hardware_security_module, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL - AND setting -> 'properties' ->> 'storageAccountId' <> '' - AND (log ->> 'enabled')::BOOLEAN - AND log ->> 'category' = 'AuditEvent' - AND (log -> 'retentionPolicy')::JSONB ? 'days' - ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') - THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' 
- END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_managed_hardware_security_module AS v, - logging_details AS l, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id; + language: sql + primary_resource: azure_key_vault_managed_hardware_security_module + definition: | + WITH logging_details AS ( + SELECT + name AS key_vault_name + FROM + azure_key_vault_managed_hardware_security_module, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND setting -> 'properties' ->> 'storageAccountId' <> '' + AND (log ->> 'enabled')::BOOLEAN + AND log ->> 'category' = 'AuditEvent' + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.key_vault_name NOT LIKE CONCAT('%', v.name, '%') + THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_managed_hardware_security_module AS v, + logging_details AS l, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/KeyVault + hipaa_hitrust_v92: + - "true" + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml b/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml index cce9e21ff..4ca391cd6 100644 
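Review bot: The FROM clause cross-joins `logging_details AS l` with every HSM — the only predicate is `sub.subscription_id = v.subscription_id`, there is no condition tying `l` to `v` — so when no HSM has qualifying audit logging the CTE is empty and the query returns no rows at all (nothing is alarmed), and when one does, every HSM is paired with every logging_details row and the CASE compares it against other HSMs' names. The azure_keyvault_logging_enabled control in this same commit uses the correct shape; this one should match it: `FROM azure_key_vault_managed_hardware_security_module AS v LEFT JOIN logging_details AS l ON l.key_vault_name = v.name JOIN azure_subscription AS sub ON sub.subscription_id = v.subscription_id;`. Once that join is in place the `NOT LIKE` test in the CASE also has to become `l.key_vault_name IS NULL`, as noted on the key-vault logging control.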
--- a/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_keyvault_managed_hms_purge_protection_enabled title: Azure Key Vault Managed HSM should have purge protection enabled +type: control description: Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_managed_hardware_security_module - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_purge_protection THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_purge_protection THEN name || ' purge protection enabled.' - ELSE name || ' purge protection disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_managed_hardware_security_module AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault_managed_hardware_security_module + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_purge_protection THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_purge_protection THEN name || ' purge protection enabled.' + ELSE name || ' purge protection disabled.' 
+ END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_managed_hardware_security_module AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: critical tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/KeyVault + hipaa_hitrust_v92: + - "true" + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml b/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml index da6adaa3d..35b297d8a 100644 --- a/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml 
@@ -1,37 +1,38 @@ id: azure_keyvault_purge_protection_enabled title: Key vaults should have deletion protection enabled +type: control description: Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN purge_protection_enabled THEN name || ' purge protection enabled.' - ELSE name || ' purge protection disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN purge_protection_enabled THEN name || ' purge protection enabled.' + ELSE name || ' purge protection disabled.' 
+ END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: critical tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KeyVault + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml b/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml index 15094061e..ebccb9b7f 100644 --- a/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_keyvault_rbac_enabled title: Enable Role Based Access Control for Azure Key Vault +type: control description: Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_rbac_authorization THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' - ELSE name || ' have RBAC disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_rbac_authorization THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac_authorization THEN name || ' has RBAC enabled.' + ELSE name || ' have RBAC disabled.' 
+ END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.6' - cis_level: - - '2' - cis_section_id: - - '8' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.6" + cis_level: + - "2" + cis_section_id: + - "8" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml index 5dc1cbcc3..d74028f31 100644 --- a/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml 
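Review bot: The alarm reason string on the new side reads `name || ' have RBAC disabled.'` while the ok branch reads `' has RBAC enabled.'`; since this text is what operators see in findings it should be `ELSE name || ' has RBAC disabled.'`. The tags still declare `cis_type: manual` even though the definition is a fully automated query; if the benchmark item really is manual that is fine, but it looks inconsistent with the sibling controls in this commit and is worth confirming against the cited CIS v1.5.0 item.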
@@ -1,51 +1,52 @@ id: azure_keyvault_secret_expiration_set title: Key Vault secrets should have an expiration date +type: control description: Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' secret ' || name || - CASE - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvs.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_secret AS kvs, - azure_subscription AS sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' secret ' || name || + CASE + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' 
+ END AS reason, + kvs.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_secret AS kvs, + azure_subscription AS sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.2' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.2" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml b/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml index 6d5457901..6002448f9 100644 --- a/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_keyvault_soft_delete_enabled title: Key vaults should have soft delete enabled +type: control description: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN soft_delete_enabled THEN name || ' soft delete enabled.' - ELSE name || ' soft delete disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN soft_delete_enabled THEN name || ' soft delete enabled.' + ELSE name || ' soft delete disabled.' + END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: critical tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KeyVault + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KeyVault 
diff --git a/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml b/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml index c0ea22741..f5bab2ea0 100644 --- a/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml +++ b/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml 
@@ -1,51 +1,52 @@ id: azure_keyvault_vault_private_link_used title: Azure Key Vaults should use private link +type: control description: Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN 'alarm' - WHEN private_endpoint_connections IS NULL THEN 'info' - WHEN private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN a.name || ' using public networks.' - WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' - WHEN private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' THEN a.name || ' using private link.' - ELSE a.name || ' private link not enabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault a, - azure_subscription sub; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN 'alarm' + WHEN private_endpoint_connections IS NULL THEN 'info' + WHEN private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN a.name || ' using public networks.' + WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' + WHEN private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' THEN a.name || ' using private link.' + ELSE a.name || ' private link not enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault a, + azure_subscription sub; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.7' - cis_level: - - '2' - cis_section_id: - - '8' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.7" + cis_level: + - "2" + cis_section_id: + - "8" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml b/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml index 36e097c31..aaff49263 100644 --- a/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml 
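Review bot: The FROM clause `azure_key_vault a, azure_subscription sub;` has no join predicate, so with more than one subscription in the integration each vault is emitted once per subscription, carrying the wrong `sub.display_name` on all but one of those rows and inflating alarm counts. Every other Key Vault control in this commit ends with `WHERE sub.subscription_id = kv.subscription_id;`; this one should close with `WHERE sub.subscription_id = a.subscription_id;`. The same missing predicate is in azure_keyvault_vault_public_network_access_disabled.yaml, which uses the identical FROM clause.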
+++ b/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml @@ -1,33 +1,34 @@ id: azure_keyvault_vault_public_network_access_disabled title: Azure Key Vault should disable public network access +type: control description: Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' != 'Deny' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' != 'Deny' THEN a.name || ' public network access enabled.' - ELSE a.name || ' public network access disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault a, - azure_subscription sub; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' != 'Deny' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' != 'Deny' THEN a.name || ' public network access enabled.' + ELSE a.name || ' public network access disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault a, + azure_subscription sub; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KeyVault + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KeyVault 
diff --git a/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml b/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml index 80ff3b911..65245d280 100644 --- a/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml +++ b/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml 
@@ -1,51 +1,52 @@ id: azure_keyvault_vault_recoverable title: Ensure the key vault is recoverable +type: control description: The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' - WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' - WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' - ELSE name || ' "soft delete" and "do not purge" enabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault kv, - azure_subscription sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT soft_delete_enabled AND NOT purge_protection_enabled THEN name || ' "soft delete" and "do not purge" not enabled.' + WHEN NOT soft_delete_enabled THEN name || ' "soft delete" not enabled.' 
+ WHEN NOT purge_protection_enabled THEN name || ' "do not purge" not enabled.' + ELSE name || ' "soft delete" and "do not purge" enabled.' + END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault kv, + azure_subscription sub + WHERE + sub.subscription_id = kv.subscription_id; severity: critical tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.4' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.4" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml index ee044bb4e..4ce213ed7 100644 --- a/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml 
@@ -1,48 +1,49 @@ id: azure_keyvault_vault_use_virtual_service_endpoint title: Key Vault should use a virtual network service endpoint +type: control description: This policy audits any Key Vault not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH keyvault_vault_subnet AS ( - SELECT - DISTINCT a.name, - rule ->> 'id' AS id - FROM - azure_key_vault AS a, - jsonb_array_elements(network_acls -> 'virtualNetworkRules') AS rule - WHERE - rule ->> 'id' IS NOT NULL - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_acls ->> 'defaultAction' <> 'Deny' THEN 'alarm' - WHEN s.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_acls ->> 'defaultAction' <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' - WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' - ELSE a.name || ' configured with virtual service endpoint.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS a - LEFT JOIN keyvault_vault_subnet AS s ON a.name = s.name, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_key_vault + definition: | + WITH keyvault_vault_subnet AS ( + SELECT + DISTINCT a.name, + rule ->> 'id' AS id + FROM + azure_key_vault AS a, + jsonb_array_elements(network_acls -> 'virtualNetworkRules') AS rule + WHERE + rule ->> 'id' IS NOT NULL + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_acls ->> 'defaultAction' <> 'Deny' THEN 'alarm' + WHEN s.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_acls ->> 'defaultAction' <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' + WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' + ELSE a.name || ' configured with virtual service endpoint.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS a + LEFT JOIN keyvault_vault_subnet AS s ON a.name = s.name, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/KeyVault + hipaa_hitrust_v92: + - "true" + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml index d9e4e5689..707205d77 100644 --- a/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml 
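Review bot: The outer `DISTINCT` in the definition is masking row multiplication: `keyvault_vault_subnet` returns one row per virtual-network rule (`DISTINCT a.name, rule ->> 'id'`), so a vault with several rules joins several times, yet only `s.name` is ever read. Project `SELECT DISTINCT a.name` in the CTE and drop the outer `DISTINCT`; the query then also no longer depends on `a.name` being unique across everything else it projects. `network_acls ->> 'defaultAction' <> 'Deny'` is UNKNOWN when `defaultAction` is absent, so such a vault with at least one rule reports 'ok'; if the platform treats a missing value as Allow (I believe it does, but confirm), `network_acls ->> 'defaultAction' IS DISTINCT FROM 'Deny'` makes that case alarm. Sibling controls in this diff use the resource id for `resource`, whereas this one uses `a.name`, and mixing `LEFT JOIN` with a comma join on `azure_subscription` is easy to misread; `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` is the safer shape.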
@@ -1,63 +1,64 @@ id: azure_keyvault_with_non_rbac_key_expiration_set title: Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults +type: control description: Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key kvk - LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' 
+ WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason, + kvk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key kvk + LEFT JOIN non_rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.2' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.2" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml index d654ad5e9..6d4d20d8f 100644 --- a/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml 
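Review bot: A vault whose `enable_rbac_authorization` is NULL satisfies neither `WHERE NOT enable_rbac_authorization` in this CTE nor `WHERE enable_rbac_authorization` in azure_keyvault_with_rbac_key_expiration_set later in this diff, so its keys are reported 'skip' by both controls and never checked for an expiry. If the column can be NULL (the schema is not visible here), pick one side, e.g. `WHERE NOT COALESCE(enable_rbac_authorization, false)` in this CTE, so every vault lands in exactly one control; the same split exists between the two secret-expiration controls. `enabled`, `expires_at` and `vault_name` are unqualified while `kvk.name` is qualified; qualifying all of them with `kvk.` keeps the query unambiguous as the joined tables gain columns.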
@@ -1,63 +1,64 @@ id: azure_keyvault_with_non_rbac_secret_expiration_set title: Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults +type: control description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH non_rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - NOT enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvs.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_secret kvs - LEFT JOIN non_rbac_vault AS v - ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH non_rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + NOT enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' 
+ WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason, + kvs.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_secret kvs + LEFT JOIN non_rbac_vault AS v + ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.4' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.4" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml index 9e4e1039d..c4816015a 100644 --- a/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml 
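Review bot: The reason string labels a secret as a key: `vault_name || ' key ' || kvs.name ||` in the definition of azure_keyvault_with_non_rbac_secret_expiration_set should read `vault_name || ' secret ' || kvs.name ||`, since the rows come from `azure_key_vault_secret`. The same copy-paste remains in azure_keyvault_with_rbac_secret_expiration_set later in this diff. A finding that calls a secret a key sends whoever triages it to the wrong object.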
@@ -1,61 +1,62 @@ id: azure_keyvault_with_rbac_key_expiration_set title: Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults +type: control description: Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE enable_rbac_authorization - ) - SELECT - kvk.id AS resource, - kvk.platform_integration_id AS platform_integration_id, - kvk.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvk.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvk.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key kvk - LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvk.subscription_id; + language: sql + primary_resource: azure_key_vault_key + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE enable_rbac_authorization + ) + SELECT + kvk.id AS resource, + kvk.platform_integration_id AS platform_integration_id, + kvk.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvk.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' + WHEN NOT enabled THEN ' disabled.' 
+ ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason, + kvk.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key kvk + LEFT JOIN rbac_vault AS v ON v.name = kvk.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvk.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.1' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.1" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml index 89e1827f7..88a39b5aa 100644 --- a/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml 
@@ -1,62 +1,63 @@ id: azure_keyvault_with_rbac_secret_expiration_set title: Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults +type: control description: Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - WITH rbac_vault AS ( - SELECT - name - FROM - azure_key_vault - WHERE - enable_rbac_authorization - ) - SELECT - kvs.id AS resource, - kvs.platform_integration_id AS platform_integration_id, - kvs.platform_resource_id AS platform_resource_id, - CASE - WHEN v.name IS NULL THEN 'skip' - WHEN enabled AND expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - vault_name || ' key ' || kvs.name || - CASE - WHEN v.name IS NULL THEN ' not RBAC enabled vault.' - WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' - WHEN NOT enabled THEN ' disabled.' - ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' - END AS reason, - kvs.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_secret kvs - LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, - azure_subscription sub - WHERE - sub.subscription_id = kvs.subscription_id; + language: sql + primary_resource: azure_key_vault_secret + definition: | + WITH rbac_vault AS ( + SELECT + name + FROM + azure_key_vault + WHERE + enable_rbac_authorization + ) + SELECT + kvs.id AS resource, + kvs.platform_integration_id AS platform_integration_id, + kvs.platform_resource_id AS platform_resource_id, + CASE + WHEN v.name IS NULL THEN 'skip' + WHEN enabled AND expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + vault_name || ' key ' || kvs.name || + CASE + WHEN v.name IS NULL THEN ' not RBAC enabled vault.' + WHEN enabled AND expires_at IS NULL THEN ' expiration date not set.' 
+ WHEN NOT enabled THEN ' disabled.' + ELSE ' expiration date set to ' || TO_CHAR(expires_at, 'DD-Mon-YYYY') || '.' + END AS reason, + kvs.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_secret kvs + LEFT JOIN rbac_vault AS v ON v.name = kvs.vault_name, + azure_subscription sub + WHERE + sub.subscription_id = kvs.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '8.3' - cis_level: - - '1' - cis_section_id: - - '8' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/KeyVault + category: + - Compliance + cis: + - "true" + cis_item_id: + - "8.3" + cis_level: + - "1" + cis_section_id: + - "8" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/KeyVault diff --git a/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml index 52ea02adc..c15484494 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_kubernetes_cluster_add_on_azure_policy_enabled title: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters +type: control description: Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - kc.id AS resource, - kc.platform_integration_id AS platform_integration_id, - kc.platform_resource_id AS platform_resource_id, - CASE - WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN name || ' add on azure policy enabled.' - ELSE name || ' add on azure policy disabled.' - END AS reason, - kc.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster kc, - azure_subscription sub - WHERE - sub.subscription_id = kc.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + kc.id AS resource, + kc.platform_integration_id AS platform_integration_id, + kc.platform_resource_id AS platform_resource_id, + CASE + WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN name || ' add on azure policy enabled.' + ELSE name || ' add on azure policy disabled.' 
+ END AS reason, + kc.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster kc, + azure_subscription sub + WHERE + sub.subscription_id = kc.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KubernetesService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KubernetesService diff --git a/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml index 8187eff99..37653c742 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml 
@@ -1,29 +1,30 @@ id: azure_kubernetes_cluster_addon_azure_policy_enabled title: Kubernetes cluster addon Azure policy should be enabled +type: control description: Ensure that Kubernetes cluster uses Azure Policies Add-on. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN c.name || ' addon azure policy enabled.' - ELSE c.name || ' addon azure policy disabled.' - END AS reason - FROM - azure_kubernetes_cluster c, - azure_subscription sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' THEN c.name || ' addon azure policy enabled.' + ELSE c.name || ' addon azure policy disabled.' + END AS reason + FROM + azure_kubernetes_cluster c, + azure_subscription sub + WHERE + sub.subscription_id = c.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml b/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml index 4a7dacb31..a4cecf6d1 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml 
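Review bot: The definition joins `azure_subscription sub` but projects neither `sub.display_name AS subscription` nor `c.resource_group AS resource_group`, unlike the otherwise identical azure_kubernetes_cluster_add_on_azure_policy_enabled immediately above it in this diff, so the join only acts as a filter. Either project the two columns for consistency with the sibling controls or document why this control omits them. azure_kubernetes_cluster_http_application_routing_disabled at the end of this chunk has the same shape.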
@@ -1,35 +1,36 @@ id: azure_kubernetes_cluster_authorized_ip_range_defined title: Authorized IP ranges should be defined on Kubernetes Services +type: control description: ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN api_server_access_profile -> 'AuthorizedIPRanges' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN api_server_access_profile -> 'AuthorizedIPRanges' IS NOT NULL THEN c.title || ' authorized IP ranges defined.' - ELSE c.title || ' authorized IP ranges not defined.' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS c, - azure_subscription AS sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN api_server_access_profile -> 'AuthorizedIPRanges' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN api_server_access_profile -> 'AuthorizedIPRanges' IS NOT NULL THEN c.title || ' authorized IP ranges defined.' + ELSE c.title || ' authorized IP ranges not defined.' 
+ END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS c, + azure_subscription AS sub + WHERE + sub.subscription_id = c.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KubernetesService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KubernetesService diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml index df8a34bbb..47b05b3f6 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml 
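Review bot: `api_server_access_profile -> 'AuthorizedIPRanges' IS NOT NULL` passes a cluster whose list is present but empty (`[]`), which does not restrict the API server at all; test the length instead, `WHEN jsonb_array_length(COALESCE(api_server_access_profile -> 'AuthorizedIPRanges', '[]'::jsonb)) > 0 THEN 'ok'`, in both CASEs (guard with `jsonb_typeof(...) = 'array'` if the value can be something other than an array). I cannot confirm the key's casing from the schema shown; worth checking it against the column's actual JSON, since a mismatch would alarm every cluster. Separately, `ARestrict` in the description is a typo for `Restrict`.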
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_cpu_and_memory_resource_limit title: Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits +type: control description: Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml index 7610b638d..3ac6ded3b 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml 
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_host_process_id_not_shared title: Kubernetes cluster containers should not share host process ID or host IPC namespace +type: control description: Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml index 58965109d..62c502bba 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml 
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_privilege_escalation_restricted title: Kubernetes clusters should not allow container privilege escalation +type: control description: Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml index 874a69e2f..3a26a934c 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml 
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_use_allowed_apparmor_profile title: Kubernetes cluster containers should only use allowed AppArmor profiles +type: control description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml index 7c5008c0f..c30c2f0a1 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml 
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_use_allowed_capabilities title: Kubernetes cluster containers should only use allowed capabilities +type: control description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml index 3e327947a..9ee621688 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml 
@@ -1,23 +1,24 @@ id: azure_kubernetes_cluster_container_use_allowed_images title: Kubernetes cluster containers should only use allowed images +type: control description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml index 1c032df3c..b75187021 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml 
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_container_with_read_only_root_file_system
 title: Kubernetes cluster containers should run with a read only root file system
+type: control
 description: Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
index 0435827e1..d3ba6df1a 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
@@ -1,29 +1,30 @@
 id: azure_kubernetes_cluster_http_application_routing_disabled
 title: Kubernetes clusters HTTP application routing should be disabled
+type: control
 description: This control checks if HTTP application routing is disabled for Kubernetes cluster.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN addon_profiles -> 'httpApplicationRouting' ->> 'enabled' = 'true' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN addon_profiles -> 'httpApplicationRouting' ->> 'enabled' = 'true' THEN c.name || ' HTTP application routing enabled.'
- ELSE c.name || ' HTTP application routing disabled.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN addon_profiles -> 'httpApplicationRouting' ->> 'enabled' = 'true' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN addon_profiles -> 'httpApplicationRouting' ->> 'enabled' = 'true' THEN c.name || ' HTTP application routing enabled.'
+ ELSE c.name || ' HTTP application routing disabled.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
index 1d1e073be..b3bad52a4 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
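Review bot: The FROM clause on the new side joins `azure_subscription sub` with a comma join whose only effect is filtering, since no `sub` column is selected; if a cluster's subscription_id has no matching row in azure_subscription, that cluster silently disappears from the control's output, which for a compliance check is an unreported coverage gap rather than a visible failure. Prefer an explicit `INNER JOIN azure_subscription AS sub ON sub.subscription_id = c.subscription_id` so the filtering intent is visible, or drop the join entirely where `sub` is unused. The same comma-join pattern appears in the key_vault_secret_rotation_enabled, logging_enabled, max_pod_50, network_plugin_azure, network_policy_enabled, node_restrict_public_access, os_and_data_disks_encrypted_with_cmk, restrict_public_access, sku_standard and temp_disks_and_agent_node_pool_cache_encrypted_at_host hunks.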
+++ b/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_https_enabled
 title: Kubernetes clusters should be accessible only over HTTPS
+type: control
 description: Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
index 85a301440..0f8853abf 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
@@ -1,31 +1,32 @@
 id: azure_kubernetes_cluster_key_vault_secret_rotation_enabled
 title: Kubernetes clusters key vault secret rotation should be enabled
+type: control
 description: This control checks if key vault secret rotation is enabled for Kubernetes cluster.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN addon_profiles -> 'azureKeyvaultSecretsProvider' -> 'config' ->> 'enableSecretRotation' = 'true'
- THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN addon_profiles -> 'azureKeyvaultSecretsProvider' -> 'config' ->> 'enableSecretRotation' = 'true'
- THEN c.name || ' key vault secret rotation enabled.'
- ELSE c.name || ' key vault secret rotation disabled.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN addon_profiles -> 'azureKeyvaultSecretsProvider' -> 'config' ->> 'enableSecretRotation' = 'true'
+ THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN addon_profiles -> 'azureKeyvaultSecretsProvider' -> 'config' ->> 'enableSecretRotation' = 'true'
+ THEN c.name || ' key vault secret rotation enabled.'
+ ELSE c.name || ' key vault secret rotation disabled.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
index d952cb006..2cebbd1ba 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
@@ -1,33 +1,34 @@
 id: azure_kubernetes_cluster_logging_enabled
 title: Kubernetes clusters should have logging enabled
+type: control
 description: This control checks if OMS agent is enabled for Kubernetes cluster.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN addon_profiles -> 'omsAgent' ->> 'enabled' = 'true'
- AND addon_profiles -> 'omsAgent' ->> 'config' IS NOT NULL
- THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN addon_profiles -> 'omsAgent' ->> 'enabled' = 'true'
- AND addon_profiles -> 'omsAgent' ->> 'config' IS NOT NULL
- THEN c.name || ' logging enabled.'
- ELSE c.name || ' logging disabled.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN addon_profiles -> 'omsAgent' ->> 'enabled' = 'true'
+ AND addon_profiles -> 'omsAgent' ->> 'config' IS NOT NULL
+ THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN addon_profiles -> 'omsAgent' ->> 'enabled' = 'true'
+ AND addon_profiles -> 'omsAgent' ->> 'config' IS NOT NULL
+ THEN c.name || ' logging enabled.'
+ ELSE c.name || ' logging disabled.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml b/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
index 860ad5b96..afe429212 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
@@ -1,39 +1,40 @@
 id: azure_kubernetes_cluster_max_pod_50
 title: Kubernetes clusters should use a minimum number of 50 pods
+type: control
 description: This control checks if Kubernetes clusters is using a minimum number of 50 pods.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- WITH max_node AS (
- SELECT
- DISTINCT id
- FROM
- azure_kubernetes_cluster,
- jsonb_array_elements(agent_pool_profiles) AS p
- WHERE
- (p ->> 'maxPods')::INT < 50
- )
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ WITH max_node AS (
 SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN n.id IS NOT NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN n.id IS NOT NULL THEN c.name || ' nodes have less than 50 pods.'
- ELSE c.name || ' nodes have greater than 50 pods.'
- END AS reason
+ DISTINCT id
 FROM
- azure_kubernetes_cluster c
- LEFT JOIN max_node AS n ON n.id = c.id,
- azure_subscription sub
+ azure_kubernetes_cluster,
+ jsonb_array_elements(agent_pool_profiles) AS p
 WHERE
- sub.subscription_id = c.subscription_id;
+ (p ->> 'maxPods')::INT < 50
+ )
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN n.id IS NOT NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN n.id IS NOT NULL THEN c.name || ' nodes have less than 50 pods.'
+ ELSE c.name || ' nodes have greater than 50 pods.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c
+ LEFT JOIN max_node AS n ON n.id = c.id,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
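Review bot: In the max_node CTE, `(p ->> 'maxPods')::INT < 50` evaluates to UNKNOWN when a pool profile carries no maxPods key, so such a pool never enters the CTE and the cluster is reported 'ok' although the value was never checked; if the collector can omit that field, make the missing case explicit, e.g. `(p ->> 'maxPods') IS NULL OR (p ->> 'maxPods')::INT < 50`, or route it to a separate 'info' status. The ELSE reason `' nodes have greater than 50 pods.'` is also inaccurate at the boundary, since a pool with maxPods exactly 50 passes the predicate; `' nodes allow at least 50 pods.'` describes what is actually tested.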
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml b/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
index 0dace4770..d7d512c26 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
@@ -1,29 +1,30 @@
 id: azure_kubernetes_cluster_network_plugin_azure
 title: Kubernetes clusters should have Azure network plugin
+type: control
 description: This control checks if Azure CNI networking is enabled for Kubernetes cluster.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'azure' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'azure' THEN c.name || ' Azure CNI networking enabled.'
- ELSE c.name || ' Azure CNI networking disabled.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'azure' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'azure' THEN c.name || ' Azure CNI networking enabled.'
+ ELSE c.name || ' Azure CNI networking disabled.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
index 77711d4a9..61627f331 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
@@ -1,29 +1,30 @@
 id: azure_kubernetes_cluster_network_policy_enabled
 title: Kubernetes clusters should have network policy enabled
+type: control
 description: This control checks if network policy is enabled for Kubernetes cluster.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN network_profile ->> 'networkPolicy' IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN network_profile ->> 'networkPolicy' IS NOT NULL THEN c.name || ' network policy enabled.'
- ELSE c.name || ' network policy disabled.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN network_profile ->> 'networkPolicy' IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN network_profile ->> 'networkPolicy' IS NOT NULL THEN c.name || ' network policy enabled.'
+ ELSE c.name || ' network policy disabled.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml b/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml
index 24ae71e89..319ad3e1f 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml
@@ -1,41 +1,42 @@
 id: azure_kubernetes_cluster_node_restrict_public_access
 title: Kubernetes cluster nodes should prohibit public access
+type: control
 description: Ensure Kubernetes cluster nodes do not have public IP addresses. This control is non-compliant if Kubernetes cluster nodes have a public IP address assigned.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- WITH public_node AS (
- SELECT
- DISTINCT id
- FROM
- azure_kubernetes_cluster,
- jsonb_array_elements(agent_pool_profiles) AS p
- WHERE
- p ->> 'enableNodePublicIP' = 'true'
- GROUP BY
- id
- )
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN n.id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN n.id IS NULL THEN c.name || ' has no public node.'
- ELSE c.name || ' has public node.'
- END AS reason
- FROM
- azure_kubernetes_cluster c
- LEFT JOIN public_node AS n ON n.id = c.id,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ WITH public_node AS (
+ SELECT
+ DISTINCT id
+ FROM
+ azure_kubernetes_cluster,
+ jsonb_array_elements(agent_pool_profiles) AS p
+ WHERE
+ p ->> 'enableNodePublicIP' = 'true'
+ GROUP BY
+ id
+ )
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN n.id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN n.id IS NULL THEN c.name || ' has no public node.'
+ ELSE c.name || ' has public node.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c
+ LEFT JOIN public_node AS n ON n.id = c.id,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
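Review bot: The public_node CTE applies both `DISTINCT id` and `GROUP BY id`, which do the same deduplication twice; keeping only `SELECT DISTINCT id` (as the max_node CTE in the max_pod_50 hunk already does) reads more clearly and makes the two pool-level controls consistent. The detection direction itself, alarm as soon as any pool has enableNodePublicIP set, is the right one for an exposure control.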
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml
index a22bd392c..fb7ab4acd 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml
@@ -1,35 +1,36 @@
 id: azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
 title: Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
+type: control
 description: Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN disk_encryption_set_id IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN disk_encryption_set_id IS NOT NULL THEN c.name || ' os and data disks encrypted with CMK.'
- ELSE c.name || ' os and data disks not encrypted with CMK.'
- END AS reason,
- c.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN disk_encryption_set_id IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN disk_encryption_set_id IS NOT NULL THEN c.name || ' os and data disks encrypted with CMK.'
+ ELSE c.name || ' os and data disks not encrypted with CMK.'
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: high
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/KubernetesService
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/KubernetesService
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml
index e603caf80..267d13dc9 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path
 title: Kubernetes cluster pod hostPath volumes should only use allowed host paths
+type: control
 description: Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml
index 2ae661859..7179a46fc 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range
 title: Kubernetes cluster pods should only use approved host network and port range
+type: control
 description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml
index 323aa7114..4bc3895e1 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id
 title: Kubernetes cluster pods and containers should only run with approved user and group IDs
+type: control
 description: Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml b/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml
index 9a95c5e97..1fc6a0756 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_privilege_containers_restricted
 title: Kubernetes cluster should not allow privileged containers
+type: control
 description: Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml b/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml
index c99af277a..b4fce7f81 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml
@@ -1,29 +1,30 @@
 id: azure_kubernetes_cluster_restrict_public_access
 title: Kubernetes cluster should restrict public access
+type: control
 description: Ensure that Kubernetes cluster enables private clusters to restrict public access.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN api_server_access_profile ->> 'enablePrivateCluster' = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN api_server_access_profile ->> 'enablePrivateCluster' = 'true' THEN c.name || ' not publicly accessible.'
- ELSE c.name || ' publicly accessible.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN api_server_access_profile ->> 'enablePrivateCluster' = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN api_server_access_profile ->> 'enablePrivateCluster' = 'true' THEN c.name || ' not publicly accessible.'
+ ELSE c.name || ' publicly accessible.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml b/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml
index caf5d6bee..a7f74634c 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml
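Review bot: The alarm reason `' publicly accessible.'` asserts more than the predicate checks: the only condition tested is `enablePrivateCluster = 'true'`, yet a non-private cluster may still limit API server reachability through authorized IP ranges (the AKS apiServerAccessProfile carries this as authorizedIPRanges, assuming the collector preserves that key). Either reword the ELSE branch to what is actually verified, `ELSE c.name || ' is not a private cluster.'`, or add a middle branch such as `WHEN api_server_access_profile -> 'authorizedIPRanges' IS NOT NULL THEN 'info'` with a matching reason so that a range-restricted cluster is not reported as fully exposed. A reason that overstates exposure tends to get the finding dismissed as a false positive rather than fixed.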
@@ -1,23 +1,24 @@
 id: azure_kubernetes_cluster_service_listen_to_allowed_ports
 title: Kubernetes cluster services should listen only on allowed ports
+type: control
 description: Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- id AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- 'info' AS status,
- 'Manual verification required.' AS reason,
- display_name AS subscription
- FROM
- azure_subscription;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ id AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ 'info' AS status,
+ 'Manual verification required.' AS reason,
+ display_name AS subscription
+ FROM
+ azure_subscription;
 severity: low
 tags:
- manual-verification:
- - 'true'
+ manual-verification:
+ - "true"
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml b/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml
index 243e318da..82a63e82a 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml
@@ -1,29 +1,30 @@
 id: azure_kubernetes_cluster_sku_standard
 title: Kubernetes clusters should use standard SKU
+type: control
 description: Ensure that Kubernetes clusters use standard SKU tier for production workloads. This control is non-compliant if App Configuration does not use standard SKU.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.id AS resource,
- c.platform_integration_id AS platform_integration_id,
- c.platform_resource_id AS platform_resource_id,
- CASE
- WHEN sku ->> 'tier' = 'Paid' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN sku ->> 'tier' = 'Paid' THEN c.name || ' uses standard SKU tier.'
- ELSE c.name || ' uses free SKU tier.'
- END AS reason
- FROM
- azure_kubernetes_cluster c,
- azure_subscription sub
- WHERE
- sub.subscription_id = c.subscription_id;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.id AS resource,
+ c.platform_integration_id AS platform_integration_id,
+ c.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN sku ->> 'tier' = 'Paid' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN sku ->> 'tier' = 'Paid' THEN c.name || ' uses standard SKU tier.'
+ ELSE c.name || ' uses free SKU tier.'
+ END AS reason
+ FROM
+ azure_kubernetes_cluster c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml b/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml
index ef68d1d10..aee345b84 100644
--- a/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml
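Review bot: `sku ->> 'tier' = 'Paid'` is the only value treated as the standard tier; the AKS managed-cluster SKU tier was later renamed so that the API reports Standard (with a separate Premium tier), and if the collector returns those names every such cluster is reported with `' uses free SKU tier.'`, a false alarm on exactly the clusters this control is meant to pass. Accepting the current and legacy names in both CASE expressions, `WHEN sku ->> 'tier' IN ('Paid', 'Standard', 'Premium') THEN 'ok'`, avoids the regression; the ELSE reason could likewise say `' does not use standard SKU tier.'` rather than asserting free tier for any unrecognised value. The unchanged description also states the control is non-compliant if "App Configuration" does not use standard SKU, which looks copied from another control and should refer to the Kubernetes cluster.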
@@ -1,48 +1,49 @@ id: azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host title: Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host +type: control description: To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - WITH kubernetes_cluster AS ( - SELECT - id, - name, - subscription_id, - resource_group - FROM - azure_kubernetes_cluster, - JSONB_ARRAY_ELEMENTS(agent_pool_profiles) AS p - WHERE - p -> 'enableEncryptionAtHost' = 'true' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.id IS NOT NULL THEN a.name || ' encrypted at host.' - ELSE a.name || ' not encrypted at host.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS a - LEFT JOIN kubernetes_cluster AS s ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + WITH kubernetes_cluster AS ( + SELECT + id, + name, + subscription_id, + resource_group + FROM + azure_kubernetes_cluster, + JSONB_ARRAY_ELEMENTS(agent_pool_profiles) AS p + WHERE + p -> 'enableEncryptionAtHost' = 'true' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.id IS NOT NULL THEN a.name || ' encrypted at host.' + ELSE a.name || ' not encrypted at host.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS a + LEFT JOIN kubernetes_cluster AS s ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KubernetesService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KubernetesService diff --git a/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml b/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml index 56b7d3a14..357796b90 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml 
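Review bot: The `kubernetes_cluster` CTE emits a row for every agent pool whose `enableEncryptionAtHost` is true, so a cluster with one encrypted pool and several unencrypted ones still gets `encrypted at host`, and a cluster with two encrypted pools is joined twice and appears twice in the results (no DISTINCT on the CTE). The control should pass only when no pool lacks the setting, which also removes the duplicate rows; the CTE below is the only part that changes, the SELECT that consumes `s.id` stays as it is.

```yaml
    definition: |
      WITH kubernetes_cluster AS (
        -- clusters where every agent pool has encryption at host enabled
        SELECT
          c.id
        FROM
          azure_kubernetes_cluster AS c
        WHERE
          jsonb_array_length(c.agent_pool_profiles) > 0
          AND NOT EXISTS (
            SELECT 1
            FROM JSONB_ARRAY_ELEMENTS(c.agent_pool_profiles) AS p
            -- a missing key counts as not encrypted
            WHERE COALESCE((p ->> 'enableEncryptionAtHost')::BOOLEAN, false) = false
          )
      )
      -- … unchanged: SELECT with status/reason CASE, LEFT JOIN kubernetes_cluster AS s ON s.id = a.id …
```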
@@ -1,29 +1,30 @@ id: azure_kubernetes_cluster_upgrade_channel title: Kubernetes clusters upgrade channel should be configured +type: control description: Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_upgrade_profile ->> 'upgradeChannel' = 'none' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN auto_upgrade_profile ->> 'upgradeChannel' = 'none' THEN c.name || ' upgrade channel not configured.' - ELSE c.name || ' upgrade channel configured.' - END AS reason - FROM - azure_kubernetes_cluster c, - azure_subscription sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_upgrade_profile ->> 'upgradeChannel' = 'none' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN auto_upgrade_profile ->> 'upgradeChannel' = 'none' THEN c.name || ' upgrade channel not configured.' + ELSE c.name || ' upgrade channel configured.' + END AS reason + FROM + azure_kubernetes_cluster c, + azure_subscription sub + WHERE + sub.subscription_id = c.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml b/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml index 83413f677..930a2cf0e 100644 --- a/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml 
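Review bot: The alarm condition `auto_upgrade_profile ->> 'upgradeChannel' = 'none'` only fires when the channel is explicitly `none`; when `auto_upgrade_profile` is NULL or lacks the key (a cluster on which no channel was ever set), the comparison yields NULL, the CASE falls through to `ELSE 'ok'`, and the unconfigured cluster passes. Both CASE expressions should treat a missing value as unconfigured, e.g. `WHEN COALESCE(auto_upgrade_profile ->> 'upgradeChannel', 'none') = 'none' THEN 'alarm'` in the status CASE and the same predicate in the reason CASE. Whether the collector emits `none` or omits the key for such clusters is not visible here, so the COALESCE covers both.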
+++ b/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml 
@@ -1,43 +1,44 @@ id: azure_kubernetes_cluster_upgraded_with_non_vulnerable_version title: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version +type: control description: Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN - a.kubernetes_version ~ '1\.13\.[0-4]' - OR a.kubernetes_version ~ '1\.12\.[0-6]' - OR a.kubernetes_version ~ '1\.11\.[0-8]' - OR a.kubernetes_version ~ '1\.\d|10\.*' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - a.kubernetes_version ~ '1\.13\.[0-4]' - OR a.kubernetes_version ~ '1\.12\.[0-6]' - OR a.kubernetes_version ~ '1\.11\.[0-8]' - OR a.kubernetes_version ~ '1\.\d|10\.*' THEN a.name || ' not upgraded to a non-vulnerable Kubernetes version.' - ELSE a.name || ' upgraded to a non-vulnerable Kubernetes version.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN + a.kubernetes_version ~ '1\.13\.[0-4]' + OR a.kubernetes_version ~ '1\.12\.[0-6]' + OR a.kubernetes_version ~ '1\.11\.[0-8]' + OR a.kubernetes_version ~ '1\.\d|10\.*' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + a.kubernetes_version ~ '1\.13\.[0-4]' + OR a.kubernetes_version ~ '1\.12\.[0-6]' + OR a.kubernetes_version ~ '1\.11\.[0-8]' + OR a.kubernetes_version ~ '1\.\d|10\.*' THEN a.name || ' not upgraded to a non-vulnerable Kubernetes version.' + ELSE a.name || ' upgraded to a non-vulnerable Kubernetes version.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KubernetesService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KubernetesService diff --git a/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml b/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml index 642b33557..98da89dbd 100644 --- a/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml +++ b/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml 
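Review bot: The fourth pattern `a.kubernetes_version ~ '1\.\d|10\.*'` is an alternation of `1\.\d` and `10\.*`, and because Postgres `~` is unanchored, `1\.\d` matches any version starting with `1.` plus a digit — every 1.x release — so every cluster is reported as `not upgraded to a non-vulnerable Kubernetes version`. The intended meaning appears to be 1.0 through 1.10, i.e. `^1\.(\d|10)\.`; the other three patterns have the same anchoring gap (`1\.12\.[0-6]` also matches `1.12.10`). Computing the predicate once with anchored patterns also keeps the status and reason CASEs from drifting apart; a NULL version still ends up `ok` exactly as today, which may deserve its own alarm.

```yaml
    definition: |
      WITH versions AS (
        SELECT
          id,
          -- CVE-2019-9946 is fixed in 1.11.9+, 1.12.7+, 1.13.5+ and 1.14.0+;
          -- anchor each pattern so 1.12.10 or 1.28.x are not caught by prefix matches
          kubernetes_version ~ '^1\.13\.[0-4](\D|$)'
          OR kubernetes_version ~ '^1\.12\.[0-6](\D|$)'
          OR kubernetes_version ~ '^1\.11\.[0-8](\D|$)'
          OR kubernetes_version ~ '^1\.(\d|10)\.' AS vulnerable
        FROM azure_kubernetes_cluster
      )
      SELECT
        a.id AS resource,
        -- … unchanged: platform ids …
        CASE WHEN v.vulnerable THEN 'alarm' ELSE 'ok' END AS status,
        CASE
          WHEN v.vulnerable THEN a.name || ' not upgraded to a non-vulnerable Kubernetes version.'
          ELSE a.name || ' upgraded to a non-vulnerable Kubernetes version.'
        END AS reason,
        -- … unchanged: resource_group, subscription …
      FROM
        azure_kubernetes_cluster AS a
        LEFT JOIN versions AS v ON v.id = a.id,
        azure_subscription AS sub
      -- … unchanged: WHERE …
```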
@@ -1,38 +1,39 @@ id: azure_kubernetes_instance_rbac_enabled title: Role-Based Access Control (RBAC) should be used on Kubernetes Services +type: control description: To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - kc.id AS resource, - kc.platform_integration_id AS platform_integration_id, - kc.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_rbac THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac THEN name || ' role based access control enabled.' - ELSE name || ' role based access control disabled.' - END AS reason, - enable_rbac, - kc.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster kc, - azure_subscription sub - WHERE - sub.subscription_id = kc.subscription_id; + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + kc.id AS resource, + kc.platform_integration_id AS platform_integration_id, + kc.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_rbac THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac THEN name || ' role based access control enabled.' + ELSE name || ' role based access control disabled.' + END AS reason, + enable_rbac, + kc.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster kc, + azure_subscription sub + WHERE + sub.subscription_id = kc.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/KubernetesService + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/KubernetesService 
diff --git a/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml b/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml index 519890c70..d13417597 100644 --- a/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_kusto_cluster_disk_encryption_enabled title: Disk encryption should be enabled on Azure Data Explorer +type: control description: Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kusto_cluster - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_disk_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_disk_encryption THEN name || ' disk encryption enabled.' - ELSE name || ' disk encryption disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kusto_cluster AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_kusto_cluster + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_disk_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_disk_encryption THEN name || ' disk encryption enabled.' + ELSE name || ' disk encryption disabled.' + END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kusto_cluster AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataExplorer + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataExplorer diff --git a/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml b/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml index e8eb0e2f0..f47a234c4 100644 
--- a/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_kusto_cluster_double_encryption_enabled title: Double encryption should be enabled on Azure Data Explorer +type: control description: Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kusto_cluster - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_double_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_double_encryption THEN name || ' double encryption enabled.' - ELSE name || ' double encryption disabled.' - END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kusto_cluster AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_kusto_cluster + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_double_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_double_encryption THEN name || ' double encryption enabled.' + ELSE name || ' double encryption disabled.' 
+ END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kusto_cluster AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataExplorer + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataExplorer diff --git a/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml index bb00ccf14..4513caa79 100644 --- a/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml 
@@ -1,43 +1,44 @@ id: azure_kusto_cluster_encrypted_at_rest_with_cmk title: Azure Data Explorer encryption at rest should use a customer-managed key +type: control description: Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kusto_cluster - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN - key_vault_properties -> 'keyName' IS NOT NULL - AND key_vault_properties -> 'keyVaultUri' IS NOT NULL - AND key_vault_properties -> 'keyVersion' IS NOT NULL - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - key_vault_properties -> 'keyName' IS NOT NULL - AND key_vault_properties -> 'keyVaultUri' IS NOT NULL - AND key_vault_properties -> 'keyVersion' IS NOT NULL - THEN name || ' encrypted at rest with CMK.' - ELSE name || ' not encrypted at rest with CMK.' 
- END AS reason, - kv.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kusto_cluster AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id + language: sql + primary_resource: azure_kusto_cluster + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN + key_vault_properties -> 'keyName' IS NOT NULL + AND key_vault_properties -> 'keyVaultUri' IS NOT NULL + AND key_vault_properties -> 'keyVersion' IS NOT NULL + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + key_vault_properties -> 'keyName' IS NOT NULL + AND key_vault_properties -> 'keyVaultUri' IS NOT NULL + AND key_vault_properties -> 'keyVersion' IS NOT NULL + THEN name || ' encrypted at rest with CMK.' + ELSE name || ' not encrypted at rest with CMK.' + END AS reason, + kv.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kusto_cluster AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/DataExplorer + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/DataExplorer diff --git a/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml b/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml index d4ca5f640..7ebf954d7 100644 --- a/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml +++ b/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml 
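Review bot: The three `key_vault_properties -> 'keyName' IS NOT NULL` checks use the jsonb `->` operator, so a key present with a JSON null (`"keyName": null`) is a jsonb `null` value rather than SQL NULL and passes, and an empty string passes too. The text operator makes the check meaningful: `NULLIF(key_vault_properties ->> 'keyName', '') IS NOT NULL`, likewise for `keyVaultUri`. Requiring `keyVersion` also deserves a second look: to my recollection Azure Data Explorer accepts an empty key version to track the latest version for auto-rotation (confirm against the current API), in which case a rotating-key cluster would be reported as `not encrypted at rest with CMK`. The closing `sub.subscription_id = kv.subscription_id` also lacks the terminating semicolon every sibling control uses.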
@@ -1,26 +1,27 @@ id: azure_kusto_cluster_sku_with_sla title: Kusto clusters should use SKU with an SLA +type: control description: This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kusto_cluster - definition: | - SELECT - kv.id AS resource, - kv.platform_integration_id AS platform_integration_id, - kv.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name IN ('Dev(No SLA)_Standard_E2a_v4', 'Dev(No SLA)_Standard_D11_v2') THEN 'alarm' - ELSE 'ok' - END AS status, - name || ' using ' || sku_name || ' SKU tier.' AS reason - FROM - azure_kusto_cluster AS kv, - azure_subscription AS sub - WHERE - sub.subscription_id = kv.subscription_id; + language: sql + primary_resource: azure_kusto_cluster + definition: | + SELECT + kv.id AS resource, + kv.platform_integration_id AS platform_integration_id, + kv.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name IN ('Dev(No SLA)_Standard_E2a_v4', 'Dev(No SLA)_Standard_D11_v2') THEN 'alarm' + ELSE 'ok' + END AS status, + name || ' using ' || sku_name || ' SKU tier.' AS reason + FROM + azure_kusto_cluster AS kv, + azure_subscription AS sub + WHERE + sub.subscription_id = kv.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml b/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml index 402547b99..511a508ec 100644 --- a/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml +++ b/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml 
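Review bot: The alarm is a deny-list of exactly two SKU names, `sku_name IN ('Dev(No SLA)_Standard_E2a_v4', 'Dev(No SLA)_Standard_D11_v2')`, so any other no-SLA dev SKU the service introduces passes as `ok` until someone edits the list. Matching the naming prefix is more durable: `WHEN sku_name LIKE 'Dev(No SLA)%' THEN 'alarm'`; if the table exposes the SKU tier, that would be the authoritative signal, but it is not visible here. A NULL `sku_name` also turns the whole reason into NULL — `COALESCE(sku_name, 'unknown')` keeps the message readable.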
@@ -1,33 +1,34 @@ id: azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public title: Log Analytics workspaces should block log ingestion and querying from public networks -description: Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. +type: control +description: "Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_analytics_workspace - definition: | - SELECT - w.id AS resource, - w.platform_integration_id AS platform_integration_id, - w.platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'Microsoft.OperationalInsights/workspaces' - AND public_network_access_for_ingestion = 'Enabled' - AND public_network_access_for_query = 'Enabled' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN type = 'Microsoft.OperationalInsights/workspaces' - AND public_network_access_for_ingestion = 'Enabled' - AND public_network_access_for_query = 'Enabled' - THEN w.name || ' workspace allows log ingestion and querying from public network.' - ELSE w.name || ' workspace does not allow log ingestion and querying from public network.' 
- END AS reason - FROM - azure_log_analytics_workspace AS w - LEFT JOIN azure_subscription sub ON sub.subscription_id = w.subscription_id; + language: sql + primary_resource: azure_log_analytics_workspace + definition: | + SELECT + w.id AS resource, + w.platform_integration_id AS platform_integration_id, + w.platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'Microsoft.OperationalInsights/workspaces' + AND public_network_access_for_ingestion = 'Enabled' + AND public_network_access_for_query = 'Enabled' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN type = 'Microsoft.OperationalInsights/workspaces' + AND public_network_access_for_ingestion = 'Enabled' + AND public_network_access_for_query = 'Enabled' + THEN w.name || ' workspace allows log ingestion and querying from public network.' + ELSE w.name || ' workspace does not allow log ingestion and querying from public network.' + END AS reason + FROM + azure_log_analytics_workspace AS w + LEFT JOIN azure_subscription sub ON sub.subscription_id = w.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml b/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml index 35bc902c6..dcc753f08 100644 --- a/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml +++ b/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml 
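Review bot: The status CASE is inverted relative to the control's intent: it returns `ok` when both `public_network_access_for_ingestion = 'Enabled'` and `public_network_access_for_query = 'Enabled'`, and the matching reason string literally says the workspace `allows log ingestion and querying from public network` — the condition the title says should be blocked. As written, private-link-only workspaces alarm and exposed ones pass. The `ok` branch should require both flags to be `Disabled`, with anything else (partial, NULL) alarming; the `LEFT JOIN azure_subscription` contributes no columns and can go, and `type` should be qualified as `w.type` in case the joined table carries the same column.

```yaml
    definition: |
      SELECT
        w.id AS resource,
        -- … unchanged: platform ids …
        CASE
          WHEN w.type = 'Microsoft.OperationalInsights/workspaces'
            AND public_network_access_for_ingestion = 'Disabled'
            AND public_network_access_for_query = 'Disabled'
          THEN 'ok'
          ELSE 'alarm'
        END AS status,
        CASE
          WHEN w.type = 'Microsoft.OperationalInsights/workspaces'
            AND public_network_access_for_ingestion = 'Disabled'
            AND public_network_access_for_query = 'Disabled'
          THEN w.name || ' workspace does not allow log ingestion and querying from public network.'
          ELSE w.name || ' workspace allows log ingestion and querying from public network.'
        END AS reason
      -- … unchanged: FROM …
```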
@@ -1,30 +1,31 @@ id: azure_log_analytics_workspace_block_non_azure_ingestion title: Log Analytics Workspaces should block non-Azure Active Directory based ingestion +type: control description: Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_analytics_workspace - definition: | - SELECT - w.id AS resource, - w.platform_integration_id AS platform_integration_id, - w.platform_resource_id AS platform_resource_id, - CASE - WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN w.name || ' workspace allows non-Azure log ingestion.' - ELSE w.name || ' workspace does not allow non-Azure log ingestion.' - END AS reason - FROM - azure_log_analytics_workspace AS w - LEFT JOIN - azure_subscription sub - ON - sub.subscription_id = w.subscription_id; + language: sql + primary_resource: azure_log_analytics_workspace + definition: | + SELECT + w.id AS resource, + w.platform_integration_id AS platform_integration_id, + w.platform_resource_id AS platform_resource_id, + CASE + WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN w.name || ' workspace allows non-Azure log ingestion.' + ELSE w.name || ' workspace does not allow non-Azure log ingestion.' + END AS reason + FROM + azure_log_analytics_workspace AS w + LEFT JOIN + azure_subscription sub + ON + sub.subscription_id = w.subscription_id; severity: low tags: {} 
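Review bot: The status logic reads backwards: `disable_local_auth = 'true'` means local (non-Azure AD) authentication is switched off, which is exactly the state the title asks for, yet that branch returns `alarm` with the reason `allows non-Azure log ingestion`, while workspaces still accepting key-based ingestion get `ok`. A NULL `disable_local_auth` also lands in the `ok` branch. The compliant state should be the `ok` branch and everything else should alarm:

```yaml
        CASE
          WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN 'ok'
          ELSE 'alarm'
        END AS status,
        CASE
          WHEN type = 'Microsoft.OperationalInsights/workspaces' AND disable_local_auth = 'true' THEN w.name || ' workspace does not allow non-Azure log ingestion.'
          ELSE w.name || ' workspace allows non-Azure log ingestion.'
        END AS reason
      -- … unchanged: FROM / LEFT JOIN …
```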
diff --git a/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml b/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml index d41ce7b49..8cfce60d6 100644 --- a/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml +++ b/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml 
@@ -1,35 +1,36 @@ id: azure_log_profile_enabled_for_all_subscription title: Azure subscriptions should have a log profile for Activity Log +type: control description: This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH log_profiles AS ( - SELECT - subscription_id - FROM - azure_log_profile - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not collect activity logs.' - ELSE sub.display_name || ' collects activity logs.' - END AS reason - FROM - azure_subscription AS sub - LEFT JOIN log_profiles AS i ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH log_profiles AS ( + SELECT + subscription_id + FROM + azure_log_profile + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not collect activity logs.' + ELSE sub.display_name || ' collects activity logs.' + END AS reason + FROM + azure_subscription AS sub + LEFT JOIN log_profiles AS i ON i.subscription_id = sub.subscription_id; severity: low tags: {} 
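Review bot: The `log_profiles` CTE only proves that some row exists in `azure_log_profile` for the subscription; it does not check that the profile exports anything (a storage-account or event-hub destination, the activity-log categories, the locations it covers), so an empty or misconfigured profile is reported as `collects activity logs`. If the table exposes those attributes, filtering the CTE on them would make `ok` mean what the description promises; they are not visible in this hunk. Note also that log profiles are the legacy Activity Log export mechanism, so a subscription exporting through a subscription-level diagnostic setting instead will alarm here even though logs are collected — worth a caveat in the description if that is intended.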
diff --git a/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml index 230d12e7c..0363d91c6 100644 --- a/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml @@ -1,23 +1,24 @@ id: azure_logic_app_integration_service_environment_encrypted_with_cmk title: Logic Apps Integration Service Environment should be encrypted with customer-managed keys +type: control description: Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml b/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml index 4624e3c37..bcf8e5275 100644 --- a/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml +++ b/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml 
@@ -1,65 +1,66 @@ id: azure_logic_app_workflow_logging_enabled title: Resource logs in Logic Apps should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_logic_app_workflow - definition: | - WITH logging_details AS ( - SELECT - DISTINCT id AS workflow_id - FROM - azure_logic_app_workflow, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_logic_app_workflow + definition: | + WITH logging_details AS ( + SELECT + DISTINCT id AS workflow_id + FROM + azure_logic_app_workflow, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.workflow_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' - WHEN l.workflow_id IS NOT NULL THEN a.name || ' logging enabled.' - ELSE a.name || ' logging disabled.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_logic_app_workflow AS a - LEFT JOIN logging_details AS l ON a.id = l.workflow_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.workflow_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging disabled.' + WHEN l.workflow_id IS NOT NULL THEN a.name || ' logging enabled.' + ELSE a.name || ' logging disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_logic_app_workflow AS a + LEFT JOIN logging_details AS l ON a.id = l.workflow_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Logic + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Logic 
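Review bot: The two OR branches in `logging_details` together accept any log entry with `enabled = true` regardless of destination — branch one when retention is on with a `days` key, branch two when retention is off or the storage account is empty — so the retention conditions constrain almost nothing while reading as if they do. The predicate also has a NULL hole: when `retentionPolicy` is absent from the entry and `storageAccountId` is absent or non-empty (plausible for a Log Analytics destination, depending on how the collector serialises missing keys), `log -> 'retentionPolicy' ->> 'enabled' <> 'true'` is NULL, neither branch matches, and the workflow alarms as `logging disabled` although a category is enabled. Either state the intended policy explicitly or reduce the WHERE to what it effectively tests, with a comment: `-- any enabled log category counts as logging enabled` followed by `AND (log ->> 'enabled')::BOOLEAN`. The SELECT that consumes the CTE is unchanged apart from re-indentation.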
diff --git a/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml index 8c7306dc1..08a5c29eb 100644 --- a/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml 
@@ -1,35 +1,36 @@ id: azure_machine_learning_workspace_encrypted_with_cmk title: Azure Machine Learning workspaces should be encrypted with a customer-managed key +type: control description: Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_machine_learning_workspace - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'status' = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption ->> 'status' = 'Enabled' THEN c.name || ' encrypted with CMK.' - ELSE c.name || ' not encrypted with CMK.' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_machine_learning_workspace c, - azure_subscription sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_machine_learning_workspace + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'status' = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption ->> 'status' = 'Enabled' THEN c.name || ' encrypted with CMK.' + ELSE c.name || ' not encrypted with CMK.' 
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_machine_learning_workspace c,
+ azure_subscription sub
+ WHERE
+ sub.subscription_id = c.subscription_id;
 severity: medium
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/MachineLearning
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/MachineLearning
diff --git a/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml b/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml
index 02fa3c4be..e2d00663a 100644
--- a/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml
+++ b/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml
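Review bot: `encryption ->> 'status'` in both CASE expressions is the only unqualified column in a query that aliases two tables (`azure_machine_learning_workspace c` and `azure_subscription sub`); qualify it as `c.encryption ->> 'status'` so the column's origin is explicit and the statement cannot become ambiguous if the subscription table ever gains a column of that name. The comma join with the join predicate in WHERE would also read more clearly as `FROM azure_machine_learning_workspace AS c INNER JOIN azure_subscription AS sub ON sub.subscription_id = c.subscription_id`. A workspace whose `encryption` value is NULL makes the comparison NULL and falls through to `'alarm'`, which is presumably the intended fail-closed behaviour; a one-line comment such as `-- missing encryption block is treated as not CMK-encrypted` would record that so nobody "fixes" it later.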
@@ -1,23 +1,24 @@ id: azure_machine_learning_workspace_private_link_used title: Azure Machine Learning workspaces should use private link -description: 'Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.' +type: control +description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
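Review bot: The definition returns one `'info'` row per `azure_subscription` and the new side keeps `primary_resource: ""`, so findings for this control are attached to subscriptions rather than to the Machine Learning workspaces named in the title and description. If private-endpoint state is not collected, the placeholder could at least enumerate `azure_machine_learning_workspace` (the sibling CMK control in this diff reads that table) so each workspace carries the manual-verification status and a `resource_group` column like the neighbouring controls; I am inferring from the query alone that the endpoint data is unavailable. Either way a comment at the top of the definition, e.g. `-- placeholder: private endpoint connections are not collected, so this reports per subscription for manual review`, would tell the next maintainer why the control does not inspect the resource in its title.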
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml
index 1bb668989..6a6fe9d45 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_api_management_mandatory title: API Management services should have mandatory tags +type: control description: Check if API Management services have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_api_management - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_api_management - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_api_management + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_api_management + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml
index b928de8cb..7390893d5 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml
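Review bot: The new default `value: ""` for `azureMandatoryTags` is rendered into the definition as `''::text[]` whenever the parameter is not supplied, and in PostgreSQL an empty string is a malformed array literal, so the control would error instead of reporting unless the substitution layer rewrites empty values; either give the parameter a non-empty default or document in the YAML that it is required. The value is also spliced into a SQL string literal by template substitution (`'{{.azureMandatoryTags}}'`, twice in the `analysis` CTE) rather than bound, so a parameter value containing a single quote changes the statement text; the layer that renders these controls should validate the value against the expected `{tag,tag}` array-literal shape before substitution, and a comment such as `-- azureMandatoryTags must be a Postgres text[] literal, e.g. {Owner,Environment}` above the CTE would make the contract visible. The same parameter default and interpolation appear in every other `azure_mandatory_sql_resource_group_*` hunk in this chunk (app_service_environment through compute_image).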
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_app_service_environment_mandatory title: App Service environments should have mandatory tags +type: control description: Check if App Service environments have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_app_service_environment - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_app_service_environment - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_app_service_environment + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_app_service_environment + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml
index 992a9ef4c..e1456977c 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_app_service_function_app_mandatory title: App Service function apps should have mandatory tags +type: control description: Check if App Service function apps have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_app_service_function_app - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_app_service_function_app - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_app_service_function_app + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_app_service_function_app + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml
index 67e047d46..071eab6b5 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_app_service_plan_mandatory title: App Service plans should have mandatory tags +type: control description: Check if App Service plans have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_app_service_plan - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_app_service_plan - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_app_service_plan + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_app_service_plan + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml
index 583941e51..8b3ee7eb0 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_app_service_web_app_mandatory title: App Service web apps should have mandatory tags +type: control description: Check if App Service web apps have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_app_service_web_app - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_app_service_web_app - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_app_service_web_app + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_app_service_web_app + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml
index 6dfbddd9a..2dfc9f657 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_application_security_group_mandatory title: Application security groups should have mandatory tags +type: control description: Check if Application security groups have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_application_security_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_application_security_group - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_application_security_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_application_security_group + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml
index aa501b734..389e00c74 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_batch_account_mandatory title: Batch accounts should have mandatory tags +type: control description: Check if Batch accounts have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_batch_account - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_batch_account - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_batch_account + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_batch_account + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml
index 12d6eb29c..7e86227fc 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml
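Review bot: The `status` CASE in this Batch-account definition returns `'OK'` and `'ALARM'`, while every other `azure_mandatory_sql_resource_group_*` control in this diff and the CMK control above return lowercase `'ok'` / `'alarm'`; a consumer that matches status values case-sensitively would treat every Batch account result as an unknown state, so change the two literals to `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`. The reindent copies the uppercase values onto the new side unchanged, so the inconsistency survives this commit.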
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_compute_availability_set_mandatory title: Compute availability sets should have mandatory tags +type: control description: Check if Compute availability sets have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_compute_availability_set - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_compute_availability_set - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_compute_availability_set + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_compute_availability_set + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml
index d606c5a5e..05db93ee5 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory title: Compute disk encryption sets should have mandatory tags +type: control description: Check if Compute disk encryption sets have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_compute_disk_encryption_set - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_compute_disk_encryption_set - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_compute_disk_encryption_set + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_compute_disk_encryption_set + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml
index fc2854ced..cdaacbb9d 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_compute_disk_mandatory title: Compute disks should have mandatory tags +type: control description: Check if Compute disks have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_compute_disk - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_compute_disk - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_compute_disk + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_compute_disk + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml
index b8d62be87..f98fa81a0 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_compute_image_mandatory
 title: Compute images should have mandatory tags
+type: control
 description: Check if Compute images have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_image
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_compute_image
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_compute_image
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_compute_image
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml
index bf33aef07..2e7fcde79 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml
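Review bot: In the compute_image hunk above, `tags ?& '{{.azureMandatoryTags}}'::TEXT[]` matches tag keys case-sensitively and tests key presence only, so a resource tagged `Environment` is alarmed against a mandatory `environment` even though Azure treats tag names as case-insensitive, while a mandatory key carrying an empty value passes. If key case is not meant to matter, normalize both sides to one case before the `?&` comparison (for example by rebuilding `tags` from `jsonb_each(tags)` with lower-cased keys and lower-casing the parameter list the same way); if values must be populated, the check needs an additional non-empty test on each mandatory key. The same predicate is used verbatim in every other azure_mandatory hunk in this chunk. The hunk starts on the line above.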
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_compute_snapshot_mandatory
 title: Compute snapshots should have mandatory tags
+type: control
 description: Check if Compute snapshots have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_snapshot
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_compute_snapshot
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_compute_snapshot
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_compute_snapshot
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml
index bbdba2c5f..c7d5f2334 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory
 title: Compute virtual machines should have mandatory tags
+type: control
 description: Check if Compute virtual machines have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_compute_virtual_machine
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_compute_virtual_machine
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml
index e0ede0070..8c18d048d 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory
 title: Compute virtual machine scale sets should have mandatory tags
+type: control
 description: Check if Compute virtual machine scale sets have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_compute_virtual_machine_scale_set
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_compute_virtual_machine_scale_set
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml
index 6bf6cde59..0668423af 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_container_registry_mandatory
 title: Container registries should have mandatory tags
+type: control
 description: Check if Container registries have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_container_registry
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_container_registry
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_container_registry
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_container_registry
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml
index 1da78ffd1..109c0cf4e 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_cosmosdb_account_mandatory
 title: CosmosDB accounts should have mandatory tags
+type: control
 description: Check if CosmosDB accounts have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_cosmosdb_account
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_cosmosdb_account
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml
index 8fc74f35a..7b91b6a0b 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory
 title: CosmosDB mongo databases should have mandatory tags
+type: control
 description: Check if CosmosDB mongo databases have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_cosmosdb_mongo_database
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_cosmosdb_mongo_database
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_cosmosdb_mongo_database
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_cosmosdb_mongo_database
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml
index ff49cec85..564b0bef9 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory
 title: CosmosDB sql databases should have mandatory tags
+type: control
 description: Check if CosmosDB sql databases have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_cosmosdb_sql_database
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_cosmosdb_sql_database
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_cosmosdb_sql_database
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_cosmosdb_sql_database
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml
index d022879cd..e909db03d 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_data_factory_mandatory
 title: Data factories should have mandatory tags
+type: control
 description: Check if Data factories have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_data_factory
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_data_factory
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_data_factory
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_data_factory
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml
index bb4b14745..92497d2d3 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory
 title: Data lake analytics accounts should have mandatory tags
+type: control
 description: Check if Data lake analytics accounts have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_data_lake_analytics_account
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_data_lake_analytics_account
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_data_lake_analytics_account
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_data_lake_analytics_account
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml
index c03343e07..bdfad8869 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_data_lake_store_mandatory
 title: Data lake stores should have mandatory tags
+type: control
 description: Check if Data lake stores have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_data_lake_store
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_data_lake_store
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_data_lake_store
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_data_lake_store
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
index 3d07d0ed7..c67827a82 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_eventhub_namespace_mandatory
 title: Event Hub namespaces should have mandatory tags
+type: control
 description: Check if Event Hub namespaces have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_eventhub_namespace
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_eventhub_namespace
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_eventhub_namespace
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_eventhub_namespace
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
index 54226f415..f59ffde19 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_express_route_circuit_mandatory
 title: ExpressRoute circuits should have mandatory tags
+type: control
 description: Check if ExpressRoute circuits have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_express_route_circuit
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_express_route_circuit
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'OK'
- ELSE 'ALARM'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_express_route_circuit
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_express_route_circuit
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'OK'
+ ELSE 'ALARM'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
index 32cb02437..adc216f3d 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
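Review bot: The status values on the new side of this definition are `'OK'` and `'ALARM'`, while every sibling control in this series (eventhub_namespace, firewall, iothub, the key_vault_* files, kubernetes_cluster, lb, log_alert, log_profile, logic_app_workflow, mariadb_server) emits `'ok'` and `'alarm'`; the reindent carries the mismatch forward. If the platform compares `status` case-sensitively, findings from this one control would be dropped or miscounted in rollups, so the two lines should read `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`. The `TEXT[]`, `TO_JSONB` and `ARRAY_TO_STRING` casing also varies file to file across the series; settling on one casing would make these near-identical definitions diffable against each other.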
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_firewall_mandatory
 title: Firewalls should have mandatory tags
+type: control
 description: Check if Firewalls have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_firewall
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_firewall
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_firewall
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_firewall
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
index 386fc0f91..3318431be 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_iothub_mandatory
 title: IoT Hubs should have mandatory tags
+type: control
 description: Check if IoT Hubs have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_iothub
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_iothub
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_iothub
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_iothub
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
index b415c140f..bc89b4cab 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory
 title: Key vault deleted vaults should have mandatory tags
+type: control
 description: Check if Key vault deleted vaults have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_key_vault_deleted_vault
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_key_vault_deleted_vault
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_key_vault_deleted_vault
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_key_vault_deleted_vault
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
index a1b9e4999..628919f1d 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_key_vault_key_mandatory
 title: Key vault keys should have mandatory tags
+type: control
 description: Check if Key vault keys have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_key_vault_key
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_key_vault_key
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_key_vault_key
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_key_vault_key
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
index ee5384586..0db61e666 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory
 title: Key vault managed hardware security modules should have mandatory tags
+type: control
 description: Check if Key vault managed hardware security modules have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_key_vault_managed_hardware_security_module
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_key_vault_managed_hardware_security_module
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_key_vault_managed_hardware_security_module
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_key_vault_managed_hardware_security_module
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
index 2a7b7f428..b5cba6b48 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_key_vault_mandatory
 title: Key vaults should have mandatory tags
+type: control
 description: Check if Key vaults have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_key_vault
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_key_vault
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_key_vault
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_key_vault
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
index c473f566d..0edabddad 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_key_vault_secret_mandatory
 title: Key vault secrets should have mandatory tags
+type: control
 description: Check if Key vault secrets have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_key_vault_secret
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_key_vault_secret
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_key_vault_secret
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_key_vault_secret
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
index 70ef1a626..65fc7c456 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory
 title: Kubernetes clusters should have mandatory tags
+type: control
 description: Check if Kubernetes clusters have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_kubernetes_cluster
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_kubernetes_cluster
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
index 58e2bd1ff..ecac1994c 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_lb_mandatory
 title: Load balancers should have mandatory tags
+type: control
 description: Check if Load balancers have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_lb
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_lb
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_lb
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_lb
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
index e08e770a2..4ae148c35 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_log_alert_mandatory
 title: Log alerts should have mandatory tags
+type: control
 description: Check if Log alerts have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_log_alert
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_log_alert
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_log_alert
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_log_alert
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
index 5f6edcb1f..8d586288a 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_log_profile_mandatory
 title: Log profiles should have mandatory tags
+type: control
 description: Check if Log profiles have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_log_profile
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
- TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_log_profile
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_log_profile
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags,
+ TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_log_profile
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
index 7d5755328..8479591c4 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
@@ -1,42 +1,44 @@
 id: azure_mandatory_sql_resource_group_logic_app_workflow_mandatory
 title: Logic app workflows should have mandatory tags
+type: control
 description: Check if Logic app workflows have mandatory tags.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureMandatoryTags
+- key: azureMandatoryTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_logic_app_workflow
- definition: |
- WITH analysis AS (
- SELECT
- platform_integration_id,
- platform_resource_id,
- id,
- title,
- tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
- to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
- resource_group,
- subscription_id
- FROM
- azure_logic_app_workflow
- )
- SELECT
- platform_integration_id,
- platform_resource_id,
- id AS resource,
- CASE
- WHEN has_mandatory_tags THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
- ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
- END AS reason,
- resource_group,
- subscription_id
- FROM
- analysis;
+ language: sql
+ primary_resource: azure_logic_app_workflow
+ definition: |
+ WITH analysis AS (
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id,
+ title,
+ tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags,
+ to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags,
+ resource_group,
+ subscription_id
+ FROM
+ azure_logic_app_workflow
+ )
+ SELECT
+ platform_integration_id,
+ platform_resource_id,
+ id AS resource,
+ CASE
+ WHEN has_mandatory_tags THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN has_mandatory_tags THEN title || ' has all mandatory tags.'
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.'
+ END AS reason,
+ resource_group,
+ subscription_id
+ FROM
+ analysis;
 severity: high
 tags: {}
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
index 72fa42c87..5d05bb96c 100644
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_mariadb_server_mandatory title: MariaDB servers should have mandatory tags +type: control description: Check if MariaDB servers have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_mariadb_server - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_mariadb_server - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_mariadb_server + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_mariadb_server + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml index b61a0d595..c3bf04db2 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory title: Microsoft SQL elasticpools should have mandatory tags +type: control description: Check if Microsoft SQL elasticpools have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_mssql_elasticpool - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_mssql_elasticpool - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_mssql_elasticpool + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_mssql_elasticpool + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml index 3e9fb4a2b..8fce80b8e 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory title: Microsoft SQL managed instances should have mandatory tags +type: control description: Check if Microsoft SQL managed instances have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_mssql_managed_instance - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_mssql_managed_instance - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_mssql_managed_instance + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_mssql_managed_instance + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml index 109c20e42..048fac45b 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_mysql_server_mandatory title: MySQL servers should have mandatory tags +type: control description: Check if MySQL servers have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_mysql_server - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_mysql_server - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_mysql_server + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_mysql_server + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml index ef874e567..98256d938 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_network_interface_mandatory title: Network interfaces should have mandatory tags +type: control description: Check if Network interfaces have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_network_interface - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_network_interface - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_network_interface + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_network_interface + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml index dc7ccd86c..a5f98e4d4 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_network_security_group_mandatory title: Network security groups should have mandatory tags +type: control description: Check if Network security groups have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_network_security_group - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_network_security_group + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_network_security_group + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml index fb262eee6..415d39d63 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory title: Network watcher flow logs should have mandatory tags +type: control description: Check if Network watcher flow logs have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_network_watcher_flow_log - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_network_watcher_flow_log - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_network_watcher_flow_log + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_network_watcher_flow_log + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml index daff6b50d..6b5e70b8d 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_network_watcher_mandatory title: Network watchers should have mandatory tags +type: control description: Check if Network watchers have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_network_watcher - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_network_watcher - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_network_watcher + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_network_watcher + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml index 0e3a557e8..809f3d9c7 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_postgresql_server_mandatory title: PostgreSQL servers should have mandatory tags +type: control description: Check if PostgreSQL servers have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_postgresql_server - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_postgresql_server + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_postgresql_server + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml index e2bbb4524..696d684c4 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_public_ip_mandatory title: Public IPs should have mandatory tags +type: control description: Check if Public ips have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_public_ip - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_public_ip - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_public_ip + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_public_ip + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml index 60164c7a1..4681d3464 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml 
@@ -1,48 +1,50 @@ id: azure_mandatory_sql_resource_group_recovery_services_vault_mandatory title: Recovery services vaults should have mandatory tags +type: control description: Check if Recovery services vaults have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY( - SELECT jsonb_object_keys(tags) - ) AS missing_tags, - resource_group, - subscription_id - FROM - azure_recovery_services_vault - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string( - ARRAY( - SELECT jsonb_array_elements_text(missing_tags) - ), ', ' - ) || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_recovery_services_vault + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY( + SELECT jsonb_object_keys(tags) + ) AS missing_tags, + resource_group, + subscription_id + FROM + azure_recovery_services_vault + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || array_to_string( + ARRAY( + SELECT jsonb_array_elements_text(missing_tags) + ), ', ' + ) || '.' + END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml index 441188964..c6e76e72f 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_redis_cache_mandatory title: Redis caches should have mandatory tags +type: control description: Check if Redis caches have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_redis_cache - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_redis_cache - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_redis_cache + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_redis_cache + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml index c605932a2..67074e2f2 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_route_table_mandatory title: Route tables should have mandatory tags +type: control description: Check if Route tables have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_route_table - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_route_table - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_route_table + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_route_table + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml index 9af60e11f..de75ff7c3 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml 
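Review bot: The status column in this definition still emits `'OK'` and `'ALARM'` while every other control in this change, including the redis_cache, search_service and sql_database hunks, emits `'ok'` and `'alarm'`; if status is matched case-sensitively downstream these rows will count as neither ok nor alarm. The two CASE branches should read `WHEN has_mandatory_tags THEN 'ok'` and `ELSE 'alarm'`. The reindent preserved the inconsistency, so this is a pre-existing defect the commit does not address.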
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_search_service_mandatory title: Search services should have mandatory tags +type: control description: Check if Search services have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_search_service - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_search_service - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_search_service + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_search_service + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml index f4fa9bbea..821666f99 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_servicebus_namespace_mandatory title: Service Bus namespaces should have mandatory tags +type: control description: Check if Service Bus namespaces have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_servicebus_namespace - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_servicebus_namespace + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_servicebus_namespace + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml index 4acea8b8f..e8e302d78 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_sql_database_mandatory title: SQL databases should have mandatory tags +type: control description: Check if SQL databases have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_sql_database - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_sql_database - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_sql_database + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_sql_database + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml index ae0f2054d..533fdcf36 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_sql_server_mandatory title: SQL servers should have mandatory tags +type: control description: Check if SQL servers have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_sql_server - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_sql_server + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_sql_server + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml index 6f575165e..876c6138b 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_storage_account_mandatory title: Storage accounts should have mandatory tags +type: control description: Check if Storage accounts have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_storage_account - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_storage_account + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + to_jsonb('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_storage_account + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || array_to_string(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml index 71d212cb8..d7702262e 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml 
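Review bot: The function names `to_jsonb` and `array_to_string` are lowercase in this definition, whereas the surrounding keywords and the sibling tag controls (e.g. the redis_cache and sql_server hunks) use `TO_JSONB` and `ARRAY_TO_STRING`; the virtual_network hunk drifts the other way with `JSONB_OBJECT_KEYS` and `JSONB_ARRAY_ELEMENTS_TEXT` in uppercase where the others are lowercase. This is purely a style point, but since the change rewrites every line of these definitions anyway, settling on one casing across the ten tag controls is cheap now and harder later.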
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_stream_analytics_job_mandatory title: Stream Analytics jobs should have mandatory tags +type: control description: Check if Stream Analytics jobs have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_stream_analytics_job - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_stream_analytics_job - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_stream_analytics_job + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::text[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::text[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_stream_analytics_job + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml index dc30f45bd..09533a117 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml 
@@ -1,42 +1,44 @@ id: azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory title: Virtual network gateways should have mandatory tags +type: control description: Check if Virtual network gateways have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_virtual_network_gateway - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_virtual_network_gateway - ) - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_virtual_network_gateway + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT jsonb_object_keys(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_virtual_network_gateway + ) + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' 
+ ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT jsonb_array_elements_text(missing_tags)), ', ') || '.' + END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml index d3f9a9261..2dfc7a90e 100644 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml 
@@ -1,43 +1,45 @@ id: azure_mandatory_sql_resource_group_virtual_network_mandatory title: Virtual networks should have mandatory tags +type: control description: Check if Virtual networks have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags +- key: azureMandatoryTags + value: "" policy: - language: sql - primary_resource: azure_virtual_network - definition: | - WITH analysis AS ( - SELECT - platform_integration_id, - platform_resource_id, - id, - title, - tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, - TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, - resource_group, - subscription_id - FROM - azure_virtual_network - ) - - SELECT - platform_integration_id, - platform_resource_id, - id AS resource, - CASE - WHEN has_mandatory_tags THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' - ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' - END AS reason, - resource_group, - subscription_id - FROM - analysis; + language: sql + primary_resource: azure_virtual_network + definition: | + WITH analysis AS ( + SELECT + platform_integration_id, + platform_resource_id, + id, + title, + tags ?& '{{.azureMandatoryTags}}'::TEXT[] AS has_mandatory_tags, + TO_JSONB('{{.azureMandatoryTags}}'::TEXT[]) - ARRAY(SELECT JSONB_OBJECT_KEYS(tags)) AS missing_tags, + resource_group, + subscription_id + FROM + azure_virtual_network + ) + + SELECT + platform_integration_id, + platform_resource_id, + id AS resource, + CASE + WHEN has_mandatory_tags THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN has_mandatory_tags THEN title || ' has all mandatory tags.' + ELSE title || ' is missing tags: ' || ARRAY_TO_STRING(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(missing_tags)), ', ') || '.' 
+ END AS reason, + resource_group, + subscription_id + FROM + analysis; severity: high tags: {} diff --git a/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml index e28b5e9b9..776f5ef62 100644 --- a/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml @@ -1,11 +1,12 @@ id: azure_mandatory_sql_subscription_resource_group_mandatory title: Resource groups should have mandatory tags +type: control description: Check if Resource groups have mandatory tags. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureMandatoryTags - value: '["name","environment"]' +- key: azureMandatoryTags + value: "[\"name\",\"environment\"]" policy: language: sql primary_resource: azure_resource_group diff --git a/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml index 978621856..483224a2b 100644 --- a/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml 
@@ -1,38 +1,39 @@ id: azure_mariadb_server_geo_redundant_backup_enabled title: Geo-redundant backup should be enabled for Azure Database for MariaDB +type: control description: Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mariadb_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN s.geo_redundant_backup_enabled = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.geo_redundant_backup_enabled = 'Enabled' THEN s.title || ' geo-redundant backup enabled.' - ELSE s.title || ' geo-redundant backup disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mariadb_server AS s - JOIN - azure_subscription AS sub - ON - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mariadb_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN s.geo_redundant_backup_enabled = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.geo_redundant_backup_enabled = 'Enabled' THEN s.title || ' geo-redundant backup enabled.' + ELSE s.title || ' geo-redundant backup disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mariadb_server AS s + JOIN + azure_subscription AS sub + ON + sub.subscription_id = s.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MariaDB + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MariaDB diff --git a/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml index 98201db3d..f8dbad4ae 100644 --- a/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml 
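Review bot: The bare `JOIN azure_subscription AS sub` is an inner join, so a MariaDB server whose subscription row is absent from azure_subscription disappears from the result instead of being reported, which for a compliance control is a silent gap rather than a finding; the comma joins in the public_network_access and ssl_enabled hunks below have the same effect. If the platform does not require the subscription row, `LEFT JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id` keeps the server with a NULL subscription column; otherwise a comment stating that servers without a collected subscription are intentionally excluded would document the choice. Writing `INNER JOIN` explicitly would at least make the exclusion visible to the reader.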
@@ -1,35 +1,36 @@ id: azure_mariadb_server_public_network_access_disabled title: Public network access should be disabled for MariaDB servers +type: control description: Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mariadb_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mariadb_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mariadb_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mariadb_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MariaDB + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MariaDB diff --git a/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml b/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml index 7f9b6ba73..1c1879192 100644 --- a/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml 
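Review bot: The status CASE reports `'ok'` for every value of `public_network_access` other than `'Enabled'`, so a NULL or unrecognised value is classified as compliant — the control fails open, whereas the ssl_enabled hunk below fails closed by granting `'ok'` only on an explicit `'Enabled'`. Testing for the compliant value instead, `WHEN public_network_access = 'Disabled' THEN 'ok' ELSE 'alarm'`, with the reason text adjusted to match, reports unknown states as findings. Separately, `name` and `public_network_access` are unqualified in a two-table FROM; if azure_subscription also exposes a `name` column the query is ambiguous, so `s.name` and `s.public_network_access` would be safer, and the comma join reads better as an explicit `INNER JOIN ... ON`.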
@@ -1,29 +1,30 @@ id: azure_mariadb_server_ssl_enabled title: MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED' +type: control description: This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mariadb_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ssl_enforcement = 'Enabled' THEN name || ' SSL connection enabled.' - ELSE name || ' SSL connection disabled.' - END AS reason - FROM - azure_mariadb_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mariadb_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ssl_enforcement = 'Enabled' THEN name || ' SSL connection enabled.' + ELSE name || ' SSL connection disabled.' + END AS reason + FROM + azure_mariadb_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_monitor_application_insights_configured.yaml b/compliance/controls/azure/azure_monitor_application_insights_configured.yaml index 0a1f3c799..138a72345 100644 --- a/compliance/controls/azure/azure_monitor_application_insights_configured.yaml +++ b/compliance/controls/azure/azure_monitor_application_insights_configured.yaml 
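Review bot: This definition joins azure_subscription but never reads a column from it, so the comma join serves only as an implicit existence filter and, unlike the geo_redundant and public_network_access hunks above, the result carries no `resource_group` or `subscription` columns. Either project them as the siblings do, `s.resource_group AS resource_group, sub.display_name AS subscription`, or drop the join so the query's intent is visible; as written the join only silently excludes servers whose subscription row has not been collected. If the join is kept, `INNER JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id` states that more plainly than the comma form.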
@@ -1,55 +1,56 @@ id: azure_monitor_application_insights_configured title: Ensure Application Insights are Configured +type: control description: Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH application_insights AS ( - SELECT - subscription_id, - COUNT(*) AS no_application_insight - FROM - azure_application_insight - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' - ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription AS sub - LEFT JOIN application_insights AS i ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH application_insights AS ( + SELECT + subscription_id, + COUNT(*) AS no_application_insight + FROM + azure_application_insight + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have application insights configured.' + ELSE sub.display_name || ' has ' || no_application_insight || ' application insights configured.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription AS sub + LEFT JOIN application_insights AS i ON i.subscription_id = sub.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.3.1 - cis_level: - - '2' - cis_section_id: - - '5' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.3.1 + cis_level: + - "2" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml b/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml index 42a365abe..eef1fadd0 100644 --- a/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml +++ b/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml 
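Review bot: The CTE column `no_application_insight` holds `COUNT(*)` but reads as a negation ("no application insight"), which is confusing right next to the `i.subscription_id IS NULL` branch that really does mean none were found; renaming it to `application_insight_count` on the `COUNT(*) AS ...` line and in the reason expression would make the two cases read apart. A one-line comment above the CTE, e.g. `-- one row per subscription that has at least one Application Insights resource`, would also explain why the LEFT JOIN's NULL side is the alarm case.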
@@ -1,79 +1,80 @@ id: azure_monitor_diagnostic_settings_captures_proper_categories title: Ensure Diagnostic Setting captures appropriate categories +type: control description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_diagnostic_setting - definition: | - WITH enabled_settings AS ( - SELECT - name, - id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - resource_group, - subscription_id, - COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_category_count, - STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' - AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') - ) AS valid_categories - FROM - azure_diagnostic_setting, - jsonb_array_elements(logs) AS l - GROUP BY - name, - id, - platform_integration_id, - platform_resource_id, - _ctx, - resource_group, - subscription_id - ) - SELECT - sett.id AS resource, - sett.platform_integration_id AS platform_integration_id, - sett.platform_resource_id AS platform_resource_id, - CASE - WHEN valid_category_count = 4 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN valid_category_count = 4 - THEN name || ' logs enabled for required categories administrative, security, alert and policy.' - WHEN valid_category_count > 0 - THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' 
- ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' - END AS reason, - sett.resource_group AS resource_group, - sub.display_name AS subscription - FROM - enabled_settings sett, - azure_subscription sub - WHERE - sub.subscription_id = sett.subscription_id; + language: sql + primary_resource: azure_diagnostic_setting + definition: | + WITH enabled_settings AS ( + SELECT + name, + id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + resource_group, + subscription_id, + COUNT(*) FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_category_count, + STRING_AGG(l ->> 'category', ', ') FILTER (WHERE l ->> 'enabled' = 'true' + AND l ->> 'category' IN ('Administrative', 'Security', 'Alert', 'Policy') + ) AS valid_categories + FROM + azure_diagnostic_setting, + jsonb_array_elements(logs) AS l + GROUP BY + name, + id, + platform_integration_id, + platform_resource_id, + _ctx, + resource_group, + subscription_id + ) + SELECT + sett.id AS resource, + sett.platform_integration_id AS platform_integration_id, + sett.platform_resource_id AS platform_resource_id, + CASE + WHEN valid_category_count = 4 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN valid_category_count = 4 + THEN name || ' logs enabled for required categories administrative, security, alert and policy.' + WHEN valid_category_count > 0 + THEN sett.name || ' logs enabled for ' || valid_categories || ' categories.' + ELSE sett.name || ' logs not enabled for categories administrative, security, alert and policy.' 
+ END AS reason, + sett.resource_group AS resource_group, + sub.display_name AS subscription + FROM + enabled_settings sett, + azure_subscription sub + WHERE + sub.subscription_id = sett.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.1.2 - cis_level: - - '1' - cis_section_id: - - '5.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.1.2 + cis_level: + - "1" + cis_section_id: + - "5.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml index d651c0a1c..fded83919 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml 
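Review bot: The first `THEN` branch of the reason `CASE` uses a bare `name ||` while every other branch qualifies it as `sett.name`; with `enabled_settings` and `azure_subscription` both in the `FROM` list this is the one place a future column addition on the subscription table would turn into an ambiguous-column error, so it should read `THEN sett.name || ' logs enabled for required categories administrative, security, alert and policy.'`. The CTE also selects and groups by `_ctx`, which nothing downstream reads, and the outer query joins the two relations with a comma join plus a `WHERE` equality; an explicit `FROM enabled_settings AS sett INNER JOIN azure_subscription AS sub ON sub.subscription_id = sett.subscription_id` states the intent and cannot silently become a cross join if the `WHERE` line is edited. The commit only re-indents the file and adds `type: control`, so these are carried over from the old side.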
@@ -1,73 +1,74 @@ id: azure_monitor_log_alert_create_policy_assignment title: Ensure that Activity Log Alert exists for Create Policy Assignment +type: control description: Create an activity log alert for the Create Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.platform_integration_id AS platform_integration_id, - alert.platform_resource_id AS platform_resource_id, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' - ELSE 'Activity log alert does not exist for create policy assignment event.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.platform_integration_id AS platform_integration_id, + alert.platform_resource_id AS platform_resource_id, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create policy assignment event.' + ELSE 'Activity log alert does not exist for create policy assignment event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.1 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.1 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml index f08f56029..ef8dd3fbf 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml 
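Review bot: The `LIMIT 1` closing the `alert_rule` CTE caps the whole CTE at a single row across every subscription the `azure_log_alert` table covers, so if the integration spans several subscriptions that each carry a compliant alert, only one of them (picked non-deterministically, there is no `ORDER BY`) is reported `ok` and the rest fall through to `alarm`. The outer query already groups by subscription and tests `COUNT(a.subscription_id) > 0`, so several matching alerts per subscription are harmless and the `LIMIT 1` line can simply be removed. If the platform always scopes the table to one subscription per run this is benign today, but the control should not depend on that. The commit only re-indents the file and adds `type: control`, so the defect is inherited from the old side.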
@@ -1,81 +1,82 @@ id: azure_monitor_log_alert_create_update_nsg title: Ensure that Activity Log Alert exists for Create or Update Network Security Group +type: control description: Create an Activity Log Alert for the Create or Update Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + 
AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.subscription_id, - sub.platform_integration_id, - sub.platform_resource_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.subscription_id, + sub.platform_integration_id, + sub.platform_resource_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.3 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.3 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml index 9fb7c1755..c1c360362 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml 
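Review bot: `LIMIT 1` inside the `alert_rule` CTE returns at most one alert row in total, not one per subscription, so on a connection covering more than one subscription every subscription except the one that happens to be picked is reported `alarm` even when it has its own NSG write alert. Deleting the `LIMIT 1` line is sufficient because the outer `GROUP BY sub.subscription_id` with `COUNT(a.subscription_id) > 0` already tolerates several matching alerts per subscription. The two `OR` branches are otherwise fine: the second accepts an alert that filters only on category and resource type, which is a superset of the first. This is pre-existing logic the re-indentation commit carries forward unchanged.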
@@ -1,81 +1,82 @@ id: azure_monitor_log_alert_create_update_nsg_rule title: Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule +type: control description: Create an activity log alert for the Create or Update Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", 
"equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub._ctx, - sub.platform_integration_id, - sub.platform_resource_id, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for create or update Network Security Group Rule event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub._ctx, + sub.platform_integration_id, + sub.platform_resource_id, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.5 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.5 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml index 4ad012b29..63a32e357 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml 
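Review bot: As in the sibling NSG control, the `LIMIT 1` in the `alert_rule` CTE truncates the match set to one row for the whole table, so with multiple subscriptions in scope at most one of them can ever be `ok` for the security-rule write alert and the others raise spurious alarms. Remove the `LIMIT 1` line; the outer aggregation (`GROUP BY sub.subscription_id`, `COUNT(a.subscription_id) > 0`) already copes with any number of matching alerts. The hunk covers the whole file, so there is no surrounding context this depends on.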
@@ -1,79 +1,80 @@ id: azure_monitor_log_alert_create_update_public_ip_address title: Ensure that Activity Log Alert exists for Create or Update Public IP Address rule +type: control description: Create an activity log alert for the Create or Update Public IP Addresses rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location ILIKE 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' - ) OR ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location ILIKE 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' + 
AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/write"}]' + ) OR ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Create or Update Public IP Address rule.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.9 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.9 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml index 1ac07578f..8a44ee36f 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml 
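Review bot: The `LIMIT 1` ending the `alert_rule` CTE limits the match to one row across all subscriptions rather than one per subscription, so in a multi-subscription integration only one subscription can be reported `ok` for the public-IP write alert; drop the `LIMIT 1` line, the outer `COUNT(a.subscription_id) > 0` per `sub.subscription_id` already handles several matches. Separately, this file tests `alert.location ILIKE 'Global'` while the sibling log-alert controls in this same commit use `alert.location = 'Global'`; whichever case the API actually returns, the controls should agree, and the case-insensitive form is the safer one to standardise on. Both points are carried over from the old side, the commit only re-indents and adds `type: control`.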
@@ -1,81 +1,82 @@ id: azure_monitor_log_alert_create_update_security_solution title: Ensure that Activity Log Alert exists for Create or Update Security Solution +type: control description: Create an activity log alert for the Create or Update Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' + AND alert.condition -> 
'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' - ELSE 'Activity log alert does not exists for create or update Security Solution event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create or update Security Solution event.' + ELSE 'Activity log alert does not exists for create or update Security Solution event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.7 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.7 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml index aac0402f8..e5a5b2932 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml 
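Review bot: The `LIMIT 1` in the `alert_rule` CTE again caps the result at one alert for the entire table, so only one subscription can pass this control when several are in scope, and which one is not deterministic without an `ORDER BY`; removing the `LIMIT 1` line fixes it because the outer `GROUP BY` with `COUNT(a.subscription_id) > 0` already handles multiple alerts per subscription. The failing reason text also has a grammar slip that reaches users: `ELSE 'Activity log alert does not exist for create or update Security Solution event.'` (currently "does not exists"). Both are pre-existing and untouched by this re-indentation commit.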
@@ -1,81 +1,82 @@ id: azure_monitor_log_alert_create_update_sql_servers_firewall_rule title: Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' - ) - OR ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": 
"microsoft.sql/servers/firewallrules"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' + ) + OR ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN count(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' - ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN count(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Create or Update SQL Server Firewall Rule.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.7 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.7 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml index be6a3890e..244b1e098 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml 
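Review bot: The `LIMIT 1` on the `alert_rule` CTE restricts the match to a single row across all subscriptions, so with more than one subscription in the integration only one can be marked `ok` for the SQL firewall-rule write alert and the others raise false alarms; delete the `LIMIT 1` line, since the outer `GROUP BY sub.subscription_id` and `COUNT(a.subscription_id) > 0` already accept any number of matches. As a style point, this file writes `count(a.subscription_id)` in lowercase where every sibling control in the commit uses `COUNT(...)`; aligning it keeps the keyword case consistent across the set. Both observations concern logic the re-indentation commit carries over unchanged.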
@@ -1,82 +1,83 @@ id: azure_monitor_log_alert_delete_nsg title: Ensure that Activity Log Alert exists for Delete Network Security Group +type: control description: Create an activity log alert for the Delete Network Security Group event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id, + jsonb_array_length(alert.condition -> 'allOf') + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": 
"resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' - ELSE 'Activity log alert does not exist for delete Network Security Group event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - platform_integration_id, - platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group event.' + ELSE 'Activity log alert does not exist for delete Network Security Group event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + platform_integration_id, + platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.4 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.4 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml index 7144baaa8..7c05a9c79 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml 
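Review bot: The `LIMIT 1` that closes the `alert_rule` CTE in the new `policy.definition` caps the CTE at one row across every subscription in `azure_log_alert`, so if the backing tables aggregate more than one subscription at most one of them can ever satisfy `COUNT(a.subscription_id) > 0` and every other subscription is reported as `alarm` even when it has a compliant alert. The outer `GROUP BY`/`COUNT` already tolerates several matching alerts per subscription, so the line can simply be deleted, or the CTE can become `SELECT DISTINCT alert.subscription_id` if one row per subscription is wanted. Because there is no `ORDER BY`, which subscription "wins" under the current `LIMIT` is planner-dependent and the control result can flip between runs. Separately, this file matches `alert.location = 'Global'` while the delete_security_solution control in the same change uses `ILIKE 'Global'`; whichever casing the collector returns, the two should agree or this one silently fails.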
@@ -1,81 +1,82 @@ id: azure_monitor_log_alert_delete_nsg_rule title: Ensure that Activity Log Alert exists for Delete Network Security Group Rule +type: control description: Create an activity log alert for the Delete Network Security Group Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field":"resourceType","equals":"microsoft.network/networksecuritygroups/securityrules"}]' - AND alert.condition -> 'allOf' @> '[{"field":"operationName","equals":"Microsoft.Network/networksecuritygroups/securityrules/delete"}]' - ) - OR - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field":"resourceType","equals":"microsoft.network/networksecuritygroups/securityrules"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> 
'[{"field":"resourceType","equals":"microsoft.network/networksecuritygroups/securityrules"}]' + AND alert.condition -> 'allOf' @> '[{"field":"operationName","equals":"Microsoft.Network/networksecuritygroups/securityrules/delete"}]' + ) + OR + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field":"resourceType","equals":"microsoft.network/networksecuritygroups/securityrules"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN count(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN count(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' - ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN count(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN count(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Network Security Group Rule event.' + ELSE 'Activity log alert does not exist for delete Network Security Group Rule event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.6 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.6 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml index 2c465a1f1..04d7f9706 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml 
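Review bot: `LIMIT 1` inside the `alert_rule` CTE (just before the `)` that precedes the outer `SELECT`) limits the whole CTE to a single row rather than one row per subscription, so in a multi-subscription dataset only one subscription can be joined and scored `ok`; the rest fall through to `alarm` regardless of their alerts. Drop the `LIMIT 1` — the `COUNT(a.subscription_id) > 0` aggregate per `sub.subscription_id` already handles duplicates — or use `SELECT DISTINCT alert.subscription_id` in the CTE. A smaller observation: the `@>` containment tests compare `resourceType`/`operationName` as exact strings (`microsoft.network/networksecuritygroups/securityrules` lower-case, `Microsoft.Network/networksecuritygroups/securityrules/delete` mixed-case), so if the collector normalises case differently for these two fields one branch will never match; worth confirming against a real alert row.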
@@ -1,71 +1,72 @@ id: azure_monitor_log_alert_delete_policy_assignment title: Ensure that Activity Log Alert exists for Delete Policy Assignment +type: control description: Create an activity log alert for the Delete Policy Assignment event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' - ELSE 'Activity log alert does not exist for delete policy assignment event.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete policy assignment event.' + ELSE 'Activity log alert does not exist for delete policy assignment event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.2 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.2 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml index df1634579..b00628604 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml 
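Review bot: The `LIMIT 1` at the end of the `alert_rule` CTE makes this control correct only for a single subscription: the CTE returns one row in total, so the `LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id` can match at most one subscription and all others get `alarm` even with a valid alert. Remove `LIMIT 1`; the outer `GROUP BY ... sub.subscription_id` with `COUNT(a.subscription_id) > 0` is already tolerant of several matching alerts. Unlike the NSG and public-IP controls in this same change, this CTE has no fallback branch for an alert that filters only on `category` plus `resourceType` (the `jsonb_array_length(alert.condition -> 'allOf') = 2` pattern), so a broader "all policyAssignments operations" alert is reported as missing; if that is intentional a one-line comment in the definition saying the operationName filter is required would save the next reader a comparison.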
@@ -1,80 +1,81 @@ id: azure_monitor_log_alert_delete_public_ip_address title: Ensure that Activity Log Alert exists for Delete Public IP Address rule +type: control description: Create an activity log alert for the Delete Public IP Address rule. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]' - ) - OR ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND alert.condition -> 'allOf' @> 
'[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]' + ) + OR ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' - ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete Public IP Address rule.' + ELSE 'Activity Log Alert does not exist for Delete Public IP Address rule.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.10 - cis_level: - - '1' - cis_section_id: - - '5' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.10 + cis_level: + - "1" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml index 8f4ae9c5b..21e1b4040 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml 
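Review bot: `LIMIT 1` inside the `alert_rule` CTE caps the result at one row across all subscriptions, so when `azure_log_alert` holds alerts for several subscriptions only one of them can reach `COUNT(a.subscription_id) > 0`; every other subscription is reported as `alarm` with "Activity Log Alert does not exist for Delete Public IP Address rule." even when it has one. The outer aggregate already copes with multiple matching alerts per subscription, so delete the `LIMIT 1` line, or change the CTE head to `SELECT DISTINCT alert.subscription_id`. Also in the tags, `cis_section_id: "5"` differs from the `"5.2"` used by the sibling 5.2.x controls in this change; presumably it should be `"5.2"` as well.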
@@ -1,74 +1,75 @@ id: azure_monitor_log_alert_delete_security_solution title: Ensure that Activity Log Alert exists for Delete Security Solution +type: control description: Create an activity log alert for the Delete Security Solution event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location ILIKE 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' - ) - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location ILIKE 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + ( + alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]' + ) ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' 
- ELSE 'Activity log alert does not exist for delete Security Solution event.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for delete Security Solution event.' + ELSE 'Activity log alert does not exist for delete Security Solution event.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.8 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.8 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml index 287a5b503..ac47e8a0e 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml 
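Review bot: The `LIMIT 1` that ends the `alert_rule` CTE means the CTE yields one row in total, not one per subscription, so in an aggregated multi-subscription table only a single subscription can be scored `ok` and all others are flagged `alarm` for a missing Security Solution delete alert they may actually have. Delete `LIMIT 1`; the `GROUP BY`/`COUNT(a.subscription_id) > 0` in the outer query already handles several matching alerts per subscription. Without an `ORDER BY` the surviving row is also arbitrary, so the control's output is non-deterministic across runs. This control uses `alert.location ILIKE 'Global'` while most of the sibling files in this change use `= 'Global'`; if `ILIKE` was added because the collector returns `global`, the others need the same treatment.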
@@ -1,72 +1,73 @@ id: azure_monitor_log_alert_delete_sql_servers_firewall_rule title: Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the 'Delete SQL Server Firewall Rule.' integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location ILIKE 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]' - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location ILIKE 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND ( + alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]' ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' 
- ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' + ELSE 'Activity Log Alert does not exist for Delete SQL Server Firewall Rule.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.8 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.8 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml b/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml index c8f2b58fd..59cde4f28 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml 
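Review bot: `LIMIT 1` inside the `alert_rule` CTE restricts it to one row across every subscription, so the `LEFT JOIN ... ON sub.subscription_id = a.subscription_id` can succeed for at most one subscription and any other subscription with a valid Delete SQL Server Firewall Rule alert is still reported as `alarm`. The per-subscription `COUNT(a.subscription_id) > 0` aggregate already tolerates multiple alerts, so the fix is to remove the `LIMIT 1` line, or to make the CTE `SELECT DISTINCT alert.subscription_id`. With no `ORDER BY`, which subscription keeps the single row is planner-dependent, so results can change between scans.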
@@ -1,67 +1,68 @@ id: azure_monitor_log_alert_for_administrative_operations title: An activity log alert should exist for specific Administrative operations +type: control description: This policy audits specific Administrative operations with no activity log alerts configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND ( - alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/write"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/delete"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": 
"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write"}]' - OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"}]' - ) - LIMIT 1 + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND ( + alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/write"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/delete"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write"}]' + OR alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": 
"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"}]' ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for administrative operations.' - ELSE 'Activity log alert does not exists for administrative operations.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for administrative operations.' + ELSE 'Activity log alert does not exists for administrative operations.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Monitor + hipaa_hitrust_v92: + - "true" + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml index f24fcbb00..e6dd2b538 100644 --- a/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml 
@@ -1,71 +1,72 @@ id: azure_monitor_log_alert_sql_firewall_rule title: Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule +type: control description: Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH alert_rule AS ( - SELECT - alert.id AS alert_id, - alert.name AS alert_name, - alert.enabled, - alert.location, - alert.subscription_id - FROM - azure_log_alert AS alert, - jsonb_array_elements_text(scopes) AS sc - WHERE - alert.location = 'Global' - AND alert.enabled - AND sc = '/subscriptions/' || alert.subscription_id - AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' - AND jsonb_array_length(alert.condition -> 'allOf') = 2 - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' - ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id - GROUP BY - sub.platform_integration_id, - sub.platform_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH alert_rule AS ( + SELECT + alert.id AS alert_id, + alert.name AS alert_name, + alert.enabled, + alert.location, + alert.subscription_id + FROM + azure_log_alert AS alert, + jsonb_array_elements_text(scopes) AS sc + WHERE + alert.location = 'Global' + AND alert.enabled + AND sc = '/subscriptions/' || alert.subscription_id + AND alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' + AND alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' + AND jsonb_array_length(alert.condition -> 'allOf') = 2 + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN COUNT(a.subscription_id) > 0 THEN 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' + ELSE 'Activity log alert does not exist for create, update and delete SQL Server Firewall Rule event.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN alert_rule a ON sub.subscription_id = a.subscription_id + GROUP BY + sub.platform_integration_id, + sub.platform_resource_id, + sub._ctx, + sub.subscription_id, + sub.display_name severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.2.9 - cis_level: - - '1' - cis_section_id: - - '5.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.2.9 + cis_level: + - "1" + cis_section_id: + - "5.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml b/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml index 0369bf7ba..e48f5b7f0 100644 --- a/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml +++ b/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml 
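Review bot: `LIMIT 1` inside the `alert_rule` CTE caps the whole CTE at one alert across every subscription, so in a multi-subscription integration only the subscription that owns the first returned row can reach 'ok' and every other subscription is reported as 'alarm' even when it has a matching alert. The outer `COUNT(a.subscription_id) > 0` already tolerates duplicate rows produced by `jsonb_array_elements_text`, so the cap is not needed; dropping the `LIMIT 1` line (or selecting `DISTINCT alert.subscription_id` in the CTE) makes the check per-subscription. The preceding administrative-operations alert control in this diff uses the same CTE shape and has the same problem.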
@@ -1,23 +1,24 @@ id: azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account title: Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption +type: control description: Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml index 420e69207..d245cfc75 100644 --- a/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml 
@@ -1,23 +1,24 @@ id: azure_monitor_log_cluster_encrypted_with_cmk title: Azure Monitor Logs clusters should be encrypted with customer-managed key +type: control description: Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml index 6460af9c8..c41129390 100644 --- a/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml 
@@ -1,23 +1,24 @@ id: azure_monitor_log_cluster_infrastructure_encryption_enabled title: Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) -description: To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. +type: control +description: "To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml index 00a062dbf..49c62c32e 100644 
--- a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml 
@@ -1,34 +1,35 @@ id: azure_monitor_log_profile_enabled_for_all_categories title: Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' +type: control description: This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_profile - definition: | - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.categories @> '["Write", "Action", "Delete"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.categories @> '["Write", "Action", "Delete"]' - THEN p.name || ' collects logs for categories write, delete and action' - ELSE p.name || ' does not collects logs for all categories.' - END AS reason, - p.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_log_profile AS p - LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; + language: sql + primary_resource: azure_log_profile + definition: | + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.categories @> '["Write", "Action", "Delete"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.categories @> '["Write", "Action", "Delete"]' + THEN p.name || ' collects logs for categories write, delete and action' + ELSE p.name || ' does not collects logs for all categories.' + END AS reason, + p.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_log_profile AS p + LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Monitor + hipaa_hitrust_v92: + - "true" + service: + - Azure/Monitor 
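Review bot: The alarm reason on the new side reads `' does not collects logs for all categories.'`, and the ok reason has no terminating period while the sibling controls end theirs with one; suggest `THEN p.name || ' collects logs for categories write, delete and action.'` and `ELSE p.name || ' does not collect logs for all categories.'`. Only the reason strings change; the `@>` containment test is unaffected.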
diff --git a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml index acc8df9f0..9872e89b0 100644 --- a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml 
@@ -1,33 +1,34 @@ id: azure_monitor_log_profile_enabled_for_all_regions title: Azure Monitor should collect activity logs from all regions +type: control description: This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_profile - definition: | - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth", "germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth", "germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", 
"westeurope", "westindia", "westus", "westus2", "westus3"]' THEN p.name || ' collect activity logs from all regions.' - ELSE p.name || ' not collect activity logs from all regions.' - END AS reason, - p.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_log_profile AS p - LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; + language: sql + primary_resource: azure_log_profile + definition: | + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth", "germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth", "germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", 
"westeurope", "westindia", "westus", "westus2", "westus3"]' THEN p.name || ' collect activity logs from all regions.' + ELSE p.name || ' not collect activity logs from all regions.' + END AS reason, + p.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_log_profile AS p + LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Monitor + hipaa_hitrust_v92: + - "true" + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml b/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml index 2246cfe48..d6b34767e 100644 --- a/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml 
@@ -1,28 +1,29 @@ id: azure_monitor_log_profile_retention_365_days title: Monitor log profiles should have retention set to 365 days or greater +type: control description: This control is non-compliant if Monitor log profile retention is set to less than 365 days. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_log_profile - definition: | - SELECT - p.id AS resource, - p.platform_integration_id AS platform_integration_id, - p.platform_resource_id AS platform_resource_id, - CASE - WHEN p.retention_policy ->> 'enabled' = 'false' THEN 'alarm' - WHEN p.retention_policy ->> 'enabled' = 'true' AND (p.retention_policy ->> 'days')::int >= 365 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.retention_policy ->> 'enabled' = 'false' THEN p.name || ' retention policy disabled.' - ELSE p.name || ' retention is set to ' || (p.retention_policy ->> 'days') || ' day(s).' - END AS reason - FROM - azure_log_profile AS p - LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; + language: sql + primary_resource: azure_log_profile + definition: | + SELECT + p.id AS resource, + p.platform_integration_id AS platform_integration_id, + p.platform_resource_id AS platform_resource_id, + CASE + WHEN p.retention_policy ->> 'enabled' = 'false' THEN 'alarm' + WHEN p.retention_policy ->> 'enabled' = 'true' AND (p.retention_policy ->> 'days')::int >= 365 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.retention_policy ->> 'enabled' = 'false' THEN p.name || ' retention policy disabled.' + ELSE p.name || ' retention is set to ' || (p.retention_policy ->> 'days') || ' day(s).' + END AS reason + FROM + azure_log_profile AS p + LEFT JOIN azure_subscription sub ON sub.subscription_id = p.subscription_id; severity: low tags: {} 
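Review bot: When `retention_policy ->> 'days'` is absent the alarm branch's reason becomes NULL, because `p.name || ' retention is set to ' || NULL || ' day(s).'` propagates the NULL through `||`; wrapping it as `COALESCE(p.retention_policy ->> 'days', 'unknown')` keeps the finding text readable. The `LEFT JOIN azure_subscription sub` is not used by any selected column, whereas the sibling log-profile controls in this diff return `p.resource_group AS resource_group` and `sub.display_name AS subscription`; either add those columns or drop the join. If the retention policy uses a `days` value of 0 to mean indefinite retention (worth confirming against the Azure Monitor API documentation), the `>= 365` test would wrongly flag that configuration as alarm.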
diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml index 78b46027d..9e0bbbaef 100644 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml 
@@ -1,53 +1,54 @@ id: azure_monitor_logs_storage_container_encryptes_with_byok title: Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key) +type: control description: The storage account with the activity log export container is configured to use BYOK (Use Your Own Key). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.encryption_key_source = 'Microsoft.Keyvault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.encryption_key_source = 'Microsoft.Keyvault' - THEN a.name || ' container insights-operational-logs encrypted with BYOK.' - ELSE a.name || ' container insights-operational-logs not encrypted with BYOK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_container c, - azure_storage_account a, - azure_subscription sub - WHERE - c.name = 'insights-operational-logs' - AND c.account_name = a.name - AND sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.encryption_key_source = 'Microsoft.Keyvault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.encryption_key_source = 'Microsoft.Keyvault' + THEN a.name || ' container insights-operational-logs encrypted with BYOK.' + ELSE a.name || ' container insights-operational-logs not encrypted with BYOK.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_container c, + azure_storage_account a, + azure_subscription sub + WHERE + c.name = 'insights-operational-logs' + AND c.account_name = a.name + AND sub.subscription_id = a.subscription_id severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.1.4 - cis_level: - - '2' - cis_section_id: - - '5.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.1.4 + cis_level: + - "2" + cis_section_id: + - "5.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml index 9cee67aa3..00fabb4b6 100644 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml 
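Review bot: The title and description talk about the container holding activity logs, but the `WHERE` clause only matches `c.name = 'insights-operational-logs'` and the reason strings name that container, so a storage account that only has an `insights-activity-logs` container is never evaluated; the sibling public-access control in this diff uses `name LIKE 'insight%logs%'` to cover both. Either widen the filter (e.g. `c.name IN ('insights-activity-logs', 'insights-operational-logs')` and build the reason from `c.name`) or narrow the title to operational logs. The three-table comma join would also be clearer as explicit `INNER JOIN ... ON` clauses, matching the other controls in this diff.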
@@ -1,31 +1,32 @@ id: azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible title: Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible +type: control description: The storage account container containing the activity log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-activity-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-activity-logs storing activity logs not publicly accessible.' - END AS reason - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name = 'insights-activity-logs' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-activity-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-activity-logs storing activity logs not publicly accessible.' + END AS reason + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name = 'insights-activity-logs' + AND sub.subscription_id = sc.subscription_id; severity: low tags: {} 
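Review bot: `WHEN public_access != 'None' THEN 'alarm' ELSE 'ok'` reports 'ok' whenever `public_access` is NULL, because the comparison yields UNKNOWN and falls through to the ELSE branch, so a container whose access level could not be read passes silently. If NULL can occur, decide it explicitly, e.g. `WHEN public_access IS NULL THEN 'alarm'` (or 'info') ahead of the inequality, and qualify `public_access`, `name` and `account_name` with `sc.` since two tables are in scope. The `azure_subscription sub` join contributes no selected column here, unlike the `azure_monitor_logs_storage_container_not_public_accessible` control in this diff which returns `sub.display_name AS subscription`. The same NULL fall-through appears in the `insights_operational_logs_not_public_accessible` and `storage_container_not_public_accessible` hunks below.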
diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml index f355be673..4587b1b76 100644 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml 
@@ -1,31 +1,32 @@ id: azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible title: Ensure the storage container storing the operational logs is not publicly accessible +type: control description: The storage account container containing the operational log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' - END AS reason - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name = 'insights-operational-logs' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' + END AS reason + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name = 'insights-operational-logs' + AND sub.subscription_id = sc.subscription_id; severity: low tags: {} 
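Review bot: Both reason strings say `' container insights-operational-logs storing activity logs ...'` while the title and the `name = 'insights-operational-logs'` filter are about the operational-log container; suggest `storing operational logs` in both strings so the finding text matches what was checked. The NULL handling of `public_access` raised on the insights-activity-logs control above applies here unchanged.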
diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml index 5bd9f378e..864fb6f31 100644 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml 
@@ -1,51 +1,52 @@ id: azure_monitor_logs_storage_container_not_public_accessible title: Ensure the storage container storing the activity logs is not publicly accessible +type: control description: The storage account container containing the activity log export should not be publicly accessible. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - sc.id AS resource, - sc.platform_integration_id AS platform_integration_id, - sc.platform_resource_id AS platform_resource_id, - CASE - WHEN public_access != 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_access != 'None' - THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' - ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' - END AS reason, - sc.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_container sc, - azure_subscription sub - WHERE - name LIKE 'insight%logs%' - AND sub.subscription_id = sc.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + sc.id AS resource, + sc.platform_integration_id AS platform_integration_id, + sc.platform_resource_id AS platform_resource_id, + CASE + WHEN public_access != 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_access != 'None' + THEN account_name || ' container insights-operational-logs storing activity logs publicly accessible.' + ELSE account_name || ' container insights-operational-logs storing activity logs not publicly accessible.' 
+ END AS reason, + sc.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_container sc, + azure_subscription sub + WHERE + name LIKE 'insight%logs%' + AND sub.subscription_id = sc.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 5.1.3 - cis_level: - - '1' - cis_section_id: - - '5.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Monitor + category: + - Compliance + cis: + - "true" + cis_item_id: + - 5.1.3 + cis_level: + - "1" + cis_section_id: + - "5.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Monitor diff --git a/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml index 74097fc1f..e0bdb51fc 100644 --- a/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml 
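Review bot: The filter is `name LIKE 'insight%logs%'`, which matches more than one container, yet both reason strings hard-code `container insights-operational-logs`, so a finding on `insights-activity-logs` (or any other matching container) names the wrong container. Build the reason from the row instead: `THEN sc.account_name || ' container ' || sc.name || ' storing activity logs publicly accessible.'` and `ELSE sc.account_name || ' container ' || sc.name || ' storing activity logs not publicly accessible.'`. The pattern also matches any container whose name starts with `insight` and contains `logs`; if only the two Azure Monitor export containers are intended, an explicit `IN (...)` list is tighter and easier to audit.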
@@ -1,48 +1,49 @@ id: azure_mssql_managed_instance_encryption_at_rest_using_cmk title: SQL managed instances should use customer-managed keys to encrypt data at rest +type: control description: Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mssql_managed_instance - definition: | - WITH encryption_protector AS ( - SELECT - DISTINCT i.id AS id - FROM - azure_mssql_managed_instance AS i, - jsonb_array_elements(encryption_protectors) a - WHERE - a ->> 'serverKeyType' = 'AzureKeyVault' - AND a ->> 'uri' IS NOT NULL - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' - ELSE s.title || ' not encrypted with CMK.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mssql_managed_instance AS s - LEFT JOIN encryption_protector AS a ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id + language: sql + primary_resource: azure_mssql_managed_instance + definition: | + WITH encryption_protector AS ( + SELECT + DISTINCT i.id AS id + FROM + azure_mssql_managed_instance AS i, + jsonb_array_elements(encryption_protectors) a + WHERE + a ->> 'serverKeyType' = 'AzureKeyVault' + AND a ->> 'uri' IS NOT NULL + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' + ELSE s.title || ' not encrypted with CMK.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mssql_managed_instance AS s + LEFT JOIN encryption_protector AS a ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml b/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml index 896b59d3f..4788f4c0c 100644 --- a/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml +++ b/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml 
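Review bot: The `service` tag is `Azure/MySQL`, but the control's `primary_resource` is `azure_mssql_managed_instance` and the query reads from `azure_mssql_managed_instance`; the tag looks copied from a MySQL control and should name the SQL Managed Instance service (confirm the value used for that service elsewhere in the repository). The `FROM` clause mixes an explicit `LEFT JOIN encryption_protector` with a comma-joined `azure_subscription AS sub` whose condition sits in `WHERE`; writing it as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id` makes the join intent explicit. The `azure_mssql_managed_instance_vulnerability_assessment_enabled` hunk below has both the same tag and the same join shape.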
@@ -1,48 +1,49 @@ id: azure_mssql_managed_instance_vulnerability_assessment_enabled title: Vulnerability assessment should be enabled on SQL Managed Instance +type: control description: Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mssql_managed_instance - definition: | - WITH vulnerability_assessments AS ( - SELECT - DISTINCT i.id AS id - FROM - azure_mssql_managed_instance AS i, - jsonb_array_elements(vulnerability_assessments) a - WHERE - a -> 'recurringScans' ->> 'isEnabled' = 'true' - AND a ->> 'name' = 'Default' - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' vulnerability assessment enabled.' - ELSE s.title || ' vulnerability assessment disabled.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mssql_managed_instance AS s - LEFT JOIN vulnerability_assessments AS a ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mssql_managed_instance + definition: | + WITH vulnerability_assessments AS ( + SELECT + DISTINCT i.id AS id + FROM + azure_mssql_managed_instance AS i, + jsonb_array_elements(vulnerability_assessments) a + WHERE + a -> 'recurringScans' ->> 'isEnabled' = 'true' + AND a ->> 'name' = 'Default' + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' vulnerability assessment enabled.' + ELSE s.title || ' vulnerability assessment disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mssql_managed_instance AS s + LEFT JOIN vulnerability_assessments AS a ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml index 5f6eeae9e..827d788e4 100644 --- a/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml 
@@ -1,37 +1,38 @@ id: azure_mysql_db_server_geo_redundant_backup_enabled title: Geo-redundant backup should be enabled for Azure Database for MySQL +type: control description: Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN geo_redundant_backup = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN geo_redundant_backup = 'Enabled' THEN name || ' Geo-redundant backup enabled.' - ELSE name || ' Geo-redundant backup disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN geo_redundant_backup = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN geo_redundant_backup = 'Enabled' THEN name || ' Geo-redundant backup enabled.' + ELSE name || ' Geo-redundant backup disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml b/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml index 8c67dba9e..7ba2242c5 100644 --- a/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml 
@@ -1,51 +1,52 @@ id: azure_mysql_server_audit_logging_enabled title: Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server +type: control description: Enable audit logging on MySQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter audit_log_enabled off.' - ELSE s.name || ' server parameter audit_log_enabled on.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'audit_log_enabled' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter audit_log_enabled off.' + ELSE s.name || ' server parameter audit_log_enabled on.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'audit_log_enabled' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.4.3 - cis_level: - - '2' - cis_section_id: - - '4.4' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/MySQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.4.3 + cis_level: + - "2" + cis_section_id: + - "4.4" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml b/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml index e4ffa6732..17fbfc5e2 100644 --- a/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml +++ b/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml 
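Review bot: `WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm'` evaluates to UNKNOWN when the parameter value is NULL, so the CASE falls through to `'ok'` and a server with an unset `audit_log_enabled` value is reported compliant. Use `IS DISTINCT FROM 'on'` (or `COALESCE(LOWER(...), '') != 'on'`) in both CASE expressions so a missing value fails closed. Separately, because the `config ->> 'Name' = 'audit_log_enabled'` filter is applied to the unnested configuration rows, a server that has no such configuration entry at all is dropped from the result rather than flagged — worth confirming that is intended.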
@@ -1,51 +1,52 @@ id: azure_mysql_server_audit_logging_events_connection_set title: Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server +type: control description: Set audit_log_enabled to include CONNECTION on MySQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') = 'connection' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') = 'connection' THEN s.name || ' server parameter audit_log_events has connection set.' - ELSE s.name || ' server parameter audit_log_events connection not set.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'audit_log_events' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') = 'connection' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') = 'connection' THEN s.name || ' server parameter audit_log_events has connection set.' + ELSE s.name || ' server parameter audit_log_events connection not set.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'audit_log_events' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.4.4 - cis_level: - - '2' - cis_section_id: - - '4.4' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/MySQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.4.4 + cis_level: + - "2" + cis_section_id: + - "4.4" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml index d511284fb..5870c7fb2 100644 --- a/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml 
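Review bot: The check `LOWER(config -> 'ConfigurationProperties' ->> 'value') = 'connection'` only passes when CONNECTION is the sole configured event, whereas the title asks that `audit_log_events` "has 'CONNECTION' set"; if the parameter holds several comma-separated event types, a server with `CONNECTION,GENERAL` would be reported in alarm. A containment test such as `POSITION('connection' IN LOWER(config -> 'ConfigurationProperties' ->> 'value')) > 0` matches the stated intent. The description on the new side also says "Set audit_log_enabled to include CONNECTION", but the parameter being checked is `audit_log_events`; the description should name the parameter the query actually inspects.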
@@ -1,46 +1,47 @@ id: azure_mysql_server_encrypted_at_rest_using_cmk title: MySQL servers should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - WITH mysql_server_encrypted AS ( - SELECT - DISTINCT i.id AS id - FROM - azure_mysql_server AS i, - jsonb_array_elements(server_keys) a - WHERE - a ->> 'serverKeyType' = 'AzureKeyVault' - AND a ->> 'uri' IS NOT NULL - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' - ELSE s.title || ' not encrypted with CMK.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s - LEFT JOIN mysql_server_encrypted AS a ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + WITH mysql_server_encrypted AS ( + SELECT + DISTINCT i.id AS id + FROM + azure_mysql_server AS i, + jsonb_array_elements(server_keys) a + WHERE + a ->> 'serverKeyType' = 'AzureKeyVault' + AND a ->> 'uri' IS NOT NULL + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' + ELSE s.title || ' not encrypted with CMK.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s + LEFT JOIN mysql_server_encrypted AS a ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml index d4fc53f1b..b3e531d47 100644 --- a/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_mysql_server_infrastructure_encryption_enabled title: Infrastructure encryption should be enabled for Azure Database for MySQL servers +type: control description: Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN s.name || ' infrastructure encryption enabled.' - ELSE s.name || ' infrastructure encryption disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN s.name || ' infrastructure encryption enabled.' + ELSE s.name || ' infrastructure encryption disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml b/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml index 6ca3dd098..3a1bb4aa1 100644 --- a/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml +++ b/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml 
@@ -1,51 +1,52 @@ id: azure_mysql_server_min_tls_1_2 title: Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server +type: control description: Ensure TLS version on MySQL flexible servers is set to the default value. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' - WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimal_tls_version = 'TLSEnforcementDisabled' THEN s.name || ' TLS enforcement is disabled.' + WHEN minimal_tls_version = 'TLS1_2' THEN s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' + ELSE s.name || ' minimum TLS version set to ' || minimal_tls_version || '.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.4.2 - cis_level: - - '1' - cis_section_id: - - '4.4' - cis_type: - - automated - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/MySQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.4.2 + cis_level: + - "1" + cis_section_id: + - "4.4" + cis_type: + - automated + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_private_link_used.yaml b/compliance/controls/azure/azure_mysql_server_private_link_used.yaml index e10253088..26fb3a962 100644 --- a/compliance/controls/azure/azure_mysql_server_private_link_used.yaml +++ b/compliance/controls/azure/azure_mysql_server_private_link_used.yaml 
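Review bot: When `minimal_tls_version` is NULL the reason expression `s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'` collapses to NULL, so the row is in alarm (correctly, via ELSE) but carries an empty reason; wrap it as `COALESCE(minimal_tls_version, 'not set')`. The second `WHEN minimal_tls_version = 'TLS1_2'` branch of the reason CASE produces exactly the same text as the ELSE branch and can be dropped. The title refers to the MySQL flexible server while `primary_resource` is `azure_mysql_server`; if that table covers only the single-server offering, either the title or the resource needs adjusting.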
@@ -1,35 +1,36 @@ id: azure_mysql_server_private_link_used title: Private endpoint should be enabled for MySQL servers +type: control description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_tier = 'Basic' THEN 'skip' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server a, - azure_subscription sub; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_tier = 'Basic' THEN 'skip' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' 
+ ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server a, + azure_subscription sub; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml index 6a9a4c575..7a9359ccd 100644 --- a/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml 
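Review bot: `FROM azure_mysql_server a, azure_subscription sub;` has no join condition, so every server row is multiplied by every subscription visible to the integration and the `subscription` column carries the wrong display name for all but one of the copies. Every sibling control in this batch constrains the pair with `WHERE sub.subscription_id = s.subscription_id`; add `WHERE sub.subscription_id = a.subscription_id` here. The same unconstrained cross join against `azure_subscription` is present in azure_network_interface_ip_forwarding_disabled.yaml, where the `vm_using_nic` CTE already exposes `v.subscription_id` for exactly this purpose.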
@@ -1,35 +1,36 @@ id: azure_mysql_server_public_network_access_disabled title: Public network access should be disabled for MySQL servers +type: control description: Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/MySQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_mysql_ssl_enabled.yaml b/compliance/controls/azure/azure_mysql_ssl_enabled.yaml index 0ebc9e775..35a34ce0b 100644 --- a/compliance/controls/azure/azure_mysql_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_ssl_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_mysql_ssl_enabled title: Enforce SSL connection should be enabled for MySQL database servers +type: control description: Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' - ELSE s.name || ' SSL connection enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN s.name || ' SSL connection disabled.' + ELSE s.name || ' SSL connection enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.2 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/MySQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.2 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/MySQL diff --git a/compliance/controls/azure/azure_network_bastion_host_min_1.yaml b/compliance/controls/azure/azure_network_bastion_host_min_1.yaml index a1bb732ae..775cdca8f 100644 --- a/compliance/controls/azure/azure_network_bastion_host_min_1.yaml +++ b/compliance/controls/azure/azure_network_bastion_host_min_1.yaml 
@@ -1,62 +1,63 @@ id: azure_network_bastion_host_min_1 title: Ensure an Azure Bastion Host exists +type: control description: The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH bastion_hosts AS ( - SELECT - subscription_id, - _ctx, - region, - resource_group, - COUNT(*) AS no_bastion_host - FROM - azure_bastion_host - GROUP BY - subscription_id, - _ctx, - resource_group, - region - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN i.subscription_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' - ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' 
- END AS reason, - i.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_subscription AS sub - LEFT JOIN bastion_hosts AS i ON i.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH bastion_hosts AS ( + SELECT + subscription_id, + _ctx, + region, + resource_group, + COUNT(*) AS no_bastion_host + FROM + azure_bastion_host + GROUP BY + subscription_id, + _ctx, + resource_group, + region + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN i.subscription_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.subscription_id IS NULL THEN sub.display_name || ' does not have bastion host.' + ELSE sub.display_name || ' has ' || no_bastion_host || ' bastion host(s).' + END AS reason, + i.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_subscription AS sub + LEFT JOIN bastion_hosts AS i ON i.subscription_id = sub.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '7.1' - cis_level: - - '2' - cis_section_id: - - '7' - cis_type: - - automated - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Compute + category: + - Compliance + cis: + - "true" + cis_item_id: + - "7.1" + cis_level: + - "2" + cis_section_id: + - "7" + cis_type: + - automated + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_network_ddos_enabled.yaml b/compliance/controls/azure/azure_network_ddos_enabled.yaml index ad690e64a..78ad07d3d 100644 --- a/compliance/controls/azure/azure_network_ddos_enabled.yaml +++ b/compliance/controls/azure/azure_network_ddos_enabled.yaml 
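Review bot: The `bastion_hosts` CTE groups by `subscription_id, _ctx, resource_group, region`, but the outer query joins on `subscription_id` alone, so a subscription with bastion hosts in two resource groups or regions is emitted twice, each row reporting only that group's count in `' has ' || no_bastion_host || ' bastion host(s).'`. Since `primary_resource` is the subscription and the title asks whether a bastion host exists at all, grouping by `subscription_id` only gives one row per subscription with the true total. That removes `resource_group` from the CTE, so the `i.resource_group AS resource_group` output needs a replacement (or dropping, if the framework tolerates it).

```sql
WITH bastion_hosts AS (
  SELECT
    subscription_id,
    COUNT(*) AS no_bastion_host
  FROM
    azure_bastion_host
  GROUP BY
    subscription_id
)
-- … unchanged: outer SELECT list, status and reason CASE expressions …
  NULL::text AS resource_group,
-- … unchanged: subscription column, FROM azure_subscription, LEFT JOIN bastion_hosts …
```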
@@ -1,43 +1,44 @@ id: azure_network_ddos_enabled title: Azure DDoS Protection Standard should be enabled +type: control description: DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_virtual_network - definition: | - WITH application_gateway_subnet AS ( - SELECT - DISTINCT (SPLIT_PART(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) AS vn_name - FROM - azure_application_gateway AS ag, - JSONB_ARRAY_ELEMENTS(gateway_ip_configurations) AS c - ) - SELECT - a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.vn_name IS NULL THEN 'ok' - WHEN b.vn_name IS NOT NULL AND enable_ddos_protection::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.vn_name IS NULL THEN 'DDoS protection not required.' - WHEN b.vn_name IS NOT NULL AND enable_ddos_protection::bool THEN a.name || ' DDoS protection enabled.' - ELSE a.name || ' DDoS protection disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_virtual_network AS a - LEFT JOIN application_gateway_subnet AS b ON a.name = b.vn_name - JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_virtual_network + definition: | + WITH application_gateway_subnet AS ( + SELECT + DISTINCT (SPLIT_PART(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) AS vn_name + FROM + azure_application_gateway AS ag, + JSONB_ARRAY_ELEMENTS(gateway_ip_configurations) AS c + ) + SELECT + a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.vn_name IS NULL THEN 'ok' + WHEN b.vn_name IS NOT NULL AND enable_ddos_protection::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.vn_name IS NULL THEN 'DDoS protection not required.' + WHEN b.vn_name IS NOT NULL AND enable_ddos_protection::bool THEN a.name || ' DDoS protection enabled.' + ELSE a.name || ' DDoS protection disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_virtual_network AS a + LEFT JOIN application_gateway_subnet AS b ON a.name = b.vn_name + JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Network + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml b/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml index f70cb4a80..db0c6f0f1 100644 --- a/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml +++ b/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml 
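Review bot: `LEFT JOIN application_gateway_subnet AS b ON a.name = b.vn_name` matches virtual networks by bare name, but a vnet name is only unique within a resource group, so an application gateway in one subscription or resource group can mark a same-named vnet elsewhere as requiring DDoS protection (or mask one that does). The CTE already has the full subnet resource id; comparing the vnet's own id against that path, or additionally matching the subscription and resource-group segments extracted from it, would make the join unambiguous. The `SPLIT_PART(..., '/', 9)` also deserves a why-comment, e.g. `-- 9th segment of the ARM subnet id is the virtual network name`, since the magic index is the whole correctness argument.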
@@ -1,49 +1,50 @@ id: azure_network_interface_ip_forwarding_disabled title: IP Forwarding on your virtual machine should be disabled +type: control description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - WITH vm_using_nic AS ( - SELECT - id AS vm_id, - name AS vm_name, - resource_group, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - region, - subscription_id, - b ->> 'id' AS nic_id - FROM - azure_compute_virtual_machine AS c, - jsonb_array_elements(network_interfaces) AS b - ) - SELECT - v.vm_id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN i.enable_ip_forwarding THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.enable_ip_forwarding THEN v.vm_name || ' using ' || i.name || ' network interface enabled with IP forwarding.' - ELSE v.vm_name || ' using ' || i.name || ' network interface disabled with IP forwarding.' 
- END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_subscription AS sub, - vm_using_nic AS v - LEFT JOIN azure_network_interface AS i ON i.id = v.nic_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + WITH vm_using_nic AS ( + SELECT + id AS vm_id, + name AS vm_name, + resource_group, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + region, + subscription_id, + b ->> 'id' AS nic_id + FROM + azure_compute_virtual_machine AS c, + jsonb_array_elements(network_interfaces) AS b + ) + SELECT + v.vm_id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN i.enable_ip_forwarding THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.enable_ip_forwarding THEN v.vm_name || ' using ' || i.name || ' network interface enabled with IP forwarding.' + ELSE v.vm_name || ' using ' || i.name || ' network interface disabled with IP forwarding.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_subscription AS sub, + vm_using_nic AS v + LEFT JOIN azure_network_interface AS i ON i.id = v.nic_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Compute + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Compute diff --git a/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml b/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml index da658b2d7..a33f81c20 100644 --- a/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml +++ b/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml 
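Review bot: The FROM clause on the new side lists `azure_subscription AS sub, vm_using_nic AS v` with no predicate tying `sub` to `v`, so every VM/NIC row is cross-joined with every subscription the integration can see and the `subscription` column is arbitrary. The CTE already projects `subscription_id`, so the join should be explicit. A NIC the LEFT JOIN cannot resolve also lands in `ELSE 'ok'` with a NULL `i.name` (hence a NULL reason); an unresolved NIC is unknown rather than compliant and deserves its own branch in both CASE expressions (I used `'info'` below as the neutral status this corpus already uses — adjust if the framework has a dedicated value).
```sql
CASE
  WHEN i.id IS NULL THEN 'info'
  WHEN i.enable_ip_forwarding THEN 'alarm'
  ELSE 'ok'
END AS status,
-- … unchanged: reason CASE (add a matching `i.id IS NULL` branch), resource_group …
sub.display_name AS subscription
FROM
  vm_using_nic AS v
  LEFT JOIN azure_network_interface AS i ON i.id = v.nic_id
  JOIN azure_subscription AS sub ON sub.subscription_id = v.subscription_id;
```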
@@ -1,35 +1,36 @@ id: azure_network_lb_no_basic_sku title: Network load balancers should use standard SKUs as a minimum +type: control description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_lb - definition: | - SELECT - l.id AS resource, - l.platform_integration_id AS platform_integration_id, - l.platform_resource_id AS platform_resource_id, - CASE - WHEN l.sku_name = 'Basic' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN l.sku_name = 'Basic' THEN l.title || ' using basic SKU.' - ELSE l.title || ' using ' || sku_name || ' SKU.' - END AS reason, - l.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_lb AS l, - azure_subscription AS sub - WHERE - sub.subscription_id = l.subscription_id; + language: sql + primary_resource: azure_lb + definition: | + SELECT + l.id AS resource, + l.platform_integration_id AS platform_integration_id, + l.platform_resource_id AS platform_resource_id, + CASE + WHEN l.sku_name = 'Basic' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN l.sku_name = 'Basic' THEN l.title || ' using basic SKU.' + ELSE l.title || ' using ' || sku_name || ' SKU.' + END AS reason, + l.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_lb AS l, + azure_subscription AS sub + WHERE + sub.subscription_id = l.subscription_id; severity: medium tags: - cis: - - 'true' - service: - - Azure/Network + cis: + - "true" + service: + - Azure/Network 
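Review bot: `WHEN l.sku_name = 'Basic' THEN 'alarm' ELSE 'ok'` treats a NULL `sku_name` as compliant and then builds a NULL reason (`l.title || ' using ' || sku_name || ' SKU.'`), so a load balancer whose SKU the API omits silently passes. If the provider leaves `sku_name` empty for legacy Basic resources — worth confirming against real plugin output — the control should fail closed: `WHEN l.sku_name IS NULL OR l.sku_name = 'Basic' THEN 'alarm'`, with a reason branch such as `l.title || ' has no SKU reported.'`. The unqualified `sku_name` in the reason should also be written `l.sku_name` like the rest of the select list.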
diff --git a/compliance/controls/azure/azure_network_network_peering_connected.yaml b/compliance/controls/azure/azure_network_network_peering_connected.yaml index fc627dcad..6fd579982 100644 --- a/compliance/controls/azure/azure_network_network_peering_connected.yaml +++ b/compliance/controls/azure/azure_network_network_peering_connected.yaml 
@@ -1,39 +1,40 @@ id: azure_network_network_peering_connected title: Virtual network network peering should be in connected state +type: control description: This control ensures whether virtual network network peering is in connected state. This control is non-compliant if network peering is not in connected state. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_virtual_network - definition: | - WITH disconnected_network_peering AS ( - SELECT - DISTINCT id AS vn_id - FROM - azure_virtual_network AS n, - jsonb_array_elements(network_peerings) AS p - WHERE - p -> 'properties' ->> 'peeringState' = 'Disconnected' - ) - SELECT - n.id AS resource, - n.platform_integration_id AS platform_integration_id, - n.platform_resource_id AS platform_resource_id, - CASE - WHEN jsonb_array_length(network_peerings) = 0 THEN 'ok' - WHEN p.vn_id IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN jsonb_array_length(network_peerings) = 0 THEN n.title || ' has no network peering.' - WHEN p.vn_id IS NOT NULL THEN n.title || ' has network peering in disconnected state.' - ELSE n.title || ' has network peering in connected state.' 
- END AS reason - FROM - azure_virtual_network AS n - LEFT JOIN disconnected_network_peering AS p ON p.vn_id = n.id - JOIN azure_subscription sub ON sub.subscription_id = n.subscription_id; + language: sql + primary_resource: azure_virtual_network + definition: | + WITH disconnected_network_peering AS ( + SELECT + DISTINCT id AS vn_id + FROM + azure_virtual_network AS n, + jsonb_array_elements(network_peerings) AS p + WHERE + p -> 'properties' ->> 'peeringState' = 'Disconnected' + ) + SELECT + n.id AS resource, + n.platform_integration_id AS platform_integration_id, + n.platform_resource_id AS platform_resource_id, + CASE + WHEN jsonb_array_length(network_peerings) = 0 THEN 'ok' + WHEN p.vn_id IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN jsonb_array_length(network_peerings) = 0 THEN n.title || ' has no network peering.' + WHEN p.vn_id IS NOT NULL THEN n.title || ' has network peering in disconnected state.' + ELSE n.title || ' has network peering in connected state.' + END AS reason + FROM + azure_virtual_network AS n + LEFT JOIN disconnected_network_peering AS p ON p.vn_id = n.id + JOIN azure_subscription sub ON sub.subscription_id = n.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml b/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml index 961616bcf..e0b2335c9 100644 --- a/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml +++ b/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml 
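Review bot: The CTE only flags peerings whose `peeringState` is exactly `'Disconnected'`, so any other non-connected value (Azure also reports an initiated/pending state, and a missing property yields NULL) falls into `ELSE 'ok'` and is reported as "in connected state". Since the contract is that peerings are connected, test for that directly: `p -> 'properties' ->> 'peeringState' IS DISTINCT FROM 'Connected'`. The select list also omits the `resource_group` and `subscription` columns the sibling controls return, which leaves the `azure_subscription` join unused.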
@@ -1,35 +1,36 @@ id: azure_network_public_ip_no_basic_sku title: Network public IPs should use standard SKUs as a minimum +type: control description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_public_ip - definition: | - SELECT - i.id AS resource, - i.platform_integration_id AS platform_integration_id, - i.platform_resource_id AS platform_resource_id, - CASE - WHEN i.sku_name = 'Basic' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.sku_name = 'Basic' THEN i.title || ' using basic SKU.' - ELSE i.title || ' using ' || sku_name || ' SKU.' - END AS reason, - i.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_public_ip AS i, - azure_subscription AS sub - WHERE - sub.subscription_id = i.subscription_id; + language: sql + primary_resource: azure_public_ip + definition: | + SELECT + i.id AS resource, + i.platform_integration_id AS platform_integration_id, + i.platform_resource_id AS platform_resource_id, + CASE + WHEN i.sku_name = 'Basic' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.sku_name = 'Basic' THEN i.title || ' using basic SKU.' + ELSE i.title || ' using ' || sku_name || ' SKU.' + END AS reason, + i.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_public_ip AS i, + azure_subscription AS sub + WHERE + sub.subscription_id = i.subscription_id; severity: low tags: - cis: - - 'true' - service: - - Azure/Network + cis: + - "true" + service: + - Azure/Network 
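Review bot: `WHEN i.sku_name = 'Basic' THEN 'alarm' ELSE 'ok'` passes a public IP whose `sku_name` is NULL and then produces a NULL reason from `i.title || ' using ' || sku_name || ' SKU.'`. If the API omits the SKU for older Basic addresses — confirm against plugin output — this should fail closed with `WHEN i.sku_name IS NULL OR i.sku_name = 'Basic' THEN 'alarm'` and a dedicated reason such as `i.title || ' has no SKU reported.'`. Qualify the bare `sku_name` as `i.sku_name` for consistency.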
diff --git a/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml b/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml index 6d7c3844e..b776e486c 100644 --- a/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml +++ b/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml 
@@ -1,48 +1,49 @@ id: azure_network_security_group_diagnostic_setting_deployed title: Deploy Diagnostic Settings for Network Security Groups +type: control description: This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH logging_details AS ( - SELECT - DISTINCT name AS nsg_name - FROM - azure_network_security_group, - jsonb_array_elements(diagnostic_settings) setting - WHERE - diagnostic_settings IS NOT NULL - AND setting ->> 'name' = 'setbypolicy' - ) - SELECT - a.resource_guid AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN a.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.nsg_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging not enabled.' - WHEN l.nsg_name IS NULL THEN a.name || ' logging not enabled.' - ELSE a.name || ' logging enabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group AS a - LEFT JOIN logging_details AS l ON a.name = l.nsg_name, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id + language: sql + primary_resource: azure_network_security_group + definition: | + WITH logging_details AS ( + SELECT + DISTINCT name AS nsg_name + FROM + azure_network_security_group, + jsonb_array_elements(diagnostic_settings) setting + WHERE + diagnostic_settings IS NOT NULL + AND setting ->> 'name' = 'setbypolicy' + ) + SELECT + a.resource_guid AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN a.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.nsg_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.diagnostic_settings IS NULL THEN a.name || ' logging not enabled.' + WHEN l.nsg_name IS NULL THEN a.name || ' logging not enabled.' + ELSE a.name || ' logging enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group AS a + LEFT JOIN logging_details AS l ON a.name = l.nsg_name, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Network + hipaa_hitrust_v92: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml index 963152ac7..3092843d3 100644 --- a/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml 
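Review bot: `LEFT JOIN logging_details AS l ON a.name = l.nsg_name` correlates by NSG name only, so one NSG carrying the `setbypolicy` diagnostic setting makes every same-named NSG in other resource groups or subscriptions report "logging enabled". Join on the resource id instead: `DISTINCT id AS nsg_id` in the CTE and `LEFT JOIN logging_details AS l ON a.id = l.nsg_id`. Note that the check accepts only a setting literally named `setbypolicy`, so NSGs with diagnostics configured under any other name are reported as not logging — safe, but the description should say so. The `diagnostic_settings IS NOT NULL` predicate is redundant once `jsonb_array_elements` has been applied.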
@@ -1,80 +1,81 @@ id: azure_network_security_group_https_access_restricted title: Ensure that HTTP(S) access from the Internet is evaluated and restricted +type: control description: Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT DISTINCT - name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text( - CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb - ELSE ('[' || COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb :: text || ']') :: jsonb - END - ) dport, - jsonb_array_elements_text( - CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb - ELSE ('[' || COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb :: text || ']') :: jsonb - END - ) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('80', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) 
:: integer <= 80 - AND split_part(dport, '-', 2) :: integer >= 80 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT DISTINCT + name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text( + CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb + ELSE ('[' || COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb :: text || ']') :: jsonb + END + ) dport, + jsonb_array_elements_text( + CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb + ELSE ('[' || COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb :: text || ']') :: jsonb + END + ) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('80', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: integer <= 80 + AND split_part(dport, '-', 2) :: integer >= 80 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' - ELSE sg.title || ' allows HTTPS access from internet.' 
- END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts HTTPS access from internet.' + ELSE sg.title || ' allows HTTPS access from internet.' + END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.4' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.4" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml b/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml index a9876b5e6..015220c45 100644 --- a/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml +++ b/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml 
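Review bot: The title and reason strings speak of HTTP(S), but the port predicate in the CTE matches only `dport IN ('80', '*')` and ranges containing 80, so a rule opening 443 to `0.0.0.0/0` is reported as "restricts HTTPS access from internet". The protocol filter `ILIKE 'TCP'` also excludes rules with protocol `*`, which the RDP control in this same change does include, so an any-protocol rule to port 80 passes here. Extending the predicate to 443 and `*` closes both gaps; the `sip` list additionally contains `'/0'` twice.
```sql
-- … unchanged: dport / sip expansion …
WHERE
  sg -> 'properties' ->> 'access' = 'Allow'
  AND sg -> 'properties' ->> 'direction' = 'Inbound'
  AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*')
  AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0')
  AND (
    dport IN ('80', '443', '*')
    OR (
      dport LIKE '%-%'
      AND (
        (split_part(dport, '-', 1) :: integer <= 80 AND split_part(dport, '-', 2) :: integer >= 80)
        OR (split_part(dport, '-', 1) :: integer <= 443 AND split_part(dport, '-', 2) :: integer >= 443)
      )
    )
  )
```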
@@ -1,36 +1,37 @@ id: azure_network_security_group_not_configured_gateway_subnets title: Gateway subnets should not be configured with a network security group +type: control description: Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subnet - definition: | - SELECT - subnet.id AS resource, - subnet.platform_integration_id AS platform_integration_id, - subnet.platform_resource_id AS platform_resource_id, - CASE - WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NOT NULL THEN 'alarm' - WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NULL THEN 'ok' - ELSE 'skip' - END AS status, - CASE - WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NOT NULL THEN 'Gateway subnet configured with network security group.' - WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NULL THEN 'Gateway subnet not configured with network security group.' - ELSE subnet.name || ' not of gateway subnet type.' 
- END AS reason, - subnet.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_subnet AS subnet - JOIN - azure_subscription AS sub ON sub.subscription_id = subnet.subscription_id; + language: sql + primary_resource: azure_subnet + definition: | + SELECT + subnet.id AS resource, + subnet.platform_integration_id AS platform_integration_id, + subnet.platform_resource_id AS platform_resource_id, + CASE + WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NOT NULL THEN 'alarm' + WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NULL THEN 'ok' + ELSE 'skip' + END AS status, + CASE + WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NOT NULL THEN 'Gateway subnet configured with network security group.' + WHEN subnet.name = 'GatewaySubnet' AND network_security_group_id IS NULL THEN 'Gateway subnet not configured with network security group.' + ELSE subnet.name || ' not of gateway subnet type.' + END AS reason, + subnet.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_subnet AS subnet + JOIN + azure_subscription AS sub ON sub.subscription_id = subnet.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Network + hipaa_hitrust_v92: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml index 9f4224d5f..fffb28cff 100644 --- a/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml 
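Review bot: The description on the new side ("Protect your subnet from potential threats by restricting access to it with a Network Security Group") argues for the opposite of what the query checks — it alarms when `GatewaySubnet` has a `network_security_group_id` — so a reader would take an alarm as the compliant state. Replace it with text that matches the logic, e.g. `description: The virtual network gateway subnet (GatewaySubnet) must not have a network security group attached; this control alarms when one is associated and skips subnets with any other name.` If you want to keep a rationale (NSG rules on that subnet interfering with gateway control-plane traffic), confirm it against current Azure guidance before adding it. `network_security_group_id` is also the only unqualified column in the select; `subnet.network_security_group_id` keeps it consistent.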
@@ -1,54 +1,55 @@ id: azure_network_security_group_outbound_access_restricted title: Network security groups should restrict outbound access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted outbound access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_outbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Outbound' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND dport = '*' - ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_outbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, + WHEN jsonb_array_length(sg -> 'properties' -> 
'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts outbound access from internet.' - ELSE sg.title || ' allows outbound access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_outbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Outbound' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND dport = '*' + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts outbound access from internet.' + ELSE sg.title || ' allows outbound access from internet.' + END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_outbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml index d2df615a4..e6ea63224 100644 --- a/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml 
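Review bot: For an `Outbound` rule the CTE tests `sourceAddressPrefix(es)` against the internet wildcards, but on outbound rules the source is the NIC/subnet side and a `*` source is the normal case; what "restrict outbound access" needs to catch is a destination of `*`/`Internet`/`0.0.0.0/0`. As written, an allow-all rule to `10.0.0.0/8` alarms while one with a narrow source sending to `Internet` may pass. The rule set also concatenates `default_security_rules` with no priority or `Deny` evaluation, so if the platform's built-in allow-internet-outbound default is present in that column (expected for Azure — verify against plugin output) every NSG alarms regardless of custom deny rules; either exclude the defaults or evaluate priorities. Like its siblings, this select should also return `resource_group` and `subscription`, since it already joins `azure_subscription`.
```sql
-- … unchanged: dport expansion …
jsonb_array_elements_text(
  CASE
    WHEN jsonb_array_length(sg -> 'properties' -> 'destinationAddressPrefixes') > 0
    THEN (sg -> 'properties' -> 'destinationAddressPrefixes')
    ELSE jsonb_build_array(sg -> 'properties' -> 'destinationAddressPrefix')
  END
) AS dip
WHERE
  sg -> 'properties' ->> 'access' = 'Allow'
  AND sg -> 'properties' ->> 'direction' = 'Outbound'
  AND dip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0')
  AND dport = '*'
```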
@@ -1,77 +1,78 @@ id: azure_network_security_group_rdp_access_restricted title: Windows machines should meet requirements for 'User Rights Assignment' +type: control description: Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb - ELSE ('[' || COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb::text || ']')::jsonb - END) dport, - jsonb_array_elements_text(CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb - ELSE ('[' || COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb::text || ']')::jsonb - END) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('3389', '*') - OR ( - 
dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 3389 - AND split_part(dport, '-', 2)::integer >= 3389 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb + ELSE ('[' || COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb::text || ']')::jsonb + END) dport, + jsonb_array_elements_text(CASE jsonb_typeof(COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb + ELSE ('[' || COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb::text || ']')::jsonb + END) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3389', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 3389 + AND split_part(dport, '-', 2)::integer >= 3389 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts RDP access from internet.' 
- ELSE sg.title || ' allows RDP access from internet.' - END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts RDP access from internet.' + ELSE sg.title || ' allows RDP access from internet.' + END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.1' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.1" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml index d57e526d6..47a0a4563 100644 --- a/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml 
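Review bot: The title ("Windows machines should meet requirements for 'User Rights Assignment'") and the Guest Configuration description describe an in-guest Azure Policy check, but the query inspects NSG inbound Allow rules for TCP or any-protocol traffic to port 3389 from internet-wide sources; the CIS 6.1 tags and the reason strings match the query, not the title. Replace both so reports read correctly, e.g. `title: Ensure that RDP access from the Internet is evaluated and restricted` and a description stating that the control alarms when a network security group has an inbound Allow rule reaching port 3389 (directly or via a range) from `*`, `0.0.0.0/0` or `Internet`. The `sip` list also repeats `'/0'`.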
@@ -1,68 +1,69 @@ id: azure_network_security_group_remote_access_restricted title: Management ports should be closed on your virtual machines +type: control description: Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || - (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || - (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || + (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, + jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || + (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', 
'/0', '/0') + AND ( + dport IN ('22', '3389', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('22', '3389', '*') + ( + split_part(dport, '-', 1) :: INTEGER <= 3389 + AND split_part(dport, '-', 2) :: INTEGER >= 3389 + ) OR ( - dport LIKE '%-%' - AND ( - ( - split_part(dport, '-', 1) :: INTEGER <= 3389 - AND split_part(dport, '-', 2) :: INTEGER >= 3389 - ) - OR ( - split_part(dport, '-', 1) :: INTEGER <= 22 - AND split_part(dport, '-', 2) :: INTEGER >= 22 - ) - ) + split_part(dport, '-', 1) :: INTEGER <= 22 + AND split_part(dport, '-', 2) :: INTEGER >= 22 ) ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts remote access from internet.' - ELSE sg.title || ' allows remote access from internet.' - END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group AS sg - LEFT JOIN network_sg AS nsg ON nsg.sg_name = sg.name - JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts remote access from internet.' + ELSE sg.title || ' allows remote access from internet.' 
+ END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group AS sg + LEFT JOIN network_sg AS nsg ON nsg.sg_name = sg.name + JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Network + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml index fbead262b..f32873ed0 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml 
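Review bot: In the `network_sg` CTE, `sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange')::jsonb` (and the matching source-prefix expression) returns NULL whenever one of the two keys is absent from the rule, because jsonb `||` is strict; `jsonb_array_elements_text(NULL)` then yields no rows, so such a rule is never evaluated and an NSG exposing 22/3389 only through `destinationPortRanges` would be reported `ok`. Whether the collector always emits both keys is not visible here, but the sibling controls in this diff (ICMP, TCP 135, 1433, 20, 21, 23, 25) already use a `CASE WHEN jsonb_array_length(...) > 0 ... ELSE jsonb_build_array(...)` form that tolerates a missing key, and this file should match them. Separately, the `sip IN (...)` list repeats `'/0'` here and in every NSG control in this diff; the duplicate literal can be dropped.
```sql
-- … unchanged: WITH network_sg AS ( SELECT DISTINCT name sg_name FROM azure_network_security_group nsg, jsonb_array_elements(security_rules) sg, …
jsonb_array_elements_text(
  CASE
    WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges')
    ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange')
  END
) dport,
jsonb_array_elements_text(
  CASE
    WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes')
    ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix')
  END
) sip
-- … unchanged: WHERE clause and outer SELECT …
```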
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_icmp_port title: Network security groups should restrict inbound ICMP port access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to ICMP port. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) AS sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'ICMP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) AS sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'ICMP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - dport = '*' - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1) :: integer = 0 - AND split_part(dport, '-', 2) :: integer = 65535 - ) - ) + split_part(dport, '-', 1) :: integer = 0 + AND split_part(dport, '-', 2) :: integer = 65535 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts ICMP access from internet.' - ELSE sg.title || ' allows ICMP access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts ICMP access from internet.' + ELSE sg.title || ' allows ICMP access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml index cf4e013e1..abddca0b3 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml 
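Review bot: The outer query does `JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id` but never projects anything from `sub`, so the inner join acts only as a filter: an NSG whose subscription row is missing from `azure_subscription` disappears from the result entirely instead of being reported as `ok` or `alarm`. Either project `sub.display_name AS subscription` as the RDP and remote-access controls do, or drop the join; the same unused join appears in the TCP 135, 1433, 20, 21, 23 and 25 hunks. A second, inferred point: the port predicate only matches `'*'` or the literal `0-65535`, so an `Icmp` rule carrying any other destination port string is reported `ok`; if the port field is not meaningful for ICMP rules in the collected data, the port test should apply only to the `protocol = '*'` branch — worth confirming against real rule records before changing.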
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_tcp_port_135 title: Network security groups should restrict inbound TCP port 135 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 135. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) AS sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) AS sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE 
jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('135', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('135', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 135 - AND split_part(dport, '-', 2)::INTEGER = 135 - ) - ) + split_part(dport, '-', 1)::INTEGER = 135 + AND split_part(dport, '-', 2)::INTEGER = 135 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 135 access from internet.' - ELSE sg.title || ' allows TCP port 135 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 135 access from internet.' + ELSE sg.title || ' allows TCP port 135 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml index 8e49d7edc..1186036ed 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml 
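Review bot: The range arm of the port predicate in `unrestricted_inbound` tests `split_part(dport, '-', 1)::INTEGER = 135 AND split_part(dport, '-', 2)::INTEGER = 135`, so only the degenerate range `135-135` matches and a rule opening `100-200` or `0-65535` to the internet is reported `ok`. The TCP 20 and 21 controls in this same diff use the inclusion test, which is what this file should do too: `AND split_part(dport, '-', 1)::INTEGER <= 135` and `AND split_part(dport, '-', 2)::INTEGER >= 135`. The same equality comparison is present in the TCP 1433, 23 and 25 hunks. Unrelated nit: the `description` here (and in the 1433, 20, 23 and 25 files) reads "Network security group provide stateful filtering"; the port 21 and ICMP files have the correct "provides".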
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_tcp_port_1433 title: Network security groups should restrict inbound TCP port 1433 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 1433. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg 
-> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('1433', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('1433', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 1433 - AND split_part(dport, '-', 2)::integer = 214335 - ) - ) + split_part(dport, '-', 1)::integer = 1433 + AND split_part(dport, '-', 2)::integer = 214335 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 1433 access from internet.' - ELSE sg.title || ' allows TCP port 1433 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 1433 access from internet.' + ELSE sg.title || ' allows TCP port 1433 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml index 10580c853..19cd256c8 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml 
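Review bot: `split_part(dport, '-', 2)::integer = 214335` can never be true — 214335 is outside the 0–65535 port space — so the whole range arm is dead code and only the literal `'1433'` or `'*'` is ever flagged; the constant looks like a typo for 1433. Together with the equality-vs-inclusion issue raised on the TCP 135 hunk, the two lines should read `AND split_part(dport, '-', 1)::integer <= 1433` and `AND split_part(dport, '-', 2)::integer >= 1433`. Since this is a security control, the dead arm means an NSG rule such as `1000-2000` from `Internet` currently passes as `ok`.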
@@ -1,60 +1,61 @@ id: azure_network_security_group_restrict_inbound_tcp_port_20 title: Network security groups should restrict inbound TCP port 20 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group AS nsg, - jsonb_array_elements(security_rules || default_security_rules) AS sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('20', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) :: INTEGER <= 20 - AND split_part(dport, '-', 2) :: INTEGER >= 20 - ) - ) - ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + 
FROM + azure_network_security_group AS nsg, + jsonb_array_elements(security_rules || default_security_rules) AS sg, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 20 access from internet.' - ELSE sg.title || ' allows TCP port 20 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('20', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: INTEGER <= 20 + AND split_part(dport, '-', 2) :: INTEGER >= 20 + ) + ) + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 20 access from internet.' + ELSE sg.title || ' allows TCP port 20 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml index e49566ed2..dc0549835 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml 
@@ -1,60 +1,61 @@ id: azure_network_security_group_restrict_inbound_tcp_port_21 title: Network security groups should restrict inbound TCP port 21 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 21. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('21', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 21 - AND split_part(dport, '-', 2)::integer >= 21 - ) - ) - ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + 
azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 21 access from internet.' - ELSE sg.title || ' allows TCP port 21 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('21', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 21 + AND split_part(dport, '-', 2)::integer >= 21 + ) + ) + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 21 access from internet.' + ELSE sg.title || ' allows TCP port 21 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml index 3e3be78c4..6fea6d73c 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml 
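Review bot: This file omits `AS` on aliases (`DISTINCT name sg_name`, `sg.id resource`) and writes the cast as `::integer`, while the TCP 20 control reindented in the same diff uses `DISTINCT name AS sg_name`, `sg.id AS resource` and `:: INTEGER`; since both files are otherwise line-for-line identical apart from the port number, they should share one form. Suggest `DISTINCT name AS sg_name` and `sg.id AS resource` here, and picking one cast spelling across the NSG controls. The range logic itself (`<= 21` / `>= 21`) is the correct inclusion test.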
@@ -1,60 +1,61 @@ id: azure_network_security_group_restrict_inbound_tcp_port_23 title: Network security groups should restrict inbound TCP port 23 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 23. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('23', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('23', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 23 - AND split_part(dport, '-', 2)::INTEGER = 23 - ) - ) + split_part(dport, '-', 1)::INTEGER = 23 + AND split_part(dport, '-', 2)::INTEGER = 23 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 23 access from internet.' - ELSE sg.title || ' allows TCP port 23 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 23 access from internet.' + ELSE sg.title || ' allows TCP port 23 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml index 230d34c0f..4a24dba1f 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml 
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_tcp_port_25 title: Network security groups should restrict inbound TCP port 25 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 25. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('25', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('25', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 25 - AND split_part(dport, '-', 2)::INTEGER = 25 - ) - ) + split_part(dport, '-', 1)::INTEGER = 25 + AND split_part(dport, '-', 2)::INTEGER = 25 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 25 access from internet.' - ELSE sg.title || ' allows TCP port 25 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 25 access from internet.' + ELSE sg.title || ' allows TCP port 25 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml index f94dd90e7..48346589e 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml 
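Review bot: The range branch of the `unrestricted_inbound` CTE only matches when both ends of the range equal the target port (`split_part(dport, '-', 1)::INTEGER = 25 AND split_part(dport, '-', 2)::INTEGER = 25`), so an inbound Allow rule with a range such as `20-30` (constructed example) from `*` is reported as `ok` and the control under-reports exposure. A containment test is what the title promises: `split_part(dport, '-', 1)::INTEGER <= 25 AND split_part(dport, '-', 2)::INTEGER >= 25`. The same equality-only check is carried over unchanged in the 23, 3306, 4333, 445, 53, 5432, 5500 and 5900 control files of this diff, so the fix belongs in all of them. Minor: the `sip IN (...)` list repeats the literal `'/0'`; one copy can go.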
@@ -1,64 +1,65 @@ id: azure_network_security_group_restrict_inbound_tcp_port_3306 title: Network security groups should restrict inbound TCP port 3306 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 3306. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg 
-> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('3306', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('3306', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 3306 - AND split_part(dport, '-', 2)::integer = 3306 - ) - ) + split_part(dport, '-', 1)::integer = 3306 + AND split_part(dport, '-', 2)::integer = 3306 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 3306 access from internet.' - ELSE sg.title || ' allows TCP port 3306 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 3306 access from internet.' + ELSE sg.title || ' allows TCP port 3306 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml index cbb9d0eb3..b33ddf350 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml 
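Review bot: The final `LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name` correlates on the NSG name alone, which Azure scopes to the resource group, so two NSGs sharing a name in different resource groups or subscriptions also share a verdict and the compliant one can surface as `alarm`. Keying the CTE on the resource identifier that the outer query already uses avoids this: `SELECT DISTINCT id AS sg_id` in the CTE and `LEFT JOIN unrestricted_inbound nsg ON nsg.sg_id = sg.id` in the outer query. The `JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id` contributes no selected column and, being an inner join, silently drops NSGs without a matching subscription row; if that filtering is intended it deserves a one-line comment, otherwise the join can be removed. The same join shape appears in the other port control files in this diff.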
@@ -1,60 +1,61 @@ id: azure_network_security_group_restrict_inbound_tcp_port_4333 title: Network security groups should restrict inbound TCP port 4333 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 4333. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - JSONB_ARRAY_ELEMENTS(security_rules || default_security_rules) sg, - JSONB_ARRAY_ELEMENTS_TEXT( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END) AS dport, - JSONB_ARRAY_ELEMENTS_TEXT( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + JSONB_ARRAY_ELEMENTS(security_rules || default_security_rules) sg, + JSONB_ARRAY_ELEMENTS_TEXT( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END) AS dport, + JSONB_ARRAY_ELEMENTS_TEXT( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('4333', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('4333', '*') - OR ( - dport LIKE '%-%' - AND ( - SPLIT_PART(dport, '-', 1)::integer = 4333 - AND SPLIT_PART(dport, '-', 2)::integer = 4333 - ) - ) + SPLIT_PART(dport, '-', 1)::integer = 4333 + AND SPLIT_PART(dport, '-', 2)::integer = 4333 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 4333 access from internet.' - ELSE sg.title || ' allows TCP port 4333 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 4333 access from internet.' + ELSE sg.title || ' allows TCP port 4333 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml index 27e5ebbd0..3d12d6f60 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml 
@@ -1,64 +1,65 @@ id: azure_network_security_group_restrict_inbound_tcp_port_445 title: Network security groups should restrict inbound TCP port 445 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 445. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('445', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('445', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1) :: INTEGER = 445 - AND split_part(dport, '-', 2) :: INTEGER = 445 - ) - ) + split_part(dport, '-', 1) :: INTEGER = 445 + AND split_part(dport, '-', 2) :: INTEGER = 445 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 445 access from internet.' - ELSE sg.title || ' allows TCP port 445 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 445 access from internet.' + ELSE sg.title || ' allows TCP port 445 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml index ce30e3ef7..647091806 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml 
@@ -1,64 +1,65 @@ id: azure_network_security_group_restrict_inbound_tcp_port_53 title: Network security groups should restrict inbound TCP port 53 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 53. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('53', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('53', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 53 - AND split_part(dport, '-', 2)::integer = 53 - ) - ) + split_part(dport, '-', 1)::integer = 53 + AND split_part(dport, '-', 2)::integer = 53 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 53 access from internet.' - ELSE sg.title || ' allows TCP port 53 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 53 access from internet.' + ELSE sg.title || ' allows TCP port 53 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml index 92696480e..074f2c3c8 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml 
@@ -1,69 +1,70 @@ id: azure_network_security_group_restrict_inbound_tcp_port_5432 title: Network security groups should restrict inbound TCP port 5432 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5432. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT DISTINCT - name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) AS sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND ( - sg -> 'properties' ->> 'protocol' ILIKE 'TCP' - OR sg -> 'properties' ->> 'protocol' = '*' - ) - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT DISTINCT + name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) AS sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE 
jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND ( + sg -> 'properties' ->> 'protocol' ILIKE 'TCP' + OR sg -> 'properties' ->> 'protocol' = '*' + ) + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('5432', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('5432', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 5432 - AND split_part(dport, '-', 2)::integer = 5432 - ) - ) + split_part(dport, '-', 1)::integer = 5432 + AND split_part(dport, '-', 2)::integer = 5432 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 5432 access from internet.' - ELSE sg.title || ' allows TCP port 5432 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg - ON nsg.sg_name = sg.name - JOIN azure_subscription sub - ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 5432 access from internet.' + ELSE sg.title || ' allows TCP port 5432 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg + ON nsg.sg_name = sg.name + JOIN azure_subscription sub + ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml index eef731ee1..2162073fb 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml 
@@ -1,66 +1,67 @@ id: azure_network_security_group_restrict_inbound_tcp_port_5500 title: Network security groups should restrict inbound TCP port 5500 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5500. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT DISTINCT - name AS sg_name - FROM - azure_network_security_group AS nsg, - jsonb_array_elements(security_rules || default_security_rules) AS sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 - THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 - THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT DISTINCT + name AS sg_name + FROM + azure_network_security_group AS nsg, + jsonb_array_elements(security_rules || default_security_rules) AS sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 + THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE 
jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 + THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('5500', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('5500', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 5500 - AND split_part(dport, '-', 2)::INTEGER = 5500 - ) - ) + split_part(dport, '-', 1)::INTEGER = 5500 + AND split_part(dport, '-', 2)::INTEGER = 5500 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts TCP port 5500 access from internet.' - ELSE sg.title || ' allows TCP port 5500 access from internet.' - END AS reason - FROM - azure_network_security_group AS sg - LEFT JOIN unrestricted_inbound AS nsg ON nsg.sg_name = sg.name - JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts TCP port 5500 access from internet.' + ELSE sg.title || ' allows TCP port 5500 access from internet.' 
+ END AS reason + FROM + azure_network_security_group AS sg + LEFT JOIN unrestricted_inbound AS nsg ON nsg.sg_name = sg.name + JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml index 7f68615ad..2dc39aeb8 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml 
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_tcp_port_5900 title: Network security groups should restrict inbound TCP port 5900 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5900. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('5900', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('5900', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1) :: INTEGER = 5900 - AND split_part(dport, '-', 2) :: INTEGER = 5900 - ) - ) + split_part(dport, '-', 1) :: INTEGER = 5900 + AND split_part(dport, '-', 2) :: INTEGER = 5900 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 5900 access from internet.' - ELSE sg.title || ' allows TCP port 5900 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts TCP port 5900 access from internet.' + ELSE sg.title || ' allows TCP port 5900 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml index 5eb5a6807..9790fc9cc 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml 
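Review bot: The port-range branch of the `unrestricted_inbound` CTE only matches a range whose two ends both equal 5900 (`split_part(dport, '-', 1) :: INTEGER = 5900 AND split_part(dport, '-', 2) :: INTEGER = 5900`), so an Allow rule with a destinationPortRange such as `5000-6000` from `*`/`Internet` is reported as `ok`. The udp_port_445 and ssh hunks in this same commit already use the containing-range form; this one should read `AND split_part(dport, '-', 1) :: INTEGER <= 5900 AND split_part(dport, '-', 2) :: INTEGER >= 5900`. The same equality check is in the udp_port_137, udp_port_138, udp_port_1434 and udp_port_53 hunks below, and from the visible lines also in the tcp_port_5500 hunk whose start is outside this chunk. Separately, the outer query joins the CTE on `nsg.sg_name = sg.name` while the CTE selects only `DISTINCT name`, so NSGs sharing a name across resource groups or subscriptions are conflated and an open NSG in one subscription would alarm a same-named NSG elsewhere; selecting and joining on `id` (or on name plus resource_group and subscription_id) makes the match exact, and this applies to every NSG control in this chunk.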
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_udp_port_137 title: Network security groups should restrict inbound UDP port 137 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name AS sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules ) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name AS sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules ) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg 
-> 'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('137', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('137', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 137 - AND split_part(dport, '-', 2)::INTEGER = 137 - ) - ) + split_part(dport, '-', 1)::INTEGER = 137 + AND split_part(dport, '-', 2)::INTEGER = 137 ) + ) ) - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 137 access from internet.' - ELSE sg.title || ' allows UDP port 137 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 137 access from internet.' + ELSE sg.title || ' allows UDP port 137 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml index 061c3c8f2..d3547fb06 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml 
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_udp_port_138 title: Network security groups should restrict inbound UDP port 137 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('138', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('138', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::INTEGER = 138 - AND split_part(dport, '-', 2)::INTEGER = 138 - ) - ) + split_part(dport, '-', 1)::INTEGER = 138 + AND split_part(dport, '-', 2)::INTEGER = 138 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 138 access from internet.' - ELSE sg.title || ' allows UDP port 138 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 138 access from internet.' + ELSE sg.title || ' allows UDP port 138 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml index 80b9682cc..5c0169164 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml 
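Review bot: The title and description of this control still say UDP port 137 while the id, the `dport IN ('138', '*')` predicate and the reason strings all refer to port 138, so the rendered control text misdescribes what is checked. They should read `title: Network security groups should restrict inbound UDP port 138 access from internet` and `... no network security group allows unrestricted inbound access to UDP port 138.`. Both are context lines in this hunk, but the commit already rewrites the file's indentation, so this is the moment to correct them.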
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_udp_port_1434 title: Network security groups should restrict inbound UDP port 1434 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 1434. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('1434', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('1434', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 1434 - AND split_part(dport, '-', 2)::integer = 1434 - ) - ) + split_part(dport, '-', 1)::integer = 1434 + AND split_part(dport, '-', 2)::integer = 1434 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 1434 access from internet.' - ELSE sg.title || ' allows UDP port 1434 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 1434 access from internet.' + ELSE sg.title || ' allows UDP port 1434 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml index 33f695696..4733e7a78 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml 
@@ -1,58 +1,59 @@ id: azure_network_security_group_restrict_inbound_udp_port_445 title: Network security groups should restrict inbound UDP port 445 access from internet +type: control description: Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 445. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('445', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1)::integer <= 445 - AND split_part(dport, '-', 2)::integer >= 445 - ) - ) - ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + 
azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') + END) AS dport, + jsonb_array_elements_text( CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 445 access from internet.' - ELSE sg.title || ' allows UDP port 445 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('445', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1)::integer <= 445 + AND split_part(dport, '-', 2)::integer >= 445 + ) + ) + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 445 access from internet.' + ELSE sg.title || ' allows UDP port 445 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml index edbadd718..c761bdcdf 100644 --- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml +++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml 
@@ -1,62 +1,63 @@ id: azure_network_security_group_restrict_inbound_udp_port_53 title: Network security groups should restrict inbound UDP port 53 access from internet +type: control description: Network security group provides stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 53. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH unrestricted_inbound AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules || default_security_rules) sg, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') - ELSE jsonb_build_array(sg -> 'properties' -> 'destinationPortRange') - END - ) AS dport, - jsonb_array_elements_text( - CASE - WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') - ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') - END - ) AS sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH unrestricted_inbound AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules || default_security_rules) sg, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'destinationPortRanges') > 0 THEN (sg -> 'properties' -> 'destinationPortRanges') + ELSE jsonb_build_array(sg -> 
'properties' -> 'destinationPortRange') + END + ) AS dport, + jsonb_array_elements_text( + CASE + WHEN jsonb_array_length(sg -> 'properties' -> 'sourceAddressPrefixes') > 0 THEN (sg -> 'properties' -> 'sourceAddressPrefixes') + ELSE jsonb_build_array(sg -> 'properties' -> 'sourceAddressPrefix') + END + ) AS sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('53', '*') + OR ( + dport LIKE '%-%' AND ( - dport IN ('53', '*') - OR ( - dport LIKE '%-%' - AND ( - split_part(dport, '-', 1)::integer = 53 - AND split_part(dport, '-', 2)::integer = 53 - ) - ) + split_part(dport, '-', 1)::integer = 53 + AND split_part(dport, '-', 2)::integer = 53 ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 53 access from internet.' - ELSE sg.title || ' allows UDP port 53 access from internet.' - END AS reason - FROM - azure_network_security_group sg - LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL THEN sg.title || ' restricts UDP port 53 access from internet.' + ELSE sg.title || ' allows UDP port 53 access from internet.' 
+ END AS reason + FROM + azure_network_security_group sg + LEFT JOIN unrestricted_inbound nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml index d35f84a43..8deb6ac9a 100644 --- a/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml 
@@ -1,83 +1,84 @@ id: azure_network_security_group_ssh_access_restricted title: Ensure that SSH access is restricted from the internet +type: control description: Disable SSH access on network security groups from the Internet. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT DISTINCT - name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text( - CASE jsonb_typeof( - COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb - ELSE ('[' || (COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb :: text) || ']') :: jsonb - END - ) dport, - jsonb_array_elements_text( - CASE jsonb_typeof( - COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb - ELSE ('[' || (COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb :: text) || ']') :: jsonb - END - ) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - AND ( - dport IN ('22', '*') - OR ( - dport LIKE '%-%' - AND split_part(dport, '-', 1) :: integer <= 22 - AND split_part(dport, '-', 2) :: integer >= 22 - ) - ) + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg 
AS ( + SELECT DISTINCT + name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text( + CASE jsonb_typeof( + COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb + ELSE ('[' || (COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange') :: jsonb :: text) || ']') :: jsonb + END + ) dport, + jsonb_array_elements_text( + CASE jsonb_typeof( + COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb + ELSE ('[' || (COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb :: text) || ']') :: jsonb + END + ) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND (sg -> 'properties' ->> 'protocol' ILIKE 'TCP' OR sg -> 'properties' ->> 'protocol' = '*') + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport IN ('22', '*') + OR ( + dport LIKE '%-%' + AND split_part(dport, '-', 1) :: integer <= 22 + AND split_part(dport, '-', 2) :: integer >= 22 + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts SSH access from internet.' - ELSE sg.title || ' allows SSH access from internet.' 
- END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts SSH access from internet.' + ELSE sg.title || ' allows SSH access from internet.' + END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.2' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.2" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml b/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml index 1dfeaea72..ecf8e520d 100644 --- a/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml +++ b/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml 
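Review bot: The `network_sg` CTE expands only `security_rules`, whereas the port-specific controls in this commit (udp_port_53 and the hunks above it) expand `security_rules || default_security_rules`; if the intent is the same across the family this should use the same expression, otherwise a one-line comment in the definition stating why default rules are excluded here would stop the next reader from "fixing" it. The default inbound rules presumably do not allow traffic from `*`/`Internet`, so the practical gap is likely small, but the divergence is unexplained. The `CASE jsonb_typeof(...)` / `('[' || ... || ']') :: jsonb` construction also differs from the `jsonb_array_length(...) > 0` form the sibling controls use for the same purpose; one shape should be chosen for the family so that a fix to one is not missed in the other.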
@@ -1,36 +1,37 @@ id: azure_network_security_group_subnet_associated title: Subnets should be associated with a Network Security Group +type: control description: This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN subnets IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN subnets IS NULL THEN name || ' not associated with subnet.' - ELSE name || ' associated with ' || SPLIT_PART(RTRIM((subnet -> 'id')::TEXT, '\"'), '/subnets/', 2) || '.' - END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group AS sg - JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id - LEFT JOIN JSONB_ARRAY_ELEMENTS(subnets) AS subnet ON TRUE; + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN subnets IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN subnets IS NULL THEN name || ' not associated with subnet.' + ELSE name || ' associated with ' || SPLIT_PART(RTRIM((subnet -> 'id')::TEXT, '\"'), '/subnets/', 2) || '.' 
+ END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group AS sg + JOIN azure_subscription AS sub ON sub.subscription_id = sg.subscription_id + LEFT JOIN JSONB_ARRAY_ELEMENTS(subnets) AS subnet ON TRUE; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Network + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml b/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml index 74a5ee2e5..2a1c2a073 100644 --- a/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml 
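Review bot: The description (`This policy denies if a gateway subnet is configured with a network security group...`) describes a different check than the title and query, which alarm on NSGs whose `subnets` is NULL; it reads as copied from another control and should say something like `Checks that every network security group is associated with at least one subnet; alarms when the NSG has no subnet association.` Separately, the status test `subnets IS NULL` would report `ok` with a NULL reason if the column can hold an empty array `[]` rather than NULL (not visible here), since `LEFT JOIN ... ON TRUE` then yields a row with `subnet` NULL; `WHEN subnets IS NULL OR jsonb_array_length(subnets) = 0 THEN 'alarm'` (with the same guard in the reason CASE) covers both. The `RTRIM((subnet -> 'id')::TEXT, '\"')` in the reason can be simplified to `subnet ->> 'id'`, which returns the unquoted text directly.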
@@ -1,90 +1,91 @@ id: azure_network_security_group_udp_service_restricted title: Ensure that UDP Services are restricted from the Internet +type: control description: Disable Internet exposed UDP ports on network security groups. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - WITH network_sg AS ( - SELECT - DISTINCT name sg_name - FROM - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text( - CASE jsonb_typeof( - COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb - ) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb - ELSE ('[' || (COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb::text) || ']')::jsonb - END - ) dport, - jsonb_array_elements_text( - CASE jsonb_typeof( - COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb - ) - WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb - ELSE ('[' || (COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb::text) || ']')::jsonb - END - ) sip - WHERE - sg -> 'properties' ->> 'access' = 'Allow' - AND sg -> 'properties' ->> 'direction' = 'Inbound' - AND sg -> 'properties' ->> 'protocol' = 'UDP' - AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + language: sql + primary_resource: azure_network_security_group + definition: | + WITH network_sg AS ( + SELECT + DISTINCT name sg_name + FROM + azure_network_security_group nsg, + jsonb_array_elements(security_rules) sg, + jsonb_array_elements_text( + CASE jsonb_typeof( + COALESCE(sg -> 'properties' -> 
'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb + ) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb + ELSE ('[' || (COALESCE(sg -> 'properties' -> 'destinationPortRanges', sg -> 'properties' -> 'destinationPortRange')::jsonb::text) || ']')::jsonb + END + ) dport, + jsonb_array_elements_text( + CASE jsonb_typeof( + COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb + ) + WHEN 'array' THEN COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb + ELSE ('[' || (COALESCE(sg -> 'properties' -> 'sourceAddressPrefixes', sg -> 'properties' -> 'sourceAddressPrefix')::jsonb::text) || ']')::jsonb + END + ) sip + WHERE + sg -> 'properties' ->> 'access' = 'Allow' + AND sg -> 'properties' ->> 'direction' = 'Inbound' + AND sg -> 'properties' ->> 'protocol' = 'UDP' + AND sip IN ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') + AND ( + dport = '*' + OR ( + dport LIKE '%-%' AND ( - dport = '*' - OR ( - dport LIKE '%-%' - AND ( - 53 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 123 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 161 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 389 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - OR 1900 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer - ) - ) + 53 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 123 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 161 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 389 BETWEEN split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer + OR 1900 BETWEEN 
split_part(dport, '-', 1)::integer AND split_part(dport, '-', 2)::integer ) + ) ) - SELECT - sg.id resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN nsg.sg_name IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nsg.sg_name IS NULL - THEN sg.title || ' restricts UDP services from internet.' - ELSE sg.title || ' allows UDP services from internet.' - END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group sg - LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + ) + SELECT + sg.id resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN nsg.sg_name IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nsg.sg_name IS NULL + THEN sg.title || ' restricts UDP services from internet.' + ELSE sg.title || ' allows UDP services from internet.' + END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group sg + LEFT JOIN network_sg nsg ON nsg.sg_name = sg.name + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.6' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.6" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml b/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml index ae25048de..a15236445 100644 
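Review bot: A rule whose `destinationPortRange` is a single port such as `53` is never flagged, because the new-side predicate only accepts `dport = '*'` or a hyphenated range; the sibling SSH control in the preceding hunk handles the single-port case with `dport IN ('22', '*')`, so this one should add `OR dport IN ('53', '123', '161', '389', '1900')` before the range branch. The protocol filter `sg -> 'properties' ->> 'protocol' = 'UDP'` is also stricter than the SSH control's `ILIKE 'TCP' OR ... = '*'`: a rule with protocol `*` (any) open to the internet is not caught here, and a lowercase `udp` value, should the API ever return one, would be missed as well — `(sg -> 'properties' ->> 'protocol' ILIKE 'UDP' OR sg -> 'properties' ->> 'protocol' = '*')` matches the sibling. The `sip IN (...)` list repeats `'/0'` twice; if the second entry was meant to cover IPv6 it should read `'::/0'`.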
--- a/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml +++ b/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml @@ -1,28 +1,29 @@ id: azure_network_sg_flowlog_enabled title: Flow logs should be configured for every network security group +type: control description: Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN sg.flow_logs IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.flow_logs IS NOT NULL THEN sg.name || ' flowlog enabled.' - ELSE sg.name || ' flowlog disabled.' - END AS reason - FROM - azure_network_security_group AS sg - JOIN - azure_subscription sub ON sub.subscription_id = sg.subscription_id; + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN sg.flow_logs IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.flow_logs IS NOT NULL THEN sg.name || ' flowlog enabled.' + ELSE sg.name || ' flowlog disabled.' + END AS reason + FROM + azure_network_security_group AS sg + JOIN + azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: low tags: {} 
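Review bot: `sg.flow_logs IS NOT NULL` checks only that some flow-log reference exists, so a flow log that exists but is disabled — the state the retention control two hunks down tests with `NOT fl.enabled` — still reports `ok` here; if `flow_logs` is an array, an empty `[]` also passes. Consider joining `azure_network_watcher_flow_log` as the retention control does and alarming on `fl.id IS NULL OR NOT fl.enabled`, or at least guarding with `jsonb_array_length(sg.flow_logs) > 0` if the column is a jsonb array (not visible here). The `JOIN azure_subscription sub` contributes nothing to the output and only filters out NSGs with no matching subscription row; the other NSG controls in this file emit `sg.resource_group AS resource_group, sub.display_name AS subscription` and this one should too for consistency.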
diff --git a/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml b/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml index a241274a4..33e1c81b2 100644 --- a/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml +++ b/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml 
@@ -1,51 +1,52 @@ id: azure_network_sg_flowlog_retention_period_greater_than_90 title: Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' +type: control description: Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN fl.id IS NULL OR NOT fl.enabled OR fl.retention_policy_days < 90 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN fl.id IS NULL OR NOT fl.enabled - THEN sg.name || ' flowlog not enabled.' - WHEN fl.retention_policy_days < 90 - THEN sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.' - ELSE sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.' - END AS reason, - sg.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_network_security_group sg - LEFT JOIN azure_network_watcher_flow_log fl ON sg.id = fl.target_resource_id - JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN fl.id IS NULL OR NOT fl.enabled OR fl.retention_policy_days < 90 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN fl.id IS NULL OR NOT fl.enabled + THEN sg.name || ' flowlog not enabled.' + WHEN fl.retention_policy_days < 90 + THEN sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.' 
+ ELSE sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.' + END AS reason, + sg.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_network_security_group sg + LEFT JOIN azure_network_watcher_flow_log fl ON sg.id = fl.target_resource_id + JOIN azure_subscription sub ON sub.subscription_id = sg.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.4' - cis_level: - - '2' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.4" + cis_level: + - "2" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml b/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml index 77d5e937c..353ac4a6e 100644 --- a/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml +++ b/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml 
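Review bot: A flow log that is enabled but whose `retention_policy_days` is NULL passes as `ok` with a NULL reason: `NULL < 90` is UNKNOWN, so the alarm branch is skipped and the `||` concatenation in the ELSE branch yields NULL. `WHEN fl.id IS NULL OR NOT fl.enabled OR fl.retention_policy_days IS NULL OR fl.retention_policy_days < 90 THEN 'alarm'` closes that gap (with a matching WHEN in the reason CASE). Also decide how a retention of `0` should be treated before relying on `< 90`: as far as I recall, a value of 0 in the Azure flow-log retention policy means logs are kept indefinitely rather than for zero days — confirm against the API before treating 0 as an alarm. The title says `greater than 90 days` while the description and the `< 90` test treat exactly 90 as passing; the title should say at least 90 days to match.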
@@ -1,23 +1,24 @@ id: azure_network_subnet_protected_by_firewall title: All Internet traffic should be routed via your deployed Azure Firewall +type: control description: Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml b/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml index 5ebe40804..e89df07ea 100644 --- a/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml +++ b/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml 
@@ -1,35 +1,36 @@ id: azure_network_virtual_network_gateway_no_basic_sku title: Virtual network gateways should use standard SKUs as a minimum +type: control description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_virtual_network_gateway - definition: | - SELECT - g.id AS resource, - g.platform_integration_id AS platform_integration_id, - g.platform_resource_id AS platform_resource_id, - CASE - WHEN g.sku_name = 'Basic' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN g.sku_name = 'Basic' THEN g.title || ' using basic SKU.' - ELSE g.title || ' using ' || sku_name || ' SKU.' - END AS reason, - g.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_virtual_network_gateway AS g, - azure_subscription AS sub - WHERE - sub.subscription_id = g.subscription_id; + language: sql + primary_resource: azure_virtual_network_gateway + definition: | + SELECT + g.id AS resource, + g.platform_integration_id AS platform_integration_id, + g.platform_resource_id AS platform_resource_id, + CASE + WHEN g.sku_name = 'Basic' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN g.sku_name = 'Basic' THEN g.title || ' using basic SKU.' + ELSE g.title || ' using ' || sku_name || ' SKU.' + END AS reason, + g.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_virtual_network_gateway AS g, + azure_subscription AS sub + WHERE + sub.subscription_id = g.subscription_id; severity: medium tags: - cis: - - 'true' - service: - - Azure/Network + cis: + - "true" + service: + - Azure/Network 
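Review bot: The description talks about `Basic or Free SKUs` but the query alarms only on `g.sku_name = 'Basic'`, and a NULL `sku_name` falls through to `ok` with a NULL reason because `NULL = 'Basic'` is UNKNOWN; either narrow the description to Basic or widen the test to `g.sku_name IN ('Basic', 'Free')` and add a `WHEN g.sku_name IS NULL THEN 'alarm'` (or `'info'`) branch, whichever this control intends. The ELSE branch references `sku_name` unqualified while every other column is qualified with `g.`; qualify it. Style: the `FROM ... g, ... sub WHERE sub.subscription_id = g.subscription_id` comma join should be the explicit `JOIN azure_subscription AS sub ON sub.subscription_id = g.subscription_id` used by the neighbouring controls.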
diff --git a/compliance/controls/azure/azure_network_watcher_enabled.yaml b/compliance/controls/azure/azure_network_watcher_enabled.yaml index d2275c5da..09eeba7ae 100644 --- a/compliance/controls/azure/azure_network_watcher_enabled.yaml +++ b/compliance/controls/azure/azure_network_watcher_enabled.yaml 
@@ -1,50 +1,51 @@ id: azure_network_watcher_enabled title: Network Watcher should be enabled +type: control description: Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_location - definition: | - SELECT - loc.id AS resource, - loc.platform_integration_id AS platform_integration_id, - loc.platform_resource_id AS platform_resource_id, - CASE - WHEN watcher.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN watcher.id IS NULL THEN 'Network watcher not enabled in ' || loc.name || '.' - ELSE 'Network watcher enabled in ' || loc.name || '.' - END AS reason, - loc.name, - sub.display_name AS subscription - FROM - azure_location loc - LEFT JOIN azure_network_watcher watcher - ON watcher.region = loc.name - JOIN azure_subscription sub - ON sub.subscription_id = loc.subscription_id; + language: sql + primary_resource: azure_location + definition: | + SELECT + loc.id AS resource, + loc.platform_integration_id AS platform_integration_id, + loc.platform_resource_id AS platform_resource_id, + CASE + WHEN watcher.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN watcher.id IS NULL THEN 'Network watcher not enabled in ' || loc.name || '.' + ELSE 'Network watcher enabled in ' || loc.name || '.' 
+ END AS reason, + loc.name, + sub.display_name AS subscription + FROM + azure_location loc + LEFT JOIN azure_network_watcher watcher + ON watcher.region = loc.name + JOIN azure_subscription sub + ON sub.subscription_id = loc.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.5' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.5" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml b/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml index 6b8884fb4..03a8a4bf6 100644 --- a/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml +++ b/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml 
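Review bot: `LEFT JOIN azure_network_watcher watcher ON watcher.region = loc.name` is not scoped to the location's subscription, so a watcher in any other subscription that happens to share the region name makes this location report `ok`, and several such watchers produce duplicate rows for the same location. Assuming `azure_network_watcher` exposes `subscription_id` like the other tables in this file, the join should read `ON watcher.region = loc.name AND watcher.subscription_id = loc.subscription_id`. The `azure_network_watcher_in_regions_with_virtual_network` hunk further down has the same unscoped region join (`ON a.region = b.region`) and needs the same fix.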
@@ -1,28 +1,29 @@ id: azure_network_watcher_flow_log_enabled title: All flow log resources should be in enabled state +type: control description: Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_watcher_flow_log - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN sg.enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.enabled THEN sg.name || ' flowlog enabled.' - ELSE sg.name || ' flowlog disabled.' - END AS reason - FROM - azure_network_watcher_flow_log AS sg - JOIN azure_subscription sub - ON sub.subscription_id = sg.subscription_id; + language: sql + primary_resource: azure_network_watcher_flow_log + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN sg.enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.enabled THEN sg.name || ' flowlog enabled.' + ELSE sg.name || ' flowlog disabled.' + END AS reason + FROM + azure_network_watcher_flow_log AS sg + JOIN azure_subscription sub + ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml b/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml index 4fb199d23..641a707f7 100644 --- a/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml +++ b/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml 
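Review bot: The alias `sg` for `azure_network_watcher_flow_log` is misleading — it reads as a network security group, which is what the neighbouring controls alias `sg` — and the same alias appears in the traffic-analytics hunk that follows; `fl` (as used in the retention control) would be clearer in both. The `JOIN azure_subscription sub` is unused in the select list, so it only drops flow logs whose subscription row is missing; either emit `sub.display_name AS subscription` (plus `sg.resource_group AS resource_group` if the table has that column) as the other controls do, or drop the join.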
@@ -1,34 +1,35 @@ id: azure_network_watcher_flow_log_traffic_analytics_enabled title: Network Watcher flow logs should have traffic analytics enabled +type: control description: Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_watcher_flow_log - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id AS platform_integration_id, - sg.platform_resource_id AS platform_resource_id, - CASE - WHEN sg.enabled - AND traffic_analytics ->> 'enabled' = 'true' - AND (traffic_analytics ->> 'trafficAnalyticsInterval')::int BETWEEN 10 AND 60 - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.enabled - AND traffic_analytics ->> 'enabled' = 'true' - AND (traffic_analytics ->> 'trafficAnalyticsInterval')::int BETWEEN 10 AND 60 - THEN sg.name || ' flowlog traffic analytics enabled.' - ELSE sg.name || ' flowlog traffic analytics disabled.' 
- END AS reason - FROM - azure_network_watcher_flow_log AS sg - JOIN azure_subscription sub - ON sub.subscription_id = sg.subscription_id; + language: sql + primary_resource: azure_network_watcher_flow_log + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id AS platform_integration_id, + sg.platform_resource_id AS platform_resource_id, + CASE + WHEN sg.enabled + AND traffic_analytics ->> 'enabled' = 'true' + AND (traffic_analytics ->> 'trafficAnalyticsInterval')::int BETWEEN 10 AND 60 + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.enabled + AND traffic_analytics ->> 'enabled' = 'true' + AND (traffic_analytics ->> 'trafficAnalyticsInterval')::int BETWEEN 10 AND 60 + THEN sg.name || ' flowlog traffic analytics enabled.' + ELSE sg.name || ' flowlog traffic analytics disabled.' + END AS reason + FROM + azure_network_watcher_flow_log AS sg + JOIN azure_subscription sub + ON sub.subscription_id = sg.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml b/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml index 52e7eb669..c494ca286 100644 --- a/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml +++ b/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml 
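Review bot: The reason text reports `flowlog traffic analytics disabled.` for three distinct failure causes — the flow log itself disabled, traffic analytics off, or `trafficAnalyticsInterval` outside 10–60 — so an operator cannot tell which setting to fix. Splitting the reason CASE gives actionable output, e.g. `WHEN NOT sg.enabled THEN sg.name || ' flowlog disabled.'`, `WHEN traffic_analytics ->> 'enabled' IS DISTINCT FROM 'true' THEN sg.name || ' flowlog traffic analytics disabled.'`, and a final branch for the interval; the status CASE can stay as is. Note that `(traffic_analytics ->> 'trafficAnalyticsInterval')::int` raises an error for the whole query if the value is ever non-numeric, and yields NULL (hence `alarm`) when the key is absent — the latter is probably intended but deserves a comment.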
@@ -1,36 +1,37 @@ id: azure_network_watcher_in_regions_with_virtual_network title: Deploy network watcher when virtual networks are created +type: control description: This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_virtual_network - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN b.region IS NULL THEN 'alarm' - WHEN LOWER(b.resource_group) = 'networkwatcherrg' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.region IS NULL THEN 'Network watcher does not exist in region' || a.region || '.' - WHEN LOWER(b.resource_group) = 'networkwatcherrg' THEN b.name || ' exist in networkWatcherRG resource group.' - ELSE b.name || ' does not exist in networkWatcherRG resource group.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_virtual_network AS a - LEFT JOIN azure_network_watcher AS b ON a.region = b.region - JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_virtual_network + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN b.region IS NULL THEN 'alarm' + WHEN LOWER(b.resource_group) = 'networkwatcherrg' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.region IS NULL THEN 'Network watcher does not exist in region' || a.region || '.' + WHEN LOWER(b.resource_group) = 'networkwatcherrg' THEN b.name || ' exist in networkWatcherRG resource group.' + ELSE b.name || ' does not exist in networkWatcherRG resource group.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_virtual_network AS a + LEFT JOIN azure_network_watcher AS b ON a.region = b.region + JOIN azure_subscription sub ON sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Network + hipaa_hitrust_v92: + - "true" + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml b/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml index 082831719..92fc774b8 100644 --- a/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml 
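Review bot: The first reason string is missing a space: `'Network watcher does not exist in region' || a.region` renders the region name glued to the word `region`; change it to `'Network watcher does not exist in region ' || a.region || '.'`. The `ok` branch's `' exist in networkWatcherRG resource group.'` should read `' exists in networkWatcherRG resource group.'`. The description (`This policy creates a network watcher resource...`) is the wording of the Azure Policy definition rather than a description of this read-only check; something like `Checks that every region containing a virtual network has a Network Watcher deployed in the networkWatcherRG resource group.` would describe what the query does.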
@@ -1,60 +1,61 @@ id: azure_postgres_db_server_allow_access_to_azure_services_disabled title: Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled +type: control description: Disable access from Azure services to PostgreSQL Database Server. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - WITH postgres_db_with_allow_access_to_azure_services AS ( - SELECT - id - FROM - azure_postgresql_server, - jsonb_array_elements(firewall_rules) AS r - WHERE - r -> 'properties' ->> 'endIpAddress' = '255.255.255.255' - AND r -> 'properties' ->> 'startIpAddress' = '0.0.0.0' - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to azure services.' - ELSE s.title || ' restricts access to azure services.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server AS s - LEFT JOIN postgres_db_with_allow_access_to_azure_services AS a ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + WITH postgres_db_with_allow_access_to_azure_services AS ( + SELECT + id + FROM + azure_postgresql_server, + jsonb_array_elements(firewall_rules) AS r + WHERE + r -> 'properties' ->> 'endIpAddress' = '255.255.255.255' + AND r -> 'properties' ->> 'startIpAddress' = '0.0.0.0' + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' does not restrict access to azure services.' + ELSE s.title || ' restricts access to azure services.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server AS s + LEFT JOIN postgres_db_with_allow_access_to_azure_services AS a ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.7 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.7 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml b/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml index b640b8511..473411961 100644 
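Review bot: The CTE flags a firewall rule spanning `0.0.0.0`–`255.255.255.255`, i.e. a rule that opens the server to every IPv4 address, which is not the same thing as the `Allow access to Azure services` switch the title and CIS 4.3.7 refer to; as far as I recall that switch is materialised on single server as a rule whose start and end IP are both `0.0.0.0` (the `AllowAllWindowsAzureIps` rule) — confirm against the API and, if so, either test for `startIpAddress = '0.0.0.0' AND endIpAddress = '0.0.0.0'` or keep both conditions and say which one fired in the reason. A full-range rule is still worth alarming on, but it is a different finding and should be named as such. Style: the FROM mixes a `LEFT JOIN` with a comma join to `azure_subscription`; `JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id` matches the rest of the file.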
--- a/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml 
@@ -1,51 +1,52 @@ id: azure_postgres_db_server_connection_throttling_on title: Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable connection_throttling on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter connection_throttling off.' - ELSE s.name || ' server parameter connection_throttling on.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'connection_throttling' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter connection_throttling off.' + ELSE s.name || ' server parameter connection_throttling on.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'connection_throttling' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.6 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.6 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml index 4b619a3d0..e2a231c82 100644 --- a/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml 
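Review bot: A server whose `connection_throttling` entry has no `value` is reported as `ok`, because `LOWER(NULL) != 'on'` yields NULL and both CASE expressions fall through to their ELSE branch; a compliance check should fail closed here, e.g. `WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') IS DISTINCT FROM 'on' THEN 'alarm'` in the status CASE and the matching line in the reason CASE. The same NULL-to-`ok` fall-through appears in the log_checkpoints, log_connections and log_disconnections hunks (identical predicate), in log_retention_days_3 (`(...)::integer <= 3` is NULL for a missing value, so `COALESCE(..., 0) <= 3` or a `WHEN ... IS NULL THEN 'alarm'` arm is needed), and in the ssl_enabled and public_network_access hunks, where `= 'Disabled'` / `= 'Enabled'` against a NULL column also lands in `ELSE 'ok'`. Because the predicate is duplicated between the status and reason CASEs in every one of these controls, any fix has to be applied to both copies or the status and reason will disagree.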
@@ -1,37 +1,38 @@ id: azure_postgres_db_server_geo_redundant_backup_enabled title: Geo-redundant backup should be enabled for Azure Database for PostgreSQL +type: control description: Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN geo_redundant_backup = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN geo_redundant_backup = 'Enabled' THEN name || ' Geo-redundant backup enabled.' - ELSE name || ' Geo-redundant backup disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN geo_redundant_backup = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN geo_redundant_backup = 'Enabled' THEN name || ' Geo-redundant backup enabled.' + ELSE name || ' Geo-redundant backup disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/PostgreSQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml b/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml index 58134559d..96103747b 100644 --- a/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml 
@@ -1,29 +1,30 @@ id: azure_postgres_db_server_latest_tls_version title: PostgreSQL servers should have the latest TLS version +type: control description: This control checks if the PostgreSQL server is upgraded to the latest TLS version. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimal_tls_version = 'TLS1_2' THEN name || ' uses the latest version of TLS encryption.' - ELSE name || ' does not use the latest version of TLS encryption.' - END AS reason - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN minimal_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimal_tls_version = 'TLS1_2' THEN name || ' uses the latest version of TLS encryption.' + ELSE name || ' does not use the latest version of TLS encryption.' + END AS reason + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml index e65acee43..b6bdd5acb 100644 --- a/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml 
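Review bot: The result set omits `s.resource_group AS resource_group` and `sub.display_name AS subscription` even though `azure_subscription AS sub` is joined, so this control reports less context than the neighbouring PostgreSQL controls that all emit both columns. Adding the two lines after `END AS reason` would bring it in line with the siblings and make the join of `sub` serve a purpose beyond filtering. The hard-coded `'TLS1_2'` is presumably what "latest" means for this resource at the time of writing; a comment on the definition saying so, e.g. `# TLS1_2 is the highest minimal_tls_version accepted by this resource type; revisit when Azure adds newer values`, would keep the check from silently going stale.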
@@ -1,51 +1,52 @@ id: azure_postgres_db_server_log_checkpoints_on title: Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable log_checkpoints on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter log_checkpoints off.' - ELSE s.name || ' server parameter log_checkpoints on.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - JSONB_ARRAY_ELEMENTS(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'log_checkpoints' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter log_checkpoints off.' + ELSE s.name || ' server parameter log_checkpoints on.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + JSONB_ARRAY_ELEMENTS(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'log_checkpoints' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.3 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.3 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml index eae5e89fc..9e539f3d9 100644 --- a/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml 
@@ -1,51 +1,52 @@ id: azure_postgres_db_server_log_connections_on title: Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable log_connections on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter log_connections off.' - ELSE s.name || ' server parameter log_connections on.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - JSONB_ARRAY_ELEMENTS(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'log_connections' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN s.name || ' server parameter log_connections off.' + ELSE s.name || ' server parameter log_connections on.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + JSONB_ARRAY_ELEMENTS(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'log_connections' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.4 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.4 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml index 824f84f11..c813ed112 100644 --- a/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml 
@@ -1,51 +1,52 @@ id: azure_postgres_db_server_log_disconnections_on title: Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server +type: control description: Enable log_disconnections on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN name || ' server parameter log_disconnections off.' - ELSE name || ' server parameter log_disconnections on.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - WHERE - config ->> 'Name' = 'log_disconnections' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(config -> 'ConfigurationProperties' ->> 'value') != 'on' THEN name || ' server parameter log_disconnections off.' + ELSE name || ' server parameter log_disconnections on.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + jsonb_array_elements(server_configurations) config, + azure_subscription sub + WHERE + config ->> 'Name' = 'log_disconnections' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.5 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.5 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml b/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml index 62b989b4d..195171158 100644 --- a/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml 
@@ -1,51 +1,52 @@ id: azure_postgres_db_server_log_retention_days_3 title: Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server +type: control description: Enable log_retention_days on PostgreSQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 THEN s.name || ' log files are retained for 3 days or lesser.' - ELSE s.name || ' log files are retained for more than 3 days.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - jsonb_array_elements(server_configurations) AS config, - azure_subscription sub - WHERE - config ->> 'Name' = 'log_retention_days' - AND sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 THEN s.name || ' log files are retained for 3 days or lesser.' + ELSE s.name || ' log files are retained for more than 3 days.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + jsonb_array_elements(server_configurations) AS config, + azure_subscription sub + WHERE + config ->> 'Name' = 'log_retention_days' + AND sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.7 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.7 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_server_private_link_used.yaml b/compliance/controls/azure/azure_postgres_server_private_link_used.yaml index d6eda0b38..3e0dd7d86 100644 --- a/compliance/controls/azure/azure_postgres_server_private_link_used.yaml +++ b/compliance/controls/azure/azure_postgres_server_private_link_used.yaml 
@@ -1,35 +1,36 @@ id: azure_postgres_server_private_link_used title: Private endpoint should be enabled for PostgreSQL servers +type: control description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_tier = 'Basic' THEN 'skip' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server a, - azure_subscription sub; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_tier = 'Basic' THEN 'skip' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_tier = 'Basic' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' 
+ ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server a, + azure_subscription sub; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/PostgreSQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml index ba6d5ab6f..bbbbea162 100644 --- a/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml 
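Review bot: The FROM clause joins `azure_postgresql_server a, azure_subscription sub` with no predicate, so every server is paired with every subscription and the `subscription` column is wrong whenever more than one subscription is integrated; the finding count is multiplied accordingly. Every sibling control in this directory ends with a subscription filter, and this one should too: `WHERE sub.subscription_id = a.subscription_id;` in place of the bare `azure_subscription sub;`. Duplicate findings per server also make the `skip`/`ok`/`alarm` counts unreliable for anything that aggregates by resource.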
@@ -1,40 +1,41 @@ id: azure_postgres_sql_server_encrypted_at_rest_using_cmk title: PostgreSQL servers should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - WITH pgql_server_encrypted AS ( - SELECT DISTINCT i.id AS id - FROM azure_mysql_server AS i, - jsonb_array_elements(server_keys) a - WHERE a ->> 'serverKeyType' = 'AzureKeyVault' - AND a ->> 'uri' IS NOT NULL - ) - SELECT s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN a.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' - ELSE s.title || ' not encrypted with CMK.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM azure_postgresql_server AS s - LEFT JOIN pgql_server_encrypted AS a ON s.id = a.id, - azure_subscription AS sub - WHERE sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + WITH pgql_server_encrypted AS ( + SELECT DISTINCT i.id AS id + FROM azure_mysql_server AS i, + jsonb_array_elements(server_keys) a + WHERE a ->> 'serverKeyType' = 'AzureKeyVault' + AND a ->> 'uri' IS NOT NULL + ) + SELECT s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN a.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN s.title || ' encrypted with CMK.' + ELSE s.title || ' not encrypted with CMK.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM azure_postgresql_server AS s + LEFT JOIN pgql_server_encrypted AS a ON s.id = a.id, + azure_subscription AS sub + WHERE sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/PostgreSQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml b/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml index bc73c3d03..bd9537270 100644 --- a/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml 
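Review bot: The `pgql_server_encrypted` CTE reads `server_keys` from `azure_mysql_server`, but the outer query joins it to `azure_postgresql_server` on `s.id = a.id`; a MySQL server id is unlikely to ever equal a PostgreSQL server id, so every PostgreSQL server would be reported as `not encrypted with CMK` regardless of its key configuration. This looks like a copy-paste from the MySQL control and the CTE should read `FROM azure_postgresql_server AS i,`. Worth pairing with a fixture where a PostgreSQL server carries an `AzureKeyVault` key with a non-null `uri`, so a regression of this kind surfaces as a failing expectation rather than a wall of alarms.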
@@ -1,49 +1,50 @@ id: azure_postgres_sql_ssl_enabled title: Enforce SSL connection should be enabled for PostgreSQL database servers +type: control description: Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN ssl_enforcement = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' - ELSE name || ' SSL connection enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN ssl_enforcement = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN ssl_enforcement = 'Disabled' THEN name || ' SSL connection disabled.' + ELSE name || ' SSL connection enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.1 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.1 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml index e61cb522d..29365b5dd 100644 --- a/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_postgresql_server_infrastructure_encryption_enabled title: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers +type: control description: Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN infrastructure_encryption = 'Enabled' THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.3.8 - cis_level: - - '1' - cis_section_id: - - '4.3' - cis_type: - - manual - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/PostgreSQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.3.8 + cis_level: + - "1" + cis_section_id: + - "4.3" + cis_type: + - manual + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml index e0f723fc5..22e033026 100644 --- a/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml 
@@ -1,35 +1,36 @@ id: azure_postgresql_server_public_network_access_disabled title: Public network access should be disabled for PostgreSQL servers +type: control description: Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_postgresql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_postgresql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_postgresql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_postgresql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/PostgreSQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/PostgreSQL diff --git a/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml index 1108b1d86..ca329f348 100644 --- a/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml 
@@ -1,23 +1,24 @@ id: azure_recovery_service_vault_encrypted_with_cmk title: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data +type: control description: Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml index 3136c8a7c..67db15269 100644 --- a/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml 
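Review bot: `primary_resource` is left as an empty string in the new policy block even though the query emits one row per `azure_subscription` and uses the subscription `id` as `resource`; `primary_resource: azure_subscription` would let the platform attribute the result to the right resource type. Because the status is hard-coded to 'info', this control can never alarm; a YAML comment above `definition:` such as `# vault encryption settings are not evaluated yet; result is informational only` would stop readers from assuming CMK usage is actually checked.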
@@ -1,29 +1,30 @@ id: azure_recovery_service_vault_uses_managed_identity title: Recovery Services vaults should use managed identity +type: control description: Recovery Services vaults should use a managed identity for enhanced authentication security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN name || ' not uses managed identity.' - ELSE name || ' uses managed identity.' - END AS reason - FROM - azure_recovery_services_vault AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_recovery_services_vault + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN name || ' not uses managed identity.' + ELSE name || ' uses managed identity.' + END AS reason + FROM + azure_recovery_services_vault AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml index 751d9ce2d..2985ecfe5 100644 --- a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml 
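Review bot: The alarm reason on the new side reads `name || ' not uses managed identity.'`, which is ungrammatical in a user-facing finding; `name || ' does not use managed identity.'` is the expected phrasing. Note also that this control accepts any identity type other than 'None' (so user-assigned identities pass), which is reasonable but differs from azure_search_service_uses_managed_identity in the same commit, which accepts only 'SystemAssigned'; the two should agree on what counts as a managed identity or document why they differ.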
@@ -1,29 +1,30 @@ id: azure_recovery_service_vault_uses_private_link title: Recovery Services vaults should use private link -description: 'Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink.' +type: control +description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN private_endpoint_state_for_site_recovery = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN private_endpoint_state_for_site_recovery = 'Enabled' THEN 'Private link for site recovery is enabled.' - ELSE 'Private link for site recovery is disabled.' 
- END AS reason - FROM - azure_recovery_services_vault AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_recovery_services_vault + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN private_endpoint_state_for_site_recovery = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN private_endpoint_state_for_site_recovery = 'Enabled' THEN 'Private link for site recovery is enabled.' + ELSE 'Private link for site recovery is disabled.' + END AS reason + FROM + azure_recovery_services_vault AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml index 2759b00b2..6fe38a5c5 100644 --- a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml 
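Review bot: The reason strings in the new definition ('Private link for site recovery is enabled.' / '... is disabled.') carry no resource name, unlike every neighbouring control, so a finding cannot be read on its own. Prefix them with the vault, e.g. `s.name || ' private link for site recovery enabled.'` and `s.name || ' private link for site recovery disabled.'`. The comparison itself is fail-closed (a NULL `private_endpoint_state_for_site_recovery` alarms), which is the right default for this check.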
@@ -1,29 +1,30 @@ id: azure_recovery_service_vault_uses_private_link_for_backup title: Azure Recovery Services vaults should use private link for backup -description: 'Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.' +type: control +description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN private_endpoint_state_for_backup = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN private_endpoint_state_for_backup = 'Enabled' THEN 'Private link for backup is enabled.' - ELSE 'Private link for backup is disabled.' 
- END AS reason - FROM - azure_recovery_services_vault AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_recovery_services_vault + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN private_endpoint_state_for_backup = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN private_endpoint_state_for_backup = 'Enabled' THEN 'Private link for backup is enabled.' + ELSE 'Private link for backup is disabled.' + END AS reason + FROM + azure_recovery_services_vault AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml b/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml index 7e22b23c0..617ee097b 100644 --- a/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml +++ b/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml 
@@ -1,29 +1,30 @@ id: azure_redis_cache_in_virtual_network title: Azure Cache for Redis should reside within a virtual network +type: control description: Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_redis_cache - definition: | - SELECT - redis.id AS resource, - redis.platform_integration_id AS platform_integration_id, - redis.platform_resource_id AS platform_resource_id, - CASE - WHEN subnet_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN subnet_id IS NOT NULL THEN redis.name || ' in virtual network.' - ELSE redis.name || ' not in virtual network.' - END AS reason - FROM - azure_redis_cache AS redis, - azure_subscription AS sub - WHERE - sub.subscription_id = redis.subscription_id; + language: sql + primary_resource: azure_redis_cache + definition: | + SELECT + redis.id AS resource, + redis.platform_integration_id AS platform_integration_id, + redis.platform_resource_id AS platform_resource_id, + CASE + WHEN subnet_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN subnet_id IS NOT NULL THEN redis.name || ' in virtual network.' + ELSE redis.name || ' not in virtual network.' + END AS reason + FROM + azure_redis_cache AS redis, + azure_subscription AS sub + WHERE + sub.subscription_id = redis.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml b/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml index a9b34296f..c6c5617cd 100644 
--- a/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml +++ b/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml @@ -1,30 +1,31 @@ id: azure_redis_cache_min_tls_1_2 title: Redis Caches 'Minimum TLS version' should be set to 'Version 1.2' +type: control description: This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_redis_cache - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_tls_version IS NULL THEN 'alarm' - WHEN minimum_tls_version = '1.2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_tls_version IS NULL THEN c.name || ' minimum TLS version not set.' - ELSE c.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - END AS reason - FROM - azure_redis_cache AS c, - azure_subscription sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_redis_cache + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_tls_version IS NULL THEN 'alarm' + WHEN minimum_tls_version = '1.2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_tls_version IS NULL THEN c.name || ' minimum TLS version not set.' + ELSE c.name || ' minimum TLS version set to ' || minimum_tls_version || '.' + END AS reason + FROM + azure_redis_cache AS c, + azure_subscription sub + WHERE + sub.subscription_id = c.subscription_id; severity: low tags: {} 
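Review bot: The ok branch is a strict equality `minimum_tls_version = '1.2'`, so any stricter value the provider might report would be alarmed with the reason 'minimum TLS version set to X', which contradicts the description's wording about 'later protocols such as TLS 1.2'. If the intent is 'at least 1.2', compare accordingly, e.g. `WHEN minimum_tls_version IN ('1.2', '1.3') THEN 'ok'`, or state in the description that only '1.2' is accepted on purpose. The NULL branch correctly alarms instead of assuming a secure default.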
diff --git a/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml b/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml
index 5bd6f3973..368521adb 100644
--- a/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml
+++ b/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml
@@ -1,35 +1,36 @@ id: azure_redis_cache_no_basic_sku title: Azure Cache for Redis should use standard SKUs as a minimum +type: control description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_redis_cache - definition: | - SELECT - c.id AS resource, - c.platform_integration_id AS platform_integration_id, - c.platform_resource_id AS platform_resource_id, - CASE - WHEN c.sku_name = 'Basic' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.sku_name = 'Basic' THEN c.title || ' using basic SKU.' - ELSE c.title || ' using ' || sku_name || ' SKU.' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_redis_cache AS c, - azure_subscription AS sub - WHERE - sub.subscription_id = c.subscription_id; + language: sql + primary_resource: azure_redis_cache + definition: | + SELECT + c.id AS resource, + c.platform_integration_id AS platform_integration_id, + c.platform_resource_id AS platform_resource_id, + CASE + WHEN c.sku_name = 'Basic' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.sku_name = 'Basic' THEN c.title || ' using basic SKU.' + ELSE c.title || ' using ' || sku_name || ' SKU.' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_redis_cache AS c, + azure_subscription AS sub + WHERE + sub.subscription_id = c.subscription_id; severity: medium tags: - cis: - - 'true' - service: - - Azure/Redis + cis: + - "true" + service: + - Azure/Redis 
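Review bot: The description says Basic or Free SKUs must never be used, but the status CASE only tests `c.sku_name = 'Basic'`, and a NULL `sku_name` lands in the ok branch where `c.title || ' using ' || sku_name || ' SKU.'` collapses the whole reason to NULL. Either narrow the description to Basic, or match it with `WHEN c.sku_name IS NULL OR c.sku_name IN ('Basic', 'Free') THEN 'alarm'` and a NULL-safe reason such as `c.title || ' using ' || COALESCE(c.sku_name, 'unknown') || ' SKU.'`. The unqualified `sku_name` in the ELSE branch should also be written `c.sku_name` like the other references in a two-table FROM.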
diff --git a/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml b/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml index ce64b7346..e856331e7 100644 --- a/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml @@ -1,29 +1,30 @@ id: azure_redis_cache_ssl_enabled title: Only secure connections to your Azure Cache for Redis should be enabled +type: control description: Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_redis_cache - definition: | - SELECT - redis.id AS resource, - redis.platform_integration_id AS platform_integration_id, - redis.platform_resource_id AS platform_resource_id, - CASE - WHEN enable_non_ssl_port THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN enable_non_ssl_port THEN redis.name || ' secure connections disabled.' - ELSE redis.name || ' secure connections enabled.' - END AS reason - FROM - azure_redis_cache AS redis, - azure_subscription AS sub - WHERE - sub.subscription_id = redis.subscription_id; + language: sql + primary_resource: azure_redis_cache + definition: | + SELECT + redis.id AS resource, + redis.platform_integration_id AS platform_integration_id, + redis.platform_resource_id AS platform_resource_id, + CASE + WHEN enable_non_ssl_port THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN enable_non_ssl_port THEN redis.name || ' secure connections disabled.' + ELSE redis.name || ' secure connections enabled.' + END AS reason + FROM + azure_redis_cache AS redis, + azure_subscription AS sub + WHERE + sub.subscription_id = redis.subscription_id; severity: low tags: {} 
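Review bot: The reason text on the new side says 'secure connections disabled' when `enable_non_ssl_port` is true, but enabling the non-SSL port does not disable TLS — it exposes a plaintext port alongside it, and the finding should say so. Use `redis.name || ' non-SSL port enabled.'` and `redis.name || ' non-SSL port disabled.'` so the remediation is obvious to the reader. A NULL `enable_non_ssl_port` currently falls into the ok branch; if the column can be NULL when the property is not returned, consider alarming there as well.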
diff --git a/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml b/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml
index fb39adee5..d611a2fe5 100644
--- a/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml
+++ b/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml
@@ -1,39 +1,40 @@ id: azure_redis_cache_uses_private_link title: Azure Cache for Redis should use private link +type: control description: Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_redis_cache - definition: | - WITH redis_private_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_redis_cache AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' - END AS reason - FROM - azure_redis_cache AS a - LEFT JOIN redis_private_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_redis_cache + definition: | + WITH redis_private_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_redis_cache AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' 
+ END AS reason + FROM + azure_redis_cache AS a + LEFT JOIN redis_private_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_search_service_logging_enabled.yaml b/compliance/controls/azure/azure_search_service_logging_enabled.yaml index 76f5ae948..2694a5c39 100644 --- a/compliance/controls/azure/azure_search_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_search_service_logging_enabled.yaml 
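Review bot: The outer FROM on the new side mixes an explicit `LEFT JOIN redis_private_connection` with an implicit comma join to `azure_subscription`, which is easy to misread and hides that caches whose subscription is missing from `azure_subscription` are dropped entirely. Write the filter as `INNER JOIN azure_subscription AS sub ON sub.subscription_id = a.subscription_id` and drop the WHERE clause. Only connections whose `privateLinkServiceConnectionState.status` is 'Approved' count, so a cache with a pending or rejected endpoint is reported as 'not uses private link'; a reason like `a.name || ' has no approved private endpoint connection.'` would make that explicit and fix the grammar.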
@@ -1,65 +1,66 @@ id: azure_search_service_logging_enabled title: Resource logs in Search services should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - WITH logging_details AS ( - SELECT - DISTINCT name AS search_service_name - FROM - azure_search_service, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_search_service + definition: | + WITH logging_details AS ( + SELECT + DISTINCT name AS search_service_name + FROM + azure_search_service, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.search_service_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.search_service_name IS NULL THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_search_service AS v - LEFT JOIN logging_details AS l ON v.name = l.search_service_name, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id; + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.search_service_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.search_service_name IS NULL THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' 
+ END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_search_service AS v + LEFT JOIN logging_details AS l ON v.name = l.search_service_name, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveSearch + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveSearch diff --git a/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml b/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml index a6861790c..d673870c7 100644 --- a/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml 
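Review bot: The `logging_details` CTE is keyed on `name` and the final query joins on `v.name = l.search_service_name`, while every other control in this set keys on the resource `id`; even if search service names are unique today, the id is the stable key and avoids a cross-subscription collision should that change. Use `DISTINCT id AS search_service_id` in the CTE and `LEFT JOIN logging_details AS l ON v.id = l.search_service_id`. Separately, the second OR branch compares `log -> 'retentionPolicy' ->> 'enabled' <> 'true'` and `storageAccountId = ''`; if either key is absent the comparison yields NULL and an otherwise enabled log category is treated as not logging, so `IS DISTINCT FROM 'true'` and `COALESCE(setting -> 'properties' ->> 'storageAccountId', '') = ''` are presumably what was intended — confirm against a real diagnostic-settings payload.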
@@ -1,35 +1,36 @@ id: azure_search_service_public_network_access_disabled title: Azure Cognitive Search services should disable public network access +type: control description: Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_search_service AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_search_service + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_search_service AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveSearch + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveSearch 
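Review bot: As in the PostgreSQL control of this commit, the new status CASE treats a NULL `public_network_access` as 'ok' with the reason 'public network access disabled', so a missing value is reported as a pass on a high-severity exposure check. Add `WHEN public_network_access IS NULL THEN 'alarm'` (or 'info') as the first branch with a reason such as `name || ' public network access state unknown.'`. `name` is also the only unqualified column in a two-table FROM; `s.name` keeps it unambiguous.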
diff --git a/compliance/controls/azure/azure_search_service_replica_count_3.yaml b/compliance/controls/azure/azure_search_service_replica_count_3.yaml index c707a0081..b8b4679e5 100644 --- a/compliance/controls/azure/azure_search_service_replica_count_3.yaml +++ b/compliance/controls/azure/azure_search_service_replica_count_3.yaml @@ -1,26 +1,27 @@ id: azure_search_service_replica_count_3 title: Cognitive Search services should maintain SLA for index updates +type: control description: This control checks if Cognitive Search maintains SLA for index updates. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN replica_count > 3 THEN 'ok' - ELSE 'alarm' - END AS status, - name || ' has ' || replica_count || ' replica count.' AS reason - FROM - azure_search_service AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_search_service + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN replica_count > 3 THEN 'ok' + ELSE 'alarm' + END AS status, + name || ' has ' || replica_count || ' replica count.' AS reason + FROM + azure_search_service AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml b/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml index b8f8f0d92..402e07ac3 100644 --- a/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml 
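Review bot: The ok condition is `replica_count > 3`, which requires four replicas, while the control id `azure_search_service_replica_count_3` suggests the threshold is three; if three replicas is the intended minimum the comparison should be `WHEN replica_count >= 3 THEN 'ok'`. Whichever is meant, the description 'checks if Cognitive Search maintains SLA for index updates' should state the numeric threshold so a reader can tell whether an alarm at exactly three replicas is a bug or the policy.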
@@ -1,29 +1,30 @@ id: azure_search_service_uses_managed_identity title: Cognitive Search services should use managed identity +type: control description: Cognitive Search services should use a managed identity for enhanced authentication security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN identity ->> 'type' = 'SystemAssigned' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN identity ->> 'type' = 'SystemAssigned' THEN name || ' use managed identity.' - ELSE name || ' not use managed identity.' - END AS reason - FROM - azure_search_service AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_search_service + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN identity ->> 'type' = 'SystemAssigned' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN identity ->> 'type' = 'SystemAssigned' THEN name || ' use managed identity.' + ELSE name || ' not use managed identity.' + END AS reason + FROM + azure_search_service AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_search_service_uses_private_link.yaml b/compliance/controls/azure/azure_search_service_uses_private_link.yaml index b6c796a03..5220147fe 100644 --- a/compliance/controls/azure/azure_search_service_uses_private_link.yaml +++ b/compliance/controls/azure/azure_search_service_uses_private_link.yaml 
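Review bot: The ok branch accepts only `identity ->> 'type' = 'SystemAssigned'`, so a service with a user-assigned identity (or a combined type, if the provider reports one) is alarmed as not using a managed identity, which contradicts the description and the sibling azure_recovery_service_vault_uses_managed_identity control in this commit that accepts any type other than 'None'. Align it with `WHEN identity IS NULL OR identity ->> 'type' = 'None' THEN 'alarm' ELSE 'ok'` (and swap the reasons accordingly), or document that a system-assigned identity is required on purpose. The reason strings `' use managed identity.'` / `' not use managed identity.'` should also read `' uses managed identity.'` / `' does not use managed identity.'`.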
@@ -1,45 +1,46 @@ id: azure_search_service_uses_private_link title: Azure Cognitive Search services should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - WITH search_service_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_search_service AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.title || ' not uses private link.' - ELSE a.title || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_search_service AS a - LEFT JOIN search_service_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_search_service + definition: | + WITH search_service_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_search_service AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.title || ' not uses private link.' + ELSE a.title || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_search_service AS a + LEFT JOIN search_service_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveSearch + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveSearch diff --git a/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml b/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml index 2135ac51d..54b57b4a8 100644 --- a/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml +++ b/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml 
@@ -1,35 +1,36 @@ id: azure_search_service_uses_sku_supporting_private_link title: Azure Cognitive Search service should use a SKU that supports private link +type: control description: With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_search_service - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name = 'free' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sku_name = 'free' THEN s.title || ' SKU does not support private link.' - ELSE s.title || ' SKU supports private link.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_search_service AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_search_service + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name = 'free' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sku_name = 'free' THEN s.title || ' SKU does not support private link.' + ELSE s.title || ' SKU supports private link.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_search_service AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/CognitiveSearch + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/CognitiveSearch diff --git a/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml b/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml index b450282b3..fe0e16ffd 100644 --- a/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml +++ b/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml 
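Review bot: `WHEN sku_name = 'free' THEN 'alarm' ELSE 'ok'` lets a NULL `sku_name` (or a differently-cased value, if the collector ever returns `Free`) fall through to `ok`, so an unknown tier is silently reported as supporting private link. Consider `WHEN sku_name IS NULL THEN 'alarm'` (or `'info'`) ahead of the existing branch and comparing with `LOWER(sku_name) = 'free'`, in both the status and reason CASEs. The `FROM azure_search_service AS s, azure_subscription AS sub WHERE sub.subscription_id = s.subscription_id` comma join would also be clearer as an explicit `INNER JOIN ... ON`.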
@@ -1,60 +1,61 @@ id: azure_securitycenter_additional_email_configured title: Ensure 'Additional email addresses' is configured with a security contact email +type: control description: Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, - COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, - COUNT(*) FILTER (WHERE name = 'default') AS default_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN non_default_count > 0 THEN 'OK' - WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'OK' - ELSE 'ALARM' - END AS status, - CASE - WHEN non_default_count > 0 THEN 'Additional email addresses configured.' - WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' - ELSE 'Additional email addresses not configured.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email, + COUNT(*) FILTER (WHERE name != 'default') AS non_default_count, + COUNT(*) FILTER (WHERE name = 'default') AS default_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN non_default_count > 0 THEN 'OK' + WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'OK' + ELSE 'ALARM' + END AS status, + CASE + WHEN non_default_count > 0 THEN 'Additional email addresses configured.' + WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.' + ELSE 'Additional email addresses not configured.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.13' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.13" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml b/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml index 0a4f53eb0..387b82aba 100644 
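Review bot: The `LIMIT 1` after `GROUP BY subscription_id` in the `contact_info` CTE keeps the contact summary for exactly one subscription, so every other subscription LEFT JOINs to NULL and is reported `ALARM` regardless of what is actually configured; dropping that `LIMIT 1` line is the fix. The status values `'OK'` / `'ALARM'` are also uppercase here while the sibling controls in this diff emit `'ok'` / `'alarm'`, which will misclassify these rows if the consumer matches status case-sensitively. Finally the status branch tests `jsonb_array_length(default_email) != 0` while the reason branch tests `default_email IS NOT NULL`; use the same predicate in both so status and reason cannot disagree.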
--- a/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml +++ b/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml 
@@ -1,68 +1,69 @@ id: azure_securitycenter_asc_default_setting_not_disabled title: Ensure any of the ASC Default policy setting is not set to "Disabled" +type: control description: None of the settings offered by ASC Default policy should be set to effect "Disabled". integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH policy_assignment_parameters AS ( - SELECT - id, - name, - key, - parameters -> key ->> 'value' AS value, - subscription_id - FROM - azure_policy_assignment, - jsonb_object_keys(parameters) AS key - WHERE - name = 'SecurityCenterBuiltIn' - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' - ELSE 'Settings enabled for all the parameters.' 
- END AS reason, - sub.display_name AS subscription - FROM - policy_assignment_parameters pol_assignment - RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id - GROUP BY - sub.id, - sub.platform_integration_id, - sub.platform_resource_id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - pol_assignment.subscription_id, - sub.display_name + language: sql + primary_resource: azure_subscription + definition: | + WITH policy_assignment_parameters AS ( + SELECT + id, + name, + key, + parameters -> key ->> 'value' AS value, + subscription_id + FROM + azure_policy_assignment, + jsonb_object_keys(parameters) AS key + WHERE + name = 'SecurityCenterBuiltIn' + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COUNT(value = 'Disabled') > 0 THEN 'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled') || ' parameters.' + ELSE 'Settings enabled for all the parameters.' + END AS reason, + sub.display_name AS subscription + FROM + policy_assignment_parameters pol_assignment + RIGHT JOIN azure_subscription sub ON pol_assignment.subscription_id = sub.subscription_id + GROUP BY + sub.id, + sub.platform_integration_id, + sub.platform_resource_id, + pol_assignment.id, + sub._ctx, + sub.subscription_id, + pol_assignment.subscription_id, + sub.display_name severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.12' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.12" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter 
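Review bot: `COUNT(value = 'Disabled') > 0` counts every non-NULL boolean, true or false, so any subscription whose `SecurityCenterBuiltIn` assignment has at least one parameter is always reported `alarm`, and the `'Settings disabled for ' || COUNT(*) FILTER (WHERE value = 'Disabled')` reason will then say "0 parameters". Replace the predicate in both CASE expressions with `COUNT(*) FILTER (WHERE value = 'Disabled') > 0`, which is the form the reason text already uses. Note also that a subscription with no `SecurityCenterBuiltIn` assignment at all gets a count of 0 from the RIGHT JOIN and reports `ok`; decide whether a missing default policy should instead be `alarm` or `info`.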
diff --git a/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml b/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml index 55f1ad906..c19fa9014 100644 --- a/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml +++ b/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml 
@@ -1,46 +1,47 @@ id: azure_securitycenter_automatic_provisioning_monitoring_agent_on title: Auto provisioning of the Log Analytics agent should be enabled on your subscription +type: control description: To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_auto_provisioning - definition: | - SELECT - sc_prov.id AS resource, - sc_prov.platform_integration_id AS platform_integration_id, - sc_prov.platform_resource_id AS platform_resource_id, - CASE - WHEN auto_provision = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' - ELSE 'Automatic provisioning of monitoring agent is off.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_auto_provisioning sc_prov - RIGHT JOIN azure_subscription sub ON sc_prov.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_security_center_auto_provisioning + definition: | + SELECT + sc_prov.id AS resource, + sc_prov.platform_integration_id AS platform_integration_id, + sc_prov.platform_resource_id AS platform_resource_id, + CASE + WHEN auto_provision = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN auto_provision = 'On' THEN 'Automatic provisioning of monitoring agent is on.' + ELSE 'Automatic provisioning of monitoring agent is off.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_auto_provisioning sc_prov + RIGHT JOIN azure_subscription sub ON sc_prov.subscription_id = sub.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.11' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.11" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml index feae30def..005b035fc 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml 
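Review bot: `sc_prov.id AS resource` (and the two platform ids beside it) are NULL for subscriptions that the RIGHT JOIN fills in without an auto-provisioning row, so exactly the subscriptions that alarm here carry no resource identifier. Fall back to the subscription, e.g. `COALESCE(sc_prov.id, sub.id) AS resource`, and the same for `platform_integration_id` / `platform_resource_id`. If `azure_security_center_auto_provisioning` can hold more than one setting row per subscription this will also emit one row per setting — worth confirming against the collector.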
@@ -1,48 +1,49 @@ id: azure_securitycenter_azure_defender_on_for_appservice title: Azure Defender for App Service should be enabled +type: control description: Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' - ELSE 'Azure Defender off for App Services.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'AppServices'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for App Services.' + ELSE 'Azure Defender off for App Services.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'AppServices'; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.2' - cis_level: - - '2' - cis_section_id: - - '2' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.2" + cis_level: + - "2" + cis_section_id: + - "2" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml index 123075351..52790ecab 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml 
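Review bot: `WHERE name = 'AppServices'` is applied after the `RIGHT JOIN azure_subscription`, which turns the outer join back into an inner one: a subscription with no `AppServices` pricing row is dropped from the result instead of being reported `alarm`, so the exact case the control exists for is invisible. Move the predicate into the join condition, `RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'AppServices'`, and qualify `name` as `sub_pricing.name` since an unqualified `name` will be ambiguous if `azure_subscription` also has that column. With the join fixed, `sub_pricing.id AS resource` will be NULL on those alarm rows, so `COALESCE(sub_pricing.id, sub.id)` is worth adding at the same time.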
@@ -1,51 +1,52 @@ id: azure_securitycenter_azure_defender_on_for_containerregistry title: Azure Defender for container registries should be enabled +type: control description: Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' - ELSE 'Azure Defender off for Container Registry.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'ContainerRegistry'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Container Registry.' + ELSE 'Azure Defender off for Container Registry.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'ContainerRegistry'; severity: low tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.7' - cis_level: - - '2' - cis_section_id: - - '2' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.7" + cis_level: + - "2" + cis_section_id: + - "2" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml index bc015eaad..a37106640 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml 
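Review bot: The `WHERE name = 'ContainerRegistry'` filter sits outside the `RIGHT JOIN`, so subscriptions that have no `ContainerRegistry` pricing row are silently excluded rather than flagged, which defeats the purpose of the outer join. The one-line fix is to fold the predicate into the join: `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'ContainerRegistry'`, dropping the `WHERE`. The same pattern appears in the other `azure_securitycenter_azure_defender_on_for_*` controls in this diff, so it is worth fixing them together.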
@@ -1,30 +1,31 @@ id: azure_securitycenter_azure_defender_on_for_containers title: Microsoft Defender for Containers should be enabled +type: control description: Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Containers.' - ELSE 'Azure Defender off for Containers.' - END AS reason - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Containers'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Containers.' + ELSE 'Azure Defender off for Containers.' + END AS reason + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Containers'; severity: low tags: {} diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml index 54b02e0fc..16f0ce038 100644 
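Review bot: `WHERE name = 'Containers'` after the `RIGHT JOIN azure_subscription` discards subscriptions without a `Containers` pricing row instead of reporting them `alarm`; move it into the join as `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'Containers'`. This definition also omits the `sub.display_name AS subscription` output column that every sibling `azure_defender_on_for_*` control emits, so its results will lack the subscription name in reports. Adding `sub.display_name AS subscription` after the reason column would bring it in line.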
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml 
@@ -1,49 +1,50 @@ id: azure_securitycenter_azure_defender_on_for_cosmosdb title: Ensure That Microsoft Defender for Azure Cosmos DB is set to 'On' +type: control description: Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' - ELSE 'Azure Defender off for Cosmos DB.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - sub_pricing.title = 'CosmosDbs'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Cosmos DB.' + ELSE 'Azure Defender off for Cosmos DB.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + sub_pricing.title = 'CosmosDbs'; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.1.9 - cis_level: - - '2' - cis_section_id: - - '2.1' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.1.9 + cis_level: + - "2" + cis_section_id: + - "2.1" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml index 7d8ae8d6c..c6ff8c01c 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml 
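Review bot: This control filters on `sub_pricing.title = 'CosmosDbs'` where the sibling Defender controls in this diff filter on `name`; unless `title` and `name` are guaranteed identical for pricing rows, one of the two families is matching the wrong column, and `sub_pricing.name = 'CosmosDbs'` would be the consistent choice. As in the siblings, the predicate is in a `WHERE` after the `RIGHT JOIN`, so a subscription lacking the Cosmos DB pricing row disappears from the output instead of alarming; put it in the `ON` clause: `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'CosmosDbs'`.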
@@ -1,67 +1,68 @@ id: azure_securitycenter_azure_defender_on_for_database title: Ensure That Microsoft Defender for Databases is set to 'On' +type: control description: Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH defender_list AS ( - SELECT - JSON_OBJECT_AGG(name, pricing_tier) AS data, - subscription_id - FROM - azure_security_center_subscription_pricing - WHERE - title = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) - GROUP BY - subscription_id - ) - SELECT - sub.id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN - data ->> 'CosmosDbs' = 'Standard' - AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' - AND data ->> 'SqlServerVirtualMachines' = 'Standard' - AND data ->> 'SqlServers' = 'Standard' - THEN 'Azure Defender on for Databases.' - ELSE 'Azure Defender off for Databases.' 
- END AS reason, - sub.display_name AS subscription - FROM - azure_subscription AS sub - LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH defender_list AS ( + SELECT + JSON_OBJECT_AGG(name, pricing_tier) AS data, + subscription_id + FROM + azure_security_center_subscription_pricing + WHERE + title = ANY(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers']) + GROUP BY + subscription_id + ) + SELECT + sub.id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN + data ->> 'CosmosDbs' = 'Standard' + AND data ->> 'OpenSourceRelationalDatabases' = 'Standard' + AND data ->> 'SqlServerVirtualMachines' = 'Standard' + AND data ->> 'SqlServers' = 'Standard' + THEN 'Azure Defender on for Databases.' + ELSE 'Azure Defender off for Databases.' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription AS sub + LEFT JOIN defender_list AS l ON l.subscription_id = sub.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.1.3 - cis_level: - - '2' - cis_section_id: - - '2.1' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.1.3 + cis_level: + - "2" + cis_section_id: + - "2.1" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter 
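Review bot: The `defender_list` CTE filters rows on `title = ANY(ARRAY [...])` but builds the JSON object with `JSON_OBJECT_AGG(name, pricing_tier)`, so the later `data ->> 'CosmosDbs'` lookups only work if `name` and `title` carry the same value for every pricing row; if they differ, every subscription alarms. Use one column for both, `WHERE name = ANY(ARRAY [...])`, or key the aggregate on `title`. The four-way `= 'Standard'` condition is also written out twice; computing it once in the CTE (e.g. a boolean `all_standard` column) would keep status and reason from drifting apart.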
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml index 868a25817..270563178 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml 
@@ -1,51 +1,52 @@ id: azure_securitycenter_azure_defender_on_for_dns title: Azure Defender for DNS should be enabled +type: control description: Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' - ELSE 'Azure Defender off for DNS.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN - azure_subscription sub - ON - sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'Dns'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for DNS.' + ELSE 'Azure Defender off for DNS.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN + azure_subscription sub + ON + sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'Dns'; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 2.1.11 - cis_level: - - '2' - cis_section_id: - - '2.1' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - 2.1.11 + cis_level: + - "2" + cis_section_id: + - "2.1" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml index 3d1b83389..7b49526ea 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml 
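Review bot: `WHERE name = 'Dns'` is evaluated after the `RIGHT JOIN`, so a subscription with no `Dns` pricing entry is dropped rather than reported `alarm`, and the outer join is effectively an inner join. Replace the `WHERE` with a join predicate, `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'Dns'`, and qualify `name` to avoid an ambiguous-column error should `azure_subscription` expose one too.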
@@ -1,48 +1,49 @@ id: azure_securitycenter_azure_defender_on_for_k8s title: Azure Defender for Kubernetes should be enabled +type: control description: Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_subscription_pricing - definition: | - SELECT - sub_pricing.id AS resource, - sub_pricing.platform_integration_id AS platform_integration_id, - sub_pricing.platform_resource_id AS platform_resource_id, - CASE - WHEN pricing_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' - ELSE 'Azure Defender off for Kubernetes.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_subscription_pricing sub_pricing - RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id - WHERE - name = 'KubernetesService'; + language: sql + primary_resource: azure_security_center_subscription_pricing + definition: | + SELECT + sub_pricing.id AS resource, + sub_pricing.platform_integration_id AS platform_integration_id, + sub_pricing.platform_resource_id AS platform_resource_id, + CASE + WHEN pricing_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Kubernetes.' + ELSE 'Azure Defender off for Kubernetes.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_subscription_pricing sub_pricing + RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id + WHERE + name = 'KubernetesService'; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.6' - cis_level: - - '2' - cis_section_id: - - '2' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.6" + cis_level: + - "2" + cis_section_id: + - "2" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml index 7e32ccc47..123f9092b 100644 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml 
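Review bot: The `WHERE name = 'KubernetesService'` clause cancels the `RIGHT JOIN azure_subscription`: subscriptions without that pricing row are filtered out instead of surfacing as `alarm`. Fold it into the join, `ON sub_pricing.subscription_id = sub.subscription_id AND sub_pricing.name = 'KubernetesService'`, and note that `sub_pricing.id AS resource` will then be NULL on those rows, so `COALESCE(sub_pricing.id, sub.id) AS resource` keeps every result addressable.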
@@ -1,48 +1,49 @@
 id: azure_securitycenter_azure_defender_on_for_keyvault
 title: Azure Defender for Key Vault should be enabled
+type: control
 description: Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.'
- ELSE 'Azure Defender off for Key Vaults.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'KeyVaults';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Key Vaults.'
+ ELSE 'Azure Defender off for Key Vaults.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'KeyVaults';
 severity: low
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.8'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.8"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
index d3d705e75..08833d055 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
@@ -1,49 +1,50 @@
 id: azure_securitycenter_azure_defender_on_for_opensource_relational_db
 title: Ensure That Microsoft Defender for Open-Source Relational Databases is set to 'On'
+type: control
 description: Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.'
- ELSE 'Azure Defender off for Open Source Relational Databases.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN
- azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- sub_pricing.title = 'OpenSourceRelationalDatabases';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Open Source Relational Databases.'
+ ELSE 'Azure Defender off for Open Source Relational Databases.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN
+ azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ sub_pricing.title = 'OpenSourceRelationalDatabases';
 severity: high
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - 2.1.6
- cis_level:
- - '2'
- cis_section_id:
- - '2.1'
- cis_type:
- - manual
- cis_version:
- - v1.5.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - 2.1.6
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2.1"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.5.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
index 500683438..01400830e 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
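Review bot: This definition filters on `sub_pricing.title = 'OpenSourceRelationalDatabases'` while every sibling Defender pricing control in this commit filters on `name`; unless `title` is guaranteed to equal `name` for this table, the predicate may match nothing and the control would return no rows at all rather than an alarm. Switching to `sub_pricing.name = 'OpenSourceRelationalDatabases'` keeps the controls consistent; if `title` is deliberate, a short comment above the WHERE explaining why would save the next reader the same question.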
@@ -1,49 +1,50 @@
 id: azure_securitycenter_azure_defender_on_for_resource_manager
 title: Azure Defender for Resource Manager should be enabled
+type: control
 description: Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.'
- ELSE 'Azure Defender off for Resource Manager.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN
- azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'Arm';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Resource Manager.'
+ ELSE 'Azure Defender off for Resource Manager.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN
+ azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'Arm';
 severity: high
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - 2.1.13
- cis_level:
- - '2'
- cis_section_id:
- - '2.1'
- cis_type:
- - manual
- cis_version:
- - v1.5.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - 2.1.13
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2.1"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.5.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
index 9d7c4e42c..fff74a9f6 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
@@ -1,48 +1,49 @@
 id: azure_securitycenter_azure_defender_on_for_server
 title: Azure Defender for servers should be enabled
+type: control
 description: Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.'
- ELSE 'Azure Defender off for Servers.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'VirtualMachines';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Servers.'
+ ELSE 'Azure Defender off for Servers.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'VirtualMachines';
 severity: low
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.1'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.1"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
index 717d6ae1b..eb04a78b2 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
@@ -1,49 +1,50 @@
 id: azure_securitycenter_azure_defender_on_for_sqldb
 title: Azure Defender for Azure SQL Database servers should be enabled
+type: control
 description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.'
- ELSE 'Azure Defender off for SQL database servers.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN
- azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'SqlServers';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL database servers.'
+ ELSE 'Azure Defender off for SQL database servers.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN
+ azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'SqlServers';
 severity: low
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.3'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.3"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
index 0c30d7ae0..0ea19287f 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
@@ -1,48 +1,49 @@
 id: azure_securitycenter_azure_defender_on_for_sqlservervm
 title: Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
+type: control
 description: Audit each SQL Managed Instance without advanced data security.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.'
- ELSE 'Azure Defender off for SQL servers on machines.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'SqlServerVirtualMachines';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for SQL servers on machines.'
+ ELSE 'Azure Defender off for SQL servers on machines.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'SqlServerVirtualMachines';
 severity: low
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.4'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.4"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml
index 7dda18900..e413666c6 100644
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml
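Review bot: The control's metadata and its query disagree: the title and description speak of SQL Managed Instances without advanced data security, while the definition checks the `SqlServerVirtualMachines` pricing plan and the reason text reports 'SQL servers on machines'. A reader of the report cannot tell which assertion is being made, so either the metadata should be reworded to match the plan actually checked, e.g. `title: Azure Defender for SQL servers on machines should be enabled`, or the plan name should change to match the stated intent.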
@@ -1,48 +1,49 @@
 id: azure_securitycenter_azure_defender_on_for_storage
 title: Microsoft Defender for Storage (Classic) should be enabled
+type: control
 description: Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.'
- ELSE 'Azure Defender off for Storage.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
- WHERE
- name = 'StorageAccounts';
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'Azure Defender on for Storage.'
+ ELSE 'Azure Defender off for Storage.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id
+ WHERE
+ name = 'StorageAccounts';
 severity: high
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.5'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.5"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml b/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml
index e99f988bd..09411e534 100644
--- a/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml
+++ b/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml
@@ -1,28 +1,29 @@
 id: azure_securitycenter_container_image_scan_enabled
 title: Security Center container image scan should be enabled
+type: control
 description: This control ensures that image scan for container registries are enabled.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_sub_assessment
- definition: |
- SELECT
- sub_assessment.id AS resource,
- sub_assessment.platform_integration_id AS platform_integration_id,
- sub_assessment.platform_resource_id AS platform_resource_id,
- CASE
- WHEN container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' THEN sub_assessment.name || ' container image scan enabled.'
- ELSE sub_assessment.name || ' container image scan disabled.'
- END AS reason
- FROM
- azure_security_center_sub_assessment sub_assessment
- RIGHT JOIN azure_subscription sub
- ON sub_assessment.subscription_id = sub.subscription_id;
+ language: sql
+ primary_resource: azure_security_center_sub_assessment
+ definition: |
+ SELECT
+ sub_assessment.id AS resource,
+ sub_assessment.platform_integration_id AS platform_integration_id,
+ sub_assessment.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' THEN sub_assessment.name || ' container image scan enabled.'
+ ELSE sub_assessment.name || ' container image scan disabled.'
+ END AS reason
+ FROM
+ azure_security_center_sub_assessment sub_assessment
+ RIGHT JOIN azure_subscription sub
+ ON sub_assessment.subscription_id = sub.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_securitycenter_email_configured.yaml b/compliance/controls/azure/azure_securitycenter_email_configured.yaml
index 646d28553..68976f71d 100644
--- a/compliance/controls/azure/azure_securitycenter_email_configured.yaml
+++ b/compliance/controls/azure/azure_securitycenter_email_configured.yaml
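Review bot: The RIGHT JOIN to azure_subscription yields a row for every subscription that has no sub-assessment, and on those rows `sub_assessment.id` and `sub_assessment.name || ' container image scan disabled.'` both evaluate to NULL, so the control emits 'alarm' rows with an empty resource and an empty reason. Either drop the RIGHT JOIN if only existing sub-assessments are meant to be evaluated, or make the outputs survive the NULL side, e.g. `COALESCE(sub_assessment.id, sub.subscription_id) AS resource` and `COALESCE(sub_assessment.name, sub.display_name) || ' container image scan disabled.'`. The sibling controls in this commit also return `sub.display_name AS subscription`, which this definition omits.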
@@ -1,46 +1,47 @@
 id: azure_securitycenter_email_configured
 title: Subscriptions should have a contact email address for security issues
+type: control
 description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_subscription
- definition: |
- WITH contact_info AS (
- SELECT
- jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email,
- COUNT(*) FILTER (WHERE name != 'default') AS non_default_count,
- COUNT(*) FILTER (WHERE name = 'default') AS default_count,
- subscription_id
- FROM
- azure_security_center_contact
- GROUP BY
- subscription_id
- LIMIT 1
- )
- SELECT
- sub.subscription_id AS resource,
- sub.platform_integration_id AS platform_integration_id,
- sub.platform_resource_id AS platform_resource_id,
- CASE
- WHEN non_default_count > 0 THEN 'ok'
- WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN non_default_count > 0 THEN 'Additional email addresses configured.'
- WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.'
- ELSE 'Additional email addresses not configured.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_subscription sub
- LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id
+ language: sql
+ primary_resource: azure_subscription
+ definition: |
+ WITH contact_info AS (
+ SELECT
+ jsonb_agg(email) FILTER (WHERE name = 'default' AND email != '') AS default_email,
+ COUNT(*) FILTER (WHERE name != 'default') AS non_default_count,
+ COUNT(*) FILTER (WHERE name = 'default') AS default_count,
+ subscription_id
+ FROM
+ azure_security_center_contact
+ GROUP BY
+ subscription_id
+ LIMIT 1
+ )
+ SELECT
+ sub.subscription_id AS resource,
+ sub.platform_integration_id AS platform_integration_id,
+ sub.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN non_default_count > 0 THEN 'ok'
+ WHEN default_count = 1 AND jsonb_array_length(default_email) != 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN non_default_count > 0 THEN 'Additional email addresses configured.'
+ WHEN default_count = 1 AND default_email IS NOT NULL THEN 'Additional email addresses configured.'
+ ELSE 'Additional email addresses not configured.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_subscription sub
+ LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id
 severity: medium
 tags:
- nist_sp_800_53_rev_5:
- - 'true'
- service:
- - Azure/SecurityCenter
+ nist_sp_800_53_rev_5:
+ - "true"
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml b/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml
index 812e44725..88a0e460c 100644
--- a/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml
+++ b/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml
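Review bot: The `LIMIT 1` inside the grouped contact_info CTE keeps the aggregate row of one arbitrarily chosen subscription, so every other subscription joins to nothing, gets NULL counts and is reported as 'alarm' regardless of the contacts it actually has. After `GROUP BY subscription_id` the CTE is already one row per subscription, so the `LIMIT 1` line should simply be removed. The same CTE shape, with the same `LIMIT 1`, appears in the notify_alerts_configured and security_alerts_to_owner_enabled hunks of this commit. This definition is also the only one in the set without a terminating `;`.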
@@ -1,51 +1,52 @@
 id: azure_securitycenter_mcas_integration
 title: Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected
+type: control
 description: This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_setting
- definition: |
- SELECT
- sc_sett.id AS resource,
- sc_sett.platform_integration_id AS platform_integration_id,
- sc_sett.platform_resource_id AS platform_resource_id,
- CASE
- WHEN enabled THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.'
- ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_security_center_setting sc_sett
- RIGHT JOIN
- azure_subscription sub
- ON
- sc_sett.subscription_id = sub.subscription_id
- WHERE
- name = 'MCAS';
+ language: sql
+ primary_resource: azure_security_center_setting
+ definition: |
+ SELECT
+ sc_sett.id AS resource,
+ sc_sett.platform_integration_id AS platform_integration_id,
+ sc_sett.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN enabled THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN enabled THEN 'Windows Defender ATP (WDATP) integrated with Security Center.'
+ ELSE 'Windows Defender ATP (WDATP) not integrated with Security Center.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_security_center_setting sc_sett
+ RIGHT JOIN
+ azure_subscription sub
+ ON
+ sc_sett.subscription_id = sub.subscription_id
+ WHERE
+ name = 'MCAS';
 severity: high
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.10'
- cis_level:
- - '2'
- cis_section_id:
- - '2'
- cis_type:
- - manual
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.10"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - manual
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml b/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml
index deef33c02..d646dd9fc 100644
--- a/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml
+++ b/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml
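Review bot: The reason strings still describe the WDATP integration while this control filters on `name = 'MCAS'`, so an operator reading the report sees 'Windows Defender ATP (WDATP) integrated with Security Center.' for the Defender for Cloud Apps setting. They should match the title, i.e. `WHEN enabled THEN 'Microsoft Defender for Cloud Apps (MCAS) integrated with Security Center.'` and `ELSE 'Microsoft Defender for Cloud Apps (MCAS) not integrated with Security Center.'`. Qualifying the filter as `sc_sett.name = 'MCAS'` would also make it explicit which table the predicate belongs to.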
@@ -1,56 +1,57 @@
 id: azure_securitycenter_notify_alerts_configured
 title: Email notification for high severity alerts should be enabled
+type: control
 description: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_subscription
- definition: |
- WITH contact_info AS (
- SELECT
- COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count,
- subscription_id
- FROM
- azure_security_center_contact
- GROUP BY
- subscription_id
- LIMIT 1
- )
- SELECT
- sub.subscription_id AS resource,
- sub.platform_integration_id AS platform_integration_id,
- sub.platform_resource_id AS platform_resource_id,
- CASE
- WHEN notification_alert_count > 0 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.'
- ELSE '"Notify about alerts with the following severity" not set to High.'
- END AS reason,
- sub.display_name AS subscription
- FROM
- azure_subscription sub
- LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id;
+ language: sql
+ primary_resource: azure_subscription
+ definition: |
+ WITH contact_info AS (
+ SELECT
+ COUNT(*) FILTER (WHERE alert_notifications = 'On') AS notification_alert_count,
+ subscription_id
+ FROM
+ azure_security_center_contact
+ GROUP BY
+ subscription_id
+ LIMIT 1
+ )
+ SELECT
+ sub.subscription_id AS resource,
+ sub.platform_integration_id AS platform_integration_id,
+ sub.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN notification_alert_count > 0 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN notification_alert_count > 0 THEN '"Notify about alerts with the following severity" set to High.'
+ ELSE '"Notify about alerts with the following severity" not set to High.'
+ END AS reason,
+ sub.display_name AS subscription
+ FROM
+ azure_subscription sub
+ LEFT JOIN contact_info ci ON sub.subscription_id = ci.subscription_id;
 severity: low
 tags:
- category:
- - Compliance
- cis:
- - 'true'
- cis_item_id:
- - '2.14'
- cis_level:
- - '1'
- cis_section_id:
- - '2'
- cis_type:
- - automated
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "2.14"
+ cis_level:
+ - "1"
+ cis_section_id:
+ - "2"
+ cis_type:
+ - automated
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
diff --git a/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml b/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml
index e4f686c2a..2b942d0d6 100644
--- a/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml
+++ b/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml
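Review bot: The title and both reason strings assert that the notification severity is set to High, but the query only counts contacts with `alert_notifications = 'On'`; nothing in the definition inspects a minimal-severity value, so a contact configured for a different threshold (if the collected data carries one) would still pass as "set to High". If the contact table exposes the severity, the FILTER should include it; if it does not, the reason text should claim only what is checked, e.g. `'Alert notifications enabled for a security contact.'` / `'Alert notifications not enabled for any security contact.'`.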
@@ -1,25 +1,26 @@
 id: azure_securitycenter_pricing_standard
 title: Security center pricing should be set to standard
+type: control
 description: This control checks whether Security center pricing is set to standard. This control is non-compliant if pricing is set to free.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_security_center_subscription_pricing
- definition: |
- SELECT
- sub_pricing.id AS resource,
- sub_pricing.platform_integration_id AS platform_integration_id,
- sub_pricing.platform_resource_id AS platform_resource_id,
- CASE
- WHEN pricing_tier = 'Standard' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- sub_pricing.name || ' is using ' || pricing_tier || ' pricing tier.' AS reason
- FROM
- azure_security_center_subscription_pricing sub_pricing
- RIGHT JOIN
- azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id;
+ language: sql
+ primary_resource: azure_security_center_subscription_pricing
+ definition: |
+ SELECT
+ sub_pricing.id AS resource,
+ sub_pricing.platform_integration_id AS platform_integration_id,
+ sub_pricing.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN pricing_tier = 'Standard' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ sub_pricing.name || ' is using ' || pricing_tier || ' pricing tier.' AS reason
+ FROM
+ azure_security_center_subscription_pricing sub_pricing
+ RIGHT JOIN
+ azure_subscription sub ON sub_pricing.subscription_id = sub.subscription_id;
 severity: low
 tags: {}
diff --git a/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml b/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml
index 79af5e93c..342c33ca9 100644
--- a/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml
+++ b/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml
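Review bot: With no WHERE clause the RIGHT JOIN here genuinely emits a row for every subscription that has no pricing record, and on those rows `sub_pricing.id` is NULL and the concatenation `sub_pricing.name || ' is using ' || pricing_tier || ' pricing tier.'` collapses to NULL, so the control reports 'alarm' rows with an empty resource and an empty reason. `COALESCE(sub_pricing.id, sub.subscription_id) AS resource` plus a CASE that emits `sub.display_name || ' has no Security Center pricing data.'` when `sub_pricing.id IS NULL` would make those rows actionable. The `sub.display_name AS subscription` column returned by the sibling controls is missing here as well.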
@@ -1,57 +1,58 @@ id: azure_securitycenter_security_alerts_to_owner_enabled title: Email notification to subscription owner for high severity alerts should be enabled +type: control description: To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH contact_info AS ( - SELECT - COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, - subscription_id - FROM - azure_security_center_contact - GROUP BY - subscription_id - LIMIT 1 - ) - SELECT - sub.subscription_id AS resource, - sub.platform_integration_id AS platform_integration_id, - sub.platform_resource_id AS platform_resource_id, - CASE - WHEN admin_alert_count > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' - ELSE '"All users with the following roles" not set to Owner.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription sub - LEFT JOIN contact_info ci - ON sub.subscription_id = ci.subscription_id; + language: sql + primary_resource: azure_subscription + definition: | + WITH contact_info AS ( + SELECT + COUNT(*) FILTER (WHERE alerts_to_admins = 'On') AS admin_alert_count, + subscription_id + FROM + azure_security_center_contact + GROUP BY + subscription_id + LIMIT 1 + ) + SELECT + sub.subscription_id AS resource, + sub.platform_integration_id AS platform_integration_id, + sub.platform_resource_id AS platform_resource_id, + CASE + WHEN admin_alert_count > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN admin_alert_count > 0 THEN '"All users with the following roles" set to Owner' + ELSE '"All users with the following roles" not set to Owner.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription sub + LEFT JOIN contact_info ci + ON sub.subscription_id = ci.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.15' - cis_level: - - '1' - cis_section_id: - - '2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.15" + cis_level: + - "1" + cis_section_id: + - "2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml b/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml index 87f238536..135e9a3ec 100644 --- a/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml +++ b/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml 
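Review bot: The `LIMIT 1` inside the `contact_info` CTE truncates the grouped result to a single, arbitrary subscription, so every other subscription gets a NULL `admin_alert_count` from the `LEFT JOIN` and is reported as 'alarm' regardless of its real configuration (and, with no `ORDER BY`, which subscription survives is unstable between runs). `GROUP BY subscription_id` already yields one row per subscription, so the fix is to delete the `LIMIT 1` line. The same `LIMIT 1` pattern appears in the severity-notification control whose hunk ends at the top of this chunk, and that one should be checked too.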
@@ -1,49 +1,50 @@ id: azure_securitycenter_wdatp_integration title: Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected +type: control description: This setting enables Windows Defender ATP (WDATP) integration with Security Center. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_security_center_setting - definition: | - SELECT - sc_sett.id AS resource, - sc_sett.platform_integration_id AS platform_integration_id, - sc_sett.platform_resource_id AS platform_resource_id, - CASE - WHEN enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - END AS reason, - sub.display_name AS subscription - FROM - azure_security_center_setting sc_sett - RIGHT JOIN azure_subscription sub - ON sc_sett.subscription_id = sub.subscription_id - WHERE - sc_sett.title = 'WDATP'; + language: sql + primary_resource: azure_security_center_setting + definition: | + SELECT + sc_sett.id AS resource, + sc_sett.platform_integration_id AS platform_integration_id, + sc_sett.platform_resource_id AS platform_resource_id, + CASE + WHEN enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enabled THEN 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' + ELSE 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_security_center_setting sc_sett + RIGHT JOIN azure_subscription sub + ON sc_sett.subscription_id = sub.subscription_id + WHERE + sc_sett.title = 'WDATP'; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '2.9' - cis_level: - - '2' - cis_section_id: - - '2' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter + category: + - Compliance + cis: + - "true" + cis_item_id: + - "2.9" + cis_level: + - "2" + cis_section_id: + - "2" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter diff --git a/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml b/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml index 3b835b83e..257c61a8d 100644 --- a/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml +++ b/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml 
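Review bot: The `reason` strings describe Microsoft Cloud App Security (MCAS) while the control id, title and `WHERE sc_sett.title = 'WDATP'` filter are about Windows Defender ATP, so the finding text contradicts the check; they should read `'Windows Defender ATP (WDATP) integrated with Security Center.'` and `'Windows Defender ATP (WDATP) not integrated with Security Center.'`. Separately, the `RIGHT JOIN azure_subscription` is nullified by `WHERE sc_sett.title = 'WDATP'`: a subscription with no WDATP setting row has a NULL `sc_sett.title`, fails the filter and disappears instead of being reported. Moving the predicate into the join (`ON sc_sett.subscription_id = sub.subscription_id AND sc_sett.title = 'WDATP'`) keeps such subscriptions, though they would then need explicit NULL handling in the CASE expressions since `enabled` would be NULL.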
@@ -1,37 +1,38 @@ id: azure_servicebus_name_space_private_link_used title: Azure Service Bus namespaces should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name IN ('Basic', 'Standard') THEN 'skip' - WHEN private_endpoint_connections IS NULL THEN 'info' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_name IN ('Basic', 'Standard') THEN a.name || ' is of ' || sku_name || ' tier.' - WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' - ELSE a.name || ' not using private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_servicebus_namespace a, - azure_subscription sub; + language: sql + primary_resource: azure_servicebus_namespace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name IN ('Basic', 'Standard') THEN 'skip' + WHEN private_endpoint_connections IS NULL THEN 'info' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_name IN ('Basic', 'Standard') THEN a.name || ' is of ' || sku_name || ' tier.' + WHEN private_endpoint_connections IS NULL THEN a.name || ' no private link exists.' + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb THEN a.name || ' using private link.' + ELSE a.name || ' not using private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_servicebus_namespace a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ServiceBus + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ServiceBus diff --git a/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml b/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml index 5e2117227..ca64c6b98 100644 --- a/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml 
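Review bot: The `FROM azure_servicebus_namespace a, azure_subscription sub` comma join has no join condition, so each namespace is paired with every subscription the integration can see; with more than one subscription the control emits duplicate findings per namespace, each carrying a different `sub.display_name`. The sibling controls in this diff that do join correctly use `WHERE sub.subscription_id = a.subscription_id;` (for example azure_signalr_service_no_free_tier_sku), and adding that predicate here is the whole fix. The same unconstrained cross join appears in azure_servicebus_namespace_azure_ad_authentication_enabled, azure_servicebus_namespace_no_overly_permissive_network_access, azure_servicebus_premium_namespace_cmk_encrypted, azure_servicefabric_cluster_active_directory_authentication_enabled and azure_servicefabric_cluster_protection_level_as_encrypt_and_sign in this chunk; in the two controls that do not select `sub.display_name` the subscription table is not referenced at all and could simply be dropped from the `FROM` list.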
@@ -1,29 +1,30 @@ id: azure_servicebus_namespace_azure_ad_authentication_enabled title: Service bus namespace should be configured with Azure Active Directory (Azure AD) authentication +type: control description: This policy identifies Service bus namespaces that are not configured with Azure Active Directory (Azure AD) authentication and are enabled with local authentication. Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there's no need to store the tokens in your code and risk potential security vulnerabilities. It is recommended to configure the Service bus namespaces with Azure AD authentication so that all actions are strongly authenticated. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN status = 'Active' - AND NOT disable_local_auth THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'Active' - AND NOT disable_local_auth THEN a.name || ' namespace not configured with Azure AD authentication.' - ELSE a.name || ' namespace configured with Azure AD authentication.' - END AS reason - FROM - azure_servicebus_namespace a, - azure_subscription sub; + language: sql + primary_resource: azure_servicebus_namespace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN status = 'Active' + AND NOT disable_local_auth THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'Active' + AND NOT disable_local_auth THEN a.name || ' namespace not configured with Azure AD authentication.' + ELSE a.name || ' namespace configured with Azure AD authentication.' 
+ END AS reason + FROM + azure_servicebus_namespace a, + azure_subscription sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml b/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml index 754ca3020..b7dea8f9d 100644 --- a/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml 
@@ -1,65 +1,66 @@ id: azure_servicebus_namespace_logging_enabled title: Resource logs in Service Bus should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - WITH logging_details AS ( - SELECT - DISTINCT name AS namespace_name - FROM - azure_servicebus_namespace, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_servicebus_namespace + definition: | + WITH logging_details AS ( + SELECT + DISTINCT name AS namespace_name + FROM + azure_servicebus_namespace, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled') :: BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled') :: BOOLEAN + AND (log -> 'retentionPolicy') :: JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled') :: BOOLEAN AND ( - ( - (log ->> 'enabled') :: BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled') :: BOOLEAN - AND (log -> 'retentionPolicy') :: JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled') :: BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - v.id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.namespace_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.namespace_name IS NULL THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_servicebus_namespace AS v - LEFT JOIN logging_details AS l ON v.name = l.namespace_name, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id; + ) + SELECT + v.id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.namespace_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.namespace_name IS NULL THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_servicebus_namespace AS v + LEFT JOIN logging_details AS l ON v.name = l.namespace_name, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ServiceBus + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ServiceBus 
diff --git a/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml b/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml index 354a5dac7..0c96a1194 100644 --- a/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml 
@@ -1,35 +1,36 @@ id: azure_servicebus_namespace_no_overly_permissive_network_access title: Service bus namespace should not be configured with overly permissive network access +type: control description: This policy identifies Azure Service bus namespaces configured with overly permissive network access. By default, Service Bus namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges. With Virtual Networks, the network traffic path is secured on both ends. It is recommended to configure the Service bus namespace with an IP firewall or by Virtual Network; so that the Service bus namespace is accessible only to restricted entities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN status = 'Active' - AND sku_tier = 'Premium' - AND network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow' - AND network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'Active' - AND sku_tier = 'Premium' - AND network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow' - AND network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' - THEN a.name || ' namespace configured with overly permissive network access.' - ELSE a.name || ' namespace not configured with overly permissive network access.' 
- END AS reason - FROM - azure_servicebus_namespace a, - azure_subscription sub; + language: sql + primary_resource: azure_servicebus_namespace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN status = 'Active' + AND sku_tier = 'Premium' + AND network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow' + AND network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'Active' + AND sku_tier = 'Premium' + AND network_rule_set -> 'properties' ->> 'defaultAction' = 'Allow' + AND network_rule_set -> 'properties' ->> 'publicNetworkAccess' = 'Enabled' + THEN a.name || ' namespace configured with overly permissive network access.' + ELSE a.name || ' namespace not configured with overly permissive network access.' + END AS reason + FROM + azure_servicebus_namespace a, + azure_subscription sub; severity: low tags: {} diff --git a/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml b/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml index 50d40fb7b..c72e096cd 100644 --- a/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml +++ b/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml 
@@ -1,35 +1,36 @@ id: azure_servicebus_premium_namespace_cmk_encrypted title: Service Bus Premium namespaces should use a customer-managed key for encryption +type: control description: Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_tier <> 'Premium' THEN 'skip' - WHEN encryption -> 'keySource' = '"Microsoft.KeyVault"' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_tier <> 'Premium' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN encryption -> 'keySource' = '"Microsoft.KeyVault"' THEN a.name || ' encrypted using CMK.' - ELSE a.name || ' not encrypted using CMK.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_servicebus_namespace a, - azure_subscription sub; + language: sql + primary_resource: azure_servicebus_namespace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_tier <> 'Premium' THEN 'skip' + WHEN encryption -> 'keySource' = '"Microsoft.KeyVault"' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_tier <> 'Premium' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN encryption -> 'keySource' = '"Microsoft.KeyVault"' THEN a.name || ' encrypted using CMK.' 
+ ELSE a.name || ' not encrypted using CMK.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_servicebus_namespace a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ServiceBus + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ServiceBus diff --git a/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml index bc1347e42..2cfa155a5 100644 --- a/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml 
@@ -1,51 +1,52 @@ id: azure_servicebus_use_virtual_service_endpoint title: Service Bus should use virtual service endpoint +type: control description: Ensure that Service Bus uses virtual service endpoint. This control is non-compliant if service bus does not use a virtual service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_servicebus_namespace - definition: | - WITH service_bus AS ( - SELECT - name, - region, - network_rule_set -> 'properties' -> 'virtualNetworkRules' AS virtual_network_rules - FROM - azure_servicebus_namespace - WHERE - sku_tier = 'Premium' - AND ( - jsonb_array_length(network_rule_set -> 'properties' -> 'virtualNetworkRules') = 0 - OR EXISTS ( - SELECT - * - FROM - jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') AS t - WHERE - t -> 'subnet' ->> 'id' IS NULL - ) - ) + language: sql + primary_resource: azure_servicebus_namespace + definition: | + WITH service_bus AS ( + SELECT + name, + region, + network_rule_set -> 'properties' -> 'virtualNetworkRules' AS virtual_network_rules + FROM + azure_servicebus_namespace + WHERE + sku_tier = 'Premium' + AND ( + jsonb_array_length(network_rule_set -> 'properties' -> 'virtualNetworkRules') = 0 + OR EXISTS ( + SELECT + * + FROM + jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') AS t + WHERE + t -> 'subnet' ->> 'id' IS NULL + ) ) - SELECT - bus.id AS resource, - bus.platform_integration_id AS platform_integration_id, - bus.platform_resource_id AS platform_resource_id, - CASE - WHEN bus.name != service_bus.name THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bus.name != service_bus.name THEN bus.name || ' configured with virtual service endpoint.' - ELSE bus.name || ' not configured with virtual service endpoint.' 
- END AS reason - FROM - azure_servicebus_namespace AS bus, - azure_subscription AS sub - LEFT JOIN service_bus ON TRUE - WHERE - sub.subscription_id = bus.subscription_id; + ) + SELECT + bus.id AS resource, + bus.platform_integration_id AS platform_integration_id, + bus.platform_resource_id AS platform_resource_id, + CASE + WHEN bus.name != service_bus.name THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bus.name != service_bus.name THEN bus.name || ' configured with virtual service endpoint.' + ELSE bus.name || ' not configured with virtual service endpoint.' + END AS reason + FROM + azure_servicebus_namespace AS bus, + azure_subscription AS sub + LEFT JOIN service_bus ON TRUE + WHERE + sub.subscription_id = bus.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml b/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml index 5246ae902..fe0befc99 100644 --- a/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml 
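Review bot: `LEFT JOIN service_bus ON TRUE` combined with `WHEN bus.name != service_bus.name` does not evaluate each namespace against its own rules: when the `service_bus` CTE is empty, `service_bus.name` is NULL, the comparison is UNKNOWN and every namespace falls through to 'alarm' even though none is misconfigured, and when the CTE has several rows each namespace is emitted once per row with mixed 'ok'/'alarm' statuses. Joining on the key and testing for absence fixes both cases: `LEFT JOIN service_bus ON service_bus.name = bus.name` together with `WHEN service_bus.name IS NULL THEN 'ok'` in both CASE expressions. Note that the CTE only selects `sku_tier = 'Premium'`, so under the corrected join non-Premium namespaces would always report 'ok'; if that is not intended, a leading `WHEN bus.sku_tier <> 'Premium' THEN 'skip'` branch, as used by azure_servicebus_premium_namespace_cmk_encrypted, would make it explicit. The `azure_subscription AS sub` comma join is constrained by the `WHERE` clause here, so it does not share the cross-join problem of the other Service Bus controls.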
@@ -1,33 +1,34 @@ id: azure_servicefabric_cluster_active_directory_authentication_enabled title: Service Fabric clusters should only use Azure Active Directory for client authentication +type: control description: Audit usage of client authentication only via Azure Active Directory in Service Fabric. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_service_fabric_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN azure_active_directory IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN azure_active_directory IS NOT NULL THEN a.name || ' using Azure Active Directory for client authentication.' - ELSE a.name || ' not using Azure Active Directory for client authentication.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_service_fabric_cluster a, - azure_subscription sub; + language: sql + primary_resource: azure_service_fabric_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN azure_active_directory IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN azure_active_directory IS NOT NULL THEN a.name || ' using Azure Active Directory for client authentication.' + ELSE a.name || ' not using Azure Active Directory for client authentication.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_service_fabric_cluster a, + azure_subscription sub; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/ServiceFabric + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/ServiceFabric 
diff --git a/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml b/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml index 9b80843db..574e557ce 100644 --- a/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml +++ b/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml 
@@ -1,35 +1,36 @@ id: azure_servicefabric_cluster_protection_level_as_encrypt_and_sign title: Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign +type: control description: Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_service_fabric_cluster - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb THEN a.name || ' ClusterProtectionLevel property set to EncryptAndSign.' - ELSE a.name || ' ClusterProtectionLevel property not set to EncryptAndSign.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_service_fabric_cluster a, - azure_subscription sub; + language: sql + primary_resource: azure_service_fabric_cluster + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb THEN a.name || ' ClusterProtectionLevel property set to EncryptAndSign.' + ELSE a.name || ' ClusterProtectionLevel property not set to EncryptAndSign.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_service_fabric_cluster a, + azure_subscription sub; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/ServiceFabric + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/ServiceFabric diff --git a/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml b/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml index 6b97a5735..2afbd7f20 100644 --- a/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml +++ b/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml @@ -1,26 +1,27 @@ id: azure_signalr_service_no_free_tier_sku title: SignalR Service should not use free tier SKU +type: control description: This control checks whether SignalR service uses paid SKU for its SLA. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_signalr_service - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku ->> 'tier' = 'Free' THEN 'alarm' - ELSE 'ok' - END AS status, - a.name || ' is of ' || (sku ->> 'tier') || ' tier.' AS reason - FROM - azure_signalr_service AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_signalr_service + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku ->> 'tier' = 'Free' THEN 'alarm' + ELSE 'ok' + END AS status, + a.name || ' is of ' || (sku ->> 'tier') || ' tier.' AS reason + FROM + azure_signalr_service AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: {} 
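Review bot: The containment test `fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb` only requires that some parameter in some settings section has the value `EncryptAndSign`; it does not pin the parameter name, so a cluster whose `ClusterProtectionLevel` is `None` would still pass if any other parameter happened to carry that value. Including the name in the pattern, `'[{"parameters":[{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}]'::jsonb`, in both the status and reason CASE expressions makes the check match what the title promises. The exact `name` key spelling inside `fabric_settings` is not visible in this diff and should be confirmed against the collected data before changing the literal.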
diff --git a/compliance/controls/azure/azure_signalr_service_private_link_used.yaml b/compliance/controls/azure/azure_signalr_service_private_link_used.yaml index 65df88ba4..a5f79b9e1 100644 --- a/compliance/controls/azure/azure_signalr_service_private_link_used.yaml +++ b/compliance/controls/azure/azure_signalr_service_private_link_used.yaml 
@@ -1,47 +1,48 @@ id: azure_signalr_service_private_link_used title: Azure SignalR Service should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_signalr_service - definition: | - WITH signalr_service_connection AS ( - SELECT DISTINCT - a.id - FROM - azure_signalr_service AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku ->> 'tier' = 'Free' THEN 'skip' - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sku ->> 'tier' = 'Free' THEN a.name || ' is of ' || (sku ->> 'tier') || ' tier.' - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_signalr_service AS a - LEFT JOIN signalr_service_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_signalr_service + definition: | + WITH signalr_service_connection AS ( + SELECT DISTINCT + a.id + FROM + azure_signalr_service AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku ->> 'tier' = 'Free' THEN 'skip' + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sku ->> 'tier' = 'Free' THEN a.name || ' is of ' || (sku ->> 'tier') || ' tier.' + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_signalr_service AS a + LEFT JOIN signalr_service_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SignalRService + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SignalRService diff --git a/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml b/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml index 97a849952..d0b763c09 100644 --- a/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml +++ b/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml 
@@ -1,37 +1,38 @@ id: azure_spring_cloud_service_network_injection_enabled title: Azure Spring Cloud should use network injection -description: 'Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.' +type: control +description: "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_spring_cloud_service - definition: | - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_tier <> 'Standard' THEN 'Skip' - WHEN sku_tier = 'Standard' AND network_profile ->> 'ServiceRuntimeSubnetID' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_tier <> 'Standard' THEN a.name || ' is of ' || sku_tier || ' tier.' - WHEN sku_tier = 'Standard' AND network_profile ->> 'ServiceRuntimeSubnetID' IS NOT NULL THEN a.name || ' network injection enabled.' - ELSE a.name || ' network injection disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_spring_cloud_service AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_spring_cloud_service + definition: | + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_tier <> 'Standard' THEN 'Skip' + WHEN sku_tier = 'Standard' AND network_profile ->> 'ServiceRuntimeSubnetID' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_tier <> 'Standard' THEN a.name || ' is of ' || sku_tier || ' tier.' + WHEN sku_tier = 'Standard' AND network_profile ->> 'ServiceRuntimeSubnetID' IS NOT NULL THEN a.name || ' network injection enabled.' + ELSE a.name || ' network injection disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_spring_cloud_service AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SpringCloud + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SpringCloud diff --git a/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml b/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml index abf5102bc..546fc0404 100644 --- a/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml +++ b/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml 
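Review bot: The first status branch emits `'Skip'` with a capital S, while every other control in this set emits lowercase `'skip'` (and this query's own `'ok'`/`'alarm'` are lowercase); if the framework compares status strings literally these rows are neither skipped nor counted, so change it to `WHEN sku_tier <> 'Standard' THEN 'skip'`. A NULL `sku_tier` makes both `WHEN` tests UNKNOWN and lands in `'alarm'` with the reason "network injection disabled" — fail-closed, but misleading; an explicit `WHEN sku_tier IS NULL THEN 'alarm'` with its own reason would make that case visible. Whether tiers other than Standard (Enterprise, for example) also support VNet injection is not something this diff shows; worth confirming before skipping them wholesale.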
@@ -1,53 +1,54 @@ id: azure_sql_database_allow_internet_access title: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) +type: control description: Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' - ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' + OR firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' + THEN s.title || ' allows ingress 0.0.0.0/0 or any IP over internet.' + ELSE s.title || ' does not allow ingress 0.0.0.0/0 or any IP over internet.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '6.3' - cis_level: - - '1' - cis_section_id: - - '6' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Network + category: + - Compliance + cis: + - "true" + cis_item_id: + - "6.3" + cis_level: + - "1" + cis_section_id: + - "6" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Network diff --git a/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml index 382fbf7b4..b12bfe007 100644 --- a/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml 
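Review bot: The two `@>` containment tests only match the literal rules `0.0.0.0`–`0.0.0.0` and `0.0.0.0`–`255.255.255.255`, so a rule such as `0.0.0.1`–`255.255.255.254` or `1.0.0.0`–`255.255.255.255` is just as open to the internet yet reports `ok`. The check should expand `firewall_rules` and examine the range endpoints rather than exact values; the sketch below flags any rule that starts at `0.0.0.0` (which also covers the Azure-services rule the current query targets) or ends at `255.255.255.255`, and can be tightened with an `inet` range-size test if the collector guarantees well-formed addresses. Text comparison is used deliberately so one malformed address cannot abort the whole control with a cast error.
```sql
WITH open_rules AS (
  SELECT DISTINCT sv.id
  FROM azure_sql_server AS sv,
       jsonb_array_elements(sv.firewall_rules) AS r
  WHERE r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'
     OR r -> 'properties' ->> 'endIpAddress' = '255.255.255.255'
)
SELECT
  s.id AS resource,
  -- … unchanged: platform_integration_id / platform_resource_id …
  CASE WHEN o.id IS NOT NULL THEN 'alarm' ELSE 'ok' END AS status,
  -- … unchanged: reason CASE, keyed on o.id IS NOT NULL …
FROM azure_sql_server AS s
LEFT JOIN open_rules AS o ON o.id = s.id,
     azure_subscription AS sub
WHERE sub.subscription_id = s.subscription_id;
```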
+++ b/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml 
@@ -1,44 +1,45 @@ id: azure_sql_database_long_term_geo_redundant_backup_enabled title: Long-term geo-redundant backup should be enabled for Azure SQL Databases +type: control description: This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - SELECT - s.database_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN retention_policy_property ->> 'monthlyRetention' <> 'PT0S' - OR retention_policy_property ->> 'weeklyRetention' <> 'PT0S' - OR retention_policy_property ->> 'yearlyRetention' <> 'PT0S' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN retention_policy_property ->> 'monthlyRetention' <> 'PT0S' - OR retention_policy_property ->> 'weeklyRetention' <> 'PT0S' - OR retention_policy_property ->> 'yearlyRetention' <> 'PT0S' - THEN s.title || ' long-term geo-redundant backup enabled.' - ELSE s.title || ' long-term geo-redundant backup disabled.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_database s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id - AND s.name <> 'master'; + language: sql + primary_resource: azure_sql_database + definition: | + SELECT + s.database_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN retention_policy_property ->> 'monthlyRetention' <> 'PT0S' + OR retention_policy_property ->> 'weeklyRetention' <> 'PT0S' + OR retention_policy_property ->> 'yearlyRetention' <> 'PT0S' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN retention_policy_property ->> 'monthlyRetention' <> 'PT0S' + OR retention_policy_property ->> 'weeklyRetention' <> 'PT0S' + OR retention_policy_property ->> 'yearlyRetention' <> 'PT0S' + THEN s.title || ' long-term geo-redundant backup enabled.' + ELSE s.title || ' long-term geo-redundant backup disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_database s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id + AND s.name <> 'master'; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml b/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml index e341c8ce2..4a4adebc1 100644 --- a/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml 
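Review bot: The `ok` reason says "long-term geo-redundant backup enabled", but the only evidence examined is that one of `weeklyRetention`/`monthlyRetention`/`yearlyRetention` differs from `PT0S`; nothing in the query reads the backup storage redundancy, so a database with LTR on locally-redundant storage is reported as geo-redundant. Either word the reason as `s.title || ' long-term backup retention configured.'` or, if `azure_sql_database` exposes the backup storage redundancy, add it to the status CASE so the title is actually enforced. A missing retention key yields NULL from `->>`, all three `<>` tests become UNKNOWN and the row falls through to `'alarm'`, so the no-policy case is already handled fail-closed.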
@@ -1,54 +1,55 @@ id: azure_sql_database_transparent_data_encryption_enabled title: SQL databases transparent data encryption should be enabled +type: control description: Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - SELECT - s.database_id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Enabled' - OR transparent_data_encryption ->> 'state' = 'Enabled' - THEN s.title || ' transparent data encryption enabled.' - ELSE s.title || ' transparent data encryption disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_database AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id - AND s.name <> 'master'; + language: sql + primary_resource: azure_sql_database + definition: | + SELECT + s.database_id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Enabled' + OR transparent_data_encryption ->> 'state' = 'Enabled' + THEN s.title || ' transparent data encryption enabled.' + ELSE s.title || ' transparent data encryption disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_database AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id + AND s.name <> 'master'; severity: The text does not provide information about a specific Azure Control to determine its suggested severity. tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.1.2 - cis_level: - - '1' - cis_section_id: - - '4.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.1.2 + cis_level: + - "1" + cis_section_id: + - "4.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml b/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml index 890e924ed..71a552e37 100644 --- a/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml +++ b/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml 
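Review bot: The `severity` field carries a leaked generator placeholder — `severity: The text does not provide information about a specific Azure Control to determine its suggested severity.` — instead of a level, so this control will either fail schema validation or be reported with no severity at all. Replace it with a real value consistent with the sibling CIS SQL controls, e.g. `severity: high` (TDE is CIS 4.1.2 and protects data at rest). The status logic itself is sound: it accepts either `status` or `state` equal to `'Enabled'`, and a NULL `transparent_data_encryption` falls through to `'alarm'`.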
@@ -1,56 +1,57 @@ id: azure_sql_database_vulnerability_findings_resolved title: SQL databases should have vulnerability findings resolved +type: control description: Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - WITH vulnerability_findings AS ( - SELECT - db.id AS database_id, - scan ->> 'endTime' AS latest_scan_end_time, - scan ->> 'numberOfFailedSecurityChecks' AS no_of_failed_sec_checks - FROM - azure_sql_database AS db, - jsonb_array_elements(vulnerability_assessment_scan_records) AS scan - WHERE - (scan ->> 'numberOfFailedSecurityChecks')::int = 0 - ORDER BY - scan ->> 'endTime' DESC NULLS LAST - LIMIT 1 - ) - SELECT - DISTINCT a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.database_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.database_id IS NOT NULL THEN a.name || ' vulnerability findings resolved.' - ELSE a.title || ' vulnerability findings not resolved.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_database AS a - LEFT JOIN - vulnerability_findings AS s ON a.id = s.database_id, - azure_subscription AS sub - WHERE - a.name <> 'master' - AND sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_database + definition: | + WITH vulnerability_findings AS ( + SELECT + db.id AS database_id, + scan ->> 'endTime' AS latest_scan_end_time, + scan ->> 'numberOfFailedSecurityChecks' AS no_of_failed_sec_checks + FROM + azure_sql_database AS db, + jsonb_array_elements(vulnerability_assessment_scan_records) AS scan + WHERE + (scan ->> 'numberOfFailedSecurityChecks')::int = 0 + ORDER BY + scan ->> 'endTime' DESC NULLS LAST + LIMIT 1 + ) + SELECT + DISTINCT a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.database_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.database_id IS NOT NULL THEN a.name || ' vulnerability findings resolved.' + ELSE a.title || ' vulnerability findings not resolved.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_database AS a + LEFT JOIN + vulnerability_findings AS s ON a.id = s.database_id, + azure_subscription AS sub + WHERE + a.name <> 'master' + AND sub.subscription_id = a.subscription_id; severity: high tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/SQL + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml b/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml index d09272098..6152d2c35 100644 --- a/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml 
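Review bot: The `vulnerability_findings` CTE has a single global `LIMIT 1` with no per-database partitioning, so at most one database in the entire result set can ever be `ok` and every other database — including ones whose scans are all clean — is reported as `alarm`. It also filters to scans with zero failed checks before ordering by `endTime`, so it answers "did this database ever have a clean scan" rather than "is the latest scan clean", letting a database whose newest scan found issues pass on the strength of an older one. Use `DISTINCT ON (db.id)` to pick the latest scan per database and test its failed-check count in the outer CASE, as sketched below; the reason CASE also mixes `a.name` and `a.title` between branches, and `endTime` is ordered as text, which is only correct if the collector emits one fixed ISO-8601 format — worth confirming.
```sql
WITH latest_scan AS (
  SELECT DISTINCT ON (db.id)
    db.id AS database_id,
    (scan ->> 'numberOfFailedSecurityChecks')::int AS no_of_failed_sec_checks
  FROM
    azure_sql_database AS db,
    jsonb_array_elements(db.vulnerability_assessment_scan_records) AS scan
  ORDER BY
    db.id, scan ->> 'endTime' DESC NULLS LAST
)
SELECT
  DISTINCT a.id AS resource,
  -- … unchanged: platform_integration_id / platform_resource_id …
  CASE
    WHEN s.no_of_failed_sec_checks = 0 THEN 'ok'
    ELSE 'alarm'
  END AS status,
  -- … unchanged: reason CASE, keyed on the same test and using a.name in both branches …
FROM
  azure_sql_database AS a
  LEFT JOIN latest_scan AS s ON a.id = s.database_id,
  azure_subscription AS sub
WHERE
  a.name <> 'master'
  AND sub.subscription_id = a.subscription_id;
```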
+++ b/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml 
@@ -1,49 +1,50 @@ id: azure_sql_db_active_directory_admin_configured title: Ensure that Azure Active Directory Admin is configured +type: control description: Use Azure Active Directory Authentication for authentication with SQL Database. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN server_azure_ad_administrator IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' - ELSE name || ' Azure AD authentication configured.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN server_azure_ad_administrator IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN server_azure_ad_administrator IS NULL THEN name || ' Azure AD authentication not configured.' + ELSE name || ' Azure AD authentication configured.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '4.4' - cis_level: - - '1' - cis_section_id: - - '4' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - "4.4" + cis_level: + - "1" + cis_section_id: + - "4" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml b/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml index b649243cd..a47016e4c 100644 --- a/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml 
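Review bot: The control passes as soon as `server_azure_ad_administrator` is non-NULL, but the description promises that Azure AD is used for authentication, and configuring an AD administrator leaves SQL authentication (including the server admin login) fully enabled; if `azure_sql_server` exposes the Azure-AD-only-authentication flag it belongs in this CASE, otherwise narrow the description to "an Azure AD administrator is configured". The reason text references an unqualified `name` while the sibling controls use `s.name`; qualify it, `s.name || ' Azure AD authentication not configured.'`, so a future `name` column on `azure_subscription` cannot make the query ambiguous.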
@@ -1,35 +1,36 @@ id: azure_sql_db_public_network_access_disabled title: Public network access on Azure SQL Database should be disabled +type: control description: Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN public_network_access = 'Enabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' - ELSE name || ' public network access disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN public_network_access = 'Enabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access = 'Enabled' THEN name || ' public network access enabled.' + ELSE name || ' public network access disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL 
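Review bot: The status CASE alarms only on the literal `'Enabled'`, so a NULL or unexpected `public_network_access` value falls through to `'ok'` with the reason "public network access disabled"; for a property that, when unset, typically leaves public access on, the control should fail closed. Make the pass condition explicit instead: `WHEN public_network_access IS DISTINCT FROM 'Disabled' THEN 'alarm'`, and mirror the same test in the reason CASE. Whether the collector actually emits NULL for servers that never set the property is not visible here — worth confirming with a query against `azure_sql_server`.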
diff --git a/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml b/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml index 942c1acdb..af2fbb929 100644 --- a/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml 
@@ -1,51 +1,52 @@ id: azure_sql_server_and_databases_va_enabled title: Vulnerability assessment should be enabled on your SQL servers +type: control description: Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN s.name || ' VA setting disabled.' - ELSE s.name || ' VA setting enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - JSONB_ARRAY_ELEMENTS(server_security_alert_policy) security, - JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) assessment, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN s.name || ' VA setting disabled.' + ELSE s.name || ' VA setting enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + JSONB_ARRAY_ELEMENTS(server_security_alert_policy) security, + JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) assessment, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.2.2 - cis_level: - - '2' - cis_section_id: - - '4.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.2.2 + cis_level: + - "2" + cis_section_id: + - "4.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_atp_enabled.yaml b/compliance/controls/azure/azure_sql_server_atp_enabled.yaml index d11f5ac19..d49b02bba 100644 --- a/compliance/controls/azure/azure_sql_server_atp_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_atp_enabled.yaml 
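Review bot: The status never looks at the vulnerability assessment: both CASE expressions read `security -> 'properties' ->> 'state'` from `server_security_alert_policy`, while the `assessment` rows expanded from `server_vulnerability_assessment` are joined and then ignored, so this control duplicates `azure_sql_server_atp_enabled` and cannot tell whether recurring VA scans are on. Because `JSONB_ARRAY_ELEMENTS` is cross-joined, a server with a NULL or empty `server_vulnerability_assessment` produces no row at all and is silently unevaluated instead of alarmed. The sketch below evaluates the assessment element (the recurring-scan flag is `properties.recurringScans.isEnabled` in the ARM resource shape — confirm the collector preserves those keys) and uses a lateral LEFT JOIN so unconfigured servers surface as `alarm`.
```sql
SELECT
  s.id AS resource,
  -- … unchanged: platform_integration_id / platform_resource_id …
  CASE
    WHEN assessment IS NULL THEN 'alarm'
    WHEN (assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled')::boolean THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN assessment IS NULL THEN s.name || ' VA not configured.'
    WHEN (assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled')::boolean THEN s.name || ' VA recurring scans enabled.'
    ELSE s.name || ' VA recurring scans disabled.'
  END AS reason,
  -- … unchanged: resource_group / subscription …
FROM
  azure_sql_server s
  LEFT JOIN LATERAL jsonb_array_elements(s.server_vulnerability_assessment) assessment ON true,
  azure_subscription sub
WHERE
  sub.subscription_id = s.subscription_id;
```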
@@ -1,50 +1,51 @@ id: azure_sql_server_atp_enabled title: Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers +type: control description: Enable "Azure Defender for SQL" on critical SQL Servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN s.name || ' Azure defender disabled.' - ELSE s.name || ' Azure defender enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN s.name || ' Azure defender disabled.' + ELSE s.name || ' Azure defender enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_security_alert_policy) security, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: critical tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.2.1 - cis_level: - - '2' - cis_section_id: - - '4.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.2.1 + cis_level: + - "2" + cis_section_id: + - "4.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_auditing_on.yaml b/compliance/controls/azure/azure_sql_server_auditing_on.yaml index e4149493b..6543475d7 100644 --- a/compliance/controls/azure/azure_sql_server_auditing_on.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_on.yaml 
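Review bot: `jsonb_array_elements(server_security_alert_policy)` is an inner cross join, so a server whose alert policy is NULL or an empty array yields no row and is never reported — exactly the unconfigured case this CIS 4.2.1 check exists to catch. Join it laterally and treat absence as failure: `LEFT JOIN LATERAL jsonb_array_elements(s.server_security_alert_policy) security ON true` in the FROM list, with `WHEN security -> 'properties' ->> 'state' IS DISTINCT FROM 'Enabled' THEN 'alarm'` replacing the `= 'Disabled'` test in both CASEs, so that only an explicit `Enabled` passes and a missing policy or state fails closed. The reason strings still say "Azure defender" while the title uses the current "Microsoft Defender for SQL" name; aligning them avoids confusion in reports.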
@@ -1,51 +1,52 @@ id: azure_sql_server_auditing_on title: Auditing on SQL server should be enabled +type: control description: Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN audit -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN audit -> 'properties' ->> 'state' = 'Disabled' - THEN name || ' auditing disabled.' - ELSE name || ' auditing enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN audit -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN audit -> 'properties' ->> 'state' = 'Disabled' + THEN name || ' auditing disabled.' + ELSE name || ' auditing enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_audit_policy) audit, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.1.1 - cis_level: - - '1' - cis_section_id: - - '4.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.1.1 + cis_level: + - "1" + cis_section_id: + - "4.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml b/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml index 981ac9a08..42a11fc69 100644 --- a/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml 
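Review bot: The alarm branch fires only on the literal `'Disabled'`, so any other `state` value — including a missing key, which `->>` returns as NULL — reports "auditing enabled"; invert the test to `WHEN audit -> 'properties' ->> 'state' IS DISTINCT FROM 'Enabled' THEN 'alarm'` in both CASEs so only an explicit `Enabled` passes. The cross join through `jsonb_array_elements(server_audit_policy)` also drops any server with a NULL or empty audit policy from the result entirely, which is the one server this CIS 4.1.1 check most needs to flag; `LEFT JOIN LATERAL jsonb_array_elements(s.server_audit_policy) audit ON true` keeps it in the output, where the `IS DISTINCT FROM` test above alarms it. `name` in the reason text is unqualified while the sibling controls use `s.name`; qualify it for consistency.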
@@ -1,52 +1,53 @@ id: azure_sql_server_auditing_retention_period_90 title: Ensure that 'Auditing' Retention is 'greater than 90 days' +type: control description: SQL Server Audit Retention should be configured to be greater than 90 days. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN (audit -> 'properties' ->> 'retentionDays')::integer = 0 THEN 'ok' - WHEN (audit -> 'properties' ->> 'retentionDays')::integer >= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (audit -> 'properties' ->> 'retentionDays')::integer = 0 THEN name || ' audit retention set to unlimited days.' - WHEN (audit -> 'properties' ->> 'retentionDays')::integer >= 90 THEN name || ' audit retention greater than 90 days.' - ELSE name || ' audit retention less than 90 days.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN (audit -> 'properties' ->> 'retentionDays')::integer = 0 THEN 'ok' + WHEN (audit -> 'properties' ->> 'retentionDays')::integer >= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (audit -> 'properties' ->> 'retentionDays')::integer = 0 THEN name || ' audit retention set to unlimited days.' + WHEN (audit -> 'properties' ->> 'retentionDays')::integer >= 90 THEN name || ' audit retention greater than 90 days.' + ELSE name || ' audit retention less than 90 days.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_audit_policy) audit, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.1.3 - cis_level: - - '1' - cis_section_id: - - '4.1' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.1.3 + cis_level: + - "1" + cis_section_id: + - "4.1" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml b/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml index 7f8a895c4..87409783c 100644 --- a/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml 
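Review bot: `retentionDays = 0` is read as "unlimited" and returns `ok` without first checking that the audit policy is enabled, and a disabled policy commonly carries `retentionDays: 0` (confirm against collected data), so a server with auditing switched off can pass this retention control with the reason "audit retention set to unlimited days". Guard on state first, `WHEN audit -> 'properties' ->> 'state' IS DISTINCT FROM 'Enabled' THEN 'skip'` as the opening branch of both CASEs, mirroring the `state = 'Enabled'` filter the storage-destination sibling already applies; the disabled case itself is owned by CIS 4.1.1. A missing `retentionDays` casts to NULL, fails both numeric tests and lands in `'alarm'` with the "less than 90 days" reason — fail-closed, but a dedicated branch would make the report honest.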
@@ -1,54 +1,55 @@ id: azure_sql_server_auditing_storage_account_destination_retention_90_days title: SQL servers with auditing to storage account destination should be configured with 90 days retention or higher +type: control description: For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server AS ( - SELECT - id, - name, - subscription_id, - resource_group, - p -> 'properties' ->> 'retentionDays' AS retentionDays - FROM - azure_sql_server, - jsonb_array_elements(server_audit_policy) AS p - WHERE - p -> 'properties' ->> 'state' = 'Enabled' - AND p -> 'properties' ->> 'storageEndpoint' IS NOT NULL - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NULL THEN 'skip' - WHEN s.retentionDays::INTEGER = 0 THEN 'ok' - WHEN s.retentionDays::INTEGER >= 90 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.id IS NULL THEN a.name || ' auditing to storage account destination not enabled.' - WHEN s.retentionDays::INTEGER = 0 THEN a.name || ' auditing to storage account destination configured with unlimited retention days.' - WHEN s.retentionDays::INTEGER >= 90 THEN a.name || ' auditing to storage account destination configured with 90 days retention or higher.' - ELSE a.name || ' auditing to storage account destination not configured with 90 days retention or higher.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a - LEFT JOIN sql_server AS s ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server AS ( + SELECT + id, + name, + subscription_id, + resource_group, + p -> 'properties' ->> 'retentionDays' AS retentionDays + FROM + azure_sql_server, + jsonb_array_elements(server_audit_policy) AS p + WHERE + p -> 'properties' ->> 'state' = 'Enabled' + AND p -> 'properties' ->> 'storageEndpoint' IS NOT NULL + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NULL THEN 'skip' + WHEN s.retentionDays::INTEGER = 0 THEN 'ok' + WHEN s.retentionDays::INTEGER >= 90 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.id IS NULL THEN a.name || ' auditing to storage account destination not enabled.' + WHEN s.retentionDays::INTEGER = 0 THEN a.name || ' auditing to storage account destination configured with unlimited retention days.' + WHEN s.retentionDays::INTEGER >= 90 THEN a.name || ' auditing to storage account destination configured with 90 days retention or higher.' + ELSE a.name || ' auditing to storage account destination not configured with 90 days retention or higher.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a + LEFT JOIN sql_server AS s ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL 
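Review bot: The CTE filter `p -> 'properties' ->> 'storageEndpoint' IS NOT NULL` only excludes a missing key; when auditing targets Log Analytics or Event Hub the ARM API commonly returns `storageEndpoint` as an empty string, which passes this test and is then graded on a `retentionDays` that is meaningless for that destination (0 → 'unlimited' → ok). Use `AND NULLIF(p -> 'properties' ->> 'storageEndpoint', '') IS NOT NULL` so those servers fall into the intended `skip` branch. Separately, a server with more than one enabled storage-destination policy produces one result row per policy through `LEFT JOIN sql_server AS s ON s.id = a.id`, possibly with conflicting statuses; a `DISTINCT ON (id)` in the CTE (or aggregating the policies) keeps one verdict per server.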
diff --git a/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml b/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml index 290e5c7a3..fe69b4c11 100644 --- a/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml 
@@ -1,47 +1,48 @@ id: azure_sql_server_azure_ad_authentication_enabled title: An Azure Active Directory administrator should be provisioned for SQL servers +type: control description: Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sever_with_ad_admin AS ( - SELECT - DISTINCT a.id - FROM - azure_sql_server AS a, - jsonb_array_elements(server_azure_ad_administrator) AS ad_admin - WHERE - ad_admin ->> 'type' = 'Microsoft.Sql/servers/administrators' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.id IS NOT NULL THEN a.name || ' azure AD authentication enabled.' - ELSE a.name || ' azure AD authentication disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a - LEFT JOIN sever_with_ad_admin AS s ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH sever_with_ad_admin AS ( + SELECT + DISTINCT a.id + FROM + azure_sql_server AS a, + jsonb_array_elements(server_azure_ad_administrator) AS ad_admin + WHERE + ad_admin ->> 'type' = 'Microsoft.Sql/servers/administrators' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.id IS NOT NULL THEN a.name || ' azure AD authentication enabled.' + ELSE a.name || ' azure AD authentication disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a + LEFT JOIN sever_with_ad_admin AS s ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml b/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml index 817e8ac30..a530bda70 100644 --- a/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml 
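Review bot: The `sever_with_ad_admin` CTE treats any element whose ARM `type` is `Microsoft.Sql/servers/administrators` as a provisioned Azure AD admin, without checking `administratorType` or that a `login`/`sid` is actually set; presumably the collector only stores real admin objects, but a placeholder entry would still be graded 'azure AD authentication enabled.'. Consider tightening the WHERE with `AND ad_admin -> 'properties' ->> 'administratorType' = 'ActiveDirectory'` — confirm the property path against the stored JSON. The CTE name is misspelled (`sever_` for `server_`) in both places it appears, which makes the query harder to grep alongside its siblings.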
@@ -1,48 +1,49 @@ id: azure_sql_server_azure_defender_enabled title: Azure Defender for SQL should be enabled for unprotected Azure SQL servers +type: control description: Audit SQL servers without Advanced Data Security. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_policy AS ( - SELECT - DISTINCT a.name - FROM - azure_sql_server AS a, - jsonb_array_elements(server_security_alert_policy) AS policy - WHERE - policy ->> 'name' = 'Default' - AND policy -> 'properties' ->> 'state' = 'Enabled' - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN kind LIKE '%analytics%' THEN 'skip' - WHEN s.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kind LIKE '%analytics%' THEN a.name || ' azure defender not applicable.' - WHEN s.name IS NULL THEN a.name || ' sql azure defender disabled.' - ELSE a.name || ' sql azure defender enabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a - LEFT JOIN sql_server_policy AS s ON a.name = s.name, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_policy AS ( + SELECT + DISTINCT a.name + FROM + azure_sql_server AS a, + jsonb_array_elements(server_security_alert_policy) AS policy + WHERE + policy ->> 'name' = 'Default' + AND policy -> 'properties' ->> 'state' = 'Enabled' + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN kind LIKE '%analytics%' THEN 'skip' + WHEN s.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kind LIKE '%analytics%' THEN a.name || ' azure defender not applicable.' + WHEN s.name IS NULL THEN a.name || ' sql azure defender disabled.' + ELSE a.name || ' sql azure defender enabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a + LEFT JOIN sql_server_policy AS s ON a.name = s.name, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml b/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml index edcc2f053..df895b290 100644 --- a/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml +++ b/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml 
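Review bot: This control emits the bare `a.name` as `resource` and joins the CTE on `a.name = s.name`, whereas the other SQL server controls in this diff use the ARM `a.id`; a logical server name is not a resource ID, so any downstream view keyed on `resource` cannot correlate this result with theirs. Use `DISTINCT a.id` in the CTE, `LEFT JOIN sql_server_policy AS s ON a.id = s.id`, and `a.id AS resource`, after which the outer `DISTINCT` is no longer needed. `kind` is also unqualified in a three-table FROM — write `a.kind` so the `LIKE '%analytics%'` skip cannot bind to another table's column.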
@@ -1,50 +1,51 @@ id: azure_sql_server_tde_protector_cmk_encrypted title: SQL servers should use customer-managed keys to encrypt data at rest +type: control description: Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption ->> 'kind' = 'servicemanaged' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption ->> 'kind' = 'servicemanaged' THEN s.name || ' TDE protector not encrypted with CMK.' - ELSE s.name || ' TDE protector encrypted with CMK.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption ->> 'kind' = 'servicemanaged' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption ->> 'kind' = 'servicemanaged' THEN s.name || ' TDE protector not encrypted with CMK.' + ELSE s.name || ' TDE protector encrypted with CMK.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(encryption_protector) encryption, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '4.5' - cis_level: - - '2' - cis_section_id: - - '4' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - "4.5" + cis_level: + - "2" + cis_section_id: + - "4" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml b/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml index 8aedb4e72..e8835dd69 100644 --- a/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml 
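Review bot: The status CASE fails open: only `encryption ->> 'kind' = 'servicemanaged'` alarms, so a protector whose `kind` is missing, NULL or any unexpected value is reported 'TDE protector encrypted with CMK.'. Make the CMK case the positive match — `WHEN encryption ->> 'kind' = 'azurekeyvault' THEN 'ok' ELSE 'alarm'` (the ARM API reports `azurekeyvault` for Key Vault-backed protectors; confirm against the collected data) — or at minimum `WHEN encryption ->> 'kind' IS NULL OR encryption ->> 'kind' = 'servicemanaged' THEN 'alarm'`. Note also that `jsonb_array_elements(encryption_protector)` yields no rows for a server whose array is empty, so such servers silently disappear from the results instead of alarming.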
@@ -1,39 +1,40 @@ id: azure_sql_server_threat_detection_all_enabled title: SQL server threat detection should be enabled for all +type: control description: This control ensures that SQL server threat detection is enabled for all. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH threat_detection_disabled AS ( - SELECT - DISTINCT id - FROM - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) p - WHERE - NOT (p -> 'properties' -> 'disabledAlerts' = '[""]') - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN t.id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN t.id IS NULL THEN name || ' threat detection enabled for all.' - ELSE name || ' threat detection not enabled for all.' - END AS reason - FROM - azure_sql_server s - LEFT JOIN threat_detection_disabled AS t ON t.id = s.id, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH threat_detection_disabled AS ( + SELECT + DISTINCT id + FROM + azure_sql_server s, + jsonb_array_elements(server_security_alert_policy) p + WHERE + NOT (p -> 'properties' -> 'disabledAlerts' = '[""]') + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN t.id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN t.id IS NULL THEN name || ' threat detection enabled for all.' + ELSE name || ' threat detection not enabled for all.' + END AS reason + FROM + azure_sql_server s + LEFT JOIN threat_detection_disabled AS t ON t.id = s.id, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} 
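Review bot: The `threat_detection_disabled` CTE only asks whether `disabledAlerts` differs from `[""]` and never checks `p -> 'properties' ->> 'state'`, so a server whose alert policy is entirely Disabled (with the default empty `disabledAlerts`) is graded 'threat detection enabled for all.'. Prepend `p -> 'properties' ->> 'state' <> 'Enabled' OR` to the existing predicate. In the other direction, newer API versions can return `disabledAlerts` as `[]` rather than `[""]`, which this comparison flags as 'not enabled for all'; `NOT (p -> 'properties' -> 'disabledAlerts' IN ('[""]'::jsonb, '[]'::jsonb))` accepts both, and a `COALESCE` is needed if the key can be absent, since a NULL predicate drops the row and again reads as ok. Unlike its siblings this query joins `azure_subscription` but emits neither `resource_group` nor `subscription`.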
diff --git a/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml b/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml index f18155064..6f40c4f58 100644 --- a/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_sql_server_transparent_data_encryption_enabled title: Transparent Data Encryption on SQL databases should be enabled +type: control description: Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_database - definition: | - SELECT - db.id AS resource, - db.platform_integration_id AS platform_integration_id, - db.platform_resource_id AS platform_resource_id, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN transparent_data_encryption ->> 'status' = 'Disabled' THEN db.name || ' transparent data encryption off.' - ELSE db.name || ' transparent data encryption on.' - END AS reason, - db.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_database db, - azure_subscription sub - WHERE - sub.subscription_id = db.subscription_id; + language: sql + primary_resource: azure_sql_database + definition: | + SELECT + db.id AS resource, + db.platform_integration_id AS platform_integration_id, + db.platform_resource_id AS platform_resource_id, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN transparent_data_encryption ->> 'status' = 'Disabled' THEN db.name || ' transparent data encryption off.' + ELSE db.name || ' transparent data encryption on.' + END AS reason, + db.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_database db, + azure_subscription sub + WHERE + sub.subscription_id = db.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL 
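Review bot: The status CASE fails open — anything other than `transparent_data_encryption ->> 'status' = 'Disabled'`, including a NULL when the key is absent or the API surfaces the newer `state` field instead, is graded 'transparent data encryption on.'. Match the enabled state positively: `WHEN transparent_data_encryption ->> 'status' = 'Enabled' THEN 'ok' ELSE 'alarm'`. The `master` system database cannot have TDE enabled in Azure SQL Database and will alarm permanently under this rule; a leading `WHEN db.name = 'master' THEN 'skip'` branch (with a matching reason) removes that standing false positive.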
diff --git a/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml index 31873bb28..e5684ff6d 100644 --- a/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml 
@@ -1,44 +1,45 @@ id: azure_sql_server_use_virtual_service_endpoint title: SQL Server should use a virtual network service endpoint +type: control description: This policy audits any SQL Server not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_subnet AS ( - SELECT - DISTINCT a.name, - rule -> 'properties' -> 'virtualNetworkSubnetId' AS subnet_id - FROM - azure_sql_server AS a, - jsonb_array_elements(virtual_network_rules) AS rule - ) - SELECT - DISTINCT a.name AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' - ELSE a.name || ' configured with virtual service endpoint.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a - LEFT JOIN sql_server_subnet AS s ON a.name = s.name, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_subnet AS ( + SELECT + DISTINCT a.name, + rule -> 'properties' -> 'virtualNetworkSubnetId' AS subnet_id + FROM + azure_sql_server AS a, + jsonb_array_elements(virtual_network_rules) AS rule + ) + SELECT + DISTINCT a.name AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.name IS NULL THEN a.name || ' not configured with virtual service endpoint.' + ELSE a.name || ' configured with virtual service endpoint.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a + LEFT JOIN sql_server_subnet AS s ON a.name = s.name, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/SQL + hipaa_hitrust_v92: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_uses_private_link.yaml b/compliance/controls/azure/azure_sql_server_uses_private_link.yaml index 06a985b73..c6fdaf96e 100644 --- a/compliance/controls/azure/azure_sql_server_uses_private_link.yaml +++ b/compliance/controls/azure/azure_sql_server_uses_private_link.yaml 
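Review bot: The `sql_server_subnet` CTE counts any element of `virtual_network_rules` as a working service endpoint, regardless of `rule -> 'properties' ->> 'state'` (rules can sit in non-Ready states) or `ignoreMissingVnetServiceEndpoint`, and it selects a `subnet_id` column that nothing reads. Add `WHERE rule -> 'properties' ->> 'state' = 'Ready'` (confirm the state values the collector stores) and drop `subnet_id`, which also removes the per-rule row fan-out the outer `DISTINCT` is papering over. As in the Defender control, `resource` is the bare `a.name` and the join is on name rather than the ARM `a.id` used by the other controls in this diff; emit `a.id AS resource` and join on id for consistency.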
@@ -1,47 +1,48 @@ id: azure_sql_server_uses_private_link title: Private endpoint connections on Azure SQL Database should be enabled +type: control description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_private_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_sql_server AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a - LEFT JOIN - sql_server_private_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_private_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_sql_server AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' + ) + + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a + LEFT JOIN + sql_server_private_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SQL + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml b/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml index a4697a25a..a8c8382b3 100644 --- a/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml 
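Review bot: Passing on a single `PrivateLinkServiceConnectionStateStatus = 'Approved'` entry says nothing about whether the server is also reachable publicly; a server with an approved private endpoint and public network access left on is graded 'uses private link.', which readers will take to mean 'not publicly exposed'. If `azure_sql_server` exposes the server's public-network-access flag, fold it in (e.g. `WHEN c.id IS NULL OR a.public_network_access <> 'Disabled' THEN 'alarm'`); otherwise state in `description` that this control checks only for the presence of an approved private endpoint. The flattened PascalCase key `PrivateLinkServiceConnectionStateStatus` differs from the `properties`-nested paths used by every other control here and is worth confirming against the stored JSON. Wording: `' not uses private link.'` → `' does not use private link.'`.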
@@ -1,67 +1,68 @@ id: azure_sql_server_va_setting_periodic_scan_enabled title: Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server +type: control description: Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - THEN s.name || ' VA setting periodic recurring scans disabled.' - ELSE s.name || ' VA setting periodic recurring scans enabled.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' + ) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' + ) + THEN s.name || ' VA setting periodic recurring scans disabled.' + ELSE s.name || ' VA setting periodic recurring scans enabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_security_alert_policy) security, + jsonb_array_elements(server_vulnerability_assessment) assessment, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.2.3 - cis_level: - - '2' - cis_section_id: - - '4.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.2.3 + cis_level: + - "2" + cis_section_id: + - "4.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml b/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml index f2f1c0181..5ae6d0ae4 100644 --- a/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml +++ b/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml 
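Review bot: The alarm condition fires only when `storageContainerPath IS NOT NULL` and `isEnabled = 'false'`, so a server with security alerts Enabled but no vulnerability assessment configured at all (NULL path, or a missing `isEnabled` key) is graded 'VA setting periodic recurring scans enabled.' — a fail-open on the unconfigured case. Flip it to a positive match: `WHEN security -> 'properties' ->> 'state' = 'Enabled' AND assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' THEN 'ok' ELSE 'alarm'`, mirrored in the reason CASE. The FROM also cross-joins `server_security_alert_policy` with `server_vulnerability_assessment`, so a server with n policies and m assessments yields n×m rows and one with an empty array in either yields none; a `LEFT JOIN LATERAL` over each array would give exactly one evaluable row per server.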
@@ -1,67 +1,68 @@ id: azure_sql_server_va_setting_reports_notify_admins title: Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server +type: control description: Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - THEN s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' - ELSE s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' + ) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' + ) + THEN s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' + ELSE s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_security_alert_policy) security, + jsonb_array_elements(server_vulnerability_assessment) assessment, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.2.5 - cis_level: - - '2' - cis_section_id: - - '4.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.2.5 + cis_level: + - "2" + cis_section_id: + - "4.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml b/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml index 2b31e5956..46895f85e 100644 --- a/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml +++ b/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml 
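Review bot: `jsonb_array_elements(server_security_alert_policy)` and `jsonb_array_elements(server_vulnerability_assessment)` in a comma-join mean a server with an empty array on either side produces zero rows and is silently absent from the results — precisely the servers with no VA configured, which CIS 4.2.5 should be alarming on. Use `LEFT JOIN LATERAL jsonb_array_elements(s.server_security_alert_policy) security ON true` and the same for `assessment` so every server is graded, then treat a missing value as a failure with `COALESCE(assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins', 'false') <> 'true'` instead of alarming only on the literal string `'false'`. The predicate is duplicated verbatim between the status and reason CASEs; computing a boolean once in a CTE keeps the two from drifting.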
@@ -1,67 +1,68 @@ id: azure_sql_server_va_setting_scan_reports_configured title: Ensure that VA setting 'Send scan reports to' is configured for a SQL server +type: control description: Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN - security -> 'properties' ->> 'state' = 'Disabled' - OR - ( - security -> 'properties' ->> 'state' = 'Enabled' - AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL - AND assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - THEN s.name || ' VA scan reports and alerts not configured send email.' - ELSE s.name || ' VA scan reports and alerts configured to send email.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' + ) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN + security -> 'properties' ->> 'state' = 'Disabled' + OR + ( + security -> 'properties' ->> 'state' = 'Enabled' + AND assessment -> 'properties' ->> 'storageContainerPath' IS NOT NULL + AND assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' + ) + THEN s.name || ' VA scan reports and alerts not configured send email.' + ELSE s.name || ' VA scan reports and alerts configured to send email.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(server_security_alert_policy) security, + jsonb_array_elements(server_vulnerability_assessment) assessment, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - 4.2.4 - cis_level: - - '2' - cis_section_id: - - '4.2' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL + category: + - Compliance + cis: + - "true" + cis_item_id: + - 4.2.4 + cis_level: + - "2" + cis_section_id: + - "4.2" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL diff --git a/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml b/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml index 55704b4bd..26fc03d34 100644 --- a/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml +++ b/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml 
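Review bot: The alarm branch tests `recurringScans ->> 'emails' = '[]'`, so a `recurringScans` object with no `emails` key, or a NULL value, evaluates to NULL, skips the alarm and lands on 'VA scan reports and alerts configured to send email.' — fail-open for the unconfigured case. Guard it with `COALESCE(assessment -> 'properties' -> 'recurringScans' ->> 'emails', '[]') = '[]'`, or, if `emails` is always an array, `COALESCE(jsonb_array_length(assessment -> 'properties' -> 'recurringScans' -> 'emails'), 0) = 0`. Also fix the reason string: `' VA scan reports and alerts not configured send email.'` → `' VA scan reports and alerts not configured to send email.'`.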
@@ -1,49 +1,50 @@ id: azure_storage_account_blob_containers_public_access_private title: Ensure that 'Public access level' is set to Private for blob containers +type: control description: Disable anonymous access to blob containers and disallow blob public access on storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_container - definition: | - SELECT - container.id AS resource, - container.platform_integration_id AS platform_integration_id, - container.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' - THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - ELSE account.name || ' container ' || container.name || ' allows anonymous access.' - END AS reason, - container.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_container container - JOIN azure_storage_account account ON container.account_name = account.name - JOIN azure_subscription sub ON sub.subscription_id = account.subscription_id; + language: sql + primary_resource: azure_storage_container + definition: | + SELECT + container.id AS resource, + container.platform_integration_id AS platform_integration_id, + container.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN NOT account.allow_blob_public_access AND container.public_access = 'None' + THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' + ELSE account.name || ' container ' || container.name || ' allows anonymous access.' 
+ END AS reason, + container.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_container container + JOIN azure_storage_account account ON container.account_name = account.name + JOIN azure_subscription sub ON sub.subscription_id = account.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.5' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.5" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml index 1a78fd7e0..0ea5f17a6 100644 --- a/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml 
@@ -1,58 +1,59 @@ id: azure_storage_account_blob_service_logging_enabled title: Ensure Storage logging is enabled for Blob service for read, write, and delete requests -description: 'The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.' +type: control +description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN - OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN name || ' blob service logging not enabled for ' || - CONCAT_WS(', ', - CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN THEN 'write' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN THEN 'read' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'delete' END - ) || ' requests.' - ELSE name || ' blob service logging enabled for read, write, delete requests.' 
- END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN + OR NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN name || ' blob service logging not enabled for ' || + CONCAT_WS(', ', + CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::BOOLEAN THEN 'write' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN THEN 'read' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::BOOLEAN THEN 'delete' END + ) || ' requests.' + ELSE name || ' blob service logging enabled for read, write, delete requests.' + END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.10' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.10" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage 
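Review bot: The new-side status CASE fails open when `sa.blob_service_logging` is NULL or lacks a key: `NOT (sa.blob_service_logging ->> 'Read')::BOOLEAN` evaluates to NULL, the WHEN is unknown, and the row falls to `ELSE 'ok'`, so an account with no logging configured at all is reported compliant. Wrapping each test as `NOT COALESCE((sa.blob_service_logging ->> 'Read')::BOOLEAN, FALSE)` (and likewise for `'Write'` and `'Delete'`) in both CASE expressions makes an absent setting count as disabled. The reason branch also uses a bare `name ||` while two tables are in FROM; qualifying it as `sa.name ||` avoids an ambiguous-column error if `azure_subscription` exposes a `name` column too. The same NULL-falls-to-`'ok'` shape appears in the blobs_logging_enabled, default_network_access_rule_denied and encryption_at_rest_using_cmk hunks below and should be fixed the same way there.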
diff --git a/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml index e77edfbf5..112543589 100644 --- a/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml 
@@ -1,40 +1,41 @@ id: azure_storage_account_blobs_logging_enabled title: Storage account logging (Classic Diagnostic Setting) for blobs should be enabled +type: control description: Storage Logging records details of requests (read, write, and delete operations) against your Azure blobs. This policy identifies Azure storage accounts that do not have logging enabled for blobs. As a best practice, enable logging for read, write, and delete request types on blobs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(sa.sku_tier) = 'standard' - AND (NOT (sa.blob_service_logging ->> 'Read')::boolean - OR NOT (sa.blob_service_logging ->> 'Write')::boolean - OR NOT (sa.blob_service_logging ->> 'Delete')::boolean) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN LOWER(sa.sku_tier) = 'standard' - AND (NOT (sa.blob_service_logging ->> 'Read')::boolean - OR NOT (sa.blob_service_logging ->> 'Write')::boolean - OR NOT (sa.blob_service_logging ->> 'Delete')::boolean) THEN name || ' storage account logging for blobs is disabled for' - || CONCAT_WS(', ', - CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::boolean THEN 'write' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::boolean THEN 'read' END, - CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::boolean THEN 'delete' END - ) || ' requests.' - ELSE name || ' storage account logging for blobs is enabled.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(sa.sku_tier) = 'standard' + AND (NOT (sa.blob_service_logging ->> 'Read')::boolean + OR NOT (sa.blob_service_logging ->> 'Write')::boolean + OR NOT (sa.blob_service_logging ->> 'Delete')::boolean) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN LOWER(sa.sku_tier) = 'standard' + AND (NOT (sa.blob_service_logging ->> 'Read')::boolean + OR NOT (sa.blob_service_logging ->> 'Write')::boolean + OR NOT (sa.blob_service_logging ->> 'Delete')::boolean) THEN name || ' storage account logging for blobs is disabled for' + || CONCAT_WS(', ', + CASE WHEN NOT (sa.blob_service_logging ->> 'Write')::boolean THEN 'write' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Read')::boolean THEN 'read' END, + CASE WHEN NOT (sa.blob_service_logging ->> 'Delete')::boolean THEN 'delete' END + ) || ' requests.' + ELSE name || ' storage account logging for blobs is enabled.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_storage_account_block_public_access.yaml b/compliance/controls/azure/azure_storage_account_block_public_access.yaml index ff056738b..9cf0f10ad 100644 --- a/compliance/controls/azure/azure_storage_account_block_public_access.yaml +++ b/compliance/controls/azure/azure_storage_account_block_public_access.yaml 
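Review bot: The alarm reason in this hunk is missing a space before the concatenated list: `' storage account logging for blobs is disabled for'` is followed directly by `|| CONCAT_WS(', ', ...)`, so the emitted text reads "disabled forwrite, read requests." The fix is `THEN name || ' storage account logging for blobs is disabled for '`. Note also that `azure_subscription sub` is joined only for its filter and no subscription or resource_group column is projected, unlike the sibling controls; if that is intentional (dropping accounts whose subscription is not ingested), a one-line comment saying so would help, otherwise the join can be dropped.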
@@ -1,41 +1,42 @@ id: azure_storage_account_block_public_access title: Storage account public access should be disallowed +type: control description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.id NOT LIKE '%/resourceGroups/aro-%' - AND (sa.name NOT LIKE 'cluster%' OR sa.name NOT LIKE 'imageregistry%') - AND sa.allow_blob_public_access = 'false' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sa.id NOT LIKE '%/resourceGroups/aro-%' - AND (sa.name NOT LIKE 'cluster%' OR sa.name NOT LIKE 'imageregistry%') - AND sa.allow_blob_public_access = 'false' - THEN sa.name || ' not publicy accessible.' - ELSE sa.name || ' publicy accessible.' 
- END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.id NOT LIKE '%/resourceGroups/aro-%' + AND (sa.name NOT LIKE 'cluster%' OR sa.name NOT LIKE 'imageregistry%') + AND sa.allow_blob_public_access = 'false' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sa.id NOT LIKE '%/resourceGroups/aro-%' + AND (sa.name NOT LIKE 'cluster%' OR sa.name NOT LIKE 'imageregistry%') + AND sa.allow_blob_public_access = 'false' + THEN sa.name || ' not publicy accessible.' + ELSE sa.name || ' publicy accessible.' + END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Storage + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml b/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml index a667bc292..c6ff54465 100644 --- a/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml +++ b/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml 
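Review bot: The exemption `(sa.name NOT LIKE 'cluster%' OR sa.name NOT LIKE 'imageregistry%')` is always true, because no name can start with both prefixes, so it is a no-op in both CASE expressions and the check reduces to the `aro-` resource-group test plus `allow_blob_public_access`. If the intent is to treat both ARO-generated account names as a special case, the operator should be `AND`. As written, any account in an `aro-` resource group is reported `'alarm'` regardless of its `allow_blob_public_access` value, which reads as the opposite of an exemption; worth confirming whether those rows should instead be `'skip'`/`'info'`. Both reason strings misspell "publicly" (`' not publicy accessible.'` / `' publicy accessible.'`), and `sa.allow_blob_public_access = 'false'` would be clearer and consistent with the blob_containers hunk as `NOT sa.allow_blob_public_access`.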
@@ -1,49 +1,50 @@ id: azure_storage_account_default_network_access_rule_denied title: Storage accounts should restrict network access +type: control description: Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' - ELSE name || ' allows traffic from specific networks.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.network_rule_default_action = 'Allow' THEN name || ' allows traffic from all networks.' + ELSE name || ' allows traffic from specific networks.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.6' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.6" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml index 10bfe39cd..257afb016 100644 --- a/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml 
@@ -1,49 +1,50 @@ id: azure_storage_account_encryption_at_rest_using_cmk title: Storage accounts should use customer-managed key for encryption +type: control description: Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' - ELSE sa.name || ' encrypted with CMK.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN sa.encryption_key_source = 'Microsoft.Storage' THEN sa.name || ' not encrypted with CMK.' + ELSE sa.name || ' encrypted with CMK.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.9' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.9" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml index 974f0091f..2f35a1583 100644 --- a/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml 
@@ -1,50 +1,51 @@ id: azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk title: Storage account encryption scopes should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH storage_account_encryption_scope AS ( - SELECT - e ->> 'Id' AS id, - e ->> 'Name' AS name, - e ->> 'Source' AS source, - subscription_id, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - _ctx, - region, - resource_group - FROM - azure_storage_account, - jsonb_array_elements(encryption_scope) AS e - ) - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN source = 'Microsoft.Keyvault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN source = 'Microsoft.Keyvault' THEN s.name || ' uses customer-managed keys to encrypt data at rest.' - ELSE s.name || ' does not use customer-managed keys to encrypt data at rest.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - storage_account_encryption_scope AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + WITH storage_account_encryption_scope AS ( + SELECT + e ->> 'Id' AS id, + e ->> 'Name' AS name, + e ->> 'Source' AS source, + subscription_id, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + _ctx, + region, + resource_group + FROM + azure_storage_account, + jsonb_array_elements(encryption_scope) AS e + ) + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN source = 'Microsoft.Keyvault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN source = 'Microsoft.Keyvault' THEN s.name || ' uses customer-managed keys to encrypt data at rest.' + ELSE s.name || ' does not use customer-managed keys to encrypt data at rest.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + storage_account_encryption_scope AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Storage + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml b/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml index ea3edc95a..e67f57979 100644 --- a/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_storage_account_geo_redundant_enabled title: Geo-redundant storage should be enabled for Storage Accounts +type: control description: Use geo-redundancy to create highly available applications. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN sku_name = ANY(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sku_name = ANY(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) THEN name || ' geo-redundant enabled.' - ELSE name || ' geo-redundant disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN sku_name = ANY(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sku_name = ANY(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) THEN name || ' geo-redundant enabled.' + ELSE name || ' geo-redundant disabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/Storage + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/Storage 
diff --git a/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml index 499512cbd..ebad92287 100644 --- a/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_storage_account_infrastructure_encryption_enabled title: Storage accounts should have infrastructure encryption +type: control description: Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN require_infrastructure_encryption THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' - ELSE name || ' infrastructure encryption disabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN require_infrastructure_encryption THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN require_infrastructure_encryption THEN name || ' infrastructure encryption enabled.' + ELSE name || ' infrastructure encryption disabled.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.2' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.2" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml b/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml index 02edd7387..9e5e7d256 100644 --- a/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml +++ b/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml 
@@ -1,51 +1,52 @@ id: azure_storage_account_min_tls_1_2 title: Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' +type: control description: In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' - WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' - WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN 'alarm' + WHEN minimum_tls_version = 'TLS1_2' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN minimum_tls_version = 'TLSEnforcementDisabled' THEN sa.name || ' TLS enforcement is disabled.' + WHEN minimum_tls_version = 'TLS1_2' THEN sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' 
+ ELSE sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' + END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.12' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.12" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml index 0b9390159..eaeb5223e 100644 --- a/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml 
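Review bot: When `minimum_tls_version` is NULL, the ELSE branch of the reason CASE concatenates NULL with `||` and the whole reason becomes NULL, while status correctly falls to `'alarm'`; use `ELSE sa.name || ' minimum TLS version set to ' || COALESCE(minimum_tls_version, 'not set') || '.'` so the finding is explained. The `WHEN minimum_tls_version = 'TLS1_2'` branch of the reason CASE produces the same text as the ELSE branch and can be collapsed. If the Storage API ever reports a value newer than `TLS1_2`, this control alarms on it too; if the requirement is "at least 1.2", the status test should be an explicit allow-list rather than a single equality, with a comment stating the accepted values.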
@@ -1,55 +1,56 @@ id: azure_storage_account_queue_services_logging_enabled title: Ensure Storage logging is enabled for Queue service for read, write, and delete requests -description: 'The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.' +type: control +description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete - THEN sa.name || ' queue service logging enabled for read, write, delete requests.' - ELSE sa.name || ' queue service logging not enabled for: ' || - CONCAT_WS(', ', - CASE WHEN NOT queue_logging_write THEN 'write' END, - CASE WHEN NOT queue_logging_read THEN 'read' END, - CASE WHEN NOT queue_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN queue_logging_read AND queue_logging_write AND queue_logging_delete + THEN sa.name || ' queue service logging enabled for read, write, delete requests.' + ELSE sa.name || ' queue service logging not enabled for: ' || + CONCAT_WS(', ', + CASE WHEN NOT queue_logging_write THEN 'write' END, + CASE WHEN NOT queue_logging_read THEN 'read' END, + CASE WHEN NOT queue_logging_delete THEN 'delete' END + ) || ' requests.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.3' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.3" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml b/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml index 053bcaabc..e4a5c8860 100644 --- a/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml +++ b/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml 
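Review bot: If any of `queue_logging_read`/`queue_logging_write`/`queue_logging_delete` is NULL rather than false, the status is still `'alarm'` (a NULL in the `AND` chain never reaches `'ok'`), but the reason's `CASE WHEN NOT queue_logging_write THEN 'write' END` evaluates to NULL for a NULL input, `CONCAT_WS` drops it, and the message degrades to "queue service logging not enabled for:  requests." with nothing listed. Use `CASE WHEN queue_logging_write IS NOT TRUE THEN 'write' END` (and likewise for read and delete) so an unset flag is reported as missing. The three flag columns are also referenced unqualified while `sa.name` is qualified; prefixing them with `sa.` keeps the comma join from silently binding to the wrong table if `azure_subscription` ever gains a same-named column.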
@@ -1,37 +1,38 @@ id: azure_storage_account_restrict_network_access title: Storage accounts should restrict network access using virtual network rules +type: control description: Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_default_action = 'Deny' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN network_rule_default_action = 'Deny' THEN sa.name || ' blocks network access.' - ELSE sa.name || ' allows network access.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_default_action = 'Deny' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN network_rule_default_action = 'Deny' THEN sa.name || ' blocks network access.' + ELSE sa.name || ' allows network access.' + END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Storage + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Storage 
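Review bot: The reason strings overstate what the query establishes: the only input is `network_rule_default_action`, so "blocks network access" / "allows network access" should read as what was actually checked, e.g. `sa.name || ' default network rule action is Deny.'` and `sa.name || ' default network rule action is ' || COALESCE(network_rule_default_action, 'not set') || '.'` (the COALESCE also keeps the reason from becoming NULL when the column is NULL, a case the status already treats as alarm). The title promises verification of virtual network rules, but `virtual_network_rules` is never examined here even though the sibling `azure_storage_account_use_virtual_service_endpoint` control in this same commit does read it; a `Deny` default combined with a permissive IP rule set would pass unchanged. Either narrow the title/description to "default action is Deny" or extend the check, but the text and the SQL should agree.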
diff --git a/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml b/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml index 6db17914c..d0d18273b 100644 --- a/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml 
@@ -1,49 +1,50 @@ id: azure_storage_account_secure_transfer_required_enabled title: Secure transfer to storage accounts should be enabled +type: control description: Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT enable_https_traffic_only THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' - ELSE sa.name || ' encryption in transit enabled.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT enable_https_traffic_only THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT enable_https_traffic_only THEN sa.name || ' encryption in transit not enabled.' + ELSE sa.name || ' encryption in transit enabled.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.1' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.1" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml b/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml index 7d356d26d..79faf82b8 100644 --- a/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml 
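Review bot: The status expression fails open: `WHEN NOT enable_https_traffic_only THEN 'alarm' ELSE 'ok'` evaluates `NOT NULL` to NULL, so an account whose `enable_https_traffic_only` is NULL (property missing or not collected) lands in `ELSE 'ok'` and is reported as enforcing HTTPS. Invert it so the positive case is the one that must be proven: `WHEN enable_https_traffic_only THEN 'ok' ELSE 'alarm'`, and mirror the same inversion in the reason `CASE` so the two stay in step. For a CIS "automated" control that backs a PCI in-transit encryption requirement, an unknown value should alarm rather than pass.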
@@ -1,49 +1,50 @@ id: azure_storage_account_soft_delete_enabled title: Ensure soft delete is enabled for Azure Storage +type: control description: The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN NOT blob_soft_delete_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' - ELSE sa.name || ' blobs soft delete enabled.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN NOT blob_soft_delete_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT blob_soft_delete_enabled THEN sa.name || ' blobs soft delete disabled.' + ELSE sa.name || ' blobs soft delete enabled.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.8' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.8" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml index 88398aa98..541c1afb1 100644 --- a/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml 
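Review bot: Same fail-open shape as the secure-transfer control: `WHEN NOT blob_soft_delete_enabled THEN 'alarm' ELSE 'ok'` sends a NULL `blob_soft_delete_enabled` to `'ok'`, so an account where the value could not be read is reported as recoverable. Rewrite as `WHEN blob_soft_delete_enabled THEN 'ok' ELSE 'alarm'` and flip the reason `CASE` to match. The title and description speak of Azure Storage generally while only blob soft delete is evaluated; if the table also exposes container soft delete, consider checking it too, otherwise narrow the wording to blobs so the control does not claim more than it verifies.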
@@ -1,55 +1,56 @@ id: azure_storage_account_table_service_logging_enabled title: Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests -description: 'Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.' +type: control +description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." 
integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN table_logging_write AND table_logging_read AND table_logging_delete - THEN sa.name || ' table service logging enabled for read, write, delete requests.' - ELSE sa.name || ' table service logging not enabled for: ' || - concat_ws(', ', - CASE WHEN NOT table_logging_write THEN 'write' END, - CASE WHEN NOT table_logging_read THEN 'read' END, - CASE WHEN NOT table_logging_delete THEN 'delete' END - ) || ' requests.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN table_logging_write AND table_logging_read AND table_logging_delete + THEN sa.name || ' table service logging enabled for read, write, delete requests.' + ELSE sa.name || ' table service logging not enabled for: ' || + concat_ws(', ', + CASE WHEN NOT table_logging_write THEN 'write' END, + CASE WHEN NOT table_logging_read THEN 'read' END, + CASE WHEN NOT table_logging_delete THEN 'delete' END + ) || ' requests.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.14' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - automated - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.14" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - automated + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml index adddc70e7..ab860b9a7 100644 --- a/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml 
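Review bot: This control and `azure_storage_account_queue_services_logging_enabled` are near-identical, yet this one writes `concat_ws` in lowercase and the queue one `CONCAT_WS`, and both leave the `table_logging_*` flags unqualified while every other column carries the `sa.` prefix; pick one keyword case and qualify the flags so the two definitions can be diffed side by side. The reason branch has the same NULL blind spot as the queue control: `CASE WHEN NOT table_logging_write THEN 'write' END` yields NULL for a NULL flag and `concat_ws` drops it, producing an empty list in the alarm message; `CASE WHEN table_logging_write IS NOT TRUE THEN 'write' END` reports the unset flag instead. Status is unaffected because a NULL in the `AND` chain already falls to `'alarm'`.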
@@ -1,37 +1,38 @@ id: azure_storage_account_tables_logging_enabled title: Storage account logging (Classic Diagnostic Setting) for tables should be enabled +type: control description: Storage Logging records details of requests (read, write, and delete operations) against your Azure tables. This policy identifies Azure storage accounts that do not have logging enabled for tables. As a best practice, enable logging for read, write, and delete request types on tables. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN LOWER(sa.sku_tier) = 'standard' - AND (table_logging_write AND table_logging_read AND table_logging_delete) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN LOWER(sa.sku_tier) = 'standard' - AND (table_logging_write AND table_logging_read AND table_logging_delete) - THEN sa.name || ' storage account logging for tables is enabled.' - ELSE sa.name || ' storage account logging for tables is disabled for ' || - CONCAT_WS(', ', - CASE WHEN NOT table_logging_write THEN 'write' END, - CASE WHEN NOT table_logging_read THEN 'read' END, - CASE WHEN NOT table_logging_delete THEN 'delete' END - ) || ' requests.' 
- END AS reason - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN LOWER(sa.sku_tier) = 'standard' + AND (table_logging_write AND table_logging_read AND table_logging_delete) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN LOWER(sa.sku_tier) = 'standard' + AND (table_logging_write AND table_logging_read AND table_logging_delete) + THEN sa.name || ' storage account logging for tables is enabled.' + ELSE sa.name || ' storage account logging for tables is disabled for ' || + CONCAT_WS(', ', + CASE WHEN NOT table_logging_write THEN 'write' END, + CASE WHEN NOT table_logging_read THEN 'read' END, + CASE WHEN NOT table_logging_delete THEN 'delete' END + ) || ' requests.' + END AS reason + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml b/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml index aa0defc56..91ba76930 100644 --- a/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml 
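Review bot: For a non-standard `sku_tier` the status is unconditionally `'alarm'`, but when all three `table_logging_*` flags are true the `CONCAT_WS` list is empty and the reason reads "storage account logging for tables is disabled for  requests.", which is both empty and misleading; add a branch such as `WHEN LOWER(sa.sku_tier) <> 'standard' THEN sa.name || ' is not a standard tier account; classic table logging not evaluated.'` ahead of the generic message, and decide explicitly whether that case should alarm at all. This definition also omits the `sa.resource_group AS resource_group` and `sub.display_name AS subscription` output columns that every sibling storage control in this commit emits, so the join to `azure_subscription` here only filters rows; add the two columns for consistent downstream grouping. Unset flags should use `IS NOT TRUE` in the reason list so a NULL is reported rather than dropped.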
@@ -1,49 +1,50 @@ id: azure_storage_account_trusted_microsoft_services_enabled title: Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access +type: control description: Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id AS platform_integration_id, - sa.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' - ELSE sa.name || ' trusted Microsoft services enabled.' - END AS reason, - sa.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account sa, - azure_subscription sub - WHERE - sub.subscription_id = sa.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id AS platform_integration_id, + sa.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN sa.name || ' trusted Microsoft services not enabled.' + ELSE sa.name || ' trusted Microsoft services enabled.' 
+ END AS reason, + sa.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account sa, + azure_subscription sub + WHERE + sub.subscription_id = sa.subscription_id; severity: medium tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.7' - cis_level: - - '2' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.7" + cis_level: + - "2" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml index e8771c831..e940f958b 100644 --- a/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml 
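Review bot: `WHEN network_rule_bypass NOT LIKE '%AzureServices%' THEN 'alarm' ELSE 'ok'` fails open: when `network_rule_bypass` is NULL the `NOT LIKE` is NULL, the `ELSE 'ok'` branch fires, and an account whose bypass setting was not collected is reported as trusted-services-enabled. Invert it to `WHEN network_rule_bypass LIKE '%AzureServices%' THEN 'ok' ELSE 'alarm'` and mirror the change in the reason `CASE`. The substring match presumably relies on the connector flattening the bypass set to a delimited string; a one-line comment noting that assumption would help the next maintainer if the column becomes structured.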
@@ -1,50 +1,51 @@ id: azure_storage_account_use_virtual_service_endpoint title: Storage Accounts should use a virtual network service endpoint +type: control description: This policy audits any Storage Account not configured to use a virtual network service endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH storage_account_subnet AS ( - SELECT DISTINCT - a.id AS storage_account_id, - rule ->> 'id' AS id - FROM - azure_storage_account AS a, - jsonb_array_elements(virtual_network_rules) AS rule, - azure_subnet AS subnet, - jsonb_array_elements(service_endpoints) AS endpoints - WHERE - endpoints ->> 'service' LIKE '%Microsoft.Storage%' - ) - SELECT DISTINCT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN network_rule_default_action <> 'Deny' THEN 'alarm' - WHEN s.storage_account_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_default_action <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' - WHEN s.storage_account_id IS NULL THEN a.name || ' not configured with virtual service endpoint.' - ELSE a.name || ' configured with virtual service endpoint.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS a - LEFT JOIN storage_account_subnet AS s ON a.id = s.storage_account_id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + WITH storage_account_subnet AS ( + SELECT DISTINCT + a.id AS storage_account_id, + rule ->> 'id' AS id + FROM + azure_storage_account AS a, + jsonb_array_elements(virtual_network_rules) AS rule, + azure_subnet AS subnet, + jsonb_array_elements(service_endpoints) AS endpoints + WHERE + endpoints ->> 'service' LIKE '%Microsoft.Storage%' + ) + SELECT DISTINCT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN network_rule_default_action <> 'Deny' THEN 'alarm' + WHEN s.storage_account_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_default_action <> 'Deny' THEN a.name || ' not configured with virtual service endpoint.' + WHEN s.storage_account_id IS NULL THEN a.name || ' not configured with virtual service endpoint.' + ELSE a.name || ' configured with virtual service endpoint.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS a + LEFT JOIN storage_account_subnet AS s ON a.id = s.storage_account_id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - service: - - Azure/Storage + hipaa_hitrust_v92: + - "true" + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml b/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml index 1b4ea00fd..dbdabd7f5 100644 --- a/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml 
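Review bot: The `storage_account_subnet` CTE never relates a storage account's network rule to the subnet it names: it cross-joins `azure_storage_account`, `jsonb_array_elements(virtual_network_rules)`, `azure_subnet` and `jsonb_array_elements(service_endpoints)` with the only predicate being `endpoints ->> 'service' LIKE '%Microsoft.Storage%'`, so any account with at least one virtual network rule is marked `'ok'` as soon as any subnet in the subscription has a storage service endpoint, and the `rule ->> 'id'` column it selects is unused. Add the missing join, e.g. `AND LOWER(rule ->> 'id') = LOWER(subnet.id)` (resource IDs are compared case-insensitively; confirm the exact subnet ID column name in `azure_subnet`), which also collapses what is currently a Cartesian product over every subnet and endpoint. The `network_rule_default_action <> 'Deny'` guard before the CTE lookup is correct, but note that a NULL default action also alarms via the `ELSE`, which is the intended fail-closed behaviour and worth a comment.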
+++ b/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml 
@@ -1,37 +1,38 @@ id: azure_storage_account_uses_azure_resource_manager title: Storage accounts should be migrated to new Azure Resource Manager resources -description: 'Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.' +type: control +description: "Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN resource_group IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN resource_group IS NOT NULL THEN s.title || ' uses azure resource manager.' - ELSE s.title || ' not uses azure resource manager.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN resource_group IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN resource_group IS NOT NULL THEN s.title || ' uses azure resource manager.' + ELSE s.title || ' not uses azure resource manager.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - pci_dss_v321: - - 'true' - service: - - Azure/Storage + nist_sp_800_53_rev_5: + - "true" + pci_dss_v321: + - "true" + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_account_uses_private_link.yaml b/compliance/controls/azure/azure_storage_account_uses_private_link.yaml index 006598c77..21ccce465 100644 --- a/compliance/controls/azure/azure_storage_account_uses_private_link.yaml +++ b/compliance/controls/azure/azure_storage_account_uses_private_link.yaml 
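Review bot: The alarm reason `s.title || ' not uses azure resource manager.'` is ungrammatical and will surface verbatim in findings; use `s.title || ' does not use Azure Resource Manager.'` and capitalise the product name in the ok branch as well. The check itself treats `resource_group IS NOT NULL` as proof of an ARM deployment; if the inventory only ever lists ARM resources (every row already carries a resource group), this control can never alarm, so a one-line comment stating why a NULL resource group is taken as the classic-deployment signal would tell a reader whether that is intentional. `resource_group` is referenced unqualified in the `CASE` while the output column uses `s.resource_group`; qualify both.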
@@ -1,59 +1,60 @@ id: azure_storage_account_uses_private_link title: Storage accounts should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - WITH storage_account_connection AS ( - SELECT - DISTINCT a.id - FROM - azure_storage_account AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT - DISTINCT a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS a - LEFT JOIN storage_account_connection AS s ON a.id = s.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_storage_account + definition: | + WITH storage_account_connection AS ( + SELECT + DISTINCT a.id + FROM + azure_storage_account AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE + connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT + DISTINCT a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS a + LEFT JOIN storage_account_connection AS s ON a.id = s.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - category: - - Compliance - cis: - - 'true' - cis_item_id: - - '3.10' - cis_level: - - '1' - cis_section_id: - - '3' - cis_type: - - manual - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Storage + category: + - Compliance + cis: + - "true" + cis_item_id: + - "3.10" + cis_level: + - "1" + cis_section_id: + - "3" + cis_type: + - manual + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Storage diff --git a/compliance/controls/azure/azure_storage_sync_private_link_used.yaml b/compliance/controls/azure/azure_storage_sync_private_link_used.yaml index 041ad66bd..56cac1b58 100644 --- a/compliance/controls/azure/azure_storage_sync_private_link_used.yaml +++ b/compliance/controls/azure/azure_storage_sync_private_link_used.yaml 
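Review bot: An approved private endpoint connection is sufficient for `'ok'` here, but nothing in the query requires public network access to be restricted, so an account that has a private endpoint and still accepts public traffic passes; the sibling `azure_storage_sync_private_link_used` control in this commit does add the `incoming_traffic_policy = 'AllowAllTraffic'` alarm, and this one should apply the equivalent check if `azure_storage_account` exposes the public network access setting (verify the column name and values before relying on it). The description's "data leakage risks are reduced" is only true when the public endpoint is closed, so either extend the status `CASE` or soften the description. The reason strings `' not uses private link.'` / `' uses private link.'` should read `' does not use private link.'` / `' uses private link.'`.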
@@ -1,41 +1,42 @@ id: azure_storage_sync_private_link_used title: Azure File Sync should use private link +type: control description: Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_sync - definition: | - WITH storagesync_service_connection AS ( - SELECT DISTINCT a.id - FROM azure_storage_sync AS a, - jsonb_array_elements(private_endpoint_connections) AS connection - WHERE connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - SELECT a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN incoming_traffic_policy = 'AllowAllTraffic' THEN 'alarm' - WHEN c.id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN incoming_traffic_policy = 'AllowAllTraffic' THEN a.name || ' using public networks.' - WHEN c.id IS NULL THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM azure_storage_sync AS a - LEFT JOIN storagesync_service_connection AS c ON c.id = a.id, - azure_subscription AS sub - WHERE sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_storage_sync + definition: | + WITH storagesync_service_connection AS ( + SELECT DISTINCT a.id + FROM azure_storage_sync AS a, + jsonb_array_elements(private_endpoint_connections) AS connection + WHERE connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' + ) + SELECT a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN incoming_traffic_policy = 'AllowAllTraffic' THEN 'alarm' + WHEN c.id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN incoming_traffic_policy = 'AllowAllTraffic' THEN a.name || ' using public networks.' + WHEN c.id IS NULL THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM azure_storage_sync AS a + LEFT JOIN storagesync_service_connection AS c ON c.id = a.id, + azure_subscription AS sub + WHERE sub.subscription_id = a.subscription_id; severity: medium tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/FileSync + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/FileSync diff --git a/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml index d93561257..bbaa1809a 100644 --- a/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml 
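Review bot: The JSON path in the `storagesync_service_connection` CTE, `connection -> 'PrivateLinkServiceConnectionState' ->> 'status'`, differs in both nesting and key casing from the path the storage-account hunk uses (`connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status'`); jsonb key lookups are case-sensitive, so if `azure_storage_sync.private_endpoint_connections` actually uses the `properties`-nested lower-camel shape, the CTE never matches and every service is reported 'alarm' with no error to reveal it. Worth confirming against a real row before merging, and a one-line comment naming the expected element shape would help the next reader. The `incoming_traffic_policy = 'AllowAllTraffic'` guard is the right addition here, since, as the description itself says, a private endpoint alone does not disable the public endpoint.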
@@ -1,23 +1,24 @@ id: azure_stream_analytics_job_encrypted_with_cmk title: Azure Stream Analytics jobs should use customer-managed keys to encrypt data +type: control description: Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" diff --git a/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml b/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml index 66e6ac442..c133bca3b 100644 --- a/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml +++ b/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml 
@@ -1,65 +1,66 @@ id: azure_stream_analytics_job_logging_enabled title: Resource logs in Azure Stream Analytics should be enabled +type: control description: Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_stream_analytics_job - definition: | - WITH logging_details AS ( - SELECT - DISTINCT name AS job_name - FROM - azure_stream_analytics_job, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - WHERE - diagnostic_settings IS NOT NULL + language: sql + primary_resource: azure_stream_analytics_job + definition: | + WITH logging_details AS ( + SELECT + DISTINCT name AS job_name + FROM + azure_stream_analytics_job, + jsonb_array_elements(diagnostic_settings) setting, + jsonb_array_elements(setting -> 'properties' -> 'logs') log + WHERE + diagnostic_settings IS NOT NULL + AND ( + ( + (log ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN + AND (log -> 'retentionPolicy')::JSONB ? 'days' + ) + OR + ( + (log ->> 'enabled')::BOOLEAN AND ( - ( - (log ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy' ->> 'enabled')::BOOLEAN - AND (log -> 'retentionPolicy')::JSONB ? 
'days' - ) - OR - ( - (log ->> 'enabled')::BOOLEAN - AND ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - OR setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) + log -> 'retentionPolicy' ->> 'enabled' <> 'true' + OR setting -> 'properties' ->> 'storageAccountId' = '' ) + ) ) - SELECT - v.job_id AS resource, - v.platform_integration_id AS platform_integration_id, - v.platform_resource_id AS platform_resource_id, - CASE - WHEN v.diagnostic_settings IS NULL THEN 'alarm' - WHEN l.job_name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' - WHEN l.job_name IS NULL THEN v.name || ' logging not enabled.' - ELSE v.name || ' logging enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_stream_analytics_job AS v - LEFT JOIN logging_details AS l ON v.name = l.job_name, - azure_subscription AS sub - WHERE - sub.subscription_id = v.subscription_id; + ) + SELECT + v.job_id AS resource, + v.platform_integration_id AS platform_integration_id, + v.platform_resource_id AS platform_resource_id, + CASE + WHEN v.diagnostic_settings IS NULL THEN 'alarm' + WHEN l.job_name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.diagnostic_settings IS NULL THEN v.name || ' logging not enabled.' + WHEN l.job_name IS NULL THEN v.name || ' logging not enabled.' + ELSE v.name || ' logging enabled.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_stream_analytics_job AS v + LEFT JOIN logging_details AS l ON v.name = l.job_name, + azure_subscription AS sub + WHERE + sub.subscription_id = v.subscription_id; severity: medium tags: - hipaa_hitrust_v92: - - 'true' - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/StreamAnalytics + hipaa_hitrust_v92: + - "true" + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/StreamAnalytics 
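Review bot: The outer query joins `logging_details` on `v.name = l.job_name` while identifying the resource by `v.job_id`; job names are not guaranteed unique across resource groups or subscriptions in the inventory, so a job with diagnostics enabled can make a same-named job elsewhere report 'ok'. Carrying the id through the CTE and joining on it, e.g. `SELECT DISTINCT job_id FROM azure_stream_analytics_job, ...` and `LEFT JOIN logging_details AS l ON v.job_id = l.job_id`, removes the collision. The two-branch `OR` in the CTE reduces to "any enabled log category passes, unless retention is turned on with a storage account configured but no `days` key" — that is not obvious from the layout, so a comment stating it above the `AND (` would save re-deriving it. `jsonb_array_elements(setting -> 'properties' -> 'logs') log` is an implicit alias; `AS log` would match the `AS` style used elsewhere in this file.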
diff --git a/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml b/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml
index 0fd778272..415bbdd08 100644
--- a/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml
+++ b/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml
@@ -1,29 +1,30 @@ id: azure_synapse_workspace_data_exfiltration_protection_enabled title: Synapse workspaces should have data exfiltration protection enabled +type: control description: This control checks whether Synapse workspace has data exfiltration protection enabled. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_synapse_workspace - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN managed_virtual_network_settings ->> 'preventDataExfiltration' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN managed_virtual_network_settings ->> 'preventDataExfiltration' = 'true' THEN s.title || ' data exfiltration protection enabled.' - ELSE s.title || ' data exfiltration protection disabled.' - END AS reason - FROM - azure_synapse_workspace AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_synapse_workspace + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN managed_virtual_network_settings ->> 'preventDataExfiltration' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN managed_virtual_network_settings ->> 'preventDataExfiltration' = 'true' THEN s.title || ' data exfiltration protection enabled.' + ELSE s.title || ' data exfiltration protection disabled.' + END AS reason + FROM + azure_synapse_workspace AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: low tags: {} diff --git a/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml index 7496b88a6..77a59de20 100644 
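Review bot: The SELECT cross-joins `azure_subscription AS sub` but never outputs `sub.display_name AS subscription` or `s.resource_group AS resource_group`, which the sibling Synapse controls in this diff (`..._encryption_at_rest_using_cmk`, `..._private_link_used`, `..._vulnerability_assessment_enabled`) all return; as written the join acts only as a filter. Adding `s.resource_group AS resource_group, sub.display_name AS subscription` after the `reason` column makes the result shape consistent with them. `tags: {}` also leaves this control without the `service` tag its siblings carry, which matters if downstream grouping keys on it.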
--- a/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml
+++ b/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml
@@ -1,35 +1,36 @@ id: azure_synapse_workspace_encryption_at_rest_using_cmk title: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest +type: control description: Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_synapse_workspace - definition: | - SELECT - s.id AS resource, - s.platform_integration_id AS platform_integration_id, - s.platform_resource_id AS platform_resource_id, - CASE - WHEN encryption -> 'CmkKey' ->> 'name' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption -> 'CmkKey' ->> 'name' IS NOT NULL THEN s.title || ' encrypted with CMK.' - ELSE s.title || ' not encrypted with CMK.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_synapse_workspace AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_synapse_workspace + definition: | + SELECT + s.id AS resource, + s.platform_integration_id AS platform_integration_id, + s.platform_resource_id AS platform_resource_id, + CASE + WHEN encryption -> 'CmkKey' ->> 'name' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption -> 'CmkKey' ->> 'name' IS NOT NULL THEN s.title || ' encrypted with CMK.' + ELSE s.title || ' not encrypted with CMK.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_synapse_workspace AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SynapseAnalytics + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SynapseAnalytics diff --git a/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml b/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml index 7c976c07f..76f77ad13 100644 --- a/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml +++ b/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml 
@@ -1,35 +1,36 @@ id: azure_synapse_workspace_private_link_used title: Azure Synapse workspaces should use private link +type: control description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_synapse_workspace - definition: | - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' THEN a.name || ' uses private link.' - ELSE a.name || ' not uses private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_synapse_workspace AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_synapse_workspace + definition: | + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' THEN a.name || ' uses private link.' + ELSE a.name || ' not uses private link.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_synapse_workspace AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: low tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SynapseAnalytics + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SynapseAnalytics diff --git a/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml b/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml index a7db3f880..3ff9a2d6e 100644 --- a/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml +++ b/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml 
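Review bot: The containment test `private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'` assumes a flattened key on each array element, whereas the storage controls earlier in this diff read the status from a nested `privateLinkServiceConnectionState` object; `@>` silently yields false on a shape mismatch, so every workspace would read 'alarm' with nothing to flag the error. Confirm the key name against an actual row of `azure_synapse_workspace.private_endpoint_connections`, and add a comment above the first CASE such as `-- elements are expected to carry a top-level privateLinkServiceConnectionStateStatus key` so the assumption is visible.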
@@ -1,48 +1,49 @@ id: azure_synapse_workspace_vulnerability_assessment_enabled title: Vulnerability assessment should be enabled on your Synapse workspaces +type: control description: Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_synapse_workspace - definition: | - WITH synapse_workspace AS ( - SELECT - id, - name, - subscription_id, - resource_group - FROM - azure_synapse_workspace, - jsonb_array_elements(workspace_managed_sql_server_vulnerability_assessments) AS w - WHERE - w -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' - ) - SELECT - a.id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN s.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.id IS NOT NULL THEN a.name || ' vulnerability assessment enabled.' - ELSE a.name || ' vulnerability assessment disabled.' 
- END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_synapse_workspace AS a - LEFT JOIN synapse_workspace AS s ON s.id = a.id, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_synapse_workspace + definition: | + WITH synapse_workspace AS ( + SELECT + id, + name, + subscription_id, + resource_group + FROM + azure_synapse_workspace, + jsonb_array_elements(workspace_managed_sql_server_vulnerability_assessments) AS w + WHERE + w -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' + ) + SELECT + a.id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN s.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.id IS NOT NULL THEN a.name || ' vulnerability assessment enabled.' + ELSE a.name || ' vulnerability assessment disabled.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_synapse_workspace AS a + LEFT JOIN synapse_workspace AS s ON s.id = a.id, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - nist_sp_800_53_rev_5: - - 'true' - service: - - Azure/SynapseAnalytics + nist_sp_800_53_rev_5: + - "true" + service: + - Azure/SynapseAnalytics diff --git a/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml b/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml index ffc3a7789..3d70094dd 100644 --- a/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml +++ b/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml 
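Review bot: The `synapse_workspace` CTE has no `DISTINCT`, unlike the equivalent CTEs in the storage-account and storage-sync hunks, so a workspace whose `workspace_managed_sql_server_vulnerability_assessments` array holds more than one element with recurring scans enabled produces one output row per matching element after `LEFT JOIN synapse_workspace AS s ON s.id = a.id`. `SELECT DISTINCT id` is enough — the CTE's `name`, `subscription_id` and `resource_group` columns are never referenced — or the check can move into an `EXISTS` subquery in the CASE. A short comment on the CTE stating that it lists workspaces with at least one recurring-scan-enabled assessment would also make the intent explicit.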
@@ -1,23 +1,24 @@ id: azure_web_pub_sub_private_link_used title: Azure Web PubSub Service should use private link -description: 'Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.' +type: control +description: "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink." integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: '' - definition: | - SELECT - id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - 'info' AS status, - 'Manual verification required.' AS reason, - display_name AS subscription - FROM - azure_subscription; + language: sql + primary_resource: "" + definition: | + SELECT + id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + 'info' AS status, + 'Manual verification required.' AS reason, + display_name AS subscription + FROM + azure_subscription; severity: low tags: - manual-verification: - - 'true' + manual-verification: + - "true" 
diff --git a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml
index af70a765a..57f4bd19f 100644
--- a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml
+++ b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml
@@ -1,53 +1,54 @@ id: entraid_spn_with_active_client_secret_created_x_days_ago title: Service Principal Keys in AzureAD need to comply with Key Rotation Policy +type: control description: SPNs in AzureAD should not have more than one active Client Secret created X days ago integration_type: - - azure_subscription +- azure_subscription parameters: - - key: entraidClientSecretExpireDays - value: '' +- key: entraidClientSecretExpireDays + value: "" policy: - language: sql - primary_resource: entraid_service_principal - definition: | - WITH entraid_spn AS ( - SELECT - id, - display_name, - platform_integration_id, - platform_resource_id, - subscription_id, - ( - SELECT COUNT(*) - FROM jsonb_array_elements(password_credentials) AS pc - WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND - NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval - ) AS active_client_secret_count, - ( - SELECT STRING_AGG(pc ->> 'DisplayName', ', ') - FROM jsonb_array_elements(password_credentials) AS pc - WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND - NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval - ) AS Ids - FROM - entraid_service_principal - ) - SELECT - id AS resource, - CASE - WHEN active_client_secret_count > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN active_client_secret_count > 0 THEN display_name || ' has ' || active_client_secret_count || ' active client secrets created {{.entraidClientSecretExpireDays}} days ago: [' || Ids || ']' - ELSE display_name || ' has no active client secrets created {{.entraidClientSecretExpireDays}} days ago' - END AS reason, - platform_integration_id, - platform_resource_id, - subscription_id - FROM - entraid_spn + language: sql + primary_resource: entraid_service_principal + definition: | + WITH entraid_spn AS ( + SELECT + id, + display_name, + platform_integration_id, + platform_resource_id, + subscription_id, + ( + SELECT COUNT(*) + 
FROM jsonb_array_elements(password_credentials) AS pc + WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND + NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval + ) AS active_client_secret_count, + ( + SELECT STRING_AGG(pc ->> 'DisplayName', ', ') + FROM jsonb_array_elements(password_credentials) AS pc + WHERE (pc ->> 'EndDateTime')::timestamp > NOW() AND + NOW() - (pc ->> 'StartDateTime')::timestamp > '{{.entraidClientSecretExpireDays}} days'::interval + ) AS Ids + FROM + entraid_service_principal + ) + SELECT + id AS resource, + CASE + WHEN active_client_secret_count > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN active_client_secret_count > 0 THEN display_name || ' has ' || active_client_secret_count || ' active client secrets created {{.entraidClientSecretExpireDays}} days ago: [' || Ids || ']' + ELSE display_name || ' has no active client secrets created {{.entraidClientSecretExpireDays}} days ago' + END AS reason, + platform_integration_id, + platform_resource_id, + subscription_id + FROM + entraid_spn severity: high tags: - score_service_name: - - Azure Active Directory (Azure AD) + score_service_name: + - Azure Active Directory (Azure AD) diff --git a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml index 0bf7fb0f9..183866952 100644 --- a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml +++ b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml 
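Review bot: `'{{.entraidClientSecretExpireDays}} days'::interval` splices the control parameter into a SQL string literal, and the default declared in this file is `value: ""`, so an unconfigured run renders `' days'::interval`, which Postgres rejects and the control errors instead of reporting; the MFA hunk that follows uses the same template-into-SQL pattern with `entraidAccountStatusInclude`. If the parameter mechanism supports binding, `make_interval(days => $1)` keeps the value out of the query text; otherwise declare a non-empty integer default and add a comment stating that the value must be a plain integer because it is rendered into the query. The two correlated subqueries over `password_credentials` repeat the same WHERE, so a single LATERAL aggregate producing both `active_client_secret_count` and the name list would keep the two thresholds from drifting apart; the `Ids` alias also breaks the file's snake_case convention.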
@@ -1,47 +1,48 @@ id: entraid_user_should_have_mfa_enabled_with_azure_subscription_role_assignment title: AzureAD Users should have MFA Enabled with Azure subscription role assignment +type: control description: AzureAD Users should have MFA Enabled with Azure subscription role assignment integration_type: - - azure_subscription +- azure_subscription parameters: - - key: entraidAccountStatusInclude - value: '' +- key: entraidAccountStatusInclude + value: "" policy: - language: sql - primary_resource: entraid_user - definition: | - WITH users_with_roles AS ( - SELECT DISTINCT - u.id AS id, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - u.display_name AS display_name, - u.subscription_id AS subscription_id, - u.account_enabled AS account_enabled, - u.tenant_id AS tenant_id - FROM entraid_user AS u - JOIN azure_user_effective_access AS ea ON u.id = ea.principal_id - ) - SELECT - u.id AS resource, - u.platform_integration_id AS platform_integration_id, - u.platform_resource_id AS platform_resource_id, - CASE - WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'skip' - WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'User is not included' - WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN u.display_name || ' does not have MFA enabled' - ELSE u.display_name || ' has MFA' - END AS reason, - u.tenant_id - FROM - users_with_roles AS u - LEFT JOIN entraid_user_registration_details AS rd ON u.id = rd.id - WHERE EXISTS (SELECT 1 FROM azure_user_effective_access AS ea WHERE u.id = ea.principal_id) + language: sql + primary_resource: entraid_user + 
definition: | + WITH users_with_roles AS ( + SELECT DISTINCT + u.id AS id, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + u.display_name AS display_name, + u.subscription_id AS subscription_id, + u.account_enabled AS account_enabled, + u.tenant_id AS tenant_id + FROM entraid_user AS u + JOIN azure_user_effective_access AS ea ON u.id = ea.principal_id + ) + SELECT + u.id AS resource, + u.platform_integration_id AS platform_integration_id, + u.platform_resource_id AS platform_resource_id, + CASE + WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'skip' + WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN COALESCE(NULLIF('{{.entraidAccountStatusInclude}}', ''), 'true,false,null') NOT LIKE ('%' || COALESCE(u.account_enabled::text, 'null') || '%') THEN 'User is not included' + WHEN rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL THEN u.display_name || ' does not have MFA enabled' + ELSE u.display_name || ' has MFA' + END AS reason, + u.tenant_id + FROM + users_with_roles AS u + LEFT JOIN entraid_user_registration_details AS rd ON u.id = rd.id + WHERE EXISTS (SELECT 1 FROM azure_user_effective_access AS ea WHERE u.id = ea.principal_id) severity: high tags: - score_service_name: - - Azure Active Directory (Azure AD) + score_service_name: + - Azure Active Directory (Azure AD) diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml index 9670292a6..f53efcb0a 100644 --- a/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml 
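Review bot: The closing `WHERE EXISTS (SELECT 1 FROM azure_user_effective_access AS ea WHERE u.id = ea.principal_id)` is redundant: `users_with_roles` already inner-joins `entraid_user` to `azure_user_effective_access` on that predicate, so every row of `u` satisfies it and the clause can be dropped. `rd.is_mfa_registered::bool = false OR rd.is_mfa_registered::bool IS NULL`, repeated in both CASEs, is the three-valued spelling of `rd.is_mfa_registered::bool IS NOT TRUE`, which reads as the intended "not registered or unknown" check. The `NOT LIKE ('%' || ... || '%')` membership test against `'{{.entraidAccountStatusInclude}}'` is a substring match on template-rendered text — the concern raised on the previous hunk applies — and a comment stating the expected comma-separated `true`/`false`/`null` format would at least document what the parameter must look like.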
@@ -1,39 +1,40 @@ id: aws_access_keys_during_initial_iam_user_setup title: Access Keys During Initial IAM User Setup +type: control description: Ensure no access keys are created during IAM user initial setup with AWS Management Console. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN (access_key_1_last_rotated - user_creation_time < '5 second'::interval) - AND (access_key_1_last_used_date IS NULL) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (access_key_1_last_rotated - user_creation_time < '5 second'::interval) - AND (access_key_1_last_used_date IS NULL) THEN 'access key 1 is considered as unused and is better to be removed' - WHEN (access_key_1_last_rotated IS NULL) THEN 'access key 1 is not defined' - ELSE 'access key 1 is being used' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN (access_key_1_last_rotated - user_creation_time < '5 second'::interval) + AND (access_key_1_last_used_date IS NULL) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (access_key_1_last_rotated - user_creation_time < '5 second'::interval) + AND (access_key_1_last_used_date IS NULL) THEN 'access key 1 is considered as unused and is better to be removed' + WHEN (access_key_1_last_rotated IS NULL) THEN 'access key 1 is not defined' + ELSE 'access key 1 is being used' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - 
score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml index e0b8cfbf6..b3b33bf1c 100644 --- a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml 
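Review bot: The new-side CASEs evaluate only the `access_key_1_*` columns; the IAM credential report also carries a second slot (`access_key_2_last_rotated`, `access_key_2_last_used_date`), so an unused key created together with the user in slot 2 passes this control unnoticed. Either repeat the predicate for the `access_key_2_*` columns in both CASEs or state in a comment that only the first slot is assessed. Separately, when `access_key_1_last_rotated IS NULL` the status CASE yields 'ok' while the reason says 'access key 1 is not defined'; the rotation control in the next hunk uses 'skip' for not-applicable rows, and `WHEN access_key_1_last_rotated IS NULL THEN 'skip'` as the first status branch would align the two.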
@@ -1,38 +1,39 @@ id: aws_access_keys_rotated_45_days title: Access Keys Rotated 45 Days +type: control description: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 Days). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_access_key - definition: | - SELECT - access_key_id AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN status <> 'Active' THEN 'skip' - WHEN create_date + '45 days'::interval < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status <> 'Active' THEN 'key is not activated' - WHEN create_date + '45 days'::interval < now() THEN 'key is too old' - ELSE 'key is not old yet' - END AS reason, - region, - account_id - FROM - aws_iam_access_key v + language: sql + primary_resource: aws_iam_access_key + definition: | + SELECT + access_key_id AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN status <> 'Active' THEN 'skip' + WHEN create_date + '45 days'::interval < now() THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status <> 'Active' THEN 'key is not activated' + WHEN create_date + '45 days'::interval < now() THEN 'key is too old' + ELSE 'key is not old yet' + END AS reason, + region, + account_id + FROM + aws_iam_access_key v severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys 
diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml index b609bd424..58d5f8a1a 100644 --- a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml @@ -1,20 +1,24 @@ id: aws_access_keys_rotated_x_days title: Access Keys Rotated X Days +type: control description: Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (X Days). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsIamAccessKeyAge - value: '180' +- key: awsIamAccessKeyAge + value: "180" policy: - "@ref" : "aws_iam_access_keys_policy" + "@ref": aws_iam_access_keys_policy + language: "" + primary_resource: "" + definition: "" severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml b/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml index adc96cd78..be3f03171 100644 --- a/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml 
@@ -1,37 +1,38 @@ id: aws_account_alternate_contacts title: Account Alternate Contacts +type: control description: Ensure alternate contacts are set to improve the security of your AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - a.account_id AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN c.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.name IS NULL THEN 'account does not have any alternate contact' - ELSE 'account has an alternate contact' - END AS reason, - a.region, - a.account_id - FROM aws_account AS a - LEFT JOIN aws_account_alternate_contact AS c - ON a.account_id = c.account_id + language: sql + primary_resource: aws_account + definition: | + SELECT + a.account_id AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN c.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.name IS NULL THEN 'account does not have any alternate contact' + ELSE 'account has an alternate contact' + END AS reason, + a.region, + a.account_id + FROM aws_account AS a + LEFT JOIN aws_account_alternate_contact AS c + ON a.account_id = c.account_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml b/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml index 73c904536..3a294cff7 100644 
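Review bot: The `LEFT JOIN aws_account_alternate_contact AS c` in the new definition yields one result row per contact, so an account with several alternate contacts (billing, operations and security are separate entries) is reported several times under the same `resource`, all with status `ok`. Testing for presence keeps exactly one row per account: `CASE WHEN NOT EXISTS (SELECT 1 FROM aws_account_alternate_contact AS c WHERE c.account_id = a.account_id) THEN 'alarm' ELSE 'ok' END`, after which the join can be dropped and the `a.` qualifiers become optional. The same per-joined-row duplication applies to the `aws_check_for_individual_iam_users` hunk further down, where `LEFT JOIN aws_iam_user AS u` produces one account row per IAM user; an `EXISTS` test fixes it the same way.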
--- a/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml 
@@ -1,36 +1,37 @@ id: aws_allow_iam_users_to_change_their_own_password title: Allow IAM Users to Change Their Own Password +type: control description: Ensure that all IAM users are allowed to change their own console password. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' THEN 'user is able to change its own password' - ELSE 'user is not able to change its own password' - END AS reason, - region, - account_id - FROM - aws_iam_user v + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' THEN 'user is able to change its own password' + ELSE 'user is not able to change its own password' + END AS reason, + region, + account_id + FROM + aws_iam_user v severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
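Review bot: The test `attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%'` sees only managed policies attached directly to the user, so users who obtain the permission through a group, an inline policy, or the account password policy's allow-users-to-change-password setting are reported `alarm`. The pattern is also pinned to the `aws` partition, so the same managed policy in a GovCloud or China partition ARN falls through to `alarm`. If the narrower scope is intentional, say so in `description` (e.g. `Ensure every IAM user has the IAMUserChangePassword managed policy attached directly.`); otherwise the check should be extended to group-attached policies. The alias `v` on `aws_iam_user v` is unused and can be dropped.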
diff --git a/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml b/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml index e8ce45622..be224a212 100644 --- a/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml 
@@ -1,139 +1,140 @@ id: aws_approved_ecs_execute_command_access title: Approved ECS Execute Command Access +type: control description: Ensure that all access to the ECS Execute Command action is approved integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEcsExecuteCommandIamArns - value: '' +- key: awsEcsExecuteCommandIamArns + value: "" policy: - language: sql - primary_resource: '' - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - 'aws_iam_user' AS platform_table_name, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_user - - UNION ALL - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - 'aws_iam_role' AS platform_table_name, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN 
aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_role - - UNION ALL - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - 'aws_iam_group' AS platform_table_name, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS ap - LEFT JOIN aws_iam_policy AS p ON p.arn = ap - WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' - ) - AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') - THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_group + language: sql + primary_resource: 
"" + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + 'aws_iam_user' AS platform_table_name, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + ELSE 'ok' + END AS reason, + region, + account_id + FROM + aws_iam_user + + UNION ALL + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + 'aws_iam_role' AS platform_table_name, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + WHEN EXISTS ( + SELECT 1 + 
FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + ELSE 'ok' + END AS reason, + region, + account_id + FROM + aws_iam_role + + UNION ALL + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + 'aws_iam_group' AS platform_table_name, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (inline_policies_std::text LIKE '%ecs:ExecuteCommand%') + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS ap + LEFT JOIN aws_iam_policy AS p ON p.arn = ap + WHERE p.policy::text LIKE '%ecs:ExecuteCommand%' + ) + AND ('{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%') + THEN 'user is not authorized to do this ecs action' + ELSE 'ok' + END AS reason, + region, + account_id + FROM + aws_iam_group severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + 
score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml b/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml index 3e7266048..ad41465ec 100644 --- a/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml 
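Review bot: The substring tests `inline_policies_std::text LIKE '%ecs:ExecuteCommand%'` and `p.policy::text LIKE '%ecs:ExecuteCommand%'` match only the explicit action name, so a policy granting `ecs:*` or `*` carries the permission yet is reported `ok`, while a statement whose `Effect` is `Deny` for that action is reported `alarm`. The overly-permissive-group-policies hunk below already walks `jsonb_array_elements(policy_std -> 'Statement')` and reads `s ->> 'Effect'`; the same approach here would make the check sound. The approval test `'{{.awsEcsExecuteCommandIamArns}}' NOT LIKE '%' || arn || '%'` is also a substring match, so an ARN that is a prefix of an approved ARN is treated as approved. The `reason` column's `ELSE 'ok'` and the role/group branches reusing `'user is not authorized to do this ecs action'` do not describe the resource; something like `name || ' has an unapproved ecs:ExecuteCommand grant'` / `name || ' has no unapproved ecs:ExecuteCommand grant'` would. The three `UNION ALL` branches differ only in the source table and could share the predicate through a CTE.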
@@ -1,45 +1,46 @@ id: aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances title: Attach Policy to IAM Roles Associated with App-Tier EC2 Instances +type: control description: Ensure IAM policy for EC2 IAM roles for app tier is configured. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsAppTierTags - value: '' +- key: awsAppTierTags + value: "" policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - i.platform_integration_id, - i.platform_resource_id, - CASE - WHEN r.inline_policies IS NULL AND r.attached_policy_arns IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.iam_instance_profile_arn IS NULL THEN instance_id || ' has no role attached' - WHEN r.inline_policies IS NULL AND r.attached_policy_arns IS NULL THEN instance_id || ' role does not have any policy' - ELSE instance_id || ' role has policy' - END AS reason, - i.region, - i.account_id - FROM - aws_ec2_instance AS i - LEFT JOIN aws_iam_role AS r ON split_part(i.iam_instance_profile_arn, ':instance-profile/', 2) = r.name - WHERE - i.tags::text LIKE '%' || REPLACE(REPLACE(( - SELECT jsonb_object_agg(key, value)::text - FROM jsonb_each_text('{{.awsAppTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%' + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + i.platform_integration_id, + i.platform_resource_id, + CASE + WHEN r.inline_policies IS NULL AND r.attached_policy_arns IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.iam_instance_profile_arn IS NULL THEN instance_id || ' has no role attached' + WHEN r.inline_policies IS NULL AND r.attached_policy_arns IS NULL THEN instance_id || ' role does not have any policy' + ELSE instance_id || ' role has policy' + END AS reason, + i.region, + i.account_id + FROM + aws_ec2_instance AS i + LEFT JOIN aws_iam_role AS r ON split_part(i.iam_instance_profile_arn, 
':instance-profile/', 2) = r.name + WHERE + i.tags::text LIKE '%' || REPLACE(REPLACE(( + SELECT jsonb_object_agg(key, value)::text + FROM jsonb_each_text('{{.awsAppTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%' severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml b/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml index 417d7c193..e142d7c13 100644 --- a/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml 
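Review bot: With the default `value: ""`, `jsonb_each_text('{{.awsAppTierTags}}'::jsonb)` expands to `''::jsonb`, which Postgres rejects as invalid JSON input, so the control errors instead of evaluating until the parameter is set; `NULLIF('{{.awsAppTierTags}}', '')::jsonb` or a documented default of `"{}"` avoids that. The join `split_part(i.iam_instance_profile_arn, ':instance-profile/', 2) = r.name` assumes the instance profile and its role share a name, which is the common default but not required, so instances whose profile is named differently get `r.*` NULL and are reported as having no policy. The tag filter `i.tags::text LIKE '%' || ... || '%'` is a substring match over serialized JSON and also matches tag values that merely contain the configured text; a containment test on the jsonb column would be exact.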
@@ -1,50 +1,51 @@ id: aws_canary_access_token title: Canary Access Token +type: control description: Detects when a canary token access key has been used integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH users AS ( - SELECT - user_id, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_credential_report AS r ON r.user_arn = u.arn - WHERE - u.inline_policies IS NULL - AND u.attached_policy_arns IS NULL - AND ((NOT r.password_enabled::BOOL) - AND (r.access_key_1_active OR r.access_key_2_active)) - ) - - SELECT - account_id AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS(SELECT 1 FROM users AS u WHERE u.account_id = a.account_id) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS(SELECT 1 FROM users AS u WHERE u.account_id = a.account_id) THEN 'Canary access tokens are used within your AWS account.' - ELSE 'Canary access tokens are not currently used within your AWS account.' - END AS reason, - region, - account_id - FROM - aws_account AS a + language: sql + primary_resource: aws_account + definition: | + WITH users AS ( + SELECT + user_id, + u.account_id + FROM + aws_iam_user AS u + LEFT JOIN aws_iam_credential_report AS r ON r.user_arn = u.arn + WHERE + u.inline_policies IS NULL + AND u.attached_policy_arns IS NULL + AND ((NOT r.password_enabled::BOOL) + AND (r.access_key_1_active OR r.access_key_2_active)) + ) + + SELECT + account_id AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS(SELECT 1 FROM users AS u WHERE u.account_id = a.account_id) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS(SELECT 1 FROM users AS u WHERE u.account_id = a.account_id) THEN 'Canary access tokens are used within your AWS account.' + ELSE 'Canary access tokens are not currently used within your AWS account.' 
+ END AS reason, + region, + account_id + FROM + aws_account AS a severity: critical tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml index b6751f743..2fcff5503 100644 --- a/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml 
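Review bot: The `description` says the control detects when a canary token access key has been used, but the new definition reports `ok` when at least one policy-less, console-less user with an active access key exists and `alarm` otherwise, i.e. it checks that canary-style users are deployed, not that one was used; the `ok` reason text `'Canary access tokens are used within your AWS account.'` repeats the mismatch. Either the description should read `Checks that at least one canary access key user is present in the account` or the logic should consult a usage signal such as `access_key_1_last_used_date`, which the report also exposes. Inside the `users` CTE the `LEFT JOIN aws_iam_credential_report AS r` is filtered on `r.*` columns in `WHERE`, so it behaves as an inner join and is clearer written as one. The heuristic also counts users that inherit permissions through group membership as canaries, since only `u.inline_policies` and `u.attached_policy_arns` are inspected.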
@@ -1,36 +1,37 @@ id: aws_check_for_iam_user_group_membership title: Check for IAM User Group Membership +type: control description: Ensure that all Amazon IAM users have group memberships. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN groups IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN groups IS NULL THEN name || ' does not belong to any IAM group.' - ELSE name || ' belongs to at least one IAM group.' - END AS reason, - region, - account_id - FROM - aws_iam_user + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN groups IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN groups IS NULL THEN name || ' does not belong to any IAM group.' + ELSE name || ' belongs to at least one IAM group.' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml index b40011b41..5570ebff9 100644 --- a/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml 
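Review bot: `WHEN groups IS NULL THEN 'alarm'` treats only a SQL NULL as "no memberships"; if `groups` is a JSON array column, a user with no groups may be represented as `[]`, which is not NULL and would be reported `ok`. Unless the source is known to null out empty memberships, write `WHEN groups IS NULL OR jsonb_array_length(groups) = 0 THEN 'alarm'` (adjusted to the column's actual type) and mirror it in the `reason` branch.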
@@ -1,38 +1,39 @@ id: aws_check_for_individual_iam_users title: Check for Individual IAM Users +type: control description: Ensure there is at least one IAM user used to access your AWS cloud account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - a.account_id AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN user_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN u.user_id IS NULL THEN a.account_id || ' account has no user' - ELSE a.account_id || ' account has user' - END AS reason, - a.region, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_iam_user AS u - ON a.account_id = u.account_id + language: sql + primary_resource: aws_account + definition: | + SELECT + a.account_id AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN user_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN u.user_id IS NULL THEN a.account_id || ' account has no user' + ELSE a.account_id || ' account has user' + END AS reason, + a.region, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_iam_user AS u + ON a.account_id = u.account_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml index 7ecf626e4..b8a105379 100644 
--- a/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml 
@@ -1,76 +1,77 @@ id: aws_check_for_overly_permissive_iam_group_policies title: Check for Overly Permissive IAM Group Policies +type: control description: Ensure that Amazon IAM policies attached to IAM groups aren't too permissive. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_group - definition: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action + language: sql + primary_resource: aws_iam_group + definition: | + WITH too_permissive_policies AS ( + SELECT + arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('*', '*:*') + AND s ->> 'Effect' = 'Allow' + ) + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action WHERE action IN ('*', '*:*') AND s ->> 'Effect' = 'Allow' - ) - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'alarm' - 
ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) THEN 'there is too permissive attached policy' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'there is too permissive inline policy' - ELSE 'there is no too permissive policy' - END AS reason, - region, - account_id - FROM - aws_iam_group AS g + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) THEN 'there is too permissive attached policy' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('*', '*:*') + AND s ->> 'Effect' = 'Allow' + ) THEN 'there is too permissive inline policy' + ELSE 'there is no too permissive policy' + END AS reason, + region, + account_id + FROM + aws_iam_group AS g severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
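Review bot: Inside both `EXISTS` subqueries, `LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn WHERE tp.arn IS NOT NULL` is an inner join written the long way; `INNER JOIN too_permissive_policies AS tp ON parn = tp.arn` with no `WHERE` states the intent directly. The wildcard test `action IN ('*', '*:*')` also ignores `NotAction` statements and service-wide grants such as `iam:*`, which a reader of the title "Overly Permissive" may expect to be covered; stating the scope in `description` (e.g. `Flags groups whose attached or inline policies allow the full '*' action.`) would set expectations.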
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml index 20dad6852..f8be177dc 100644 --- a/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml 
@@ -1,56 +1,57 @@ id: aws_check_for_untrusted_cross_account_iam_roles title: Check for Untrusted Cross-Account IAM Roles +type: control description: Ensure that AWS IAM roles cannot be used by untrusted accounts via cross-account access feature. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsTrustedAccounts - value: '' +- key: awsTrustedAccounts + value: "" policy: - language: sql - primary_resource: aws_iam_role - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' AND ((s ->> 'Principal')::text = '\"*\"' OR - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN 'alarm' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' - WHEN EXISTS ( - SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' AND NOT('{{.awsTrustedAccounts}}' LIKE ('%' || ((s -> 'Principal' ->> 'AWS')::text) || '%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' AND ((s ->> 'Principal')::text = '\"*\"' OR - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN name || ' is publicly accessible' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' - WHEN EXISTS ( - SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' AND NOT('{{.awsTrustedAccounts}}' LIKE ('%' || ((s -> 'Principal' ->> 'AWS')::text) || '%')) - ) THEN name || ' is not configured to allow access only to trusted AWS accounts' - ELSE name || ' is configured to allow access only to trusted AWS accounts' - END AS reason, - region, - account_id - FROM - aws_iam_role + language: sql + primary_resource: aws_iam_role + definition: | + 
SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' AND ((s ->> 'Principal')::text = '\"*\"' OR + (s ->> 'Principal')::text = '{"AWS": "*"}') + ) THEN 'alarm' + WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' + WHEN EXISTS ( + SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' AND NOT('{{.awsTrustedAccounts}}' LIKE ('%' || ((s -> 'Principal' ->> 'AWS')::text) || '%')) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' AND ((s ->> 'Principal')::text = '\"*\"' OR + (s ->> 'Principal')::text = '{"AWS": "*"}') + ) THEN name || ' is publicly accessible' + WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' + WHEN EXISTS ( + SELECT 1 FROM JSONB_ARRAY_ELEMENTS(assume_role_policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' AND NOT('{{.awsTrustedAccounts}}' LIKE ('%' || ((s -> 'Principal' ->> 'AWS')::text) || '%')) + ) THEN name || ' is not configured to allow access only to trusted AWS accounts' + ELSE name || ' is configured to allow access only to trusted AWS accounts' + END AS reason, + region, + account_id + FROM + aws_iam_role severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
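Review bot: The public-principal test in the first `WHEN EXISTS` never matches a bare `"Principal": "*"`: `s ->> 'Principal'` yields the unquoted text `*`, while the literal `'\"*\"'` is the five characters `\"*\"` under default `standard_conforming_strings` (and `"*"` if escapes were processed), so such a role falls through to the trusted-accounts branch, where `s -> 'Principal' ->> 'AWS'` is NULL for a string principal, the whole predicate is NULL, and the role ends up `ok`. A `"Principal": {"AWS": ["arn:...", "*"]}` array is missed the same way, and its serialized text is then fed to the `LIKE` against the parameter. Use jsonb containment instead, e.g. `(s -> 'Principal' @> '"*"'::jsonb OR s -> 'Principal' -> 'AWS' @> '"*"'::jsonb)`, and unnest `s -> 'Principal' -> 'AWS'` with `jsonb_array_elements_text` when it is an array before checking each entry against the trusted list. The substring `LIKE` also accepts a partial account id; comparing whole entries with `= ANY(string_to_array('{{.awsTrustedAccounts}}', ','))` is safer, assuming the parameter is comma separated.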
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml b/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml index 8795ebfb9..8a701944b 100644 --- a/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml 
@@ -1,38 +1,39 @@ id: aws_check_that_only_safelisted_iam_users_exist title: Check that only safelisted IAM Users exist +type: control description: Ensure that only safelisted IAM Users exist within your AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsApprovedIamUsers - value: '' +- key: awsApprovedIamUsers + value: "" policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' THEN name || ' user is approved' - ELSE name || ' user is not approved' - END AS reason, - region, - account_id - FROM - aws_iam_user v + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' THEN name || ' user is approved' + ELSE name || ' user is not approved' + END AS reason, + region, + account_id + FROM + aws_iam_user v severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
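Review bot: `'{{.awsApprovedIamUsers}}' LIKE '%' || name || '%'` is a substring test, so a user named `bob` is approved whenever any approved name contains `bob` (`bobby`, `alice-bob`), and `_`, which IAM permits in user names, acts as a single-character wildcard; with the default empty parameter every user alarms. Split the list and compare whole names, e.g. `name = ANY(string_to_array('{{.awsApprovedIamUsers}}', ','))` (assuming a comma-separated value; trim entries if spaces are allowed), and consider a `skip` or `info` status when the parameter is empty, as `aws_check_for_untrusted_cross_account_iam_roles` does for its list. The parameter is interpolated into the SQL text, so a value containing a single quote breaks the query; if the template layer does not escape it, that constraint should be documented on the parameter.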
diff --git a/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml b/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml index dfb5a92b0..0bbba11c8 100644 --- a/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml 
@@ -1,77 +1,78 @@ id: aws_credentials_last_used title: Credentials Last Used +type: control description: Ensure that unused AWS IAM credentials are decommissioned to follow security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - user_name, - platform_integration_id, - platform_resource_id, - CASE - WHEN NOT password_enabled::bool THEN 'skip' - WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled::bool THEN 'password is disabled' - WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'the password is considered unused and its better to be removed' - ELSE 'the password is being used' - END AS reason, - region, - account_id - FROM aws_iam_credential_report - - UNION ALL - - SELECT - user_name, - platform_integration_id, - platform_resource_id, - CASE - WHEN NOT access_key_1_active::bool THEN 'skip' - WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT access_key_1_active::bool THEN 'access key 1 is disabled' - WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 1 is considered unused and its better to be removed' - ELSE 'access key 1 is being used' - END AS reason, - region, - account_id - FROM aws_iam_credential_report - - UNION ALL - - SELECT - user_name, - platform_integration_id, - platform_resource_id, - CASE - WHEN NOT access_key_2_active::bool THEN 'skip' - WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT access_key_2_active::bool THEN 'access key 2 is disabled' - WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 2 is considered unused and its better to be removed' - ELSE 'access key 2 is being used' - END AS reason, - region, - account_id - FROM 
aws_iam_credential_report; + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + user_name, + platform_integration_id, + platform_resource_id, + CASE + WHEN NOT password_enabled::bool THEN 'skip' + WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled::bool THEN 'password is disabled' + WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'the password is considered unused and its better to be removed' + ELSE 'the password is being used' + END AS reason, + region, + account_id + FROM aws_iam_credential_report + + UNION ALL + + SELECT + user_name, + platform_integration_id, + platform_resource_id, + CASE + WHEN NOT access_key_1_active::bool THEN 'skip' + WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT access_key_1_active::bool THEN 'access key 1 is disabled' + WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 1 is considered unused and its better to be removed' + ELSE 'access key 1 is being used' + END AS reason, + region, + account_id + FROM aws_iam_credential_report + + UNION ALL + + SELECT + user_name, + platform_integration_id, + platform_resource_id, + CASE + WHEN NOT access_key_2_active::bool THEN 'skip' + WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT access_key_2_active::bool THEN 'access key 2 is disabled' + WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 2 is considered unused and its better to be removed' + ELSE 'access key 2 is being used' + END AS reason, + region, + account_id + FROM aws_iam_credential_report; severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - 
score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml b/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml index b645dd811..ccd94d7e9 100644 --- a/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml 
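Review bot: An active password or access key that has never been used is reported `ok`: if `password_last_used` / `access_key_N_last_used_date` is NULL for never-used credentials, `NULL < NOW() - INTERVAL '90 days'` is NULL and the `CASE` falls to the `ELSE` branch, the opposite of what a dormant-credential control intends. Treat NULL as unused in each of the three branches, e.g. `WHEN password_last_used IS NULL OR password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm'` (an unused key younger than 90 days could be tolerated by also comparing its creation date, if the report exposes it). If the report stores `N/A`/`no_information` as text rather than NULL, the comparison needs an explicit cast plus the same guard. Minor: `its better to be removed` should read `it's better to be removed`, and the first column should be aliased `AS resource` like the other controls.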
@@ -1,43 +1,44 @@ id: aws_cross_account_access_lacks_external_id_and_mfa title: Cross-Account Access Lacks External ID and MFA +type: control description: Ensure cross-account access roles are using Multi-Factor Authentication (MFA) or External IDs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - SELECT - r.arn AS resource, - r.platform_integration_id, - r.platform_resource_id, - CASE - WHEN (s -> 'Principal' ->> 'AWS') IS NULL - OR NOT ((s -> 'Principal' ->> 'AWS') ~ '^arn:aws:iam::[0-9]+:root$') THEN 'pass' - WHEN ((s ->> 'Condition') LIKE '%aws:MultiFactorAuthPresent%') - OR ((s ->> 'Condition') LIKE '%sts:ExternalId%') THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (s -> 'Principal' ->> 'AWS') IS NULL - OR NOT ((s -> 'Principal' ->> 'AWS') ~ '^arn:aws:iam::[0-9]+:root$') THEN r.title || ' cross-account access not enabled.' - WHEN ((s ->> 'Condition') LIKE '%aws:MultiFactorAuthPresent%') - OR ((s ->> 'Condition') LIKE '%sts:ExternalId%') THEN 'MFA enabled for cross-account access' - ELSE r.title || ' MFA not enabled for cross-account access' - END AS reason, - region, - account_id - FROM - aws_iam_role AS r, - jsonb_array_elements(assume_role_policy -> 'Statement') AS s + language: sql + primary_resource: aws_iam_role + definition: | + SELECT + r.arn AS resource, + r.platform_integration_id, + r.platform_resource_id, + CASE + WHEN (s -> 'Principal' ->> 'AWS') IS NULL + OR NOT ((s -> 'Principal' ->> 'AWS') ~ '^arn:aws:iam::[0-9]+:root$') THEN 'pass' + WHEN ((s ->> 'Condition') LIKE '%aws:MultiFactorAuthPresent%') + OR ((s ->> 'Condition') LIKE '%sts:ExternalId%') THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (s -> 'Principal' ->> 'AWS') IS NULL + OR NOT ((s -> 'Principal' ->> 'AWS') ~ '^arn:aws:iam::[0-9]+:root$') THEN r.title || ' cross-account access not enabled.' 
+ WHEN ((s ->> 'Condition') LIKE '%aws:MultiFactorAuthPresent%') + OR ((s ->> 'Condition') LIKE '%sts:ExternalId%') THEN 'MFA enabled for cross-account access' + ELSE r.title || ' MFA not enabled for cross-account access' + END AS reason, + region, + account_id + FROM + aws_iam_role AS r, + jsonb_array_elements(assume_role_policy -> 'Statement') AS s severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml b/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml index 07b8db655..a9640d0d7 100644 --- a/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml 
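Review bot: The first branch treats anything that is not exactly `arn:aws:iam::<id>:root` as "cross-account access not enabled" and returns `pass`, so a trust policy granting `arn:aws:iam::<other-id>:role/x` or `:user/y`, an array of principals (whose `->>` text never matches the regex), or a principal in another partition is never checked for MFA/ExternalId; `pass` is also not one of the statuses (`ok`/`alarm`/`skip`/`info`) the neighbouring controls use. Match any IAM principal from a different account, e.g. `(s -> 'Principal' ->> 'AWS') ~ '^arn:aws[a-z-]*:iam::[0-9]{12}:' AND split_part(s -> 'Principal' ->> 'AWS', ':', 5) <> r.account_id`, unnesting with `jsonb_array_elements_text` when the value is an array, and return `skip` for the no-cross-account case. `LIKE '%aws:MultiFactorAuthPresent%'` also accepts `"aws:MultiFactorAuthPresent": "false"`; testing `s -> 'Condition' -> 'Bool' ->> 'aws:MultiFactorAuthPresent' = 'true'` (and `sts:ExternalId` under `StringEquals`) is more precise. The `ok` reason claims MFA is enabled even when only an external ID was found.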
@@ -1,77 +1,78 @@ id: aws_ec2_purchase_restriction title: Amazon EC2 Purchase Restriction +type: control description: Restrict unintended IAM users from purchasing Amazon EC2 Reserved Instances and/or Savings Plans. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsAllowedUsersPurchaseEc2 - value: '' +- key: awsAllowedUsersPurchaseEc2 + value: "" policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action + language: sql + primary_resource: aws_iam_user + definition: | + WITH too_permissive_policies AS ( + SELECT + arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') + ) + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) + AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'alarm' + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') + AND s ->> 'Effect' = 'Allow' + ) + AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) + AND 
'{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'User has access to purchase EC2 but is not in your organization allowed list' + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action WHERE action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') + AND s ->> 'Effect' = 'Allow' ) - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) - AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'alarm' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') - AND s ->> 'Effect' = 'Allow' - ) - AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) - AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'User has access to purchase EC2 but is not in your organization allowed list' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') - AND s ->> 'Effect' = 'Allow' - ) - AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || 
'%' THEN 'User has access to purchase EC2 but is not in your organization allowed list' - ELSE 'User either does not have access to purchase EC2 or is in the allowed list' - END AS reason, - region, - account_id - FROM - aws_iam_user + AND '{{.awsAllowedUsersPurchaseEc2}}' NOT LIKE '%' || name || '%' THEN 'User has access to purchase EC2 but is not in your organization allowed list' + ELSE 'User either does not have access to purchase EC2 or is in the allowed list' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml b/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml index 4325566d4..d44acce63 100644 --- a/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml 
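Review bot: The `too_permissive_policies` CTE has no `s ->> 'Effect' = 'Allow'` filter, unlike the inline-policy branch, so a managed policy that explicitly denies `ec2:PurchaseReservedInstancesOffering` raises an alarm for every user it is attached to; add `AND s ->> 'Effect' = 'Allow'` to the CTE. The exact `action IN (...)` match also ignores `*`, `ec2:*`, `ec2:Purchase*` and `savingsplans:*`, which grant the same capability, and if `policy_std` stores actions in lower case (Steampipe's canonical form does) the mixed-case literals never match at all — compare with `lower(action)` and include the wildcard forms. Group-attached policies are not considered, so a user inheriting the permission through a group is reported `ok`, and the allow-list uses the same substring `LIKE` as the other IAM controls and should compare whole names.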
@@ -1,36 +1,37 @@ id: aws_enable_mfa_for_iam_users_with_console_password title: Enable MFA for IAM Users with Console Password +type: control description: Ensure that Multi-Factor Authentication (MFA) is enabled for all Amazon IAM users with console access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN mfa_enabled = FALSE OR mfa_devices IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN mfa_enabled = FALSE OR mfa_devices IS NULL THEN name || ' is not MFA-protected.' - ELSE name || ' is MFA-protected.' - END AS reason, - region, - account_id - FROM - aws_iam_user + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN mfa_enabled = FALSE OR mfa_devices IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN mfa_enabled = FALSE OR mfa_devices IS NULL THEN name || ' is not MFA-protected.' + ELSE name || ' is MFA-protected.' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml index b1a3b0e06..1198df870 100644 
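Review bot: The query scans every row of `aws_iam_user` without checking for a console password, although the title and description scope the control to users with console access, so API-only users with no login profile are reported as `alarm`. Filter on the login-profile/password attribute if `aws_iam_user` exposes one, or source the check from `aws_iam_credential_report` where `password_enabled` and `mfa_active` sit side by side (as `aws_credentials_last_used` in this same change does), returning `skip` for users without a password. `mfa_devices IS NULL` does not distinguish an empty list (`[]`) from NULL; `jsonb_array_length(mfa_devices) = 0` or relying on `mfa_enabled` alone would be clearer.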
--- a/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml 
@@ -1,77 +1,78 @@ id: aws_enforce_infrastructure_as_code_using_iam_policies title: Enforce Infrastructure as Code using IAM Policies +type: control description: Enforce Infrastructure as Code by controlling access for requests made on your behalf. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction + language: sql + primary_resource: aws_iam_user + definition: | + WITH too_permissive_policies AS ( + SELECT + arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'NotAction') AS notAction + WHERE + notAction IN ('cloudformation:*') + AND s ->> 'Effect' = 'Deny' + AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' + ) + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) + THEN 'ok' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'NotAction') AS notAction + WHERE + notAction IN ('cloudformation:*') + AND s ->> 'Effect' = 'Deny' + AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' + ) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) + THEN 'IAM user is forced to deploy AWS resources via CloudFormation 
only' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'NotAction') AS notAction WHERE notAction IN ('cloudformation:*') AND s ->> 'Effect' = 'Deny' AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' ) - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) - THEN 'ok' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction - WHERE - notAction IN ('cloudformation:*') - AND s ->> 'Effect' = 'Deny' - AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' - ) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) - THEN 'IAM user is forced to deploy AWS resources via CloudFormation only' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction - WHERE - notAction IN ('cloudformation:*') - AND s ->> 'Effect' = 'Deny' - AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' - ) - THEN 'IAM user is forced to deploy AWS resources via CloudFormation only' - ELSE 'IAM user is not forced to deploy AWS resources via CloudFormation only' - END AS reason, - region, - account_id - FROM - aws_iam_user AS g + THEN 'IAM user is forced 
to deploy AWS resources via CloudFormation only' + ELSE 'IAM user is not forced to deploy AWS resources via CloudFormation only' + END AS reason, + region, + account_id + FROM + aws_iam_user AS g severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml b/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml index 12b50827b..95570b4b7 100644 --- a/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml 
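Review bot: `s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst'` only matches a scalar condition value; if a policy lists the value in an array (`["cloudformation.amazonaws.com"]`), `->>` returns the array text and the Deny is not recognised, so a compliant user alarms. Compare with containment instead, e.g. `s -> 'Condition' -> 'StringNotEquals' -> 'aws:CalledViaFirst' @> '"cloudformation.amazonaws.com"'::jsonb`, which handles both forms, and if `policy_std` lower-cases condition keys (Steampipe's canonical form does) the key literal should be lower-cased too. The CTE name `too_permissive_policies` is misleading here: it selects the Deny policies that enforce CloudFormation-only deployment, so `cloudformation_only_policies` would read correctly. Policies attached via groups are not examined, so a user enforced through group membership is reported as not enforced.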
@@ -1,36 +1,37 @@ id: aws_expired_ssl_tls_certificate title: Expired SSL/TLS Certificate +type: control description: Ensure expired SSL/TLS certificates are removed from AWS IAM. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN expiration < NOW() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < NOW() THEN 'certificate has been expired' - ELSE 'certificate is not expired' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN expiration < NOW() THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < NOW() THEN 'certificate has been expired' + ELSE 'certificate is not expired' + END AS reason, + region, + account_id + FROM + aws_iam_server_certificate severity: low tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Expiring Certificates - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Expiring Certificates + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Expiring Certificates + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Expiring Certificates diff --git a/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml b/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml index e95c5e257..90b08ffe6 100644 --- a/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml 
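Review bot: The control is tagged `Expiring Certificates` but only flags certificates whose `expiration` is already in the past, so an operator gets no warning before a certificate lapses. A lead-time branch, e.g. `WHEN expiration < NOW() + INTERVAL '30 days' THEN 'info'` with a reason such as `certificate expires within 30 days`, keeps the alarm semantics and surfaces imminent expiry; the window is a guess and would be better exposed as a control parameter. The reason `certificate has been expired` should read `certificate has expired`.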
@@ -1,42 +1,43 @@ id: aws_hardware_mfa_for_aws_root_account title: Hardware MFA for AWS Root Account +type: control description: Ensure hardware MFA is enabled for the 'root' account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - (r.user_name || ' in account ' || r.account_id) AS resource, - r.platform_integration_id, - r.platform_resource_id, - CASE - WHEN NOT r.mfa_active::bool THEN 'alarm' - WHEN m.serial_number IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT r.mfa_active::bool THEN 'mfa is not activated' - WHEN m.serial_number IS NOT NULL THEN 'user is using virtual mfa' - ELSE 'user is using hardware mfa' - END AS reason, - r.region, - r.account_id - FROM - aws_iam_credential_report AS r - LEFT JOIN aws_iam_virtual_mfa_device AS m - ON (m.user -> 'Arn')::text = r.user_arn - WHERE - r.user_name = '' + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + (r.user_name || ' in account ' || r.account_id) AS resource, + r.platform_integration_id, + r.platform_resource_id, + CASE + WHEN NOT r.mfa_active::bool THEN 'alarm' + WHEN m.serial_number IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT r.mfa_active::bool THEN 'mfa is not activated' + WHEN m.serial_number IS NOT NULL THEN 'user is using virtual mfa' + ELSE 'user is using hardware mfa' + END AS reason, + r.region, + r.account_id + FROM + aws_iam_credential_report AS r + LEFT JOIN aws_iam_virtual_mfa_device AS m + ON (m.user -> 'Arn')::text = r.user_arn + WHERE + r.user_name = '' severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management 
(IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml index 85f2fe169..77af551dd 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml 
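Review bot: The virtual-MFA join `(m.user -> 'Arn')::text = r.user_arn` compares the jsonb text form, which keeps the quotes (`"arn:aws:iam::...:root"`), with the plain `user_arn`, so it never matches; `m.serial_number` is always NULL and every root with MFA active is reported as `user is using hardware mfa`, which defeats the control. Use the text extractor: `ON (m.user ->> 'Arn') = r.user_arn`. `WHERE r.user_name = ''` is also suspicious — in the IAM credential report the root row is named `<root_account>`; if this platform does not rewrite that value the query returns no rows at all, so confirm against a real report.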
@@ -1,44 +1,45 @@ id: aws_iam_access_analyzer_findings title: IAM Access Analyzer Findings +type: control description: Ensure that IAM Access Analyzer findings are reviewed and resolved to maintain access security to your AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_accessanalyzer_analyzer - definition: | - SELECT - a.name AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(findings) AS f - WHERE (f ->> 'Status') = 'ACTIVE' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(findings) AS f - WHERE (f ->> 'Status') = 'ACTIVE' - ) THEN 'There are unresolved findings in this analyzer' - ELSE 'There is no unresolved findings in this analyzer' - END AS reason, - a.region, - a.account_id - FROM - aws_accessanalyzer_analyzer AS a + language: sql + primary_resource: aws_accessanalyzer_analyzer + definition: | + SELECT + a.name AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(findings) AS f + WHERE (f ->> 'Status') = 'ACTIVE' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(findings) AS f + WHERE (f ->> 'Status') = 'ACTIVE' + ) THEN 'There are unresolved findings in this analyzer' + ELSE 'There is no unresolved findings in this analyzer' + END AS reason, + a.region, + a.account_id + FROM + aws_accessanalyzer_analyzer AS a severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + 
score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml index 80646332c..d7d64bf0f 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml 
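Review bot: The `EXISTS` over `jsonb_array_elements(findings)` is written out twice, once for `status` and once for `reason`; computing it once as a boolean in a CTE or `CROSS JOIN LATERAL` keeps the two columns from drifting when the condition is edited (the same duplication appears in the aws_iam_access_analyzer_in_use and aws_iam_role_policy_too_permissive hunks). The `ok` message has a grammar slip and should read `'There are no unresolved findings in this analyzer'`. Note that an analyzer whose `findings` column is NULL reports `ok`, which is only right if the collector stores an empty list for "no findings" rather than NULL for "findings not fetched" — worth confirming.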
@@ -1,46 +1,47 @@ id: aws_iam_access_analyzer_in_use title: IAM Access Analyzer in Use +type: control description: Ensure that IAM Access Analyzer feature is enabled to maintain access security to your AWS resources. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - a.account_id AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM aws_accessanalyzer_analyzer AS an - WHERE a.account_id = an.account_id - LIMIT 1 - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM aws_accessanalyzer_analyzer AS an - WHERE a.account_id = an.account_id - LIMIT 1 - ) THEN 'Amazon IAM Access Analyzer feature is used to protect your cloud resources' - ELSE 'There are no access analyzers available on this account' - END AS reason, - a.region, - a.account_id - FROM - aws_account AS a + language: sql + primary_resource: aws_account + definition: | + SELECT + a.account_id AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM aws_accessanalyzer_analyzer AS an + WHERE a.account_id = an.account_id + LIMIT 1 + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM aws_accessanalyzer_analyzer AS an + WHERE a.account_id = an.account_id + LIMIT 1 + ) THEN 'Amazon IAM Access Analyzer feature is used to protect your cloud resources' + ELSE 'There are no access analyzers available on this account' + END AS reason, + a.region, + a.account_id + FROM + aws_account AS a severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + 
platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml index 77a9d3177..8a6ce5f2c 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml 
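Review bot: The `EXISTS` only proves that an analyzer row exists for the account, not that it is usable; if `aws_accessanalyzer_analyzer` exposes the analyzer status (the AWS API reports ACTIVE, CREATING, DISABLED or FAILED), both subqueries should filter on it, e.g. `WHERE a.account_id = an.account_id AND an.status = 'ACTIVE'`, otherwise a disabled or failed analyzer satisfies the control. The `LIMIT 1` inside `EXISTS` is redundant — `EXISTS` already stops at the first row — and can be dropped from both subqueries.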
@@ -1,36 +1,37 @@ id: aws_iam_group_with_inline_policies title: IAM Group With Inline Policies +type: control description: Ensure IAM groups don't have inline policies attached. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_group - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN inline_policies IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN inline_policies IS NULL THEN name || ' is not using inline policies' - ELSE name || ' is using inline policies' - END AS reason, - region, - account_id - FROM - aws_iam_group + language: sql + primary_resource: aws_iam_group + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN inline_policies IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN inline_policies IS NULL THEN name || ' is not using inline policies' + ELSE name || ' is using inline policies' + END AS reason, + region, + account_id + FROM + aws_iam_group severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml index 2d907cb1e..bd7ad4baa 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml 
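Review bot: `inline_policies IS NULL` treats an empty JSON array as "is using inline policies", so if the collector populates `inline_policies` with `[]` for groups that have none, every such group alarms. A NULL- and empty-safe test is `WHEN inline_policies IS NULL OR jsonb_array_length(inline_policies) = 0 THEN 'ok'` (assuming the column is jsonb, as the `jsonb_array_elements(inline_policies_std)` usage in the role control suggests), applied to both the `status` and `reason` branches. The aws_iam_user_no_policies hunk relies on the same `IS NULL` test for both `attached_policy_arns` and `inline_policies`.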
@@ -1,36 +1,37 @@ id: aws_iam_groups_with_administrative_privileges title: IAM Groups with Administrative Privileges +type: control description: Ensure there are no IAM groups with administrative permissions available in your AWS cloud account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_group - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AdministratorAccess%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AdministratorAccess%' THEN name || ' IAM group has AWS administrator-level permissions' - ELSE name || ' IAM group does not have AWS administrator-level permissions' - END AS reason, - region, - account_id - FROM - aws_iam_group + language: sql + primary_resource: aws_iam_group + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AdministratorAccess%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AdministratorAccess%' THEN name || ' IAM group has AWS administrator-level permissions' + ELSE name || ' IAM group does not have AWS administrator-level permissions' + END AS reason, + region, + account_id + FROM + aws_iam_group severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
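Review bot: The `LIKE '%arn:aws:iam::aws:policy/AdministratorAccess%'` substring match over the cast JSON array is both too narrow and too wide: it misses the managed policy in the `aws-us-gov` and `aws-cn` partitions, and it also matches `AdministratorAccess-Amplify`, which is a different managed policy. Matching the array elements exactly avoids both, e.g. `WHEN EXISTS (SELECT 1 FROM jsonb_array_elements_text(attached_policy_arns) AS p WHERE p LIKE 'arn:%:iam::aws:policy/AdministratorAccess') THEN 'alarm'`, used for both `status` and `reason`. The aws_iam_support_role hunk has the same partition limitation in its `ILIKE '%arn:aws:iam::aws:policy/AWSSupportAccess%'` filter.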
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml index a4096b7dc..e773dd25b 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml 
@@ -1,40 +1,41 @@ id: aws_iam_password_policy title: IAM Password Policy +type: control description: Ensure that your AWS cloud account has a strong IAM password policy in use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - a.account_id AS resource, - a.platform_integration_id AS platform_integration_id, - a.platform_resource_id AS platform_resource_id, - CASE - WHEN p.account_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.account_id IS NULL THEN a.account_id || ' is not configured with a custom IAM password policy' - ELSE a.account_id || ' is configured with a custom IAM password policy' - END AS reason, - a.region, - a.account_id - FROM - aws_account a - LEFT JOIN - aws_iam_account_password_policy AS p - ON - p.account_id = a.account_id + language: sql + primary_resource: aws_account + definition: | + SELECT + a.account_id AS resource, + a.platform_integration_id AS platform_integration_id, + a.platform_resource_id AS platform_resource_id, + CASE + WHEN p.account_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.account_id IS NULL THEN a.account_id || ' is not configured with a custom IAM password policy' + ELSE a.account_id || ' is configured with a custom IAM password policy' + END AS reason, + a.region, + a.account_id + FROM + aws_account a + LEFT JOIN + aws_iam_account_password_policy AS p + ON + p.account_id = a.account_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
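Review bot: The query only checks that a row exists in `aws_iam_account_password_policy`, while the description promises a *strong* policy; an account with a custom policy of minimum length 6 and no character-class requirements passes. If the table exposes the policy attributes (the AWS API returns MinimumPasswordLength, RequireSymbols, RequireNumbers, RequireUppercaseCharacters, RequireLowercaseCharacters, MaxPasswordAge and PasswordReusePrevention), the `ok` branch should test at least the minimum length and the character-class flags — column names to be confirmed against the table. Otherwise the description should be narrowed to what is checked, e.g. "has a custom IAM password policy". Minor: `aws_account a` lacks the `AS` the rest of the file uses.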
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml index 8a5f6355b..6553b81cc 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml 
@@ -1,37 +1,38 @@ id: aws_iam_policies_with_effect_set_to_allow_and_notaction title: IAM Policies with Effect set to Allow and NotAction +type: control description: Ensure that IAM policies do not use "Allow" in combination with "NotAction" element to follow IAM security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN (s -> 'NotAction' IS NOT NULL AND s ->> 'Effect' = 'Allow') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (s -> 'NotAction' IS NOT NULL AND s ->> 'Effect' = 'Allow') THEN name || ' has allowed nonAction policy' - ELSE name || ' does not have allowed nonAction policy' - END AS reason, - region, - account_id - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s + language: sql + primary_resource: aws_iam_policy + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN (s -> 'NotAction' IS NOT NULL AND s ->> 'Effect' = 'Allow') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (s -> 'NotAction' IS NOT NULL AND s ->> 'Effect' = 'Allow') THEN name || ' has allowed nonAction policy' + ELSE name || ' does not have allowed nonAction policy' + END AS reason, + region, + account_id + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
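Review bot: The cross join with `jsonb_array_elements(policy_std -> 'Statement') AS s` emits one row per statement but keys each row on `name AS resource`, so a multi-statement policy appears several times and can report both `ok` and `alarm` for the same resource. Evaluate per policy instead: keep `aws_iam_policy` as the only row source and move the statement scan into `EXISTS (SELECT 1 FROM jsonb_array_elements(policy_std -> 'Statement') AS s WHERE s -> 'NotAction' IS NOT NULL AND s ->> 'Effect' = 'Allow')`, used by both `status` and `reason`. The aws_iam_policies_with_full_administrative_privileges hunk has the same per-statement fan-out on `arn AS resource`. The reason text 'nonAction' presumably means 'NotAction'.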
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml index 8aafbe890..edfc4678d 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml 
@@ -1,51 +1,52 @@ id: aws_iam_policies_with_full_administrative_privileges title: IAM Policies With Full Administrative Privileges +type: control description: Ensure IAM policies that allow full '*:*' administrative privileges aren't created. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_policy - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(stmt -> 'Action') AS a - WHERE a = '*' - ) - AND stmt ->> 'Effect' = 'Allow' - AND stmt ->> 'Resource' = '[\"*\"]' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(stmt -> 'Action') AS a - WHERE a = '*' - ) - AND stmt ->> 'Effect' = 'Allow' - AND stmt ->> 'Resource' = '[\"*\"]' - THEN 'policy allows full administrative privileges' - ELSE 'policy does not allow full administrative privileges' - END AS reason, - region, - account_id - FROM - aws_iam_policy AS p, - jsonb_array_elements(p.policy_std -> 'Statement') AS stmt + language: sql + primary_resource: aws_iam_policy + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(stmt -> 'Action') AS a + WHERE a = '*' + ) + AND stmt ->> 'Effect' = 'Allow' + AND stmt ->> 'Resource' = '[\"*\"]' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(stmt -> 'Action') AS a + WHERE a = '*' + ) + AND stmt ->> 'Effect' = 'Allow' + AND stmt ->> 'Resource' = '[\"*\"]' + THEN 'policy allows full administrative privileges' + ELSE 'policy does not allow full administrative privileges' + END AS reason, + region, + account_id + FROM + aws_iam_policy AS p, + jsonb_array_elements(p.policy_std -> 'Statement') AS stmt severity: high tags: - platform_score_cloud_service_name: - - AWS Identity 
and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml index a9adef5df..8c75391d9 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml 
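Review bot: The resource test `stmt ->> 'Resource' = '[\"*\"]'` cannot succeed under the default `standard_conforming_strings = on`: the YAML block scalar passes the backslashes through, so the literal is the eight characters `[\"*\"]`, whereas `->>` on a `["*"]` array yields `["*"]` (and on a bare `"*"` string yields `*`). Test the element instead, `AND stmt -> 'Resource' ? '*'`, which covers both the array and the scalar form, in both the `status` and `reason` branches. Also, the action test `a = '*'` does not recognise `*:*`, which the aws_iam_role_policy_too_permissive hunk treats as equivalent; `WHERE a IN ('*', '*:*')` keeps the two controls consistent.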
@@ -1,76 +1,77 @@ id: aws_iam_role_policy_too_permissive title: IAM Role Policy Too Permissive +type: control description: Ensure that the access policies attached to your IAM roles adhere to the principle of least privilege. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_role - definition: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action + language: sql + primary_resource: aws_iam_role + definition: | + WITH too_permissive_policies AS ( + SELECT + arn + FROM + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('*', '*:*') + AND s ->> 'Effect' = 'Allow' + ) + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) THEN 'alarm' + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action WHERE action IN ('*', '*:*') AND s ->> 'Effect' = 'Allow' - ) - - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) THEN 'alarm' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'alarm' - ELSE 'ok' - 
END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn - WHERE tp.arn IS NOT NULL - ) THEN 'there is too permissive attached policy' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, - jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'there is too permissive inline policy' - ELSE 'there is no too permissive policy' - END AS reason, - region, - account_id - FROM - aws_iam_role AS r + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn + WHERE tp.arn IS NOT NULL + ) THEN 'there is too permissive attached policy' + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(inline_policies_std) AS p, + jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, + jsonb_array_elements_text(s -> 'Action') AS action + WHERE + action IN ('*', '*:*') + AND s ->> 'Effect' = 'Allow' + ) THEN 'there is too permissive inline policy' + ELSE 'there is no too permissive policy' + END AS reason, + region, + account_id + FROM + aws_iam_role AS r severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
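Review bot: The attached-policy test writes an inner join as `LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn WHERE tp.arn IS NOT NULL`; `INNER JOIN too_permissive_policies AS tp ON parn = tp.arn` says what is meant and drops the `WHERE`, in both the `status` and `reason` subqueries. More substantively, `too_permissive_policies` and the inline-policy scan flag any `Allow` on `*`/`*:*` without looking at `Resource` or `Condition`, so a statement scoped to a single resource is reported as "too permissive" — defensible for a least-privilege control, but either the reason text should say so or the scan should also require `s -> 'Resource' ? '*'`. The four near-identical `EXISTS` blocks would be easier to keep in sync as two booleans computed once in a `CROSS JOIN LATERAL`.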
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml index c8eba843c..48934b8b7 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml @@ -1,32 +1,33 @@ id: aws_iam_server_certificate_size title: AWS IAM Server Certificate Size +type: control description: Ensure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN certificate_body_length < 2048 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN certificate_body_length < 2048 THEN 'The key length is 1024 therefore it is insecure' - ELSE 'Key is secure.' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN certificate_body_length < 2048 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN certificate_body_length < 2048 THEN 'The key length is 1024 therefore it is insecure' + ELSE 'Key is secure.' + END AS reason, + region, + account_id + FROM + aws_iam_server_certificate severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) 
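Review bot: `certificate_body_length < 2048` compares what its name suggests is the length of the PEM certificate body, not the RSA modulus size, so the threshold does not measure key strength: a 2048-bit RSA certificate's PEM body can be under 2048 characters and would alarm, while a 1024-bit certificate with a long subject or many extensions could pass. The reason string also hard-codes 'The key length is 1024' regardless of what was measured. If the table does not expose the public-key size, the control needs a source that does (or the description should be reworded to what is actually checked); at minimum the message should report the measured value, e.g. `'certificate body length ' || certificate_body_length || ' is below 2048'`.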
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml index e2f4b0e5b..e45134d41 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml 
@@ -1,47 +1,48 @@ id: aws_iam_support_role title: IAM Support Role +type: control description: Ensure there is an active IAM Support Role available within your AWS cloud account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - WITH aws_support_access_roles AS ( - SELECT - arn, - account_id - FROM - aws_iam_role - WHERE - attached_policy_arns::TEXT ILIKE '%arn:aws:iam::aws:policy/AWSSupportAccess%' - ) - - SELECT - a.account_id AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN r.arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN r.arn IS NULL THEN 'there is no AWS Support Access role for this account' - ELSE 'this account has AWS Support Access role' - END AS reason, - a.region, - a.account_id - FROM - aws_account AS a - LEFT JOIN aws_support_access_roles AS r ON a.account_id = r.account_id + language: sql + primary_resource: aws_account + definition: | + WITH aws_support_access_roles AS ( + SELECT + arn, + account_id + FROM + aws_iam_role + WHERE + attached_policy_arns::TEXT ILIKE '%arn:aws:iam::aws:policy/AWSSupportAccess%' + ) + + SELECT + a.account_id AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN r.arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN r.arn IS NULL THEN 'there is no AWS Support Access role for this account' + ELSE 'this account has AWS Support Access role' + END AS reason, + a.region, + a.account_id + FROM + aws_account AS a + LEFT JOIN aws_support_access_roles AS r ON a.account_id = r.account_id severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + 
platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml index 86af7a85a..3553aaeb6 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml 
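Review bot: The `aws_support_access_roles` CTE only proves that some role has `AWSSupportAccess` attached; it does not check that the role can be assumed (a trust policy naming a principal), which is what the CIS support-role recommendation asks for, so an orphaned role with no trust relationship satisfies the control. If `aws_iam_role` exposes the assume-role policy document (to be confirmed), add a condition on its `Statement` having an `Allow` with a `Principal`; otherwise state the gap in the description. Minor: `r.arn IS NULL` is the right null test, but the CTE's `arn` is otherwise unused and could be replaced by selecting only `account_id` with `DISTINCT`, which also avoids duplicating the account row when several support roles exist.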
@@ -1,36 +1,37 @@ id: aws_iam_user_no_policies title: Receive Permissions via IAM Groups Only +type: control description: Ensure that IAM users receive permissions only through IAM groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN attached_policy_arns IS NULL AND inline_policies IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN attached_policy_arns IS NULL AND inline_policies IS NULL THEN name || ' does not receive access permissions through IAM groups only.' - ELSE name || ' does receive access permissions through IAM groups only.' - END AS reason, - region, - account_id - FROM - aws_iam_user + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN attached_policy_arns IS NULL AND inline_policies IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN attached_policy_arns IS NULL AND inline_policies IS NULL THEN name || ' does not receive access permissions through IAM groups only.' + ELSE name || ' does receive access permissions through IAM groups only.' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
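Review bot: The two `reason` strings are swapped relative to `status`: a user with neither attached nor inline policies gets `ok` but the message 'does not receive access permissions through IAM groups only.', while an alarmed user is told it 'does receive access permissions through IAM groups only.'. Exchange them so the `attached_policy_arns IS NULL AND inline_policies IS NULL` branch yields `name || ' receives access permissions through IAM groups only.'` and the `ELSE` branch `name || ' does not receive access permissions through IAM groups only.'`.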
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml index f6ec5597b..93e573a5e 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml 
@@ -1,44 +1,45 @@ id: aws_iam_user_password_expiry_30_days title: IAM User Password Expiry 30 Days +type: control description: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - r.user_name AS resource, - r.platform_integration_id, - r.platform_resource_id, - CASE - WHEN NOT password_enabled THEN 'skip' - WHEN password_last_changed IS NULL THEN 'alarm' - WHEN password_next_rotation IS NOT NULL THEN 'ok' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '30 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN 'password not enabled' - WHEN password_last_changed IS NULL THEN 'password last change not recognized' - WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '30 days'::interval THEN 'password is about to expire' - ELSE 'password has been reseted recently' - END AS reason, - r.region, - r.account_id - FROM - aws_iam_credential_report AS r - LEFT JOIN aws_iam_account_password_policy AS p - ON r.account_id = p.account_id + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + r.user_name AS resource, + r.platform_integration_id, + r.platform_resource_id, + CASE + WHEN NOT password_enabled THEN 'skip' + WHEN password_last_changed IS NULL THEN 'alarm' + WHEN password_next_rotation IS NOT NULL THEN 'ok' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '30 days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN 'password not enabled' + WHEN password_last_changed IS NULL THEN 
'password last change not recognized' + WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '30 days'::interval THEN 'password is about to expire' + ELSE 'password has been reseted recently' + END AS reason, + r.region, + r.account_id + FROM + aws_iam_credential_report AS r + LEFT JOIN aws_iam_account_password_policy AS p + ON r.account_id = p.account_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml index 953e504aa..76d22a6d6 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml 
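Review bot: The "about to expire" test points the wrong way: `password_last_changed::timestamp + (...)::interval < NOW() - '30 days'::interval` is true only when the password expired more than 30 days *ago*, so a password that expires tomorrow is reported `ok` and an already-expired one 'password is about to expire'. The intended window is `< NOW() + '30 days'::interval`, in both the `status` and `reason` branches (the aws_iam_user_password_expiry_7_days hunk has the same inversion with `'7 days'`). The `WHEN password_next_rotation IS NOT NULL THEN 'ok'` branch also short-circuits before that test even though `password_next_rotation` is the expiry date the credential report provides; comparing it directly, `WHEN password_next_rotation::timestamp < NOW() + '30 days'::interval THEN 'alarm'`, would be simpler and more accurate — confirm the column type first. Minor: the `ELSE` reason reads 'reseted' where the 7-day control already says 'reset'.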
@@ -1,44 +1,45 @@ id: aws_iam_user_password_expiry_7_days title: IAM User Password Expiry 7 Days +type: control description: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 Days). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - r.user_name AS resource, - r.platform_integration_id, - r.platform_resource_id, - CASE - WHEN NOT password_enabled THEN 'skip' - WHEN password_last_changed IS NULL THEN 'alarm' - WHEN password_next_rotation IS NOT NULL THEN 'ok' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '7 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN 'password not enabled' - WHEN password_last_changed IS NULL THEN 'password last change not recognized' - WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '7 days'::interval THEN 'password is about to expire' - ELSE 'password has been reset recently' - END AS reason, - r.region, - r.account_id - FROM - aws_iam_credential_report AS r - LEFT JOIN - aws_iam_account_password_policy AS p ON r.account_id = p.account_id + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + r.user_name AS resource, + r.platform_integration_id, + r.platform_resource_id, + CASE + WHEN NOT password_enabled THEN 'skip' + WHEN password_last_changed IS NULL THEN 'alarm' + WHEN password_next_rotation IS NOT NULL THEN 'ok' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '7 days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN 'password not enabled' + WHEN password_last_changed IS NULL THEN 'password 
last change not recognized' + WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '7 days'::interval THEN 'password is about to expire' + ELSE 'password has been reset recently' + END AS reason, + r.region, + r.account_id + FROM + aws_iam_credential_report AS r + LEFT JOIN + aws_iam_account_password_policy AS p ON r.account_id = p.account_id severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml index 9e77cf7cb..aee11949c 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml 
@@ -1,46 +1,47 @@ id: aws_iam_user_password_expiry_x_days title: IAM User Password Expiry X Days +type: control description: Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (X Days). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsIamUserPasswordExpirationDays - value: '' +- key: awsIamUserPasswordExpirationDays + value: "" policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - r.user_name AS resource, - r.platform_integration_id, - r.platform_resource_id, - CASE - WHEN NOT password_enabled THEN 'skip' - WHEN password_last_changed IS NULL THEN 'alarm' - WHEN password_next_rotation IS NOT NULL THEN 'ok' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '{{.awsIamUserPasswordExpirationDays}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT password_enabled THEN 'password not enabled' - WHEN password_last_changed IS NULL THEN 'password last change not recognized' - WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' - WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '{{.awsIamUserPasswordExpirationDays}} days'::interval THEN 'password is about to expire' - ELSE 'password has been reset recently' - END AS reason, - r.region, - r.account_id - FROM - aws_iam_credential_report AS r - LEFT JOIN aws_iam_account_password_policy AS p - ON r.account_id = p.account_id + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + r.user_name AS resource, + r.platform_integration_id, + r.platform_resource_id, + CASE + WHEN NOT password_enabled THEN 'skip' + WHEN password_last_changed IS NULL THEN 'alarm' + WHEN password_next_rotation IS NOT NULL THEN 'ok' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - 
'{{.awsIamUserPasswordExpirationDays}} days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT password_enabled THEN 'password not enabled' + WHEN password_last_changed IS NULL THEN 'password last change not recognized' + WHEN password_next_rotation IS NOT NULL THEN 'password has password policy' + WHEN password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < NOW() - '{{.awsIamUserPasswordExpirationDays}} days'::interval THEN 'password is about to expire' + ELSE 'password has been reset recently' + END AS reason, + r.region, + r.account_id + FROM + aws_iam_credential_report AS r + LEFT JOIN aws_iam_account_password_policy AS p + ON r.account_id = p.account_id severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml index 701c78dfc..e811991a5 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml 
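Review bot: The parameter default `value: ""` renders the literal as `' days'::interval`, which is not valid interval syntax, so this control fails at query time until a value is configured instead of producing a 'skip' or 'info' result. The parameter is spliced into the SQL text rather than bound, so a value that is not a plain integer changes the statement itself; `awsIamUserPasswordExpirationDays` should be validated as a non-negative integer at render time, and the definition could fall back explicitly, e.g. `(COALESCE(NULLIF('{{.awsIamUserPasswordExpirationDays}}', ''), '30') || ' days')::interval`, with a comment stating the default. The window comparison here has the same sign problem noted on the 30-day control two hunks up.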
@@ -1,36 +1,37 @@ id: aws_iam_user_policies title: IAM User Policies +type: control description: Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.name AS resource, - u.platform_integration_id, - u.platform_resource_id, - CASE - WHEN attached_policy_arns IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN attached_policy_arns IS NULL THEN 'this user does not have any policies attached' - ELSE 'policies are better to be attached to only IAM groups' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.name AS resource, + u.platform_integration_id, + u.platform_resource_id, + CASE + WHEN attached_policy_arns IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN attached_policy_arns IS NULL THEN 'this user does not have any policies attached' + ELSE 'policies are better to be attached to only IAM groups' + END AS reason, + u.region, + u.account_id + FROM + aws_iam_user AS u severity: low tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml index 7cb759f5b..d8e16879b 100644 
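Review bot: `attached_policy_arns IS NULL` is the only test, so the verdict depends on whether the collector stores "no policies" as SQL NULL or as an empty JSON array; elsewhere in this diff the column is read with `jsonb_array_elements_text`, so if it is a jsonb array, `WHEN COALESCE(jsonb_array_length(attached_policy_arns), 0) = 0 THEN 'ok'` covers both representations. Inline user policies are not examined, so a user with only inline policies passes; if that is intended, the description should say "managed policies". The reason text `'policies are better to be attached to only IAM groups'` would read more clearly as `'policies should be attached to IAM groups rather than to users'`.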
--- a/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml 
@@ -1,40 +1,41 @@ id: aws_iam_user_with_password_and_access_keys title: IAM User with Password and Access Keys +type: control description: Ensure that IAM users have either API access or console access in order to follow IAM security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.name AS resource, - u.platform_integration_id, - u.platform_resource_id, - CASE - WHEN (login_profile ->> 'UserName' IS NOT NULL) AND (k.access_key_id IS NOT NULL) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (login_profile ->> 'UserName' IS NOT NULL) AND (k.access_key_id IS NOT NULL) THEN u.name || ' is being used for both API access or for management console access' - ELSE u.name || ' is either being used for API access or for management console access' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN - aws_iam_access_key AS k - ON - u.name = k.user_name + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.name AS resource, + u.platform_integration_id, + u.platform_resource_id, + CASE + WHEN (login_profile ->> 'UserName' IS NOT NULL) AND (k.access_key_id IS NOT NULL) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (login_profile ->> 'UserName' IS NOT NULL) AND (k.access_key_id IS NOT NULL) THEN u.name || ' is being used for both API access or for management console access' + ELSE u.name || ' is either being used for API access or for management console access' + END AS reason, + u.region, + u.account_id + FROM + aws_iam_user AS u + LEFT JOIN + aws_iam_access_key AS k + ON + u.name = k.user_name severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + 
platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml index 76f2ee55d..7cec5c769 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml 
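Review bot: The `LEFT JOIN aws_iam_access_key` on `u.name = k.user_name` yields one output row per access key, so a user with two keys is reported twice under the same resource name. An existence test keeps one row per user: `WHEN login_profile ->> 'UserName' IS NOT NULL AND EXISTS (SELECT 1 FROM aws_iam_access_key AS k WHERE k.user_name = u.name) THEN 'alarm'`. The join does not look at key status, so a user whose only keys are inactive is still flagged; whether that is intended should be stated in the description. The alarm reason `' is being used for both API access or for management console access'` should say "and", and `login_profile` is the one unqualified column in a two-table query.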
@@ -1,90 +1,91 @@ id: aws_iam_users_unauthorized_to_edit_access_policies title: IAM Users Unauthorized to Edit Access Policies +type: control description: Ensure AWS IAM users that are not authorized to edit IAM access policies are decommissioned. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsIamUsersAuthorizedToEditPolicy - value: '' +- key: awsIamUsersAuthorizedToEditPolicy + value: "" policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH authorize_to_edit_policy AS ( - SELECT - arn, - (SELECT ARRAY_AGG(action) - FROM jsonb_array_elements_text(s -> 'Action') AS action) - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - (( - SELECT ARRAY_AGG(action) - FROM jsonb_array_elements_text(s -> 'Action') AS action - ) @> ARRAY[ - 'iam:CreatePolicy', - 'iam:CreatePolicyVersion', - 'iam:DeleteGroupPolicy', - 'iam:DeletePolicy', - 'iam:DeletePolicyVersion', - 'iam:DeleteRolePolicy', - 'iam:DeleteUserPolicy', - 'iam:DetachGroupPolicy', - 'iam:DetachRolePolicy', - 'iam:DetachUserPolicy', - 'iam:PutGroupPolicy', - 'iam:PutRolePolicy', - 'iam:PutUserPolicy', - 'iam:UpdateAssumeRolePolicy' - ] - AND (s ->> 'Effect') = 'Allow') - OR ( - ( - SELECT ARRAY_AGG(action) - FROM jsonb_array_elements_text(s -> 'Action') AS action - ) @> ARRAY['iam:*'] - AND (s ->> 'Effect') = 'Allow' - ) - ) - + language: sql + primary_resource: aws_iam_user + definition: | + WITH authorize_to_edit_policy AS ( SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn - WHERE ep.arn IS NOT NULL - ) - AND ('{{.awsIamUsersAuthorizedToEditPolicy}}' NOT LIKE '%' || user_id || '%') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS parn - LEFT JOIN 
authorize_to_edit_policy AS ep ON parn = ep.arn - WHERE ep.arn IS NOT NULL - ) - AND ('{{.awsIamUsersAuthorizedToEditPolicy}}' NOT LIKE '%' || user_id || '%') - THEN 'this iam user is not authorized to edit policies' - ELSE 'ok' - END AS reason, - region, - account_id + arn, + (SELECT ARRAY_AGG(action) + FROM jsonb_array_elements_text(s -> 'Action') AS action) FROM - aws_iam_user + aws_iam_policy, + jsonb_array_elements(policy_std -> 'Statement') AS s + WHERE + (( + SELECT ARRAY_AGG(action) + FROM jsonb_array_elements_text(s -> 'Action') AS action + ) @> ARRAY[ + 'iam:CreatePolicy', + 'iam:CreatePolicyVersion', + 'iam:DeleteGroupPolicy', + 'iam:DeletePolicy', + 'iam:DeletePolicyVersion', + 'iam:DeleteRolePolicy', + 'iam:DeleteUserPolicy', + 'iam:DetachGroupPolicy', + 'iam:DetachRolePolicy', + 'iam:DetachUserPolicy', + 'iam:PutGroupPolicy', + 'iam:PutRolePolicy', + 'iam:PutUserPolicy', + 'iam:UpdateAssumeRolePolicy' + ] + AND (s ->> 'Effect') = 'Allow') + OR ( + ( + SELECT ARRAY_AGG(action) + FROM jsonb_array_elements_text(s -> 'Action') AS action + ) @> ARRAY['iam:*'] + AND (s ->> 'Effect') = 'Allow' + ) + ) + + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn + WHERE ep.arn IS NOT NULL + ) + AND ('{{.awsIamUsersAuthorizedToEditPolicy}}' NOT LIKE '%' || user_id || '%') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS parn + LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn + WHERE ep.arn IS NOT NULL + ) + AND ('{{.awsIamUsersAuthorizedToEditPolicy}}' NOT LIKE '%' || user_id || '%') + THEN 'this iam user is not authorized to edit policies' + ELSE 'ok' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and 
Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml index 9bf1c3801..7f6a55a8e 100644 --- a/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml 
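Review bot: The alarm reason `'this iam user is not authorized to edit policies'` describes the opposite of what the branch detects: the user holds an attached policy granting the listed IAM write actions and is absent from the allow list, so `name || ' has policy-editing permissions but is not in the authorized list'` is accurate, and the ELSE reason `'ok'` tells the reader nothing. The allow list is matched with `NOT LIKE '%' || user_id || '%'` on a template value spliced into the SQL text, so the parameter must be validated at render time (a quote character would alter the statement), and a comma-separated list compared with `user_id = ANY(string_to_array('{{.awsIamUsersAuthorizedToEditPolicy}}', ','))` would be both exact and easier to audit. The CTE's `@>` test requires every action in the array to be present in a single statement, so a statement granting only `iam:PutUserPolicy` is not caught, and `iam:AttachUserPolicy` / `iam:AttachRolePolicy` are not in the list although their Detach counterparts are; if the intent is "any of these", `&&` is the operator. Only `attached_policy_arns` is inspected, so inline and group-inherited policies are outside this control's view, which the description should state.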
@@ -1,44 +1,45 @@ id: aws_iam_users_with_administrative_privileges title: IAM Users with Administrative Privileges +type: control description: Ensure there are no IAM users with administrative permissions available in your AWS cloud account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem - WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem - WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' - ) THEN name || ' has administrator access' - ELSE name || ' does not have administrator access' - END AS reason, - region, - account_id - FROM - aws_iam_user + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem + WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem + WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' + ) THEN name || ' has administrator access' + ELSE name || ' does not have administrator access' + END AS reason, + region, + account_id + FROM + aws_iam_user severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + 
platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml b/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml index 553d39b61..f27c7c385 100644 --- a/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml 
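Review bot: Admin detection is by policy name only — `SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess'` — so a customer-managed policy granting everything, inline policies, and policies inherited through groups are not detected, while a customer policy that merely shares the name at the root path is. If the AWS-managed policy is the target, matching the ARN across partitions, `elem::text LIKE 'arn:%:iam::aws:policy/AdministratorAccess'`, is more precise than a regex on the suffix; the policy-document scan used by the unauthorized-to-edit-policies control in this diff is the pattern for catching equivalent custom grants. The scope limitation should be stated in the description either way.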
@@ -1,44 +1,45 @@ id: aws_inactive_iam_console_user title: Inactive IAM Console User +type: control description: Ensure no AWS IAM users have been inactive for a long (specified) period of time. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - u.platform_resource_id, - u.platform_integration_id, - CASE - WHEN (k.access_key_id IS NULL AND - (password_last_used IS NULL OR - password_last_used::timestamp < NOW() - '90 days'::interval) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (k.access_key_id IS NULL AND - (password_last_used IS NULL OR - password_last_used::timestamp < NOW() - '90 days'::interval) - ) THEN 'certificate has been expired' - ELSE 'certificate is not expired' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_access_key AS k - ON u.name = k.user_name + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + u.platform_resource_id, + u.platform_integration_id, + CASE + WHEN (k.access_key_id IS NULL AND + (password_last_used IS NULL OR + password_last_used::timestamp < NOW() - '90 days'::interval) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (k.access_key_id IS NULL AND + (password_last_used IS NULL OR + password_last_used::timestamp < NOW() - '90 days'::interval) + ) THEN 'certificate has been expired' + ELSE 'certificate is not expired' + END AS reason, + u.region, + u.account_id + FROM + aws_iam_user AS u + LEFT JOIN aws_iam_access_key AS k + ON u.name = k.user_name severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + 
platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml b/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml index 0a27b891e..ce54793f1 100644 --- a/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml 
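Review bot: The reason strings `'certificate has been expired'` / `'certificate is not expired'` belong to a different control; this one judges console inactivity, so they should read along the lines of `name || ' has not used the console password in 90 days'` and `name || ' has used the console password recently'`. The `LEFT JOIN aws_iam_access_key` produces one row per key, and the `k.access_key_id IS NULL` condition means any user with an access key, active or not, is never reported as an inactive console user, which does not match the title. An `EXISTS` subquery, or testing `password_last_used` alone for users that have a login profile, keeps one row per user and makes the key condition an explicit choice. The description says "specified period" while 90 days is hard-coded with no comment.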
@@ -1,40 +1,41 @@ id: aws_mfa_device_deactivated title: MFA Device Deactivated +type: control description: A Multi-Factor Authentication (MFA) device deactivation for an IAM user has been detected. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN mfa.serial_number IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN mfa.serial_number IS NULL THEN a.title || 'mfa device not activated.' - ELSE a.title || 'mfa device activated.' - END AS reason, - a.region, - a.account_id - FROM - aws_iam_user AS a - LEFT JOIN - aws_iam_virtual_mfa_device AS mfa - ON - a.user_id = mfa.user_id + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN mfa.serial_number IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN mfa.serial_number IS NULL THEN a.title || 'mfa device not activated.' + ELSE a.title || 'mfa device activated.' + END AS reason, + a.region, + a.account_id + FROM + aws_iam_user AS a + LEFT JOIN + aws_iam_virtual_mfa_device AS mfa + ON + a.user_id = mfa.user_id severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
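Review bot: Both reason branches concatenate without a separator, `a.title || 'mfa device not activated.'`, so the output reads "Alicemfa device not activated."; a leading space in the two literals fixes it. The join is against `aws_iam_virtual_mfa_device` only, so users who enrolled a hardware or FIDO device presumably land in the alarm branch; if the user table exposes an MFA-enabled flag that is the better source, otherwise the title and reason should say "virtual MFA". The title "MFA Device Deactivated" suggests an event, but the query reports current state for every user without a device, and the description should say so.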
diff --git a/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml b/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml index c8b69de24..b54b229f2 100644 --- a/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml 
@@ -1,38 +1,39 @@ id: aws_multi_account_centralized_management title: AWS Multi-Account Centralized Management +type: control description: Set up, organize and manage your AWS accounts for optimal security and manageability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT - organization_id AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN count(*) = 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN count(*) = 1 THEN organization_id || ' only has one account' - ELSE organization_id || ' has multiple accounts' - END AS reason - FROM - aws_account - GROUP BY - organization_id, - platform_integration_id, - platform_resource_id; + language: sql + primary_resource: aws_account + definition: | + SELECT + organization_id AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN count(*) = 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN count(*) = 1 THEN organization_id || ' only has one account' + ELSE organization_id || ' has multiple accounts' + END AS reason + FROM + aws_account + GROUP BY + organization_id, + platform_integration_id, + platform_resource_id; severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Tolerate Failures - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Tolerate Failures + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Tolerate Failures diff --git a/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml b/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml index 427123fa7..f8db4fadf 100644 
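Review bot: `GROUP BY organization_id, platform_integration_id, platform_resource_id` groups by columns that identify a single account row everywhere else in this diff, so `count(*)` is presumably always 1 and every organization is reported as having only one account. To count accounts per organization, group by `organization_id` alone and carry the other two columns through an aggregate, e.g. `MIN(platform_integration_id) AS platform_integration_id`, or report them from a per-account join. Accounts with a NULL `organization_id` produce a NULL resource and NULL reason, which deserves an explicit 'skip' or 'info' branch. `count(*)` is the only lowercase keyword in the definition.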
--- a/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml @@ -1,36 +1,37 @@ id: aws_pre_heartbleed_server_certificates title: Pre-Heartbleed Server Certificates +type: control description: Ensure that your server certificates are not vulnerable to Heartbleed security bug. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN upload_date < '2014-04-01' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN upload_date < '2014-04-01' THEN name || ' is vulnerable to Heartbleed security bug.' - ELSE name || ' is not vulnerable to Heartbleed security bug.' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN upload_date < '2014-04-01' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN upload_date < '2014-04-01' THEN name || ' is vulnerable to Heartbleed security bug.' + ELSE name || ' is not vulnerable to Heartbleed security bug.' + END AS reason, + region, + account_id + FROM + aws_iam_server_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
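Review bot: `upload_date < '2014-04-01'` compares against an untyped literal and a cutoff that is not explained in the definition; a typed `DATE '2014-04-01'` plus a SQL comment such as `-- certificates uploaded before the Heartbleed disclosure (April 2014) may have had their private key exposed` tells the next reader why this date. The reason text `' is vulnerable to Heartbleed security bug.'` overstates the finding — the certificate is not itself vulnerable, the concern is that its key may have been exposed on an unpatched server and should be rotated — so `' was uploaded before the Heartbleed disclosure; its key may have been exposed and should be rotated.'` is the accurate wording.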
diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml index 0a21ff25d..1d2de437a 100644 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml 
@@ -1,38 +1,39 @@ id: aws_root_account_access_keys_present title: Root Account Access Keys Present +type: control description: Ensure that your AWS root account is not using access keys as a security best practice. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - name AS resource, - u.platform_resource_id, - u.platform_integration_id, - CASE - WHEN r.access_key_1_active OR r.access_key_2_active THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.access_key_1_active OR r.access_key_2_active THEN u.name || ' does not have any active access key pair' - ELSE u.name || ' has at least one active access key pair.' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_credential_report AS r - ON u.name = r.user_name + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + name AS resource, + u.platform_resource_id, + u.platform_integration_id, + CASE + WHEN r.access_key_1_active OR r.access_key_2_active THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN r.access_key_1_active OR r.access_key_2_active THEN u.name || ' does not have any active access key pair' + ELSE u.name || ' has at least one active access key pair.' + END AS reason, + u.region, + u.account_id + FROM + aws_iam_user AS u + LEFT JOIN aws_iam_credential_report AS r + ON u.name = r.user_name severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys 
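Review bot: The status and reason branches disagree: `WHEN r.access_key_1_active OR r.access_key_2_active THEN 'ok'` is paired with `' does not have any active access key pair'`, so a user with an active key is reported 'ok' and one without is alarmed; the status values need swapping to `THEN 'alarm'` / `ELSE 'ok'`. The query iterates `aws_iam_user` joined to the credential report by name, so it evaluates every IAM user and never the root account, which is not an IAM user; the root row of `aws_iam_credential_report` is the one to select, as the next two hunks do with a `WHERE user_name = ...` filter, with `primary_resource` changed to match. With the current LEFT JOIN, a user missing from the report gets NULL flags and falls into the alarm branch as a side effect.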
diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml index efd1ce1f0..b066d781e 100644 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml 
@@ -1,38 +1,39 @@ id: aws_root_account_active_signing_certificates title: Root Account Active Signing Certificates +type: control description: Ensure that your AWS root account user is not using X.509 certificates to validate API requests. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - (user_name || ' in account ' || account_id) AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN cert_1_active OR cert_2_active THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN cert_1_active OR cert_2_active THEN 'is using X.509 certificates to perform SOAP-protocol requests to AWS services. It is better to be disabled' - ELSE 'is not using X.509 certificates to perform SOAP-protocol requests to AWS services' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report - WHERE - user_name = '' + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + (user_name || ' in account ' || account_id) AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN cert_1_active OR cert_2_active THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN cert_1_active OR cert_2_active THEN 'is using X.509 certificates to perform SOAP-protocol requests to AWS services. 
It is better to be disabled' + ELSE 'is not using X.509 certificates to perform SOAP-protocol requests to AWS services' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report + WHERE + user_name = '' severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml index b17e31005..594067124 100644 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml 
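Review bot: `WHERE user_name = ''` selects rows whose user name is the empty string, which the credential report does not contain, so as rendered here the control evaluates nothing and never reports the root account; the same filter is in the credentials-usage control in the next hunk. If the source file actually holds the report's reserved root name `<root_account>` and the angle brackets were lost in this rendering, the query is fine, but that should be confirmed against the file rather than assumed. A SQL comment in the definition, `-- the credential report lists the root user under a reserved name`, would stop the literal looking like a mistake. The reason text starts mid-sentence (`'is using X.509 ...'`) because the subject is in the resource column; prefixing `user_name || ...` as the other controls do keeps reasons self-contained.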
@@ -1,39 +1,40 @@ id: aws_root_account_credentials_usage title: Root Account Credentials Usage +type: control description: Ensure that root account credentials have not been used recently to access your AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - (user_name || ' in account ' || account_id) AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN password_last_used + '7 days'::interval > NOW() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN password_last_used + '7 days'::interval > NOW() THEN - 'root user has been used recently (it is better to minimize root user usage)' - ELSE 'root user has not been used recently' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report - WHERE - user_name = '' + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + (user_name || ' in account ' || account_id) AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN password_last_used + '7 days'::interval > NOW() THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN password_last_used + '7 days'::interval > NOW() THEN + 'root user has been used recently (it is better to minimize root user usage)' + ELSE 'root user has not been used recently' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report + WHERE + user_name = '' severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys 
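Review bot: The alarm condition on the new side looks only at `password_last_used`, so recent root console sign-ins are detected but root API calls made with an access key are not, although the description speaks of root account credentials in general. The AWS credential report also carries `access_key_1_last_used_date` and `access_key_2_last_used_date`; if this table exposes them, `GREATEST(password_last_used, access_key_1_last_used_date, access_key_2_last_used_date) + '7 days'::interval > NOW()` covers both paths (GREATEST skips NULL arguments in Postgres, which the `::interval` casts suggest is the target engine). The 7-day window is a magic constant and deserves a one-line comment, e.g. `-- flag any root activity within the last 7 days`.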
diff --git a/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml b/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml index 106f09637..e80373ced 100644 --- a/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml 
@@ -1,38 +1,39 @@ id: aws_root_mfa_enabled title: Root MFA Enabled +type: control description: Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_credential_report - definition: | - SELECT - (user_name || ' in account ' || account_id) AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN mfa_active::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN mfa_active::bool THEN 'mfa is active for root account' - ELSE 'mfa is not active for root account' - END AS reason, - region, - account_id - FROM - aws_iam_credential_report - WHERE - user_name = '' + language: sql + primary_resource: aws_iam_credential_report + definition: | + SELECT + (user_name || ' in account ' || account_id) AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN mfa_active::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN mfa_active::bool THEN 'mfa is active for root account' + ELSE 'mfa is not active for root account' + END AS reason, + region, + account_id + FROM + aws_iam_credential_report + WHERE + user_name = '' severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml index 041d983fc..07e26a4a3 100644 
--- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml @@ -1,32 +1,33 @@ id: aws_ssh_public_keys_rotated_45_days title: SSH Public Keys Rotated 45 Days +type: control description: Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_ssh_public_key - definition: | - SELECT - ssh_public_key_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN now() - update_date > '45 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '45 days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + language: sql + primary_resource: aws_iam_ssh_public_key + definition: | + SELECT + ssh_public_key_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN now() - update_date > '45 days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN now() - update_date > '45 days'::interval THEN 'ssh key is too old and should be removed' + ELSE 'ssh key is not too old' + END AS reason, + region, + account_id + FROM + aws_iam_ssh_public_key severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml index dcd54ed40..76172141f 100644 
--- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml @@ -1,32 +1,33 @@ id: aws_ssh_public_keys_rotated_90_days title: SSH Public Keys Rotated 90 Days +type: control description: Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_ssh_public_key - definition: | - SELECT - ssh_public_key_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN now() - update_date > '90 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '90 days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + language: sql + primary_resource: aws_iam_ssh_public_key + definition: | + SELECT + ssh_public_key_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN now() - update_date > '90 days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN now() - update_date > '90 days'::interval THEN 'ssh key is too old and should be removed' + ELSE 'ssh key is not too old' + END AS reason, + region, + account_id + FROM + aws_iam_ssh_public_key severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml index c9b0023d3..6c75cf192 100644 
--- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml @@ -1,34 +1,35 @@ id: aws_ssh_public_keys_rotated_x_days title: SSH Public Keys Rotated X Days +type: control description: Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsSshPublicKeyRotateDays - value: '' +- key: awsSshPublicKeyRotateDays + value: "" policy: - language: sql - primary_resource: aws_iam_ssh_public_key - definition: | - SELECT - ssh_public_key_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + language: sql + primary_resource: aws_iam_ssh_public_key + definition: | + SELECT + ssh_public_key_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'ssh key is too old and should be removed' + ELSE 'ssh key is not too old' + END AS reason, + region, + account_id + FROM + aws_iam_ssh_public_key severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - score_service_name: - - AWS Identity and Access Management (IAM) + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + score_service_name: + - AWS Identity and Access Management (IAM) 
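Review bot: With the default `value: ""` the new side renders `' days'::interval`, which is not a valid interval literal, so the control errors out instead of evaluating until the parameter is set; the aws_ssl_tls_certificate_expiry_x_days hunk has the same problem with `('' || ' days')::interval`. Because the parameter is spliced into the SQL text by the template, a non-numeric value likewise breaks or alters the query rather than being rejected, so normalising it once keeps the failure explicit. Something like `CASE WHEN NULLIF('{{.awsSshPublicKeyRotateDays}}', '') IS NULL THEN 'skip' WHEN now() - update_date > make_interval(days => '{{.awsSshPublicKeyRotateDays}}'::int) THEN 'alarm' ELSE 'ok' END` returns the 'skip' status this repo already uses elsewhere when the threshold is unset and fails on a non-integer cast instead of on a malformed literal.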
diff --git a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml index baa5175c5..c498e3356 100644 --- a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml 
@@ -1,37 +1,38 @@ id: aws_ssl_tls_certificate_expiry_30_days title: SSL/TLS Certificate Expiry 30 Days +type: control description: Ensure SSL/TLS certificates are renewed before their expiration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN expiration - '30 days'::interval < NOW() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < NOW() THEN 'certificate has been expired' - WHEN expiration - '30 days'::interval < NOW() THEN 'certificate is about to expire in ' || expiration - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN expiration - '30 days'::interval < NOW() THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < NOW() THEN 'certificate has been expired' + WHEN expiration - '30 days'::interval < NOW() THEN 'certificate is about to expire in ' || expiration + ELSE 'certificate is not going to expire soon' + END AS reason, + region, + account_id + FROM + aws_iam_server_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
diff --git a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml index e1dbb4e7d..690a804f3 100644 --- a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml 
@@ -1,39 +1,40 @@ id: aws_ssl_tls_certificate_expiry_x_days title: SSL/TLS Certificate Expiry X Days +type: control description: Ensure SSL/TLS certificates are renewed before their expiration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsIamServerCertificateAge - value: '' +- key: awsIamServerCertificateAge + value: "" policy: - language: sql - primary_resource: aws_iam_server_certificate - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < NOW() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < NOW() THEN 'certificate has been expired' - WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < NOW() THEN 'certificate is about to expire in ' || expiration - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + language: sql + primary_resource: aws_iam_server_certificate + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < NOW() THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expiration < NOW() THEN 'certificate has been expired' + WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < NOW() THEN 'certificate is about to expire in ' || expiration + ELSE 'certificate is not going to expire soon' + END AS reason, + region, + account_id + FROM + aws_iam_server_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - 
Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml b/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml index b0c3eab55..65b3c23f9 100644 --- a/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml 
@@ -1,39 +1,40 @@ id: aws_unapproved_iam_policy_in_use title: Unapproved IAM Policy in Use +type: control description: Ensure there are no unapproved AWS Identity and Access Management (IAM) policies in use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsUnapprovedIamPolicies - value: '' +- key: awsUnapprovedIamPolicies + value: "" policy: - language: sql - primary_resource: aws_iam_policy - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN attachment_count > 0 AND '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN attachment_count > 0 AND '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' THEN name || ' is an unapproved iam policy which is being used' - WHEN attachment_count > 0 THEN name || ' is not unapproved' - ELSE name || ' is not being used' - END AS reason, - region, - account_id - FROM - aws_iam_policy + language: sql + primary_resource: aws_iam_policy + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN attachment_count > 0 AND '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN attachment_count > 0 AND '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' THEN name || ' is an unapproved iam policy which is being used' + WHEN attachment_count > 0 THEN name || ' is not unapproved' + ELSE name || ' is not being used' + END AS reason, + region, + account_id + FROM + aws_iam_policy severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + 
score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml index f6b866a61..cc95fe979 100644 --- a/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml 
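Review bot: `'{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%'` is a substring test, so a policy named `ReadOnly` matches a list that only names `ReadOnlyAdmin`, and any `%` or `_` in a policy name acts as a wildcard rather than a literal; the result is both false alarms and missed matches depending on naming. If the parameter is a comma-separated list, as its plural name suggests, an exact membership test is safer: `name = ANY(string_to_array('{{.awsUnapprovedIamPolicies}}', ','))`, trimming entries if the list may contain spaces. The empty default then matches nothing, which preserves the current behaviour for an unconfigured control.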
@@ -1,37 +1,38 @@ id: aws_unnecessary_access_keys title: Unnecessary Access Keys +type: control description: Ensure there is a maximum of one active access key pair available for any single IAM user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - SELECT - u.name AS resource, - u.platform_integration_id, - u.platform_resource_id, - CASE - WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) > 1 THEN u.name || ' user has more than one access keys' - WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) = 1 THEN u.name || ' user has only one access key' - ELSE u.name || ' user has no access key' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u + language: sql + primary_resource: aws_iam_user + definition: | + SELECT + u.name AS resource, + u.platform_integration_id, + u.platform_resource_id, + CASE + WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) > 1 THEN u.name || ' user has more than one access keys' + WHEN (SELECT COUNT(*) FROM aws_iam_access_key AS k WHERE u.name = k.user_name) = 1 THEN u.name || ' user has only one access key' + ELSE u.name || ' user has no access key' + END AS reason, + u.region, + u.account_id + FROM + aws_iam_user AS u severity: medium tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - 
Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml index 83580047a..42458e4bb 100644 --- a/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml 
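Review bot: The description says at most one active access key, but the correlated `COUNT(*)` on the new side counts every key regardless of state, so a user holding one active and one inactive key is flagged. If aws_iam_access_key exposes a `status` column as aws_iam_ssh_public_key does in the aws_unnecessary_ssh_public_keys hunk, adding `AND k.status = 'Active'` to the subquery aligns the check with the description. The same subquery is also written out three times; a CTE grouped by user_name and LEFT JOINed, as that hunk does, states the rule once.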
@@ -1,49 +1,50 @@ id: aws_unnecessary_ssh_public_keys title: Unnecessary SSH Public Keys +type: control description: Ensure there is a maximum of one active SSH public key assigned to any single IAM user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_user - definition: | - WITH active_count AS ( - SELECT - user_name, - COUNT(*) - FROM - aws_iam_ssh_public_key - WHERE - status = 'Active' - GROUP BY - user_name - ) - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN c.count > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.count > 1 THEN u.name || ' has more than one active ssh key' - ELSE u.name || ' does not have more than one active ssh key' - END AS reason, - region, - account_id - FROM - aws_iam_user AS u - LEFT JOIN active_count AS c - ON u.name = c.user_name; + language: sql + primary_resource: aws_iam_user + definition: | + WITH active_count AS ( + SELECT + user_name, + COUNT(*) + FROM + aws_iam_ssh_public_key + WHERE + status = 'Active' + GROUP BY + user_name + ) + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN c.count > 1 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN c.count > 1 THEN u.name || ' has more than one active ssh key' + ELSE u.name || ' does not have more than one active ssh key' + END AS reason, + region, + account_id + FROM + aws_iam_user AS u + LEFT JOIN active_count AS c + ON u.name = c.user_name; severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Insecure Keys - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Insecure Keys + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Insecure 
Keys diff --git a/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml b/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml index 7083859c8..ec576c466 100644 --- a/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml @@ -1,36 +1,37 @@ id: aws_unused_iam_group title: Unused IAM Group +type: control description: Ensure all IAM groups have at least one user. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_iam_group - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN users IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN users IS NULL THEN name || ' group is unused and should be removed' - ELSE name || ' group is being used' - END AS reason, - region, - account_id - FROM - aws_iam_group + language: sql + primary_resource: aws_iam_group + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN users IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN users IS NULL THEN name || ' group is unused and should be removed' + ELSE name || ' group is being used' + END AS reason, + region, + account_id + FROM + aws_iam_group severity: low tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities 
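Review bot: The CTE's aggregate `COUNT(*)` is left unnamed and then read as `c.count`, which works only because Postgres defaults the column name to `count`; `COUNT(*) AS active_key_count` together with `c.active_key_count > 1` makes that dependency explicit. The outer SELECT also mixes qualified (`u.name`) and unqualified (`arn`, `region`, `account_id`) columns; qualifying all of them with `u.` guards against a future column added to the CTE making them ambiguous.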
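Review bot: `users IS NULL` is the only signal for an empty group on the new side; if the `users` column is populated as an empty JSON array for a group with no members rather than NULL, such groups report 'ok' and the control misses exactly what it exists to find. I cannot tell from this hunk which representation the collector uses, so it is worth confirming and, if both occur, widening the test to `users IS NULL OR jsonb_array_length(users) = 0` (assuming the column is jsonb). A one-line comment recording the expected representation would help the next reader either way.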
diff --git a/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml b/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml index 1c1df4be8..72f914ce4 100644 --- a/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml 
@@ -1,69 +1,70 @@ id: aws_valid_iam_identity_providers title: Valid IAM Identity Providers +type: control description: Ensure valid IAM Identity Providers are used within your AWS account for secure user authentication and authorization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsTrustedEndpoints - value: '' +- key: awsTrustedEndpoints + value: "" policy: - language: sql - primary_resource: aws_iam_saml_provider - definition: | - WITH locations AS ( - SELECT - platform_resource_id, + language: sql + primary_resource: aws_iam_saml_provider + definition: | + WITH locations AS ( + SELECT + platform_resource_id, + UNNEST( + XPATH( + '/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location', UNNEST( XPATH( - '/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location', - UNNEST( - XPATH( - '/md:EntityDescriptor', - saml_metadata_document::XML, - ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']] - ) - ), + '/md:EntityDescriptor', + saml_metadata_document::XML, ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']] ) - )::TEXT AS location - FROM aws_iam_saml_provider - ) - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - saml_metadata_document, - CASE - WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'ok' - WHEN EXISTS ( - SELECT 1 - FROM locations AS l - WHERE l.platform_resource_id = p.platform_resource_id - AND l.location NOT LIKE '{{.awsTrustedEndpoints}}' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'trusted endpoints not provided' - WHEN EXISTS ( - SELECT 1 - FROM locations AS l - WHERE l.platform_resource_id = p.platform_resource_id - AND l.location NOT LIKE '{{.awsTrustedEndpoints}}' - ) THEN 'location is not inside trusted endpoints' - ELSE 'is inside trusted endpoints' - END AS reason, - region, - account_id - FROM - aws_iam_saml_provider AS p + ), + ARRAY[ARRAY['md', 
'urn:oasis:names:tc:SAML:2.0:metadata']] + ) + )::TEXT AS location + FROM aws_iam_saml_provider + ) + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + saml_metadata_document, + CASE + WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'ok' + WHEN EXISTS ( + SELECT 1 + FROM locations AS l + WHERE l.platform_resource_id = p.platform_resource_id + AND l.location NOT LIKE '{{.awsTrustedEndpoints}}' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'trusted endpoints not provided' + WHEN EXISTS ( + SELECT 1 + FROM locations AS l + WHERE l.platform_resource_id = p.platform_resource_id + AND l.location NOT LIKE '{{.awsTrustedEndpoints}}' + ) THEN 'location is not inside trusted endpoints' + ELSE 'is inside trusted endpoints' + END AS reason, + region, + account_id + FROM + aws_iam_saml_provider AS p severity: high tags: - platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Identity and Access Management (IAM) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Identity and Access Management (IAM) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Identity and Access Management (IAM) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml index e832744e6..6cdcf947b 100644 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml 
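Review bot: When `awsTrustedEndpoints` is empty the new side returns 'ok' with the reason 'trusted endpoints not provided', so an unconfigured control is indistinguishable from a passing one in the status column; this repo already uses a `'skip'` status (aws_acm_certificates_validity), and `WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'skip'` would make the gap visible. The comparison `l.location NOT LIKE '{{.awsTrustedEndpoints}}'` also treats the parameter as a single LIKE pattern rather than a list, which the plural name suggests; if several endpoints are intended, a `string_to_array` membership test or `NOT (l.location LIKE ANY(string_to_array(...)))` is needed. The XPath inspects only `SingleLogoutService/@Location`; the `SingleSignOnService` endpoints in the same IDPSSODescriptor are presumably the more security-relevant ones to validate against the trusted list, and a comment stating why only logout locations are checked would help if that is deliberate.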
@@ -1,36 +1,37 @@ id: aws_acm_certificate_expired title: ACM Certificate Expired +type: control description: Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN status = 'EXPIRED' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'EXPIRED' THEN 'certificate has been expired' - ELSE 'certificate not expired' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN status = 'EXPIRED' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'EXPIRED' THEN 'certificate has been expired' + ELSE 'certificate not expired' + END AS reason, + region, + account_id + FROM + aws_acm_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Certificate Manager - platform_score_use_case: - - Tolerate Failures - score_service_name: - - AWS Certificate Manager - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - AWS Certificate Manager + platform_score_use_case: + - Tolerate Failures + score_service_name: + - AWS Certificate Manager + score_tags: + - Tolerate Failures diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml index e5a579bd0..5eb0d6a70 100644 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml 
+++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml @@ -1,40 +1,41 @@ id: aws_acm_certificates_renewal_7_days_before_expiration title: AWS ACM Certificates Renewal (7 days before expiration) +type: control description: Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN not_after - '7 days'::interval < now() - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not_after < now() - THEN 'certificate has been expired' - WHEN not_after - '7 days'::interval < now() - THEN 'certificate is about to expire in ' || not_after - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN not_after - '7 days'::interval < now() + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN not_after < now() + THEN 'certificate has been expired' + WHEN not_after - '7 days'::interval < now() + THEN 'certificate is about to expire in ' || not_after + ELSE 'certificate is not going to expire soon' + END AS reason, + region, + account_id + FROM + aws_acm_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Certificate Manager - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS Certificate Manager - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS Certificate Manager + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS Certificate Manager + score_tags: + - Unencrypted Storage 
diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml index fbb5bbfe1..3557755e5 100644 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml 
@@ -1,38 +1,39 @@ id: aws_acm_certificates_validity title: AWS ACM Certificates Validity +type: control description: Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN status = 'EXPIRED' THEN 'skip' - WHEN status = 'PENDING_VALIDATION' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'EXPIRED' THEN 'certificate has been expired' - WHEN status = 'PENDING_VALIDATION' THEN 'certificate validation is pending' - ELSE 'certificate has been validated' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN status = 'EXPIRED' THEN 'skip' + WHEN status = 'PENDING_VALIDATION' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'EXPIRED' THEN 'certificate has been expired' + WHEN status = 'PENDING_VALIDATION' THEN 'certificate validation is pending' + ELSE 'certificate has been validated' + END AS reason, + region, + account_id + FROM + aws_acm_certificate severity: medium tags: - platform_score_cloud_service_name: - - AWS Certificate Manager - platform_score_use_case: - - Tolerate Failures - score_service_name: - - AWS Certificate Manager - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - AWS Certificate Manager + platform_score_use_case: + - Tolerate Failures + score_service_name: + - AWS Certificate Manager + score_tags: + - Tolerate Failures 
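Review bot: The status CASE in the definition block maps `status = 'EXPIRED'` to 'skip', so the very condition the description says this control exists to catch — expired certificates still present in ACM — never produces a finding; only PENDING_VALIDATION alarms. Change that branch to `WHEN status = 'EXPIRED' THEN 'alarm'` and keep the existing reason. The ELSE branch also reports 'certificate has been validated' for every other ACM status, including REVOKED, FAILED, INACTIVE and VALIDATION_TIMED_OUT; an explicit `WHEN status = 'ISSUED' THEN 'ok'` followed by `ELSE 'alarm'` with a reason built from the status value avoids that false pass.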
diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml index f6198ffab..42bb4daf7 100644 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml 
@@ -1,36 +1,37 @@ id: aws_acm_certificates_with_wildcard_domain_names title: AWS ACM Certificates with Wildcard Domain Names +type: control description: Ensure that wildcard certificates issued by Amazon Certificate Manager (ACM) or imported to ACM are not in use. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_acm_certificate - definition: | - SELECT - certificate_arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN domain_name LIKE '*' THEN 'ALARM' - ELSE 'OK' - END AS status, - CASE - WHEN domain_name LIKE '*' THEN 'WILDCARD DOMAIN NAME CERTIFICATE IS USED' - ELSE 'SINGLE DOMAIN NAME CERTIFICATE IS USED' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + language: sql + primary_resource: aws_acm_certificate + definition: | + SELECT + certificate_arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN domain_name LIKE '*' THEN 'ALARM' + ELSE 'OK' + END AS status, + CASE + WHEN domain_name LIKE '*' THEN 'WILDCARD DOMAIN NAME CERTIFICATE IS USED' + ELSE 'SINGLE DOMAIN NAME CERTIFICATE IS USED' + END AS reason, + region, + account_id + FROM + aws_acm_certificate severity: high tags: - platform_score_cloud_service_name: - - AWS Certificate Manager - platform_score_use_case: - - Tolerate Failures - score_service_name: - - AWS Certificate Manager - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - AWS Certificate Manager + platform_score_use_case: + - Tolerate Failures + score_service_name: + - AWS Certificate Manager + score_tags: + - Tolerate Failures diff --git a/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml b/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml index ac52895b1..b7a7eabe4 100644 --- a/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml 
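Review bot: The predicate `domain_name LIKE '*'` used in both CASE expressions can only match a domain that is literally the single character `*`, because `*` is not a wildcard in SQL LIKE (only `%` and `_` are), so a real wildcard certificate such as `*.example.com` is reported as a single-domain certificate and this control never alarms. Use `domain_name LIKE '*.%'` in both places. The status values 'ALARM' and 'OK' are also upper-case here while every other control in this diff emits lower-case 'alarm'/'ok'; if the scoring layer compares these strings exactly, these findings would not be counted, which is worth confirming. Subject alternative names are not inspected, so a wildcard that appears only in a SAN entry is missed; if the table exposes them, the check should cover that column as well.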
+++ b/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml 
@@ -1,47 +1,48 @@ id: aws_backup_service_lifecycle_configuration title: AWS Backup Service Lifecycle Configuration +type: control description: Ensure Amazon Backup plans have a compliant lifecycle configuration enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsBackupPlanDeleteAfterDays - value: '' - - key: awsBackupPlanMoveToColdStorageAfterDays - value: '' +- key: awsBackupPlanDeleteAfterDays + value: "" +- key: awsBackupPlanMoveToColdStorageAfterDays + value: "" policy: - language: sql - primary_resource: aws_backup_plan - definition: | - SELECT - account_id || ' backup region setting in ' || region AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' IS NULL - AND r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' IS NULL - THEN 'alarm' - WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' <> '{{.awsBackupPlanDeleteAfterDays}}' - OR r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' <> '{{.awsBackupPlanMoveToColdStorageAfterDays}}' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' IS NULL - AND r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' IS NULL - THEN 'there is no lifecycle configuration enabled' - WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' <> '{{.awsBackupPlanDeleteAfterDays}}' - OR r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' <> '{{.awsBackupPlanMoveToColdStorageAfterDays}}' - THEN 'lifecycle configuration is not compatible with your setting' - ELSE 'lifecycle configuration is compatible with your setting' - END AS reason, - region, - account_id - FROM - aws_backup_plan, - jsonb_array_elements(rules) AS r + language: sql + primary_resource: aws_backup_plan + definition: | + SELECT + account_id || ' backup region setting in ' || region AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' IS NULL + AND r -> 'Lifecycle' ->> 
'MoveToColdStorageAfterDays' IS NULL + THEN 'alarm' + WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' <> '{{.awsBackupPlanDeleteAfterDays}}' + OR r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' <> '{{.awsBackupPlanMoveToColdStorageAfterDays}}' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' IS NULL + AND r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' IS NULL + THEN 'there is no lifecycle configuration enabled' + WHEN r -> 'Lifecycle' ->> 'DeleteAfterDays' <> '{{.awsBackupPlanDeleteAfterDays}}' + OR r -> 'Lifecycle' ->> 'MoveToColdStorageAfterDays' <> '{{.awsBackupPlanMoveToColdStorageAfterDays}}' + THEN 'lifecycle configuration is not compatible with your setting' + ELSE 'lifecycle configuration is compatible with your setting' + END AS reason, + region, + account_id + FROM + aws_backup_plan, + jsonb_array_elements(rules) AS r severity: medium tags: - platform_score_cloud_service_name: - - AWS Backup - score_service_name: - - AWS Backup + platform_score_cloud_service_name: + - AWS Backup + score_service_name: + - AWS Backup diff --git a/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml b/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml index 6f2eb69a9..02333ba09 100644 --- a/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml +++ b/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml 
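Review bot: The `<>` comparisons in the second WHEN of both CASE expressions are NULL-unsafe: when a rule sets only one of `DeleteAfterDays` / `MoveToColdStorageAfterDays`, the missing side yields NULL, `NULL <> '...'` is unknown, and a rule whose other value happens to match the parameter falls through to 'ok' although its retention is not what was configured. Compare with `r -> 'Lifecycle' ->> 'DeleteAfterDays' IS DISTINCT FROM '{{.awsBackupPlanDeleteAfterDays}}'` (and likewise for the cold-storage value) so a missing value counts as a mismatch. The `resource` column is built as `account_id || ' backup region setting in ' || region`, which looks copied from the region-settings control; since each row here is a backup plan rule, the plan's own identifier (presumably its ARN or name) should be used, otherwise every plan and rule in a region collapses onto one resource label. With both parameters shipped as `""`, any plan that sets a lifecycle value alarms until both are configured, which the description should state.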
@@ -1,34 +1,35 @@ id: aws_check_for_protected_amazon_backup_resource_types title: Check for Protected Amazon Backup Resource Types +type: control description: Ensure that the appropriate resource types are protected by Amazon Backup within your AWS account. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsBackupResourceTypeOptInPreference - value: '' +- key: awsBackupResourceTypeOptInPreference + value: "" policy: - language: sql - primary_resource: aws_backup_region_settings - definition: | - SELECT - account_id || ' backup region setting in ' || region AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN resource_type_opt_in_preference::jsonb = '{{.awsBackupResourceTypeOptInPreference}}'::jsonb THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN resource_type_opt_in_preference::jsonb = '{{.awsBackupResourceTypeOptInPreference}}'::jsonb THEN account_id || ' backup region setting in ' || region || ' is compliant.' - ELSE account_id || ' backup region setting in ' || region || ' is not compliant.' - END AS reason, - region, - account_id - FROM - aws_backup_region_settings + language: sql + primary_resource: aws_backup_region_settings + definition: | + SELECT + account_id || ' backup region setting in ' || region AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN resource_type_opt_in_preference::jsonb = '{{.awsBackupResourceTypeOptInPreference}}'::jsonb THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN resource_type_opt_in_preference::jsonb = '{{.awsBackupResourceTypeOptInPreference}}'::jsonb THEN account_id || ' backup region setting in ' || region || ' is compliant.' + ELSE account_id || ' backup region setting in ' || region || ' is not compliant.' 
+ END AS reason, + region, + account_id + FROM + aws_backup_region_settings severity: medium tags: - platform_score_cloud_service_name: - - AWS Backup - score_service_name: - - AWS Backup + platform_score_cloud_service_name: + - AWS Backup + score_service_name: + - AWS Backup diff --git a/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml b/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml index 6f98d71cb..a1a26036d 100644 --- a/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml +++ b/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml 
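Review bot: The `'{{.awsBackupResourceTypeOptInPreference}}'::jsonb` cast in both CASE expressions fails at query time when the parameter is left at its shipped default `""`, because an empty string is not valid JSON, so the control errors instead of reporting a status unless the templating layer substitutes something else for an empty value. Equality on the whole jsonb object is also stricter than the description ("appropriate resource types are protected"): an account that opts in every required type plus one more is reported as non-compliant. If the intent is a minimum set, `WHEN resource_type_opt_in_preference::jsonb @> '{{.awsBackupResourceTypeOptInPreference}}'::jsonb THEN 'ok'` expresses containment; either way the parameter's expected shape (it appears to be a JSON object keyed by resource type) should be documented next to it.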
@@ -1,52 +1,53 @@ id: aws_configure_aws_backup_vault_access_policy title: Configure AWS Backup Vault Access Policy +type: control description: Prevent deletion of backups using an Amazon Backup vault resource-based access policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_vault - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN policy IS NULL THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy -> 'Statement') AS s - WHERE - (s ->> 'Effect') = 'Deny' - AND - (s ->> 'Action') LIKE '%backup:DeleteRecoveryPoint%' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN policy IS NULL THEN 'there is no policy defined' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy -> 'Statement') AS s - WHERE - (s ->> 'Effect') = 'Deny' - AND - (s ->> 'Action') LIKE '%backup:DeleteRecoveryPoint%' - ) THEN 'has deletion protection enabled for its backups.' - ELSE 'does not have deletion protection enabled for its backups.' - END AS reason, - region, - account_id - FROM - aws_backup_vault + language: sql + primary_resource: aws_backup_vault + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN policy IS NULL THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy -> 'Statement') AS s + WHERE + (s ->> 'Effect') = 'Deny' + AND + (s ->> 'Action') LIKE '%backup:DeleteRecoveryPoint%' + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN policy IS NULL THEN 'there is no policy defined' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy -> 'Statement') AS s + WHERE + (s ->> 'Effect') = 'Deny' + AND + (s ->> 'Action') LIKE '%backup:DeleteRecoveryPoint%' + ) THEN 'has deletion protection enabled for its backups.' + ELSE 'does not have deletion protection enabled for its backups.' 
+ END AS reason, + region, + account_id + FROM + aws_backup_vault severity: high tags: - platform_score_cloud_service_name: - - AWS Backup - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Backup - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Backup + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Backup + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml index a6536d010..dc8c11e9c 100644 --- a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
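Review bot: The EXISTS test in both CASE expressions only recognises a Deny statement whose `Action` text contains `backup:DeleteRecoveryPoint`, so a vault protected by a broader Deny on `backup:*` or `*` is reported as unprotected, while a Deny statement narrowed by a `Condition` or written with `NotAction` is reported as protected without either being evaluated. Widen the match to `AND ((s ->> 'Action') LIKE '%backup:DeleteRecoveryPoint%' OR (s ->> 'Action') LIKE '%backup:*%')` (the text form covers both a string and an array value) and add a comment in the definition stating that Condition and NotAction are not evaluated, so readers know the limit of the check. The reason strings 'has deletion protection enabled for its backups.' and 'does not have deletion protection enabled for its backups.' have no subject; prefixing them with `name || ' '` matches the reason format of the other controls in this diff. The same EXISTS subquery is duplicated between the status and reason CASEs; hoisting it into a CTE keeps the two from drifting apart.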
@@ -1,53 +1,54 @@ id: aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days title: DynamoDB Backup Retention > 35 Days +type: control description: Ensure all DynamoDB are covered by a backup plan with a minimum of Life Cycle Policy 35 days integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - NOW() - creation_date < '35 days'::interval - AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - AND resource_type = 'DynamoDB' - AND status = 'COMPLETED' - ) - - SELECT - t.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_dynamodb_table AS t - LEFT JOIN - points AS p - ON - t.arn = p.resource_arn + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + NOW() - creation_date < '35 days'::interval + AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 + AND resource_type = 'DynamoDB' + AND status = 'COMPLETED' + ) + + SELECT + t.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_dynamodb_table AS t + LEFT JOIN + points AS p + ON + t.arn = p.resource_arn severity: medium tags: - 
platform_score_cloud_service_name: - - Amazon DynamoDB - platform_score_use_case: - - Missing Backup - score_service_name: - - Amazon DynamoDB - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - Amazon DynamoDB + platform_score_use_case: + - Missing Backup + score_service_name: + - Amazon DynamoDB + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml index d44c877e7..64093d345 100644 --- a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml 
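Review bot: The `points` CTE drops recovery points whose lifecycle has no `DeleteAfterDays`, because `(lifecycle ->> 'DeleteAfterDays')::INT >= 35` is NULL for them and the row is filtered out; as documented for AWS Backup, an absent DeleteAfterDays means the recovery point is retained indefinitely, which satisfies a 35-day minimum, so tables backed by a retain-forever rule alarm here. Replace that predicate with `AND (lifecycle ->> 'DeleteAfterDays' IS NULL OR (lifecycle ->> 'DeleteAfterDays')::INT >= 35)`. The LEFT JOIN to `points` also multiplies a table with several qualifying recovery points into one output row per point, all carrying the same resource; selecting `SELECT DISTINCT resource_arn` in the CTE and testing `p.resource_arn IS NULL` in both CASEs keeps one row per table. Both issues recur verbatim in the EBS, EC2 and EFS 35-day controls later in this diff (aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days, aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days, aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days), and the duplicate-row problem also affects the 48-hour DynamoDB and EC2 controls.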
@@ -1,45 +1,46 @@ id: aws_dynamodb_instances_have_backup_withing_48_hours title: Dynamodb Instances have backup within 48 hours +type: control description: Ensure all DynamoDB have a minimum of one restore point time in the last 48 hrs integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '48 hours'::interval - AND resource_type = 'DynamoDB' - AND status = 'COMPLETED' - ) - - SELECT - t.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup with last 48 hours' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_dynamodb_table AS t - LEFT JOIN points AS p ON t.arn = p.resource_arn + language: sql + primary_resource: aws_dynamodb_table + definition: | + WITH points AS ( + SELECT recovery_point_arn, resource_arn + FROM aws_backup_recovery_point + WHERE now() - creation_date < '48 hours'::interval + AND resource_type = 'DynamoDB' + AND status = 'COMPLETED' + ) + + SELECT + t.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup with last 48 hours' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_dynamodb_table AS t + LEFT JOIN points AS p ON t.arn = p.resource_arn severity: medium tags: - platform_score_cloud_service_name: - - Amazon DynamoDB - platform_score_use_case: - - Missing Backup - score_service_name: - - Amazon DynamoDB - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - 
Amazon DynamoDB + platform_score_use_case: + - Missing Backup + score_service_name: + - Amazon DynamoDB + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml index c0179a123..c7eb3272e 100644 --- a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
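Review bot: The reason string `'lacks a backup with last 48 hours'` in the definition block reads as a typo; `'lacks a backup within the last 48 hours'` is what the description states. The compliant branch returns an empty reason (`ELSE ''`), whereas the ACM and vault controls in this diff always give one; `ELSE 'has a completed backup within the last 48 hours'` keeps findings self-describing. Only AWS Backup recovery points are counted here, so a table protected through another mechanism (for instance point-in-time recovery alone) would alarm; if that is intended, the description should say that only AWS Backup recovery points qualify.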
@@ -1,53 +1,54 @@ id: aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days title: EBS Instances Backup Retention > 35 Days +type: control description: Ensure all EBS are covered by a backup plan with a minimum of Life Cycle Policy 35 days integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - now() - creation_date < '35 days'::interval - AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - AND resource_type = 'EBS' - AND status = 'COMPLETED' - ) - - SELECT - v.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_ebs_volume AS v - LEFT JOIN - points AS p - ON - v.arn = p.resource_arn + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + now() - creation_date < '35 days'::interval + AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 + AND resource_type = 'EBS' + AND status = 'COMPLETED' + ) + + SELECT + v.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_ebs_volume AS v + LEFT JOIN + points AS p + ON + v.arn = p.resource_arn severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block 
Store (EBS) - platform_score_use_case: - - Missing Backup - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml index b3e938003..bc7ce7fe7 100644 --- a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml 
@@ -1,55 +1,56 @@ id: aws_ebs_instances_have_backup_withing_rpo_period title: Attached EBS Storage Volumes restoration needs meet RPO Standard +type: control description: AWS EBS Storage Volumes that are connected need to have restorable backup within the defined period integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEbsInstancesBackupPeriod - value: '72' +- key: awsEbsInstancesBackupPeriod + value: "72" policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - WITH all_backup AS ( - SELECT recovery_point_arn, resource_arn, creation_date - FROM aws_backup_recovery_point - WHERE now() - creation_date < '2 week'::interval - AND resource_type = 'EBS' - AND status = 'COMPLETED' - ), points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '{{.awsEbsInstancesBackupPeriod}} hours'::interval - AND resource_type = 'EBS' - AND status = 'COMPLETED' - ) - - SELECT - v.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL AND a.recovery_point_arn IS NULL THEN 'there is no backup for this resource' - WHEN p.recovery_point_arn IS NULL THEN 'last backup at ' || a.creation_date::text - ELSE '' - END AS reason, - region, - account_id - FROM - aws_ebs_volume AS v - LEFT JOIN points AS p ON v.arn = p.resource_arn - LEFT JOIN all_backup AS a ON v.arn = a.resource_arn + language: sql + primary_resource: aws_ebs_volume + definition: | + WITH all_backup AS ( + SELECT recovery_point_arn, resource_arn, creation_date + FROM aws_backup_recovery_point + WHERE now() - creation_date < '2 week'::interval + AND resource_type = 'EBS' + AND status = 'COMPLETED' + ), points AS ( + SELECT recovery_point_arn, resource_arn + FROM aws_backup_recovery_point + WHERE now() - creation_date < 
'{{.awsEbsInstancesBackupPeriod}} hours'::interval + AND resource_type = 'EBS' + AND status = 'COMPLETED' + ) + + SELECT + v.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL AND a.recovery_point_arn IS NULL THEN 'there is no backup for this resource' + WHEN p.recovery_point_arn IS NULL THEN 'last backup at ' || a.creation_date::text + ELSE '' + END AS reason, + region, + account_id + FROM + aws_ebs_volume AS v + LEFT JOIN points AS p ON v.arn = p.resource_arn + LEFT JOIN all_backup AS a ON v.arn = a.resource_arn severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Missing Backup - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml index d9ce0a41c..86451627c 100644 --- a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
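Review bot: The `all_backup` CTE keeps every COMPLETED recovery point from the last two weeks, so the LEFT JOIN on it returns one output row per recovery point for a volume that is missing a recent backup, and the `'last backup at ' || a.creation_date::text` reason reports whichever point happened to join rather than the most recent one. Aggregate per volume as below, deduplicate `points` the same way, and test `a.creation_date IS NULL` for the no-backup case. The title and description say the control applies to attached/connected volumes, but nothing in the query filters on attachment state, so unattached volumes are reported too; either filter them or correct the description. The `'{{.awsEbsInstancesBackupPeriod}} hours'::interval` literal relies on the parameter being a bare integer, and a non-numeric value makes the whole control fail at query time, so the parameter's expected format should be documented beside it.
```sql
WITH all_backup AS (
  SELECT
    resource_arn,
    MAX(creation_date) AS creation_date
  FROM aws_backup_recovery_point
  WHERE now() - creation_date < '2 week'::interval
    AND resource_type = 'EBS'
    AND status = 'COMPLETED'
  GROUP BY resource_arn
), points AS (
  SELECT DISTINCT resource_arn
  FROM aws_backup_recovery_point
  WHERE now() - creation_date < '{{.awsEbsInstancesBackupPeriod}} hours'::interval
    AND resource_type = 'EBS'
    AND status = 'COMPLETED'
)
-- … unchanged: SELECT list up to the status CASE …
  CASE
    WHEN p.resource_arn IS NULL THEN 'alarm'
    ELSE 'ok'
  END AS status,
  CASE
    WHEN p.resource_arn IS NULL AND a.creation_date IS NULL THEN 'there is no backup for this resource'
    WHEN p.resource_arn IS NULL THEN 'last backup at ' || a.creation_date::text
    ELSE ''
  END AS reason,
-- … unchanged: remaining columns, FROM and LEFT JOINs …
```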
@@ -1,53 +1,54 @@ id: aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days title: EC2 Instances Backup Retention > 35 Days +type: control description: Ensure all EC2 are covered by a backup plan with a minimum of Life Cycle Policy 35 days integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - now() - creation_date < '35 days'::interval AND - (lifecycle ->> 'DeleteAfterDays')::INT >= 35 AND - resource_type = 'EC2' AND - status = 'COMPLETED' - ) - - SELECT - i.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_ec2_instance AS i - LEFT JOIN - points AS p - ON - i.arn = p.resource_arn + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + now() - creation_date < '35 days'::interval AND + (lifecycle ->> 'DeleteAfterDays')::INT >= 35 AND + resource_type = 'EC2' AND + status = 'COMPLETED' + ) + + SELECT + i.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_ec2_instance AS i + LEFT JOIN + points AS p + ON + i.arn = p.resource_arn severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - 
platform_score_use_case: - - Missing Backup - score_service_name: - - AWS EC2 - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS EC2 + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml index d7e518e45..0dda08394 100644 --- a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml 
@@ -1,69 +1,70 @@ id: aws_ec2_instances_have_backup_withing_48_hours title: Stateful EC2 Instances have operational backup within 48 hours. +type: control description: Verify that EC2 Instances, excluding shutdowns, spot VMs, and those under 24 hrs old, have at least one restore point in the past 48 hrs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - WITH all_backup AS ( - SELECT - recovery_point_arn, - resource_arn, - creation_date - FROM - aws_backup_recovery_point - WHERE - now() - creation_date < '48 hours'::interval - AND resource_type = 'EC2' - AND status = 'COMPLETED' - ), - points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - now() - creation_date < '48 hours'::interval - AND resource_type = 'EC2' - AND status = 'COMPLETED' - ) - SELECT - v.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL - AND a.recovery_point_arn IS NULL THEN 'there is no backup for this resource' - WHEN p.recovery_point_arn IS NULL THEN 'last backup at ' || a.creation_date::text - ELSE 'Last backup at ' || a.creation_date::text - END AS reason, - region, - account_id - FROM - aws_ec2_instance AS v - LEFT JOIN - points AS p ON v.arn = p.resource_arn - LEFT JOIN - all_backup AS a ON v.arn = a.resource_arn - WHERE - v.instance_lifecycle != 'spot' - AND instance_state = 'running' - AND state_transition_time <= (current_date - INTERVAL '24 hours') + language: sql + primary_resource: aws_ec2_instance + definition: | + WITH all_backup AS ( + SELECT + recovery_point_arn, + resource_arn, + creation_date + FROM + aws_backup_recovery_point + WHERE + now() - creation_date < '48 hours'::interval + AND resource_type = 'EC2' + AND status = 'COMPLETED' + 
), + points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + now() - creation_date < '48 hours'::interval + AND resource_type = 'EC2' + AND status = 'COMPLETED' + ) + SELECT + v.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL + AND a.recovery_point_arn IS NULL THEN 'there is no backup for this resource' + WHEN p.recovery_point_arn IS NULL THEN 'last backup at ' || a.creation_date::text + ELSE 'Last backup at ' || a.creation_date::text + END AS reason, + region, + account_id + FROM + aws_ec2_instance AS v + LEFT JOIN + points AS p ON v.arn = p.resource_arn + LEFT JOIN + all_backup AS a ON v.arn = a.resource_arn + WHERE + v.instance_lifecycle != 'spot' + AND instance_state = 'running' + AND state_transition_time <= (current_date - INTERVAL '24 hours') severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Missing Backup - score_service_name: - - AWS EC2 - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS EC2 + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml index c4d6640cd..b9de90f7f 100644 --- a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml 
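Review bot: The `all_backup` and `points` CTEs in the definition block are identical (same 48-hour window, same resource type and status), so the `WHEN p.recovery_point_arn IS NULL THEN 'last backup at ' || a.creation_date::text` branch is unreachable — whenever `p` is NULL, `a` is NULL as well and the reason is always 'there is no backup for this resource'. The description excludes instances under 24 hours old, so `all_backup` was presumably meant to look further back (the EBS RPO control in this diff uses `'2 week'::interval`) and to aggregate `MAX(creation_date)` per resource; as written it only multiplies output rows per recovery point. The age filter `state_transition_time <= (current_date - INTERVAL '24 hours')` compares against midnight of the previous day, not 24 hours ago, because `current_date` is a date; `state_transition_time <= now() - INTERVAL '24 hours'` matches the description. The two reason strings 'last backup at' and 'Last backup at' also differ only in case and should be unified.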
@@ -1,53 +1,54 @@ id: aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days title: EFS Filesystems have Backup Retention > 35 Days +type: control description: Ensure all EFS files are covered by a backup plan with a minimum of Life Cycle Policy 35 days integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - now() - creation_date < '35 days'::interval - AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - AND resource_type = 'EFS' - AND status = 'COMPLETED' - ) - - SELECT - f.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_efs_file_system AS f - LEFT JOIN - points AS p - ON - f.arn = p.resource_arn + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + now() - creation_date < '35 days'::interval + AND (lifecycle ->> 'DeleteAfterDays')::INT >= 35 + AND resource_type = 'EFS' + AND status = 'COMPLETED' + ) + + SELECT + f.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup configuration with a minimum of 35 days' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_efs_file_system AS f + LEFT JOIN + points AS p + ON + f.arn = p.resource_arn severity: medium tags: - 
platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) - platform_score_use_case: - - Missing Backup - score_service_name: - - Amazon Elastic File System (EFS) - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - Amazon Elastic File System (EFS) + platform_score_use_case: + - Missing Backup + score_service_name: + - Amazon Elastic File System (EFS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml index 515224d02..bb7bbbc65 100644 --- a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml 
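Review bot: `(lifecycle ->> 'DeleteAfterDays')::INT >= 35` evaluates to NULL, and so excludes the recovery point, whenever `DeleteAfterDays` is absent; in AWS Backup a recovery point with no delete-after lifecycle is retained until deleted, so the strictest possible retention is reported as 'lacks a backup configuration with a minimum of 35 days'. Treat the missing value as compliant, `AND (lifecycle ->> 'DeleteAfterDays' IS NULL OR (lifecycle ->> 'DeleteAfterDays')::INT >= 35)`, after confirming how the collector represents an unset lifecycle. The LEFT JOIN also yields one row per qualifying recovery point, so a file system backed up daily appears up to 35 times under the same `resource`; `SELECT DISTINCT resource_arn` in the `points` CTE keeps one row per file system. The `ok` branch returns an empty reason; `f.arn || ' has a recovery point retained for at least 35 days'` makes the result self-describing.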
@@ -1,51 +1,52 @@ id: aws_efs_files_have_backup_withing_48_hours title: EFS files have backup withing 48 hours +type: control description: Ensure all EFS files have a minimum of one restore point time in the last 48 hrs integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - WITH points AS ( - SELECT - recovery_point_arn, - resource_arn - FROM - aws_backup_recovery_point - WHERE - NOW() - creation_date < '48 hours'::interval - AND resource_type = 'EFS' - AND status = 'COMPLETED' - ) - SELECT - f.arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup with last 48 hours' - ELSE '' - END AS reason, - region, - account_id - FROM - aws_efs_file_system AS f - LEFT JOIN - points AS p - ON - f.arn = p.resource_arn + language: sql + primary_resource: aws_efs_file_system + definition: | + WITH points AS ( + SELECT + recovery_point_arn, + resource_arn + FROM + aws_backup_recovery_point + WHERE + NOW() - creation_date < '48 hours'::interval + AND resource_type = 'EFS' + AND status = 'COMPLETED' + ) + SELECT + f.arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p.recovery_point_arn IS NULL THEN 'lacks a backup with last 48 hours' + ELSE '' + END AS reason, + region, + account_id + FROM + aws_efs_file_system AS f + LEFT JOIN + points AS p + ON + f.arn = p.resource_arn severity: medium tags: - platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) - platform_score_use_case: - - Missing Backup - score_service_name: - - Amazon Elastic File System (EFS) - score_tags: - - Missing Backup + 
platform_score_cloud_service_name: + - Amazon Elastic File System (EFS) + platform_score_use_case: + - Missing Backup + score_service_name: + - Amazon Elastic File System (EFS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml b/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml index 61df5d5bd..7c1540a89 100644 --- a/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml +++ b/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml 
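Review bot: The LEFT JOIN on `points` produces one result row per COMPLETED recovery point in the window, so a file system backed up hourly shows up dozens of times under the same `resource` and inflates the alarm/ok counts. Add `DISTINCT` in the CTE (`SELECT DISTINCT resource_arn FROM aws_backup_recovery_point WHERE ...`) or replace the join with an `EXISTS` subquery keyed on `f.arn`. The `ok` branch emits an empty reason while the sibling controls return a sentence; `f.arn || ' has a completed recovery point within the last 48 hours'` is consistent. The title still reads 'withing' and the description 'restore point time'; the id is frozen but both strings are user-facing and worth correcting in the same pass.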
@@ -1,36 +1,37 @@ id: aws_enable_alert_notifications_for_failed_backup_jobs title: Enable Alert Notifications for Failed Backup Jobs +type: control description: Ensure that email notifications for unsuccessful backup jobs are enabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_vault - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN backup_vault_events::TEXT LIKE '%BACKUP_JOB_FAILED%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN backup_vault_events::TEXT LIKE '%BACKUP_JOB_FAILED%' THEN 'Backup vault is configured to send alert notifications for failed Amazon Backup jobs.' - ELSE 'Backup vault is not configured to send alert notifications for failed Amazon Backup jobs.' - END AS reason, - region, - account_id - FROM - aws_backup_vault + language: sql + primary_resource: aws_backup_vault + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN backup_vault_events::TEXT LIKE '%BACKUP_JOB_FAILED%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN backup_vault_events::TEXT LIKE '%BACKUP_JOB_FAILED%' THEN 'Backup vault is configured to send alert notifications for failed Amazon Backup jobs.' + ELSE 'Backup vault is not configured to send alert notifications for failed Amazon Backup jobs.' + END AS reason, + region, + account_id + FROM + aws_backup_vault severity: medium tags: - platform_score_cloud_service_name: - - AWS Backup - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Backup - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Backup + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Backup + score_tags: + - Exposed Endpoints 
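Review bot: The control is tagged `platform_score_use_case: Exposed Endpoints`, which misclassifies a backup-monitoring check; the neighbouring backup controls use `Missing Backup`, and this one should follow suit (or get a monitoring category) so that a missing notification is not scored as an exposure. `backup_vault_events::TEXT LIKE '%BACKUP_JOB_FAILED%'` matches by substring on a serialised array, so it would also pass for any future event name embedding that token; if the column is jsonb, `backup_vault_events ? 'BACKUP_JOB_FAILED'` tests for the exact element. A NULL `backup_vault_events` (no notifications configured) lands in the alarm branch through three-valued logic, which is the right outcome but deserves a one-line comment in the definition so it is not 'fixed' later.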
diff --git a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml index 391c004f4..dda34ae95 100644 --- a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml +++ b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml @@ -1,11 +1,12 @@ id: aws_rds_database_instances_have_a_minimum_acceptable_backup_policy title: AWS RDS Database Instances have a minimum acceptable backup policy +type: control description: Check for all AWS RDS Database Instances are configured with a minimum acceptable backup period integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - Key: awsRdsBaselineRetentionPeriodDays - Value: "7" +- key: "" + value: "" policy: language: sql primary_resource: aws_rds_db_instance @@ -27,10 +28,10 @@ policy: severity: medium tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Missing Backup + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml index 7010ece52..6a1bc4677 100644 --- a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml +++ b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml 
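Review bot: The first hunk replaces the `awsRdsBaselineRetentionPeriodDays: "7"` parameter with an empty `key: ""` / `value: ""` pair, so the template variable the definition presumably references (the sibling restore-time control uses `{{.awsRdsBaselineRestorableTimeInHrs}}` in exactly this way) no longer has a value and the control renders with an empty threshold or fails to render. The definition (lines 12–26) is outside this hunk, so confirm the placeholder name there; the lower-case key normalisation is fine, but the value must survive: `- key: awsRdsBaselineRetentionPeriodDays` / `  value: "7"`. Blanking a retention threshold silently weakens a backup control, which argues for a CI test that renders every control's definition and fails on any unresolved `{{.…}}` placeholder.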
@@ -1,49 +1,50 @@ id: aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time title: AWS RDS Database Instances must have a minimum acceptable restore time +type: control description: Check for all AWS RDS Database Instances to see if they are meeting the required restore time defined. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsRdsBaselineRestorableTimeInHrs - value: '48' +- key: awsRdsBaselineRestorableTimeInHrs + value: "48" policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - SELECT - i.arn AS resource, - i.platform_integration_id, - i.platform_resource_id, + language: sql + primary_resource: aws_rds_db_instance + definition: | + SELECT + i.arn AS resource, + i.platform_integration_id, + i.platform_resource_id, + CASE + WHEN c.latest_restorable_time IS NOT NULL THEN CASE - WHEN c.latest_restorable_time IS NOT NULL THEN - CASE - WHEN now() - c.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval THEN 'ok' - ELSE 'alarm' - END - ELSE - CASE - WHEN now() - i.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval THEN 'ok' - ELSE 'alarm' - END - END AS status, + WHEN now() - c.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval THEN 'ok' + ELSE 'alarm' + END + ELSE CASE - WHEN c.latest_restorable_time IS NOT NULL THEN - i.title || ' backup retention period set to ' || c.latest_restorable_time || '.' - ELSE - i.title || ' backup retention period set to ' || i.latest_restorable_time || '.' 
- END AS reason, - i.region, - i.account_id - FROM - aws_rds_db_instance AS i - LEFT JOIN aws_rds_db_cluster AS c ON i.db_cluster_identifier = c.db_cluster_identifier + WHEN now() - i.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval THEN 'ok' + ELSE 'alarm' + END + END AS status, + CASE + WHEN c.latest_restorable_time IS NOT NULL THEN + i.title || ' backup retention period set to ' || c.latest_restorable_time || '.' + ELSE + i.title || ' backup retention period set to ' || i.latest_restorable_time || '.' + END AS reason, + i.region, + i.account_id + FROM + aws_rds_db_instance AS i + LEFT JOIN aws_rds_db_cluster AS c ON i.db_cluster_identifier = c.db_cluster_identifier severity: medium tags: - platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) - platform_score_use_case: - - Missing Backup - score_service_name: - - AWS Relational Database Service (RDS) - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS Relational Database Service (RDS) + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS Relational Database Service (RDS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml b/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml index 01cd4095b..ac5844295 100644 --- a/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml +++ b/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml 
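Review bot: Both reason branches label `latest_restorable_time`, a timestamp, as 'backup retention period set to …', which misleads whoever triages the alarm; the value compared is the point-in-time-restore watermark, so say so: `i.title || ' latest restorable time is ' || COALESCE(c.latest_restorable_time, i.latest_restorable_time)::TEXT || '.'`. When neither the cluster nor the instance has a restorable time (automated backups disabled), `||` with NULL makes the whole reason NULL, so wrap the value in `COALESCE(..., 'none')` to keep the alarm explained. The status CASE can likewise collapse to a single `now() - COALESCE(c.latest_restorable_time, i.latest_restorable_time) < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval`, removing the duplicated interval expression.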
@@ -1,40 +1,41 @@ id: aws_use_kms_customer_master_keys_for_aws_backup title: Use KMS Customer Master Keys for AWS Backup +type: control description: Ensure that your backups are encrypted at rest using KMS Customer Master Keys (CMKs). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_backup_vault - definition: | - SELECT - name AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN k.arn IS NULL THEN 'alarm' - WHEN k.key_manager = 'CUSTOMER' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN k.arn IS NULL THEN name || ' is not using a master key' - WHEN k.key_manager = 'CUSTOMER' THEN name || ' is using a customer master key' - ELSE name || ' is using an AWS-managed master key' - END AS reason, - v.region, - v.account_id - FROM - aws_backup_vault AS v - LEFT JOIN - aws_kms_key AS k ON v.encryption_key_arn = k.arn + language: sql + primary_resource: aws_backup_vault + definition: | + SELECT + name AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN k.arn IS NULL THEN 'alarm' + WHEN k.key_manager = 'CUSTOMER' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN k.arn IS NULL THEN name || ' is not using a master key' + WHEN k.key_manager = 'CUSTOMER' THEN name || ' is using a customer master key' + ELSE name || ' is using an AWS-managed master key' + END AS reason, + v.region, + v.account_id + FROM + aws_backup_vault AS v + LEFT JOIN + aws_kms_key AS k ON v.encryption_key_arn = k.arn severity: high tags: - platform_score_cloud_service_name: - - AWS Backup - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Backup - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Backup + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Backup + score_tags: + - Exposed Endpoints 
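Review bot: `WHEN k.arn IS NULL THEN 'alarm'` with the reason `' is not using a master key'` conflates two different states: a vault with no `encryption_key_arn` at all, and a vault whose key exists but has no row in `aws_kms_key` (a cross-account key, or one in a region that is not collected); the second case is reported as unencrypted, which is wrong and noisy. Split the branches, `WHEN v.encryption_key_arn IS NULL THEN name || ' has no encryption key'` and `WHEN k.arn IS NULL THEN name || ' uses key ' || v.encryption_key_arn || ' not found in inventory'`, giving the latter `info` or `skip` if the platform supports it. The control is tagged `Exposed Endpoints`, whereas the EBS encryption controls in this same change use `Unencrypted Storage`; align the use-case tag so the finding is scored as an encryption gap.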
diff --git a/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml b/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml index dc6ba9aa6..17592c11d 100644 --- a/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml +++ b/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml @@ -1,32 +1,33 @@ id: aws_unused_dynamodb_table title: Unused DynamoDb Table +type: control description: Identify and remove any unused AWS DynamoDB tables to optimize AWS costs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_dynamodb_table - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN item_count::int = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN item_count::int = 0 THEN 'Dynamodb Table is unused' - ELSE 'Dynamodb Table is being used' - END AS reason, - region, - account_id - FROM - aws_dynamodb_table AS t + language: sql + primary_resource: aws_dynamodb_table + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN item_count::int = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN item_count::int = 0 THEN 'Dynamodb Table is unused' + ELSE 'Dynamodb Table is being used' + END AS reason, + region, + account_id + FROM + aws_dynamodb_table AS t severity: medium tags: - platform_score_cloud_service_name: - - Amazon DynamoDB - score_service_name: - - Amazon DynamoDB + platform_score_cloud_service_name: + - Amazon DynamoDB + score_service_name: + - Amazon DynamoDB diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml index 724b1b6ed..470f1f97e 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml 
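Review bot: `item_count::int = 0` is a weak signal for 'unused': DynamoDB refreshes `ItemCount` only periodically (roughly every six hours per the AWS docs), so a table created or loaded recently can report 0, and a table that is actively read and written but currently empty (a lock or queue table) is legitimately 0. Since the description recommends removal, pair the count with an age guard if the collector exposes a creation timestamp, e.g. `WHEN item_count::int = 0 AND creation_date_time < now() - interval '7 days'` (column name not visible here, verify), and soften the alarm reason to `'Dynamodb Table has no items'` so nobody deletes a live table on the strength of this check alone. The `AS t` alias is unused and can be dropped.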
@@ -1,38 +1,39 @@ id: aws_ebs_encrypted title: EBS Volumes need to be encrypted +type: control description: Ensure EBS volumes are encrypted to meet security and encryption compliance requirements. Encryption is a key mechanism for you to ensure that you are in full control over who has access to your data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN volume_id || ' encrypted.' - ELSE volume_id || ' not encrypted.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume - WHERE - state = 'in-use' + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN volume_id || ' encrypted.' + ELSE volume_id || ' not encrypted.' + END AS reason, + region, + account_id + FROM + aws_ebs_volume + WHERE + state = 'in-use' severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml index 68ef72290..3353f00fb 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml 
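Review bot: `WHERE state = 'in-use'` silently drops every detached (`available`) volume from the result set, yet an unencrypted volume that is not attached still holds its data at rest, can be attached to any instance in the account and can be snapshotted; the description ('Ensure EBS volumes are encrypted') does not mention the exclusion. Either remove the filter so all volumes are assessed, or keep it and state it in the description (`… for volumes currently attached to an instance`) and cover unattached unencrypted volumes in a separate control. The status CASE sends a NULL `encrypted` to alarm, which is the safe default but deserves a one-line comment so it is not treated as a bug later.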
+++ b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml 
@@ -1,41 +1,42 @@ id: aws_ebs_encrypted_with_kms_customer_master_keys title: EBS Encrypted With KMS Customer Master Keys +type: control description: Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - volume_id AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN kms_key_id IS NULL THEN 'alarm' - WHEN k.key_manager = 'CUSTOMER' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN kms_key_id IS NULL THEN volume_id || ' is not using a master key' - WHEN k.key_manager = 'CUSTOMER' THEN volume_id || ' is using a customer master key' - ELSE volume_id || ' is using an AWS-managed master key' - END AS reason, - v.region, - v.account_id - FROM - aws_ebs_volume AS v - LEFT JOIN - aws_kms_key AS k - ON v.kms_key_id = k.arn + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + volume_id AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN kms_key_id IS NULL THEN 'alarm' + WHEN k.key_manager = 'CUSTOMER' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN kms_key_id IS NULL THEN volume_id || ' is not using a master key' + WHEN k.key_manager = 'CUSTOMER' THEN volume_id || ' is using a customer master key' + ELSE volume_id || ' is using an AWS-managed master key' + END AS reason, + v.region, + v.account_id + FROM + aws_ebs_volume AS v + LEFT JOIN + aws_kms_key AS k + ON v.kms_key_id = k.arn severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS Elastic 
Block Store (EBS) + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml index 42f686aae..d7a06298e 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml 
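Review bot: The final `ELSE 'alarm'` with reason `' is using an AWS-managed master key'` also catches the case where `kms_key_id` is set but no row matched in `aws_kms_key` (key in another account or an uncollected region), so those volumes are misreported as using an AWS-managed key. Add an explicit branch before the ELSE, `WHEN k.arn IS NULL THEN v.volume_id || ' uses key ' || v.kms_key_id || ' not found in inventory'`, and drive the managed-key verdict from `k.key_manager = 'AWS'` rather than from fall-through; the unqualified `kms_key_id` and `volume_id` references also read better as `v.kms_key_id` / `v.volume_id` beside the other `v.`-qualified columns. The opening `kms_key_id IS NULL` branch duplicates what `aws_ebs_encrypted` already reports; consider `'skip'` with reason `' is not encrypted'` there to avoid scoring the same volume twice.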
@@ -1,36 +1,37 @@ id: aws_ebs_public_snapshots title: Amazon EBS Public Snapshots +type: control description: Ensure that your Amazon EBS volume snapshots are not accessible to all AWS accounts. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' - ELSE title || ' is not publicly restorable.' - END AS reason, - region, - account_id - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN create_volume_permissions @> '[{"Group": "all", "UserId": null}]' THEN title || ' is publicly restorable.' + ELSE title || ' is not publicly restorable.' + END AS reason, + region, + account_id + FROM + aws_ebs_snapshot; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Exposed Endpoints 
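Review bot: The containment test `@> '[{"Group": "all", "UserId": null}]'` only matches when the element literally carries `"UserId": null`; if the collector omits the key for group permissions instead of emitting null, the predicate is false and a publicly restorable snapshot is reported as 'not publicly restorable' — a false negative on a high-severity exposure check. `@> '[{"Group": "all"}]'` is satisfied by both encodings and is the safer predicate. A NULL `create_volume_permissions` falls into the `ok` branch via three-valued logic, which is acceptable for 'no permissions recorded', but a comment stating that it is intentional would help the next reviewer.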
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml index 70831d1ed..41885a191 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml @@ -1,36 +1,37 @@ id: aws_ebs_snapshot_encrypted title: EBS Snapshot Encrypted +type: control description: Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_snapshot - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN encrypted THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted THEN title || ' encryption enabled.' - ELSE title || ' encryption disabled.' - END AS reason, - region, - account_id - FROM - aws_ebs_snapshot; + language: sql + primary_resource: aws_ebs_snapshot + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN encrypted THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted THEN title || ' encryption enabled.' + ELSE title || ' encryption disabled.' + END AS reason, + region, + account_id + FROM + aws_ebs_snapshot; severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Unencrypted Storage 
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml index 4142418b2..3c3bb2995 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml @@ -1,36 +1,37 @@ id: aws_ebs_volume_unused title: Unused EBS Volumes +type: control description: Identify any unused Elastic Block Store volumes to improve cost optimization and security. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN state = 'in-use' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' - ELSE title || ' not attached to EC2 instance.' - END AS reason, - region, - account_id - FROM - aws_ebs_volume v + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN state = 'in-use' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN state = 'in-use' THEN title || ' attached to EC2 instance.' + ELSE title || ' not attached to EC2 instance.' + END AS reason, + region, + account_id + FROM + aws_ebs_volume v severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Optimization - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Optimization + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Optimization + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Optimization 
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml index cf03bc01b..acafd22dd 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml 
@@ -1,41 +1,42 @@ id: aws_ebs_volumes_attached_to_stopped_ec2_instances title: EBS Volumes Attached To Stopped EC2 Instances +type: control description: Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - v.volume_id AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN i.instance_state = 'running' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN i.instance_state = 'running' THEN v.volume_id || ' is attached to a running instance' - ELSE v.volume_id || ' is attached to a stopped instance' - END AS reason, - v.region, - v.account_id - FROM - aws_ebs_volume AS v, - jsonb_array_elements(attachments) AS att - LEFT JOIN - aws_ec2_instance AS i - ON - att ->> 'InstanceId' = i.instance_id + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + v.volume_id AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN i.instance_state = 'running' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN i.instance_state = 'running' THEN v.volume_id || ' is attached to a running instance' + ELSE v.volume_id || ' is attached to a stopped instance' + END AS reason, + v.region, + v.account_id + FROM + aws_ebs_volume AS v, + jsonb_array_elements(attachments) AS att + LEFT JOIN + aws_ec2_instance AS i + ON + att ->> 'InstanceId' = i.instance_id severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Missing Tags - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Missing Tags + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Missing Tags + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Missing Tags 
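Review bot: When the attachment's instance is not found in `aws_ec2_instance` (`i.instance_id` NULL because the instance was deleted or not yet collected), the query still alarms with `' is attached to a stopped instance'`, which is untrue; add `WHEN i.instance_id IS NULL THEN 'skip'` with a reason naming the missing instance before the running check, and handle transient states (`pending`, `stopping`) explicitly instead of lumping them in with stopped. `platform_score_use_case: Missing Tags` does not describe this control, which is about idle volumes; the unused-volume sibling uses `Optimization` and this one should match. The comma join with `jsonb_array_elements(attachments)` is intentional (only attached volumes are evaluated), but `CROSS JOIN LATERAL` spells that out for readers.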
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml index 9141f8836..6370f8503 100644 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml 
@@ -1,45 +1,45 @@ id: aws_ec2_ami_too_old title: EC2 AMI Too Old +type: control description: Ensure EC2 Amazon Machine Images (AMIs) aren't too old integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEbsAmiAgeMaxDays - value: '365' +- key: awsEbsAmiAgeMaxDays + value: "365" policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - image_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN is_aws_backup_managed THEN 'skip' - WHEN root_device_type <> 'ebs' THEN 'skip' - WHEN creation_date + ('{{.awsEbsAmiAgeMaxDays}} days')::interval < NOW() - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN is_aws_backup_managed THEN name || ' is managed by aws' - WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs' - WHEN creation_date + ('{{.awsEbsAmiAgeMaxDays}} days')::interval < NOW() - THEN name || ' needs to be restarted' - ELSE name || ' launch time was not long ago' - END AS reason, - region, - account_id - FROM - aws_ec2_ami + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + image_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN is_aws_backup_managed THEN 'skip' + WHEN root_device_type <> 'ebs' THEN 'skip' + WHEN creation_date + ('{{.awsEbsAmiAgeMaxDays}} days')::interval < NOW() + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN is_aws_backup_managed THEN name || ' is managed by aws' + WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs' + WHEN creation_date + ('{{.awsEbsAmiAgeMaxDays}} days')::interval < NOW() + THEN name || ' needs to be restarted' + ELSE name || ' launch time was not long ago' + END AS reason, + region, + account_id + FROM + aws_ec2_ami severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS EC2 - score_tags: - - Lacking High Availability - + 
platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS EC2 + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml b/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml index f1180f774..ff54a71f3 100644 --- a/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml @@ -1,34 +1,35 @@ id: aws_use_gp3_not_gp2 title: Use GP3, not GP2 +type: control description: EBS gp2 volumes are legacy, costly, and have lower performance than gp3. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN volume_type = 'gp2' THEN 'alarm' - WHEN volume_type = 'gp3' THEN 'ok' - ELSE 'skip' - END AS status, - volume_id || ' type is ' || volume_type || '.' AS reason, - region, - account_id - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN volume_type = 'gp2' THEN 'alarm' + WHEN volume_type = 'gp3' THEN 'ok' + ELSE 'skip' + END AS status, + volume_id || ' type is ' || volume_type || '.' AS reason, + region, + account_id + FROM + aws_ebs_volume; severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - General Efficiency - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - General Efficiency + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - General Efficiency + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - General Efficiency 
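Review bot: The file `compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml` carries `id: aws_ec2_ami_too_old`, queries `aws_ec2_ami` and is tagged `AWS EC2`, so it is a second copy of the control in `compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml` (later on this page) rather than a snapshot-age check; two controls sharing one id will collide in whatever loads this directory. The copies also disagree on the age predicate — `creation_date + ('{{.awsEbsAmiAgeMaxDays}} days')::interval < NOW()` here versus a `NOW() - (creation_date)::timestamp > ...` form there — so they cannot both be the intended source of truth. Either replace this file's body with a control over EBS snapshots, as its path and name imply, or delete it.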
diff --git a/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml b/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml index 649770f02..e2657b388 100644 --- a/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml @@ -1,34 +1,35 @@ id: aws_use_io2_not_io1 title: Use io2, not io1 +type: control description: io1 Volumes are older generation less reliable than io2 for same cost. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ebs_volume - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN volume_type = 'io1' THEN 'alarm' - WHEN volume_type = 'io2' THEN 'ok' - ELSE 'skip' - END AS status, - volume_id || ' type is ' || volume_type || '.' AS reason, - region, - account_id - FROM - aws_ebs_volume; + language: sql + primary_resource: aws_ebs_volume + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN volume_type = 'io1' THEN 'alarm' + WHEN volume_type = 'io2' THEN 'ok' + ELSE 'skip' + END AS status, + volume_id || ' type is ' || volume_type || '.' AS reason, + region, + account_id + FROM + aws_ebs_volume; severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Block Store (EBS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Block Store (EBS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Block Store (EBS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml b/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml index e0ce5d23a..ec7b787dd 100644 
--- a/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml @@ -1,46 +1,47 @@ id: aws_ami_encryption title: AWS AMI Encryption +type: control description: Ensure that your existing AMIs are encrypted to meet security and compliance requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(block_device_mappings) AS b - WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = FALSE - ) - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(block_device_mappings) AS b - WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = FALSE - ) - THEN name || ' has unencrypted data' - ELSE name || ' data is encrypted' - END AS reason, - region, - account_id - FROM - aws_ec2_ami + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(block_device_mappings) AS b + WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = FALSE + ) + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(block_device_mappings) AS b + WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = FALSE + ) + THEN name || ' has unencrypted data' + ELSE name || ' data is encrypted' + END AS reason, + region, + account_id + FROM + aws_ec2_ami severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS EC2 - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS EC2 + score_tags: + - Unencrypted Storage 
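Review bot: `(b -> 'Ebs' ->> 'Encrypted')::bool = FALSE` evaluates to NULL when a mapping carries no `Encrypted` key, so such a device is silently counted as encrypted and the image reports 'ok'; whether the API always populates `Encrypted` for EBS mappings is not visible here, so the safer predicate is `WHERE b -> 'Ebs' IS NOT NULL AND NOT COALESCE((b -> 'Ebs' ->> 'Encrypted')::bool, FALSE)`, which also skips ephemeral or `NoDevice` mappings that have no `Ebs` object instead of relying on NULL propagation. The same `EXISTS` subquery is written twice, once for `status` and once for `reason`; computing it once in a CTE (e.g. `has_unencrypted_device`) keeps the two from drifting apart.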
diff --git a/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml b/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml
index 29e985c32..fc1bb2c5f 100644
--- a/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml
@@ -1,54 +1,55 @@ id: aws_default_security_group_unrestricted title: Default Security Group Unrestricted +type: control description: Ensure the default security group of every VPC restricts all traffic. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE EXISTS ( - SELECT 1 - FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) AS r - WHERE r ->> 'CidrIp' = '0.0.0.0/0' - ) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE EXISTS ( - SELECT 1 - FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) AS r - WHERE r ->> 'CidrIp' = '0.0.0.0/0' - ) - ) THEN group_id || ' is not secure and compliant' - ELSE group_id || ' is secure and compliant' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - group_name = 'default' + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE EXISTS ( + SELECT 1 + FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) AS r + WHERE r ->> 'CidrIp' = '0.0.0.0/0' + ) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE EXISTS ( + SELECT 1 + FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) AS r + WHERE r ->> 'CidrIp' = '0.0.0.0/0' + ) + ) THEN group_id || ' is not secure and compliant' + ELSE group_id || ' is secure and compliant' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + group_name = 'default' severity: low tags: - 
platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml b/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml index 9a9fa2ca1..b2e324cc2 100644 --- a/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml 
@@ -1,44 +1,45 @@ id: aws_default_security_groups_in_use title: Default Security Groups In Use +type: control description: Ensure default security groups aren't in use. Instead create unique security groups to better adhere to the principle of least privilege. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(security_groups) AS sg - WHERE sg ->> 'GroupName' = 'default' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(security_groups) AS sg - WHERE sg ->> 'GroupName' = 'default' - ) THEN instance_id || ' is using default security group' - ELSE instance_id || ' is not using default security group' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(security_groups) AS sg + WHERE sg ->> 'GroupName' = 'default' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(security_groups) AS sg + WHERE sg ->> 'GroupName' = 'default' + ) THEN instance_id || ' is using default security group' + ELSE instance_id || ' is not using default security group' + END AS reason, + region, + account_id + FROM + aws_ec2_instance severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints 
diff --git a/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml b/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml
index d39a92121..194fdc4c3 100644
--- a/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml
@@ -1,36 +1,37 @@ id: aws_disable_public_ip_address_assignment_for_ec2_instances title: Disable Public IP Address Assignment for EC2 Instances +type: control description: Ensure that Amazon EC2 instances are not using public IP addresses. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN public_ip_address IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' - ELSE instance_id || ' publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN public_ip_address IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' + ELSE instance_id || ' publicly accessible.' + END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS EC2 - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS EC2 + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml index 6fc230ef3..85954242f 100644 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml 
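Review bot: The reason strings `' publicly accessible.'` / `' not publicly accessible.'` claim more than the predicate checks — `public_ip_address IS NULL` only says whether an address is assigned, not whether any security group or network ACL admits traffic; `' has a public IP address.'` / `' has no public IP address.'` would match the title. The tags (`Lacking High Availability`) also disagree with `aws_ec2_instance_not_in_public_subnet.yaml` later on this page, which runs the identical query under `Exposed Endpoints`; if both controls are kept, their categorisation should agree.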
@@ -1,42 +1,43 @@ id: aws_ec2_ami_too_old title: EC2 AMI Too Old +type: control description: Ensure EC2 Amazon Machine Images (AMIs) aren't too old integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEbsAmiAgeMaxDays - value: '365' +- key: awsEbsAmiAgeMaxDays + value: "365" policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - SELECT - image_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN is_aws_backup_managed THEN 'skip' - WHEN root_device_type <> 'ebs' THEN 'skip' - WHEN NOW() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN is_aws_backup_managed THEN name || ' is managed by aws' - WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs' - WHEN NOW() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN name || ' needs to be restarted' - ELSE name || ' launch time was not much time ago' - END AS reason, - region, - account_id - FROM - aws_ec2_ami + language: sql + primary_resource: aws_ec2_ami + definition: | + SELECT + image_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN is_aws_backup_managed THEN 'skip' + WHEN root_device_type <> 'ebs' THEN 'skip' + WHEN NOW() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN is_aws_backup_managed THEN name || ' is managed by aws' + WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs' + WHEN NOW() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN name || ' needs to be restarted' + ELSE name || ' launch time was not much time ago' + END AS reason, + region, + account_id + FROM + aws_ec2_ami severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS EC2 - score_tags: - - Lacking High 
Availability + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS EC2 + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml index b788601b7..3c1cb9a44 100644 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml 
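Review bot: `'{{.awsEbsAmiAgeMaxDays}} days'::interval` splices the parameter into a string literal, so a non-numeric value, or one containing a quote, makes the control fail at query time instead of at configuration time, and no validation is visible in the YAML; the same pattern appears in `aws_ec2_desired_instance_type.yaml`, `aws_ec2_instance_naming_conventions.yaml` and the duplicate copy under `ebs/aws_ebs_volumes_too_old_snapshots.yaml` on this page. If the loader cannot type-check parameters, the control should at least document the expected shape, e.g. `# awsEbsAmiAgeMaxDays: whole number of days` above the parameter. Separately, `(creation_date)::timestamp` discards the zone if the column is `timestamptz` (not visible here), and `' needs to be restarted'` describes an instance, not an image — `' is older than {{.awsEbsAmiAgeMaxDays}} days'` would state the actual finding.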
@@ -1,40 +1,41 @@ id: aws_ec2_desired_instance_type title: EC2 Instances types are Approved +type: control description: Ensure all EC2 instances are of a given instance type Optimal and Aligned with our Organization integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsAllowedInstanceTypes - value: '' +- key: awsAllowedInstanceTypes + value: "" policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'ok' - WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'allowed instance types not defined' - WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN instance_id || ' instance type is allowed by your organization' - ELSE instance_id || ' instance type is not allowed by your organization' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'ok' + WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'allowed instance types not defined' + WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN instance_id || ' instance type is allowed by your organization' + ELSE instance_id || ' instance type is not allowed by your organization' + END AS reason, + region, + account_id + FROM + aws_ec2_instance severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Over Utilization - score_service_name: - - AWS EC2 - score_tags: - - Over Utilization + 
platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Over Utilization + score_service_name: + - AWS EC2 + score_tags: + - Over Utilization diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml index 0dda03a65..63a51dd56 100644 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml @@ -1,38 +1,39 @@ id: aws_ec2_instance_in_vpc title: EC2 Instance In VPC +type: control description: Ensure EC2 instances are launched using the EC2-VPC platform instead of EC2-Classic outdated platform. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN vpc_id IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vpc_id IS NULL THEN title || ' not in VPC.' - ELSE title || ' in VPC.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance - WHERE - instance_state = 'running'; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN vpc_id IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vpc_id IS NULL THEN title || ' not in VPC.' + ELSE title || ' in VPC.' + END AS reason, + region, + account_id + FROM + aws_ec2_instance + WHERE + instance_state = 'running'; severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints 
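Review bot: `'{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%'` tests substring containment, not list membership, so whatever separator the parameter uses is never honoured and correctness relies on no type name being a substring of another; exact membership is `WHEN instance_type = ANY(string_to_array('{{.awsAllowedInstanceTypes}}', ',')) THEN 'ok'`, with the delimiter adjusted to whatever format the parameter is documented to take (not visible here). An empty allow-list currently yields 'ok' for every instance with the reason `'allowed instance types not defined'`; 'skip' is the more honest status for a control that has not been configured.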
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml
index 5c198b4ec..701dbb4ca 100644
--- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml
@@ -1,40 +1,41 @@ id: aws_ec2_instance_naming_conventions title: EC2 Instance Naming Conventions +type: control description: Follow proper naming conventions for EC2 instances. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEc2NamingPattern - value: '' +- key: awsEc2NamingPattern + value: "" policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ok' - WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ec2 naming pattern not defined' - WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN instance_id || ' name is followed by your organization naming pattern' - ELSE instance_id || ' name is not followed by your organization naming pattern' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ok' + WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ec2 naming pattern not defined' + WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN instance_id || ' name is followed by your organization naming pattern' + ELSE instance_id || ' name is not followed by your organization naming pattern' + END AS reason, + region, + account_id + FROM + aws_ec2_instance severity: low tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Missing Tags - score_service_name: - - AWS EC2 - score_tags: - - Missing Tags + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Missing Tags + score_service_name: + - AWS EC2 + 
score_tags: + - Missing Tags diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml index 37eefcc3f..414ce0d15 100644 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml @@ -1,36 +1,37 @@ id: aws_ec2_instance_not_in_public_subnet title: EC2 Instance Not In Public Subnet +type: control description: Ensure that no backend EC2 instances are provisioned in public subnets. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN public_ip_address IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' - ELSE instance_id || ' publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance; + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN public_ip_address IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN public_ip_address IS NULL THEN instance_id || ' not publicly accessible.' + ELSE instance_id || ' publicly accessible.' + END AS reason, + region, + account_id + FROM + aws_ec2_instance; severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints 
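Review bot: When an instance has no `Name` tag, `tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}'` is NULL and the row falls through to the `ELSE` branch, so the finding reads `' name is not followed by your organization naming pattern'` although there is no name at all; a dedicated branch `WHEN tags ->> 'Name' IS NULL THEN 'alarm'` with reason `instance_id || ' has no Name tag'` makes that case actionable. The pattern is also a raw `LIKE` operand, so operators need to know that `%` and `_` are wildcards and that a pattern without `%` is an exact match; a one-line comment on the parameter saying so would prevent a silent misconfiguration.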
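Review bot: The title and description of `aws_ec2_instance_not_in_public_subnet.yaml` talk about public subnets, but the query only tests `public_ip_address IS NULL`; an instance in a subnet whose route table points at an internet gateway but which has no public address passes, and an instance with a public address in a private subnet fails. The query is byte-identical to `aws_disable_public_ip_address_assignment_for_ec2_instances.yaml` earlier on this page, so as written the two controls double-count the same finding. Either join the instance's `subnet_id` to its subnet's route table and look for a route whose gateway is an internet gateway (if the platform exposes route-table data), or retitle this control to what it actually checks.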
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml index 848c190e2..a77cf1c67 100644 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml @@ -1,32 +1,33 @@ id: aws_ec2_instance_termination_protection title: EC2 Instance Termination Protection +type: control description: Ensure termination protection safety feature is enabled for EC2 instances that aren't part of ASGs integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN disable_api_termination = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN disable_api_termination = 'false' THEN instance_id || ' Termination Protection safety feature is not enabled' - ELSE instance_id || ' Termination Protection safety feature is enabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN disable_api_termination = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN disable_api_termination = 'false' THEN instance_id || ' Termination Protection safety feature is not enabled' + ELSE instance_id || ' Termination Protection safety feature is enabled.' + END AS reason, + region, + account_id + FROM + aws_ec2_instance severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - score_service_name: - - AWS EC2 + platform_score_cloud_service_name: + - AWS EC2 + score_service_name: + - AWS EC2 
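Review bot: The description excludes instances that are part of Auto Scaling groups, but the query has no such filter, so every ASG member (where termination protection is normally left off by design) raises an alarm; the AWS-managed tag `aws:autoscaling:groupName` identifies them, e.g. `WHEN tags ->> 'aws:autoscaling:groupName' IS NOT NULL THEN 'skip'` as the first branch. `disable_api_termination = 'false'` also routes a NULL value to 'ok'; if the attribute can be absent, `WHEN COALESCE(disable_api_termination, FALSE) = FALSE THEN 'alarm'` (or `IS NOT TRUE`, if the column is boolean) treats unknown as unprotected. The alarm reason also lacks the trailing period the ok reason has.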
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml
index daae648a6..cbe1dc94d 100644
--- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml
@@ -1,36 +1,37 @@ id: aws_ec2_instance_too_old title: EC2 Instance Too Old +type: control description: Ensure EC2 instances aren't too old. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_instance - definition: | - SELECT - instance_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN now() - (platform_resource_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - (platform_resource_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN instance_id || ' needs to be restarted' - ELSE instance_id || ' launch time was not much time ago' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + language: sql + primary_resource: aws_ec2_instance + definition: | + SELECT + instance_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN now() - (platform_resource_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN now() - (platform_resource_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN instance_id || ' needs to be restarted' + ELSE instance_id || ' launch time was not much time ago' + END AS reason, + region, + account_id + FROM + aws_ec2_instance severity: high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Under Utilization - score_service_name: - - AWS EC2 - score_tags: - - Under Utilization + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Under Utilization + score_service_name: + - AWS EC2 + score_tags: + - Under Utilization 
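Review bot: The age threshold is hard-coded as `'180 days'::interval` in both CASE branches while the sibling AMI-age control takes it from a `parameters` entry (`awsEbsAmiAgeMaxDays`); an `awsEc2InstanceAgeMaxDays` parameter with `value: "180"` would make this consistent and tunable without editing SQL. Pulling the launch time out of `platform_resource_description -> 'Instance' ->> 'LaunchTime'` and casting with `::timestamp` drops the zone marker of the API timestamp, so the comparison against `now()` depends on the session time zone; if the table exposes a typed `launch_time` column, prefer it, otherwise cast to `timestamptz`. `' needs to be restarted'` also misstates the finding — the control measures age, not a need for a restart.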
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml
index 003905cc4..7c6bbacf3 100644
--- a/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml
@@ -1,49 +1,50 @@
 id: aws_ec2_instances_with_multiple_elastic_network_interfaces
 title: EC2 Instances with Multiple Elastic Network Interfaces
+type: control
 description: Ensure that Amazon EC2 instances are not using multiple ENIs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_instance
- definition: |
- WITH instance_nis AS (
- SELECT
- i.instance_id,
- COUNT(ni)
- FROM
- aws_ec2_instance AS i,
- JSONB_ARRAY_ELEMENTS(network_interfaces) AS ni
- WHERE
- ni -> 'Attachment' ->> 'Status' = 'attached'
- GROUP BY
- i.instance_id
- )
-
- SELECT
- i.instance_id AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN nis.count > 1 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN nis.count > 1 THEN i.instance_id || ' Has more than one network interfaces.'
- ELSE i.instance_id || ' Has more than one network interfaces.'
- END AS reason,
- region,
- account_id
- FROM
- aws_ec2_instance AS i
- LEFT JOIN
- instance_nis AS nis
- ON
- i.instance_id = nis.instance_id
+ language: sql
+ primary_resource: aws_ec2_instance
+ definition: |
+ WITH instance_nis AS (
+ SELECT
+ i.instance_id,
+ COUNT(ni)
+ FROM
+ aws_ec2_instance AS i,
+ JSONB_ARRAY_ELEMENTS(network_interfaces) AS ni
+ WHERE
+ ni -> 'Attachment' ->> 'Status' = 'attached'
+ GROUP BY
+ i.instance_id
+ )
+
+ SELECT
+ i.instance_id AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN nis.count > 1 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN nis.count > 1 THEN i.instance_id || ' Has more than one network interfaces.'
+ ELSE i.instance_id || ' Has more than one network interfaces.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_instance AS i
+ LEFT JOIN
+ instance_nis AS nis
+ ON
+ i.instance_id = nis.instance_id
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- score_service_name:
- - AWS EC2
+ platform_score_cloud_service_name:
+ - AWS EC2
+ score_service_name:
+ - AWS EC2
diff --git a/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml b/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml
index 58dc5a12b..ee655842c 100644
--- a/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml
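Review bot: Both branches of the reason CASE emit the same text `' Has more than one network interfaces.'`, so an instance that passes the control is reported with the failure message; the ELSE branch should read `ELSE i.instance_id || ' does not have more than one network interface.'`. Instances with no row in instance_nis get a NULL `nis.count` and fall through to 'ok', which looks intended for instances without an attached ENI, but a one-line comment above the CTE such as `-- instances with no attached ENI have no row here and are reported ok` would save the next reader the check.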
@@ -1,36 +1,37 @@
 id: aws_publicly_shared_ami
 title: Publicly Shared AMI
+type: control
 description: Ensure AMIs aren't publicly shared to avoid exposing sensitive data.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_ami
- definition: |
- SELECT
- title AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN public THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN public THEN title || ' publicly accessible.'
- ELSE title || ' not publicly accessible.'
- END AS reason,
- region,
- account_id
- FROM
- aws_ec2_ami;
+ language: sql
+ primary_resource: aws_ec2_ami
+ definition: |
+ SELECT
+ title AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN public THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN public THEN title || ' publicly accessible.'
+ ELSE title || ' not publicly accessible.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_ami;
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml b/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml
index 5889e9d67..816aca956 100644
--- a/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml
@@ -1,36 +1,37 @@
 id: aws_require_imdsv2_for_ec2_instances
 title: Require IMDSv2 for EC2 Instances
+type: control
 description: Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_instance
- definition: |
- SELECT
- arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
- ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
- END AS reason,
- region,
- account_id
- FROM
- aws_ec2_instance;
+ language: sql
+ primary_resource: aws_ec2_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN metadata_options ->> 'HttpTokens' = 'optional' THEN title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'
+ ELSE title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_instance;
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
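Review bot: `metadata_options ->> 'HttpTokens' = 'optional'` only alarms on that exact value; when `metadata_options` is NULL or has no HttpTokens key the comparison is NULL and both CASE expressions fall through to 'ok', so an instance with no metadata options recorded is reported as enforcing IMDSv2. Inverting the test closes that gap in both places: `WHEN COALESCE(metadata_options ->> 'HttpTokens', '') <> 'required' THEN 'alarm'`. If an instance with the metadata endpoint disabled (`HttpEndpoint` = 'disabled') should not alarm, that needs its own branch; the hunk does not show whether the source rows carry that field.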
diff --git a/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml b/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml
index 28c3a3fc3..42337026f 100644
--- a/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml
@@ -1,47 +1,48 @@
 id: aws_security_group_name_prefixed_with_launch_wizard
 title: Security Group Name Prefixed With 'launch-wizard'
+type: control
 description: Ensure no security group name is prefixed with 'launch-wizard'.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_instance
- definition: |
- WITH launch_wizard_sg_attached_instance AS (
- SELECT
- DISTINCT arn AS arn
- FROM
- aws_ec2_instance,
- jsonb_array_elements(security_groups) AS sg
- WHERE
- sg ->> 'GroupName' LIKE 'launch-wizard%'
- )
- SELECT
- i.arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN sg.arn IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN sg.arn IS NULL THEN i.title || ' not associated with launch-wizard security group.'
- ELSE i.title || ' associated with launch-wizard security group.'
- END AS reason,
- i.region,
- i.account_id
- FROM
- aws_ec2_instance AS i
- LEFT JOIN launch_wizard_sg_attached_instance AS sg
- ON i.arn = sg.arn;
+ language: sql
+ primary_resource: aws_ec2_instance
+ definition: |
+ WITH launch_wizard_sg_attached_instance AS (
+ SELECT
+ DISTINCT arn AS arn
+ FROM
+ aws_ec2_instance,
+ jsonb_array_elements(security_groups) AS sg
+ WHERE
+ sg ->> 'GroupName' LIKE 'launch-wizard%'
+ )
+ SELECT
+ i.arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN sg.arn IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN sg.arn IS NULL THEN i.title || ' not associated with launch-wizard security group.'
+ ELSE i.title || ' associated with launch-wizard security group.'
+ END AS reason,
+ i.region,
+ i.account_id
+ FROM
+ aws_ec2_instance AS i
+ LEFT JOIN launch_wizard_sg_attached_instance AS sg
+ ON i.arn = sg.arn;
 severity: low
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml b/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml
index 3b65b2f0c..c5779d282 100644
--- a/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml
@@ -1,48 +1,49 @@
 id: aws_security_group_port_range
 title: Security Group Port Range
+type: control
 description: Ensure no security group opens range of ports.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- WITH ingress_sg AS (
- SELECT
- group_id
- FROM
- aws_vpc_security_group_rule
- WHERE
- from_port = from_port
- AND NOT is_egress
- GROUP BY
- group_id
- )
- SELECT
- sg.group_id AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN isg.group_id IS NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN isg.group_id IS NULL THEN sg.group_id || ' does not allow unrestricted FTP access'
- ELSE sg.group_id || ' allows unrestricted FTP access'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group AS sg
- LEFT JOIN ingress_sg AS isg ON sg.group_id = isg.group_id
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ WITH ingress_sg AS (
+ SELECT
+ group_id
+ FROM
+ aws_vpc_security_group_rule
+ WHERE
+ from_port = from_port
+ AND NOT is_egress
+ GROUP BY
+ group_id
+ )
+ SELECT
+ sg.group_id AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN isg.group_id IS NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN isg.group_id IS NULL THEN sg.group_id || ' does not allow unrestricted FTP access'
+ ELSE sg.group_id || ' allows unrestricted FTP access'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group AS sg
+ LEFT JOIN ingress_sg AS isg ON sg.group_id = isg.group_id
 severity: very high
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
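Review bot: The CTE predicate `from_port = from_port` is a tautology (true for every ingress rule with a non-NULL from_port), so any security group that has at least one ingress rule lands in ingress_sg and is reported 'alarm' with severity "very high", and the control never actually tests for a port range as its description says. The intended condition is presumably `from_port <> to_port` (or `to_port > from_port`); whether rules with NULL ports should count needs a deliberate decision rather than the current accidental one. The reason strings `' does not allow unrestricted FTP access'` / `' allows unrestricted FTP access'` are copied from another control and describe the wrong check; something like `' does not open a range of ingress ports'` / `' opens a range of ingress ports'` would match this one.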
diff --git a/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml b/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml
index da56f8c4d..b7b42b8ad 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml
@@ -1,40 +1,41 @@
 id: aws_unassociated_elastic_ip_addresses
 title: Unassociated Elastic IP Addresses
+type: control
 description: Identify unassociated Elastic IP addresses, and delete them to help lower the cost of your monthly AWS bill.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_vpc_eip
- definition: |
- SELECT
- 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id AS resource,
- platform_integration_id,
- platform_resource_id,
- CASE
- WHEN association_id IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN association_id IS NULL THEN title || ' is not associated with any resource.'
- ELSE title || ' is associated with a resource.'
- END AS reason,
- CASE
- WHEN association_id IS NULL THEN '3.6'::float
- ELSE '0'::float
- END AS cost_optimization,
- region,
- account_id
- FROM
- aws_vpc_eip;
+ language: sql
+ primary_resource: aws_vpc_eip
+ definition: |
+ SELECT
+ 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id AS resource,
+ platform_integration_id,
+ platform_resource_id,
+ CASE
+ WHEN association_id IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN association_id IS NULL THEN title || ' is not associated with any resource.'
+ ELSE title || ' is associated with a resource.'
+ END AS reason,
+ CASE
+ WHEN association_id IS NULL THEN '3.6'::float
+ ELSE '0'::float
+ END AS cost_optimization,
+ region,
+ account_id
+ FROM
+ aws_vpc_eip;
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Orphaned Resources
- score_service_name:
- - AWS EC2
- score_tags:
- - Orphaned Resources
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Orphaned Resources
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Orphaned Resources
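Review bot: The `'3.6'::float` in the cost_optimization CASE is an undocumented magic number: nothing in the hunk says what it represents (a monthly charge? which currency?) or where the figure comes from, so nobody can tell when it has gone stale. A comment above that CASE such as `-- 3.6 = assumed monthly cost of one idle EIP; unit and source: TODO confirm` would fix that, and exposing it through the currently empty `parameters` list instead of a literal would let deployments adjust it. Casting string literals (`'3.6'::float`, `'0'::float`) is also odd style when the numeric literals `3.6` and `0.0` express the same values directly.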
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml
index 54b1b296d..5ff598a13 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml
@@ -1,59 +1,60 @@
 id: aws_unrestricted_cifs_access
 title: Unrestricted CIFS Access
+type: control
 description: Ensure no security group allows unrestricted inbound access to UDP port 445 (CIFS).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsCifsTrustedIpRange
- value: ''
+- key: awsCifsTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsCifsTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'FromPort') = '445')
- AND ((p ->> 'ToPort') = '445')
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsCifsTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'FromPort') = '445')
- AND ((p ->> 'ToPort') = '445')
- ) THEN group_name || ' has Unrestricted CIFS Access'
- ELSE group_name || ' CIFS Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p
- WHERE ((p ->> 'FromPort') = '445')
- AND ((p ->> 'ToPort') = '445')
- )
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsCifsTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'FromPort') = '445')
+ AND ((p ->> 'ToPort') = '445')
+ ) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsCifsTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'FromPort') = '445')
+ AND ((p ->> 'ToPort') = '445')
+ ) THEN group_name || ' has Unrestricted CIFS Access'
+ ELSE group_name || ' CIFS Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p
+ WHERE ((p ->> 'FromPort') = '445')
+ AND ((p ->> 'ToPort') = '445')
+ )
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml
index 1c64c1b29..be5688d00 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml
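Review bot: The trusted-range test `'{{.awsCifsTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'` is a substring match, not CIDR membership: with the default `""` every IpRanges entry on port 445 alarms whether or not it is 0.0.0.0/0, and with a list containing 10.0.0.0/8 a rule for 0.0.0.0/8 is accepted as trusted because it is a substring of that entry. Splitting the list and comparing whole entries avoids both problems, e.g. `WHERE (r ->> 'CidrIp') <> ALL (string_to_array('{{.awsCifsTrustedIpRange}}', ','))`, ideally with the open-to-world CIDRs tested explicitly so the result matches the control's title. The parameter is rendered into a SQL string literal by the template rather than bound, so a value containing a quote breaks or alters the query; validating it as a comma-separated list of CIDRs before rendering (or binding it) is the defensive fix. Only `IpRanges` is inspected, so an `Ipv6Ranges` entry of ::/0 is never seen, the exact `FromPort`/`ToPort` = '445' tests miss rules whose range spans 445 or all-traffic rules without ports, and the description's "UDP" is never checked against `IpProtocol`. The same pattern appears in the icmp, mongodb, mssql, mysql and netbios hunks below.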
@@ -1,52 +1,53 @@
 id: aws_unrestricted_icmp_access
 title: Unrestricted ICMP Access
+type: control
 description: Ensure no security group allows unrestricted inbound access to ICMP.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsIcmpTrustedIpRange
- value: ''
+- key: awsIcmpTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsIcmpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'IpProtocol') = 'icmp')
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsIcmpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'IpProtocol') = 'icmp')
- ) THEN group_name || ' has Unrestricted ICMP Access'
- ELSE group_name || ' ICMP Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p WHERE (p ->> 'IpProtocol') = 'icmp')
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsIcmpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'IpProtocol') = 'icmp')
+ ) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsIcmpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'IpProtocol') = 'icmp')
+ ) THEN group_name || ' has Unrestricted ICMP Access'
+ ELSE group_name || ' ICMP Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p WHERE (p ->> 'IpProtocol') = 'icmp')
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml
index 44bfb31ee..2d0d746dc 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml
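Review bot: The protocol filter `(p ->> 'IpProtocol') = 'icmp'`, used in both CASE expressions and the outer WHERE, does not match rules whose IpProtocol is 'icmpv6' or the all-traffic value '-1', both of which also admit ICMP; if those are meant to be in scope the three occurrences should become `(p ->> 'IpProtocol') IN ('icmp', 'icmpv6', '-1')`. If excluding them is deliberate, a one-line comment in the definition stating that only IPv4 ICMP rules are assessed would keep the next reader from "fixing" it.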
@@ -1,59 +1,60 @@
 id: aws_unrestricted_mongodb_access
 title: Unrestricted MongoDB Access
+type: control
 description: Ensure no security group allows unrestricted ingress access to MongoDB port 27017
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsMongodbTrustedIpRange
- value: ''
+- key: awsMongodbTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsMongodbTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') = '27017'
- AND (p ->> 'ToPort') = '27017'
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsMongodbTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') = '27017'
- AND (p ->> 'ToPort') = '27017'
- ) THEN group_name || ' has Unrestricted MongoDb Access'
- ELSE group_name || ' MongoDb Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p
- WHERE (p ->> 'FromPort') = '27017'
- AND (p ->> 'ToPort') = '27017'
- )
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsMongodbTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') = '27017'
+ AND (p ->> 'ToPort') = '27017'
+ ) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsMongodbTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') = '27017'
+ AND (p ->> 'ToPort') = '27017'
+ ) THEN group_name || ' has Unrestricted MongoDb Access'
+ ELSE group_name || ' MongoDb Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p
+ WHERE (p ->> 'FromPort') = '27017'
+ AND (p ->> 'ToPort') = '27017'
+ )
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml
index fe5469cc5..b033fc26b 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml
@@ -1,59 +1,60 @@
 id: aws_unrestricted_mssql_access
 title: Unrestricted MsSQL Access
+type: control
 description: Ensure no security group allows unrestricted ingress access to port 1433.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsMssqlTrustedIpRange
- value: ''
+- key: awsMssqlTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsMssqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') = '1433'
- AND (p ->> 'ToPort') = '1433'
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsMssqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') = '1433'
- AND (p ->> 'ToPort') = '1433'
- ) THEN group_name || ' has Unrestricted MsSQL Access'
- ELSE group_name || ' MsSQL Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p
- WHERE (p ->> 'FromPort') = '1433'
- AND (p ->> 'ToPort') = '1433'
- )
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsMssqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') = '1433'
+ AND (p ->> 'ToPort') = '1433'
+ ) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsMssqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') = '1433'
+ AND (p ->> 'ToPort') = '1433'
+ ) THEN group_name || ' has Unrestricted MsSQL Access'
+ ELSE group_name || ' MsSQL Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p
+ WHERE (p ->> 'FromPort') = '1433'
+ AND (p ->> 'ToPort') = '1433'
+ )
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml
index c8ea45810..6dc2e6850 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml
@@ -1,61 +1,62 @@
 id: aws_unrestricted_mysql_access
 title: Unrestricted MySQL Access
+type: control
 description: Ensure no security group allows unrestricted ingress access to port 3306.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsMysqlTrustedIpRange
- value: ''
+- key: awsMysqlTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsMysqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'FromPort') = '3306')
- AND ((p ->> 'ToPort') = '3306')
- )
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE ('{{.awsMysqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
- AND ((p ->> 'FromPort') = '3306')
- AND ((p ->> 'ToPort') = '3306')
- )
- THEN group_name || ' has Unrestricted MySQL Access'
- ELSE group_name || ' MySQL Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p
- WHERE ((p ->> 'FromPort') = '3306')
- AND ((p ->> 'ToPort') = '3306')
- )
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsMysqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'FromPort') = '3306')
+ AND ((p ->> 'ToPort') = '3306')
+ )
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE ('{{.awsMysqlTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%')
+ AND ((p ->> 'FromPort') = '3306')
+ AND ((p ->> 'ToPort') = '3306')
+ )
+ THEN group_name || ' has Unrestricted MySQL Access'
+ ELSE group_name || ' MySQL Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p
+ WHERE ((p ->> 'FromPort') = '3306')
+ AND ((p ->> 'ToPort') = '3306')
+ )
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml
index d831abace..4bdeee615 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml
@@ -1,59 +1,60 @@
 id: aws_unrestricted_netbios_access
 title: Unrestricted NetBIOS Access
+type: control
 description: Ensure no security group allows unrestricted inbound access to port UDP/137, UDP/138, and TPC/139 (NetBIOS).
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters:
- - key: awsNetBiosTrustedIpRange
- value: ''
+- key: awsNetBiosTrustedIpRange
+ value: ""
 policy:
- language: sql
- primary_resource: aws_vpc_security_group
- definition: |
- SELECT
- group_name AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsNetBiosTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') IN ('137', '138', '139')
- AND (p ->> 'ToPort') IN ('137', '138', '139')
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p,
- jsonb_array_elements(p -> 'IpRanges') AS r
- WHERE '{{.awsNetBiosTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
- AND (p ->> 'FromPort') IN ('137', '138', '139')
- AND (p ->> 'ToPort') IN ('137', '138', '139')
- ) THEN group_name || ' has Unrestricted NetBIOS Access'
- ELSE group_name || ' NetBIOS Access is secure'
- END AS reason,
- region,
- account_id
- FROM
- aws_vpc_security_group
- WHERE
- EXISTS (
- SELECT 1
- FROM jsonb_array_elements(ip_permissions) AS p
- WHERE (p ->> 'FromPort') IN ('137', '138', '139')
- AND (p ->> 'ToPort') IN ('137', '138', '139')
- )
+ language: sql
+ primary_resource: aws_vpc_security_group
+ definition: |
+ SELECT
+ group_name AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsNetBiosTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') IN ('137', '138', '139')
+ AND (p ->> 'ToPort') IN ('137', '138', '139')
+ ) THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p,
+ jsonb_array_elements(p -> 'IpRanges') AS r
+ WHERE '{{.awsNetBiosTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%'
+ AND (p ->> 'FromPort') IN ('137', '138', '139')
+ AND (p ->> 'ToPort') IN ('137', '138', '139')
+ ) THEN group_name || ' has Unrestricted NetBIOS Access'
+ ELSE group_name || ' NetBIOS Access is secure'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_vpc_security_group
+ WHERE
+ EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(ip_permissions) AS p
+ WHERE (p ->> 'FromPort') IN ('137', '138', '139')
+ AND (p ->> 'ToPort') IN ('137', '138', '139')
+ )
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS EC2
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS EC2
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS EC2
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS EC2
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml
index ecd624e3d..32d80a9ec 100644
--- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml
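Review bot: The description on the new side reads "TPC/139" where "TCP/139" is meant. It also distinguishes UDP/137-138 from TCP/139, yet the query never reads `IpProtocol`, so a rule for either protocol on any of the three ports is treated alike; if that is deliberate, a one-line comment in the definition such as `-- protocol is intentionally not checked; any rule on 137-139 is assessed` would keep the next reader from changing it, and if it is not, the port tests need an `IpProtocol` condition alongside them.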
@@ -1,59 +1,60 @@ id: aws_unrestricted_opensearch_access title: Unrestricted OpenSearch Access +type: control description: Ensure no security group allows unrestricted inbound access to TCP port 9200 (OpenSearch). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsOpensearchTrustedIpRange - value: '' +- key: awsOpensearchTrustedIpRange + value: "" policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE '{{.awsOpensearchTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' - AND (p ->> 'FromPort') = '9200' - AND (p ->> 'ToPort') = '9200' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE '{{.awsOpensearchTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' - AND (p ->> 'FromPort') = '9200' - AND (p ->> 'ToPort') = '9200' - ) THEN group_name || ' has Unrestricted OpenSearch Access' - ELSE group_name || ' OpenSearch Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE (p ->> 'FromPort') = '9200' - AND (p ->> 'ToPort') = '9200' - ) + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE '{{.awsOpensearchTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' + AND (p ->> 'FromPort') = '9200' + AND (p ->> 'ToPort') = '9200' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( 
+ SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE '{{.awsOpensearchTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' + AND (p ->> 'FromPort') = '9200' + AND (p ->> 'ToPort') = '9200' + ) THEN group_name || ' has Unrestricted OpenSearch Access' + ELSE group_name || ' OpenSearch Access is secure' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE (p ->> 'FromPort') = '9200' + AND (p ->> 'ToPort') = '9200' + ) severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml index 8a1cb522c..ed430eb63 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml 
@@ -1,59 +1,60 @@ id: aws_unrestricted_oracle_access title: Unrestricted Oracle Access +type: control description: Ensure no security group allows unrestricted ingress access to port 1521. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsOracleTrustedIpRange - value: '' +- key: awsOracleTrustedIpRange + value: "" policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE '{{.awsOracleTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' - AND (p ->> 'FromPort') = '1521' - AND (p ->> 'ToPort') = '1521' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE '{{.awsOracleTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' - AND (p ->> 'FromPort') = '1521' - AND (p ->> 'ToPort') = '1521' - ) THEN group_name || ' has Unrestricted Oracle Access' - ELSE group_name || ' Oracle Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE (p ->> 'FromPort') = '1521' - AND (p ->> 'ToPort') = '1521' - ) + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE '{{.awsOracleTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' + AND (p ->> 'FromPort') = '1521' + AND (p ->> 'ToPort') = '1521' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM 
jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE '{{.awsOracleTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%' + AND (p ->> 'FromPort') = '1521' + AND (p ->> 'ToPort') = '1521' + ) THEN group_name || ' has Unrestricted Oracle Access' + ELSE group_name || ' Oracle Access is secure' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE (p ->> 'FromPort') = '1521' + AND (p ->> 'ToPort') = '1521' + ) severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml index 6b260f4ba..4dbd06c6e 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml 
@@ -1,59 +1,60 @@ id: aws_unrestricted_rpc_access title: Unrestricted RPC Access +type: control description: Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsRpcTrustedIpRange - value: '' +- key: awsRpcTrustedIpRange + value: "" policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ('{{.awsRpcTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') - AND (p ->> 'FromPort') = '135' - AND (p ->> 'ToPort') = '135' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ('{{.awsRpcTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') - AND (p ->> 'FromPort') = '135' - AND (p ->> 'ToPort') = '135' - ) THEN group_name || ' has Unrestricted RPC Access' - ELSE group_name || ' RPC Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE (p ->> 'FromPort') = '135' - AND (p ->> 'ToPort') = '135' - ) + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ('{{.awsRpcTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') + AND (p ->> 'FromPort') = '135' + AND (p ->> 'ToPort') = '135' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + 
jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ('{{.awsRpcTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') + AND (p ->> 'FromPort') = '135' + AND (p ->> 'ToPort') = '135' + ) THEN group_name || ' has Unrestricted RPC Access' + ELSE group_name || ' RPC Access is secure' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE (p ->> 'FromPort') = '135' + AND (p ->> 'ToPort') = '135' + ) severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml index d0f33556b..adceee02a 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml 
@@ -1,46 +1,47 @@ id: aws_unrestricted_security_group_ingress_on_uncommon_ports title: Unrestricted Security Group Ingress on Uncommon Ports +type: control description: Ensure no security group contains any 0.0.0.0/0 ingress rules. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' OR (p ->> 'IpRanges' LIKE '%::/0%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' OR (p ->> 'IpRanges' LIKE '%::/0%')) - ) THEN group_name || ' has Unrestricted Access' - ELSE group_name || ' Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' OR (p ->> 'IpRanges' LIKE '%::/0%')) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' OR (p ->> 'IpRanges' LIKE '%::/0%')) + ) THEN group_name || ' has Unrestricted Access' + ELSE group_name || ' Access is secure' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - 
platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml index be2f35481..b7c48e27f 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml 
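Review bot: The IPv6 branch `(p ->> 'IpRanges' LIKE '%::/0%')` can never match, because an IPv6 range lives under `Ipv6Ranges`/`CidrIpv6` in the permission object, not under `IpRanges`; in addition the cross-joined `r` is never referenced, and because it is a CROSS JOIN a permission whose `IpRanges` array is empty (IPv6-only) produces no rows at all, so it is dropped before the WHERE runs. A containment test on each array avoids both problems: `FROM jsonb_array_elements(ip_permissions) AS p WHERE p -> 'IpRanges' @> '[{"CidrIp": "0.0.0.0/0"}]'::jsonb OR p -> 'Ipv6Ranges' @> '[{"CidrIpv6": "::/0"}]'::jsonb`. The title says "uncommon ports" but nothing in the query looks at `FromPort`/`ToPort`, so the control reports every world-open ingress rule on any port; either the title/description or the predicate should say which is intended. The EXISTS subquery is written twice, once for status and once for reason; computing it once in a CTE or LATERAL would keep the two from drifting apart.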
@@ -1,59 +1,60 @@ id: aws_unrestricted_smtp_access title: Unrestricted SMTP Access +type: control description: Ensure no security group allows unrestricted inbound access to TCP port 25 (SMTP). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsSmtpTrustedIpRange - value: '' +- key: awsSmtpTrustedIpRange + value: "" policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - SELECT - group_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ('{{.awsSmtpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') - AND ((p ->> 'FromPort') = '25') - AND ((p ->> 'ToPort') = '25') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p, - jsonb_array_elements(p -> 'IpRanges') AS r - WHERE ('{{.awsSmtpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') - AND ((p ->> 'FromPort') = '25') - AND ((p ->> 'ToPort') = '25') - ) THEN group_name || ' has Unrestricted SMTP Access' - ELSE group_name || ' SMTP Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - EXISTS ( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS p - WHERE ((p ->> 'FromPort') = '25') - AND ((p ->> 'ToPort') = '25') - ) + language: sql + primary_resource: aws_vpc_security_group + definition: | + SELECT + group_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ('{{.awsSmtpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') + AND ((p ->> 'FromPort') = '25') + AND ((p ->> 'ToPort') = '25') + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) 
AS p, + jsonb_array_elements(p -> 'IpRanges') AS r + WHERE ('{{.awsSmtpTrustedIpRange}}' NOT LIKE '%' || (r ->> 'CidrIp') || '%') + AND ((p ->> 'FromPort') = '25') + AND ((p ->> 'ToPort') = '25') + ) THEN group_name || ' has Unrestricted SMTP Access' + ELSE group_name || ' SMTP Access is secure' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group + WHERE + EXISTS ( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS p + WHERE ((p ->> 'FromPort') = '25') + AND ((p ->> 'ToPort') = '25') + ) severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml index 7711f4ded..e0306aebd 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml 
@@ -1,54 +1,55 @@ id: aws_unrestricted_ssh_access title: Unrestricted SSH Access +type: control description: Ensure no security groups allow ingress from 0.0.0.0/0 to port 22. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_security_group - definition: | - WITH ingress_sg AS ( - SELECT - group_id - FROM - aws_vpc_security_group_rule - WHERE - ( - cidr_ipv4 = '0.0.0.0/0' - OR cidr_ipv6 = '::/0' - ) - AND ip_protocol <> 'icmp' - AND from_port = 22 - AND to_port = 22 - AND NOT is_egress - GROUP BY - group_id + language: sql + primary_resource: aws_vpc_security_group + definition: | + WITH ingress_sg AS ( + SELECT + group_id + FROM + aws_vpc_security_group_rule + WHERE + ( + cidr_ipv4 = '0.0.0.0/0' + OR cidr_ipv6 = '::/0' ) - SELECT - sg.group_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN isg.group_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN isg.group_id IS NULL THEN sg.group_id || ' does not allow unrestricted SSH access' - ELSE sg.group_id || ' allows unrestricted SSH access' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group AS sg - LEFT JOIN ingress_sg AS isg ON sg.group_id = isg.group_id + AND ip_protocol <> 'icmp' + AND from_port = 22 + AND to_port = 22 + AND NOT is_egress + GROUP BY + group_id + ) + SELECT + sg.group_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN isg.group_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN isg.group_id IS NULL THEN sg.group_id || ' does not allow unrestricted SSH access' + ELSE sg.group_id || ' allows unrestricted SSH access' + END AS reason, + region, + account_id + FROM + aws_vpc_security_group AS sg + LEFT JOIN ingress_sg AS isg ON sg.group_id = isg.group_id severity: very high tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS EC2 - 
score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS EC2 + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml index d3a056887..117dcd2d5 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml 
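Review bot: The `from_port = 22 AND to_port = 22` predicate in the `ingress_sg` CTE catches only rules scoped to exactly port 22, so a world-open range rule that includes 22 (for example 0–65535) or an all-traffic rule is reported as "does not allow unrestricted SSH access"; an overlap test, `AND from_port <= 22 AND to_port >= 22`, with an `OR ip_protocol = '-1'` branch (if that is how all-traffic rules are stored in this table — confirm), would close the gap. This is the only control in this batch rated `very high`, so the false negative matters more here than in the port-specific controls above. The unqualified `platform_resource_id`, `platform_integration_id`, `region` and `account_id` in the outer SELECT are unambiguous today only because `ingress_sg` projects nothing but `group_id`; prefixing them with `sg.` keeps the query safe if the CTE grows.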
@@ -1,55 +1,56 @@ id: aws_unused_ami title: Unused AMI +type: control description: Identify unused Amazon Machine Images (AMI) to help lower the cost of your monthly AWS bill. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_ami - definition: | - WITH dlm_managed AS ( - SELECT - platform_resource_id - FROM - aws_ec2_ami - CROSS JOIN - jsonb_each(tags) - WHERE - (key LIKE 'aws:dlm%' OR key = 'dlm:managed') - LIMIT 1 - ) - SELECT - ami.name AS resource, - ami.platform_resource_id, - ami.platform_integration_id, - CASE - WHEN is_aws_backup_managed THEN 'skip' - WHEN ami.root_device_type <> 'ebs' THEN 'skip' - WHEN i.arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN is_aws_backup_managed THEN name || ' is managed by aws' - WHEN ami.root_device_type <> 'ebs' THEN name || ' is not stored in ebs' - WHEN i.arn IS NULL THEN ami.name || ' is unused.' - ELSE ami.name || ' is used.' - END AS reason, - ami.region, - ami.account_id - FROM - aws_ec2_ami AS ami - LEFT JOIN - aws_ec2_instance AS i ON ami.image_id = i.image_id - WHERE - NOT (EXISTS (SELECT * FROM dlm_managed dl WHERE dl.platform_resource_id = ami.platform_resource_id)) + language: sql + primary_resource: aws_ec2_ami + definition: | + WITH dlm_managed AS ( + SELECT + platform_resource_id + FROM + aws_ec2_ami + CROSS JOIN + jsonb_each(tags) + WHERE + (key LIKE 'aws:dlm%' OR key = 'dlm:managed') + LIMIT 1 + ) + SELECT + ami.name AS resource, + ami.platform_resource_id, + ami.platform_integration_id, + CASE + WHEN is_aws_backup_managed THEN 'skip' + WHEN ami.root_device_type <> 'ebs' THEN 'skip' + WHEN i.arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN is_aws_backup_managed THEN name || ' is managed by aws' + WHEN ami.root_device_type <> 'ebs' THEN name || ' is not stored in ebs' + WHEN i.arn IS NULL THEN ami.name || ' is unused.' + ELSE ami.name || ' is used.' 
+ END AS reason, + ami.region, + ami.account_id + FROM + aws_ec2_ami AS ami + LEFT JOIN + aws_ec2_instance AS i ON ami.image_id = i.image_id + WHERE + NOT (EXISTS (SELECT * FROM dlm_managed dl WHERE dl.platform_resource_id = ami.platform_resource_id)) severity: low tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Orphaned Resources - score_service_name: - - AWS EC2 - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Orphaned Resources + score_service_name: + - AWS EC2 + score_tags: + - Orphaned Resources diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml index 3661c2ce7..2d7265390 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml 
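Review bot: `LIMIT 1` in the `dlm_managed` CTE caps the exclusion list at a single AMI, so when more than one image carries an `aws:dlm*` or `dlm:managed` tag all but one of them are evaluated and reported as unused; dropping the `LIMIT 1` and selecting `DISTINCT platform_resource_id` (since `jsonb_each(tags)` yields one row per matching tag) makes the outer `NOT EXISTS` do what it is meant to. The `LEFT JOIN aws_ec2_instance AS i ON ami.image_id = i.image_id` also returns one row per instance launched from the image, so a used AMI is reported repeatedly; `EXISTS (SELECT 1 FROM aws_ec2_instance AS i WHERE i.image_id = ami.image_id)` inside the CASE avoids the fan-out. `is_aws_backup_managed` and `name` are left unqualified in a two-table join; if `aws_ec2_instance` ever exposes a column of either name the query fails with an ambiguity error, so `ami.` prefixes are cheap insurance.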
@@ -1,37 +1,38 @@ id: aws_unused_aws_ec2_key_pairs title: Unused AWS EC2 Key Pairs +type: control description: Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_key_pair - definition: | - SELECT - k.key_name AS resource, - k.platform_resource_id, - k.platform_integration_id, - CASE - WHEN i.arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN i.arn IS NULL THEN k.key_name || ' is unused.' - ELSE k.key_name || ' is used.' - END AS reason, - k.region, - k.account_id - FROM - aws_ec2_key_pair AS k - LEFT JOIN aws_ec2_instance AS i ON k.key_name = i.key_name + language: sql + primary_resource: aws_ec2_key_pair + definition: | + SELECT + k.key_name AS resource, + k.platform_resource_id, + k.platform_integration_id, + CASE + WHEN i.arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN i.arn IS NULL THEN k.key_name || ' is unused.' + ELSE k.key_name || ' is used.' + END AS reason, + k.region, + k.account_id + FROM + aws_ec2_key_pair AS k + LEFT JOIN aws_ec2_instance AS i ON k.key_name = i.key_name severity: medium tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Missing Tags - score_service_name: - - AWS EC2 - score_tags: - - Missing Tags + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Missing Tags + score_service_name: + - AWS EC2 + score_tags: + - Missing Tags diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml index de9063c95..4560395a0 100644 --- a/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml 
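Review bot: The `LEFT JOIN aws_ec2_instance AS i ON k.key_name = i.key_name` multiplies each in-use key pair by the number of instances that use it, so a key attached to twenty instances yields twenty identical 'ok' rows for one resource; a correlated test, `CASE WHEN NOT EXISTS (SELECT 1 FROM aws_ec2_instance AS i WHERE i.key_name = k.key_name) THEN 'alarm' ELSE 'ok' END`, keeps one row per key pair. The match is on `key_name` alone, so an instance in another account or region that happens to use the same key name counts as usage; adding `AND i.account_id = k.account_id AND i.region = k.region` scopes it (assuming `aws_ec2_instance` exposes those columns as the key-pair table does). The `Missing Tags` use-case tag does not describe an unused-key-pair control; `Orphaned Resources`, as used by the AMI control in this batch, looks like what was intended.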
@@ -1,36 +1,37 @@ id: aws_unused_elastic_network_interfaces title: Unused Elastic Network Interfaces +type: control description: Identify and delete any unused Elastic Network Interfaces integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_network_interface - definition: | - SELECT - network_interface_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN status = 'available' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'available' THEN network_interface_id || ' is unused and can be safely removed' - ELSE network_interface_id || ' is used.' - END AS reason, - region, - account_id - FROM - aws_ec2_network_interface + language: sql + primary_resource: aws_ec2_network_interface + definition: | + SELECT + network_interface_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN status = 'available' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN status = 'available' THEN network_interface_id || ' is unused and can be safely removed' + ELSE network_interface_id || ' is used.' + END AS reason, + region, + account_id + FROM + aws_ec2_network_interface severity: low tags: - platform_score_cloud_service_name: - - AWS EC2 - platform_score_use_case: - - Under Utilization - score_service_name: - - AWS EC2 - score_tags: - - Under Utilization + platform_score_cloud_service_name: + - AWS EC2 + platform_score_use_case: + - Under Utilization + score_service_name: + - AWS EC2 + score_tags: + - Under Utilization diff --git a/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml b/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml index 9ba128d6c..433de7eaa 100644 --- a/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml 
@@ -1,42 +1,43 @@ id: aws_ecr_repository_exposed title: ECR Repository Exposed +type: control description: Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - repository_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy_std -> 'Statement') AS p - WHERE p ->> 'Effect' = 'Allow' - AND p ->> 'Principal' = '*' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy_std -> 'Statement') AS p - WHERE p ->> 'Effect' = 'Allow' - AND p ->> 'Principal' = '*' - ) THEN repository_name || ' repository is exposed to everyone.' - ELSE repository_name || ' repository is not exposed to everyone.' - END AS reason, - region, - account_id - FROM - aws_ecr_repository + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + repository_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy_std -> 'Statement') AS p + WHERE p ->> 'Effect' = 'Allow' + AND p ->> 'Principal' = '*' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy_std -> 'Statement') AS p + WHERE p ->> 'Effect' = 'Allow' + AND p ->> 'Principal' = '*' + ) THEN repository_name || ' repository is exposed to everyone.' + ELSE repository_name || ' repository is not exposed to everyone.' 
+ END AS reason, + region, + account_id + FROM + aws_ecr_repository severity: high tags: - platform_score_cloud_service_name: - - Elastic Container Registry (ECR) - score_service_name: - - Elastic Container Registry (ECR) + platform_score_cloud_service_name: + - Elastic Container Registry (ECR) + score_service_name: + - Elastic Container Registry (ECR) diff --git a/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml b/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml index e102f2ca5..94923118b 100644 --- a/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml 
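Review bot: `p ->> 'Principal' = '*'` matches only when the statement's Principal is the bare string `*`; if `policy_std` normalizes principals into object form (`{"AWS": ["*"]}`), as Steampipe-style standardized policy columns do — confirm for this platform — the predicate never matches and every repository is reported "not exposed". A check that accepts both shapes, `AND (p ->> 'Principal' = '*' OR p -> 'Principal' -> 'AWS' ? '*')`, is safe either way. The statement's `Condition` is ignored, so an `Allow` to `*` narrowed by `aws:PrincipalOrgID` or a source-VPC condition is flagged as exposed to everyone; `AND p -> 'Condition' IS NULL` (or reporting conditioned statements as 'info') separates the two cases. As elsewhere in this batch the EXISTS subquery is repeated verbatim for status and reason.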
@@ -1,46 +1,47 @@ id: aws_enable_cross_region_replication title: Enable Cross-Region Replication +type: control description: Ensure that Cross-Region Replication feature is enabled for your Amazon ECR container images. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_registry - definition: | - SELECT - account_id || ' backup region setting in ' || region AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN rules::text = '[]' THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(rules) AS r, - jsonb_array_elements(r -> 'Destinations') AS d - WHERE - d ->> 'RegistryId' = registry_id - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN rules::text = '[]' THEN 'Cross-Region Replication feature is not enabled' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(rules) AS r, - jsonb_array_elements(r -> 'Destinations') AS d - WHERE - d ->> 'RegistryId' = registry_id - ) THEN 'Cross-Region Replication feature is enabled' - ELSE 'Cross-Region Replication feature is not enabled' - END AS reason, - region, - account_id - FROM - aws_ecr_registry + language: sql + primary_resource: aws_ecr_registry + definition: | + SELECT + account_id || ' backup region setting in ' || region AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN rules::text = '[]' THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(rules) AS r, + jsonb_array_elements(r -> 'Destinations') AS d + WHERE + d ->> 'RegistryId' = registry_id + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN rules::text = '[]' THEN 'Cross-Region Replication feature is not enabled' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(rules) AS r, + jsonb_array_elements(r -> 'Destinations') AS d + WHERE + d ->> 'RegistryId' = registry_id + ) THEN 'Cross-Region Replication feature is enabled' + ELSE 'Cross-Region Replication feature is not enabled' + END AS 
reason, + region, + account_id + FROM + aws_ecr_registry severity: medium tags: - platform_score_cloud_service_name: - - Elastic Container Registry (ECR) - score_service_name: - - Elastic Container Registry (ECR) + platform_score_cloud_service_name: + - Elastic Container Registry (ECR) + score_service_name: + - Elastic Container Registry (ECR) diff --git a/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml b/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml index b0a6a6ba8..7e41a35ed 100644 --- a/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml 
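Review bot: `d ->> 'RegistryId' = registry_id` accepts only destinations inside the same registry, so a replication rule whose destination is another account's registry is reported as "Cross-Region Replication feature is not enabled" even though images are replicated; if cross-account destinations are meant to be excluded the reason text should say so, otherwise comparing the destination's region with `region` is closer to what the title checks. `rules::text = '[]'` relies on jsonb's canonical text rendering; `jsonb_array_length(rules) = 0` states the intent directly, and a NULL `rules` (which currently falls through the first WHEN as UNKNOWN and lands on 'alarm' via the ELSE) deserves an explicit `WHEN rules IS NULL` branch so the outcome is documented rather than incidental. The EXISTS subquery is duplicated in the reason CASE.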
@@ -1,32 +1,33 @@ id: aws_enable_scan_on_push_for_ecr_container_images title: Enable Scan on Push for ECR Container Images +type: control description: Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - SELECT - repository_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN repository_name || ' container images are automatically scanned for vulnerabilities' - ELSE repository_name || ' container images are not automatically scanned for vulnerabilities' - END AS reason, - region, - account_id - FROM - aws_ecr_repository + language: sql + primary_resource: aws_ecr_repository + definition: | + SELECT + repository_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN image_scanning_configuration ->> 'ScanOnPush' = 'true' THEN repository_name || ' container images are automatically scanned for vulnerabilities' + ELSE repository_name || ' container images are not automatically scanned for vulnerabilities' + END AS reason, + region, + account_id + FROM + aws_ecr_repository severity: medium tags: - platform_score_cloud_service_name: - - Elastic Container Registry (ECR) - score_service_name: - - Elastic Container Registry (ECR) + platform_score_cloud_service_name: + - Elastic Container Registry (ECR) + score_service_name: + - Elastic Container Registry (ECR) 
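Review bot: `image_scanning_configuration ->> 'ScanOnPush' = 'true'` reads only the repository-level basic-scanning flag; a registry configured for enhanced scanning (registry scanning configuration backed by Amazon Inspector) scans pushed images under registry-level rules, and repositories covered that way would be raised here as false alarms — worth a `-- repository-level basic scanning only; enhanced (registry-level) scanning is not consulted` comment above the CASE, or a join to the registry scanning configuration if the platform exposes it (not visible from this file). A NULL `image_scanning_configuration` lands in the ELSE branch, which is the right outcome but is easy to "fix" by mistake; a `-- NULL config = not scanned` comment pins it.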
diff --git a/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml b/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml index 3730dc6be..b59a49937 100644 --- a/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml 
@@ -1,47 +1,48 @@ id: aws_lifecycle_policy_in_use title: Lifecycle Policy in Use +type: control description: Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecr_repository - definition: | - WITH repo_with_policy AS ( - SELECT - repository_name - FROM - aws_ecr_repository, - jsonb_array_elements(lifecycle_policy -> 'rules') AS r - WHERE - ( - (r -> 'selection' ->> 'tagStatus' = 'untagged') - AND (r -> 'selection' ->> 'countType' = 'sinceImagePushed') - ) + language: sql + primary_resource: aws_ecr_repository + definition: | + WITH repo_with_policy AS ( + SELECT + repository_name + FROM + aws_ecr_repository, + jsonb_array_elements(lifecycle_policy -> 'rules') AS r + WHERE + ( + (r -> 'selection' ->> 'tagStatus' = 'untagged') + AND (r -> 'selection' ->> 'countType' = 'sinceImagePushed') ) - - SELECT - r.repository_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN p.repository_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN p.repository_name IS NOT NULL THEN r.repository_name || ' associated lifecycle policy is configured to remove untagged and old images' - ELSE r.repository_name || ' associated lifecycle policy is not configured to remove untagged and old images' - END AS reason, - region, - account_id - FROM - aws_ecr_repository AS r - LEFT JOIN repo_with_policy AS p - ON r.repository_name = p.repository_name + ) + + SELECT + r.repository_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN p.repository_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN p.repository_name IS NOT NULL THEN r.repository_name || ' associated lifecycle policy is configured to remove untagged and old images' + ELSE r.repository_name || ' associated lifecycle policy is not configured to 
remove untagged and old images' + END AS reason, + region, + account_id + FROM + aws_ecr_repository AS r + LEFT JOIN repo_with_policy AS p + ON r.repository_name = p.repository_name severity: low tags: - platform_score_cloud_service_name: - - Elastic Container Registry (ECR) - score_service_name: - - Elastic Container Registry (ECR) + platform_score_cloud_service_name: + - Elastic Container Registry (ECR) + score_service_name: + - Elastic Container Registry (ECR) diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml index feacbdf5a..34f7a482d 100644 --- a/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml 
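Review bot: The `description` line of this control is copied from the scan-on-push control ("Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities…") and does not describe a lifecycle-policy check; it should read along the lines of `description: Ensure that each Amazon ECR repository has a lifecycle policy that expires untagged and old images.` Separately, `LEFT JOIN repo_with_policy AS p ON r.repository_name = p.repository_name` matches on name alone, while repository names are only unique within an account and region, so a correctly configured repository in one account can mark a same-named repository elsewhere as 'ok'; carry `account_id` and `region` through the CTE and join on all three. The unqualified `platform_resource_id`, `region` and `account_id` in the outer SELECT resolve to `r` only because the CTE does not expose those columns, which will break silently once it does.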
@@ -1,40 +1,41 @@ id: aws_check_for_amazon_ecs_service_placement_strategy title: Check for Amazon ECS Service Placement Strategy +type: control description: Ensure that your Amazon ECS cluster services are using optimal placement strategies. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_service - definition: | - SELECT - service_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (SELECT ARRAY_AGG(ps ->> 'Type') - FROM jsonb_array_elements(placement_strategy) AS ps) = ARRAY['spread', 'binpack'] - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (SELECT ARRAY_AGG(ps ->> 'Type') - FROM jsonb_array_elements(placement_strategy) AS ps) = ARRAY['spread', 'binpack'] - THEN 'task placement strategy is compliant' - ELSE 'task placement strategy is not compliant' - END AS reason, - region, - account_id - FROM - aws_ecs_service + language: sql + primary_resource: aws_ecs_service + definition: | + SELECT + service_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (SELECT ARRAY_AGG(ps ->> 'Type') + FROM jsonb_array_elements(placement_strategy) AS ps) = ARRAY['spread', 'binpack'] + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (SELECT ARRAY_AGG(ps ->> 'Type') + FROM jsonb_array_elements(placement_strategy) AS ps) = ARRAY['spread', 'binpack'] + THEN 'task placement strategy is compliant' + ELSE 'task placement strategy is not compliant' + END AS reason, + region, + account_id + FROM + aws_ecs_service severity: medium tags: - platform_score_cloud_service_name: - - Elastic Container Service (ECS) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Elastic Container Service (ECS) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Elastic Container Service (ECS) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Elastic Container Service (ECS) + 
score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml index 1209b2381..937fd64c5 100644 --- a/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml 
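Review bot: `ARRAY_AGG(ps ->> 'Type') = ARRAY['spread', 'binpack']` requires exactly two strategies in exactly that order, so the common AZ-spread plus instance-spread plus binpack layout, or binpack listed first, is reported as non-compliant, and `ARRAY_AGG` without an `ORDER BY` has no guaranteed element order to begin with. If the intent is "uses both spread and binpack", compare as sets, e.g. `WHEN (SELECT ARRAY_AGG(ps ->> 'Type') FROM jsonb_array_elements(placement_strategy) AS ps) @> ARRAY['spread', 'binpack']`. Services whose `placement_strategy` is NULL or empty (Fargate services do not support placement strategies, as far as I recall) are alarmed with the same generic reason, so the reason text should at least name the service, e.g. `service_name || ' task placement strategy is not compliant'`.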
@@ -1,38 +1,39 @@ id: aws_check_for_ecs_container_instance_agent_version title: Check for ECS Container Instance Agent Version +type: control description: Ensure that your Amazon ECS instances are using the latest ECS container agent version. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEcsContainerInstanceAgentVersion - value: '' +- key: awsEcsContainerInstanceAgentVersion + value: "" policy: - language: sql - primary_resource: aws_ecs_container_instance - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN version_info ->> 'AgentVersion' < '{{.awsEcsContainerInstanceAgentVersion}}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN version_info ->> 'AgentVersion' < '{{.awsEcsContainerInstanceAgentVersion}}' THEN 'Container instance is not using the latest supported version of agent' - ELSE 'Container instance is using the latest supported version of agent' - END AS reason, - region, - account_id - FROM - aws_ecs_container_instance + language: sql + primary_resource: aws_ecs_container_instance + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN version_info ->> 'AgentVersion' < '{{.awsEcsContainerInstanceAgentVersion}}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN version_info ->> 'AgentVersion' < '{{.awsEcsContainerInstanceAgentVersion}}' THEN 'Container instance is not using the latest supported version of agent' + ELSE 'Container instance is using the latest supported version of agent' + END AS reason, + region, + account_id + FROM + aws_ecs_container_instance severity: medium tags: - platform_score_cloud_service_name: - - Elastic Container Service (ECS) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Elastic Container Service (ECS) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Elastic Container Service (ECS) + platform_score_use_case: + - 
Exposed Endpoints + score_service_name: + - Elastic Container Service (ECS) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml index 96b31d73c..2353fbd93 100644 --- a/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml 
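Review bot: `version_info ->> 'AgentVersion' < '{{.awsEcsContainerInstanceAgentVersion}}'` compares version strings lexically, so `'1.9.0' < '1.10.0'` is false and a ten-releases-old agent is reported 'ok'; the same applies to `platform_version < '{{.awsEcsServicePlatformVersion}}'` in aws_check_for_fargate_platform_version.yaml, where the column can additionally hold the literal `LATEST` (as far as I recall) and needs its own guard. With the parameter default changed here to `""`, every value compares greater than or equal to the empty string and both controls pass unconditionally; either map an empty parameter to 'info'/skip or compare numerically, e.g. `string_to_array(version_info ->> 'AgentVersion', '.')::int[] < string_to_array('{{.awsEcsContainerInstanceAgentVersion}}', '.')::int[]`. Because the parameter is spliced into the SQL text before it reaches the engine, whatever supplies it must restrict it to a version pattern; that validation lives outside this file, so I cannot confirm it exists.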
@@ -1,38 +1,39 @@ id: aws_check_for_fargate_platform_version title: Check for Fargate Platform Version +type: control description: Ensure that your Amazon ECS cluster services are using the latest Fargate platform version. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEcsServicePlatformVersion - value: '' +- key: awsEcsServicePlatformVersion + value: "" policy: - language: sql - primary_resource: aws_ecs_service - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN platform_version < '{{.awsEcsServicePlatformVersion}}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN platform_version < '{{.awsEcsServicePlatformVersion}}' THEN 'Service is not using the latest supported version of platform' - ELSE 'Service is using the latest supported version of platform' - END AS reason, - region, - account_id - FROM - aws_ecs_service + language: sql + primary_resource: aws_ecs_service + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN platform_version < '{{.awsEcsServicePlatformVersion}}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN platform_version < '{{.awsEcsServicePlatformVersion}}' THEN 'Service is not using the latest supported version of platform' + ELSE 'Service is using the latest supported version of platform' + END AS reason, + region, + account_id + FROM + aws_ecs_service severity: medium tags: - platform_score_cloud_service_name: - - Elastic Container Service (ECS) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Elastic Container Service (ECS) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Elastic Container Service (ECS) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Elastic Container Service (ECS) + score_tags: + - Exposed Endpoints 
diff --git a/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml b/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml index a76bad418..d882e9f47 100644 --- a/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml 
@@ -1,37 +1,38 @@ id: aws_ecs_task_log_driver_in_use title: Amazon ECS Task Log Driver in Use +type: control description: Ensure that a log driver has been defined for each active Amazon ECS task definition. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_task_definition - definition: | - SELECT - td.task_definition_arn || ' - ' || (c ->> 'Name') AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (c -> 'LogConfiguration' ->> 'LogDriver') IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (c -> 'LogConfiguration' ->> 'LogDriver') IS NULL THEN td.task_definition_arn || ' - ' || (c ->> 'Name') || ' has no log driver' - ELSE td.task_definition_arn || ' - ' || (c ->> 'Name') || ' has log driver' - END AS reason, - region, - account_id - FROM - aws_ecs_task_definition AS td, - jsonb_array_elements(container_definitions) AS c + language: sql + primary_resource: aws_ecs_task_definition + definition: | + SELECT + td.task_definition_arn || ' - ' || (c ->> 'Name') AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (c -> 'LogConfiguration' ->> 'LogDriver') IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (c -> 'LogConfiguration' ->> 'LogDriver') IS NULL THEN td.task_definition_arn || ' - ' || (c ->> 'Name') || ' has no log driver' + ELSE td.task_definition_arn || ' - ' || (c ->> 'Name') || ' has log driver' + END AS reason, + region, + account_id + FROM + aws_ecs_task_definition AS td, + jsonb_array_elements(container_definitions) AS c severity: high tags: - platform_score_cloud_service_name: - - Elastic Container Service (ECS) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Elastic Container Service (ECS) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Elastic Container Service (ECS) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - 
Elastic Container Service (ECS) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml b/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml index 2368d8df9..c0b452bd3 100644 --- a/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml 
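Review bot: The description says the check covers each *active* task definition, but `FROM aws_ecs_task_definition AS td, jsonb_array_elements(container_definitions) AS c` has no status filter, so every inactive revision is evaluated too and may keep raising findings that can only be cleared by deregistering it; if the table exposes the task definition status, add `WHERE td.status = 'ACTIVE'`. `resource` is built as `td.task_definition_arn || ' - ' || (c ->> 'Name')`, which becomes NULL whenever a container definition has no `Name`, yielding a finding with no resource identifier; wrap it as `COALESCE(c ->> 'Name', '<unnamed>')`. Also, `platform_resource_id`, `platform_integration_id`, `region` and `account_id` are unqualified while `task_definition_arn` is prefixed with `td.`; qualifying all of them is the consistent style.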
@@ -1,39 +1,40 @@ id: aws_enable_cloudwatch_container_insights title: Enable CloudWatch Container Insights +type: control description: Ensure that CloudWatch Container Insights feature is enabled for your AWS ECS clusters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ecs_cluster - definition: | - SELECT - cluster_arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(settings) AS s - WHERE s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(settings) AS s - WHERE s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' - ) THEN 'Container Insights feature is enabled' - ELSE 'Container Insights feature is not currently enabled' - END AS reason, - region, - account_id - FROM aws_ecs_cluster + language: sql + primary_resource: aws_ecs_cluster + definition: | + SELECT + cluster_arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(settings) AS s + WHERE s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(settings) AS s + WHERE s ->> 'Name' = 'containerInsights' AND s ->> 'Value' = 'enabled' + ) THEN 'Container Insights feature is enabled' + ELSE 'Container Insights feature is not currently enabled' + END AS reason, + region, + account_id + FROM aws_ecs_cluster severity: low tags: - platform_score_cloud_service_name: - - Elastic Container Service (ECS) - score_service_name: - - Elastic Container Service (ECS) + platform_score_cloud_service_name: + - Elastic Container Service (ECS) + score_service_name: + - Elastic Container Service (ECS) 
diff --git a/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml b/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml index e13d4618a..4c6ecced2 100644 --- a/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml +++ b/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml @@ -1,36 +1,37 @@ id: aws_efs_encryption_enabled title: EFS Encryption Enabled +type: control description: Ensure encryption is enabled for AWS EFS file systems to protect your data at rest. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN encrypted::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encrypted::bool THEN title || ' encryption enabled.' - ELSE title || ' encryption not enabled.' - END AS reason, - region, - account_id - FROM - aws_efs_file_system + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN encrypted::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encrypted::bool THEN title || ' encryption enabled.' + ELSE title || ' encryption not enabled.' + END AS reason, + region, + account_id + FROM + aws_efs_file_system severity: high tags: - platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Amazon Elastic File System (EFS) - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Amazon Elastic File System (EFS) + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Amazon Elastic File System (EFS) + score_tags: + - Unencrypted Storage 
diff --git a/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml b/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml index c4b923d2b..f30fd4bca 100644 --- a/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml +++ b/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml 
@@ -1,39 +1,40 @@ id: aws_kms_customer_master_keys_for_efs_encryption title: AWS KMS Customer Master Keys for EFS Encryption +type: control description: Ensure EFS file systems are encrypted with KMS Customer Master Keys (CMKs) in order to have full control over data encryption and decryption. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_efs_file_system - definition: | - SELECT - fs.file_system_id AS resource, - fs.platform_resource_id, - fs.platform_integration_id, - CASE - WHEN k.arn IS NULL THEN 'alarm' - WHEN k.key_manager = 'CUSTOMER' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN k.arn IS NULL THEN fs.file_system_id || ' is not using a master key' - WHEN k.key_manager = 'CUSTOMER' THEN fs.file_system_id || ' is using a customer master key' - ELSE fs.file_system_id || ' is using an AWS-managed master key' - END AS reason, - fs.region, - fs.account_id - FROM - aws_efs_file_system AS fs - LEFT JOIN aws_kms_key AS k ON fs.kms_key_id = k.arn + language: sql + primary_resource: aws_efs_file_system + definition: | + SELECT + fs.file_system_id AS resource, + fs.platform_resource_id, + fs.platform_integration_id, + CASE + WHEN k.arn IS NULL THEN 'alarm' + WHEN k.key_manager = 'CUSTOMER' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN k.arn IS NULL THEN fs.file_system_id || ' is not using a master key' + WHEN k.key_manager = 'CUSTOMER' THEN fs.file_system_id || ' is using a customer master key' + ELSE fs.file_system_id || ' is using an AWS-managed master key' + END AS reason, + fs.region, + fs.account_id + FROM + aws_efs_file_system AS fs + LEFT JOIN aws_kms_key AS k ON fs.kms_key_id = k.arn severity: high tags: - platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Amazon Elastic File System (EFS) - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - 
Amazon Elastic File System (EFS) + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Amazon Elastic File System (EFS) + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml b/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml index bc8837794..df0ea4936 100644 --- a/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml +++ b/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml 
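Review bot: `WHEN k.arn IS NULL THEN 'alarm'` with reason `' is not using a master key'` conflates two different situations: a file system with no `kms_key_id` at all, and one whose key simply did not match a row in `aws_kms_key` (key owned by another account, a key the collector could not describe, or an ID/alias form that is not an ARN). The second case is a visibility gap rather than an unencrypted file system, and the current text sends operators looking for the wrong problem. Split the branch: keep `WHEN fs.kms_key_id IS NULL THEN 'alarm'` with the existing wording, and add a following `WHEN k.arn IS NULL THEN 'info'` whose reason reads `fs.file_system_id || ' uses key ' || fs.kms_key_id || ' which could not be resolved'`.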
@@ -1,36 +1,37 @@ id: aws_disable_remote_access_to_eks_cluster_node_groups title: Disable Remote Access to EKS Cluster Node Groups +type: control description: Ensure that remote access to EKS cluster node groups is disabled. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_node_group - definition: | - SELECT - nodegroup_name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN remote_access ->> 'Ec2SshKey' IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN remote_access ->> 'Ec2SshKey' IS NULL THEN nodegroup_name || ' SSH remote access is disabled.' - ELSE nodegroup_name || ' SSH remote access is not disabled.' - END AS reason, - region, - account_id - FROM - aws_eks_node_group; + language: sql + primary_resource: aws_eks_node_group + definition: | + SELECT + nodegroup_name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN remote_access ->> 'Ec2SshKey' IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN remote_access ->> 'Ec2SshKey' IS NULL THEN nodegroup_name || ' SSH remote access is disabled.' + ELSE nodegroup_name || ' SSH remote access is not disabled.' + END AS reason, + region, + account_id + FROM + aws_eks_node_group; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Kubernetes Service (EKS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Kubernetes Service (EKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Kubernetes Service (EKS) + score_tags: + - Lacking High Availability 
diff --git a/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml b/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml index 20bea5ff2..216ffe6ed 100644 --- a/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml 
@@ -1,40 +1,41 @@ id: aws_eks_cluster_endpoint_public_access title: EKS Cluster Endpoint Public Access +type: control description: Ensure that AWS EKS cluster endpoint access isn't public and prone to security risks. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' - AND (resources_vpc_config ->> 'PublicAccessCidrs')::text LIKE '%"0.0.0.0/0"%' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' - AND (resources_vpc_config ->> 'PublicAccessCidrs')::text LIKE '%"0.0.0.0/0"%' - THEN name || ' Kubernetes API endpoint configured is publicly accessible.' - ELSE name || ' Kubernetes API endpoint configured is not publicly accessible.' - END AS reason, - region, - account_id - FROM - aws_eks_cluster; + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' + AND (resources_vpc_config ->> 'PublicAccessCidrs')::text LIKE '%"0.0.0.0/0"%' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN resources_vpc_config ->> 'EndpointPublicAccess' = 'true' + AND (resources_vpc_config ->> 'PublicAccessCidrs')::text LIKE '%"0.0.0.0/0"%' + THEN name || ' Kubernetes API endpoint configured is publicly accessible.' + ELSE name || ' Kubernetes API endpoint configured is not publicly accessible.' 
+ END AS reason, + region, + account_id + FROM + aws_eks_cluster; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Kubernetes Service (EKS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Kubernetes Service (EKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Kubernetes Service (EKS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml b/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml index 828a0651e..9a70a21cf 100644 --- a/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml 
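Review bot: `(resources_vpc_config ->> 'PublicAccessCidrs')::text LIKE '%"0.0.0.0/0"%'` only alarms when the public endpoint is open to the entire IPv4 internet; a cluster with `EndpointPublicAccess = true` and any narrower CIDR list is reported as 'not publicly accessible', which contradicts the description ("endpoint access isn't public"). Decide which policy the control enforces: if any public endpoint is a finding, drop the CIDR test; if only unrestricted access is, the reason should say 'publicly accessible without CIDR restriction'. Either way, substring matching on the JSON text is brittle (it ignores `::/0` should IPv6 CIDRs appear, and depends on serialization whitespace); `EXISTS (SELECT 1 FROM jsonb_array_elements_text(resources_vpc_config -> 'PublicAccessCidrs') AS cidr WHERE cidr IN ('0.0.0.0/0', '::/0'))` checks the array elements directly.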
@@ -1,49 +1,50 @@ id: aws_eks_cluster_node_group_iam_role_policies title: EKS Cluster Node Group IAM Role Policies +type: control description: Ensure that EKS Cluster node groups are using appropriate permissions. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_node_group - definition: | - SELECT - ng.nodegroup_name AS resource, - ng.platform_integration_id, - ng.platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS p - WHERE p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' - AND p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' - ) THEN 'alarm' - WHEN r.inline_policies IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns) AS p - WHERE p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' - AND p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' - ) THEN 'permissions configured for IAM role are too permissive' - WHEN r.inline_policies IS NOT NULL THEN 'permissions configured for IAM role are too permissive' - ELSE 'permissions configured for IAM role are not too permissive' - END AS reason, - ng.region, - ng.account_id - FROM - aws_eks_node_group AS ng - LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role + language: sql + primary_resource: aws_eks_node_group + definition: | + SELECT + ng.nodegroup_name AS resource, + ng.platform_integration_id, + ng.platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS p + WHERE p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' + AND p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' + ) THEN 'alarm' + WHEN r.inline_policies IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements_text(attached_policy_arns) AS p + WHERE p <> 
'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' + AND p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' + ) THEN 'permissions configured for IAM role are too permissive' + WHEN r.inline_policies IS NOT NULL THEN 'permissions configured for IAM role are too permissive' + ELSE 'permissions configured for IAM role are not too permissive' + END AS reason, + ng.region, + ng.account_id + FROM + aws_eks_node_group AS ng + LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Kubernetes Service (EKS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Kubernetes Service (EKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Kubernetes Service (EKS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml b/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml index 7038672a6..aca00f8be 100644 --- a/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml 
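Review bot: The EXISTS test rejects any attached policy other than `AmazonEC2ContainerRegistryReadOnly` and `AmazonEKSWorkerNodePolicy`, but as I understand the documented node-role requirements a managed node group's role normally also carries `arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy` (unless the VPC CNI runs under its own IRSA role), so a standard node group is alarmed as 'too permissive'; add that ARN to the allow-list or document why it is excluded. The allow-list also hard-codes the `aws` partition, so identical policies in `aws-us-gov` or `aws-cn` never match and every node group there alarms. In the other direction the control fails open: `attached_policy_arns` and `r.inline_policies` come from the LEFT JOIN on `aws_iam_role`, so a node group whose role is missing from inventory (or whose `node_role` is NULL) yields no EXISTS rows and NULL inline policies and is reported 'ok'; add `WHEN r.arn IS NULL THEN 'info'` ahead of the existing branches. `attached_policy_arns` is also the only column in the query without a table qualifier.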
@@ -1,46 +1,47 @@ id: aws_eks_security_groups title: EKS Security Groups +type: control description: Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - SELECT - c.name AS resource, - c.platform_integration_id, - c.platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS ips - WHERE (ips ->> 'FromPort' <> '443') AND (ips ->> 'ToPort' <> '443') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(ip_permissions) AS ips - WHERE (ips ->> 'FromPort' <> '443') AND (ips ->> 'ToPort' <> '443') - ) THEN name || ' Amazon EKS security group is not compliant (allow access on ports different than TCP port 443 (HTTPS))' - ELSE name || ' Amazon EKS security group is compliant' - END AS reason, - c.region, - c.account_id - FROM - aws_eks_cluster AS c - CROSS JOIN jsonb_array_elements_text(resources_vpc_config -> 'SecurityGroupIds') AS sg_id - LEFT JOIN aws_vpc_security_group AS sg ON sg.group_id = sg_id + language: sql + primary_resource: aws_eks_cluster + definition: | + SELECT + c.name AS resource, + c.platform_integration_id, + c.platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS ips + WHERE (ips ->> 'FromPort' <> '443') AND (ips ->> 'ToPort' <> '443') + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(ip_permissions) AS ips + WHERE (ips ->> 'FromPort' <> '443') AND (ips ->> 'ToPort' <> '443') + ) THEN name || ' Amazon EKS security group is not compliant (allow access on ports different than TCP port 443 (HTTPS))' + ELSE name || ' Amazon EKS security group is compliant' + END AS reason, + c.region, + c.account_id + FROM + aws_eks_cluster AS c + CROSS JOIN 
jsonb_array_elements_text(resources_vpc_config -> 'SecurityGroupIds') AS sg_id + LEFT JOIN aws_vpc_security_group AS sg ON sg.group_id = sg_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Kubernetes Service (EKS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Kubernetes Service (EKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Kubernetes Service (EKS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml b/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml index 1ac95313a..6cbe4e53a 100644 --- a/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml +++ b/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml 
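Review bot: `WHERE (ips ->> 'FromPort' <> '443') AND (ips ->> 'ToPort' <> '443')` fails open on the most dangerous rule: an all-traffic rule (`IpProtocol` `-1`) carries no `FromPort`/`ToPort`, the `->>` lookup returns NULL, `NULL <> '443'` is not true, and the rule is never counted, so a security group allowing everything is reported compliant. A range such as 443–8443 also passes because only one bound differs from 443. The predicate should be the negation of the single allowed shape, with missing ports treated as open: `WHERE (ips ->> 'FromPort') IS NULL OR NOT ((ips ->> 'FromPort') = '443' AND (ips ->> 'ToPort') = '443' AND (ips ->> 'IpProtocol') = 'tcp')`. Two smaller points: the `CROSS JOIN` over `SecurityGroupIds` emits one row per security group, all with `c.name` as the resource, so a multi-SG cluster produces duplicate findings that should be aggregated per cluster, and the reason branch uses an unqualified `name` while the resource column uses `c.name`; if `aws_vpc_security_group` ever exposes a `name` column this becomes ambiguous, and qualifying it is cheap.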
@@ -1,46 +1,47 @@
 id: aws_enable_cloudtrail_logging_for_kubernetes_api_calls
 title: Enable CloudTrail Logging for Kubernetes API Calls
+type: control
 description: Ensure that all Kubernetes API calls are logged using Amazon CloudTrail.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT
- account_id AS resource,
- platform_integration_id,
- platform_resource_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM aws_cloudtrail_trail AS ct
- WHERE ct.platform_integration_id = a.platform_integration_id
- AND ct.is_logging = 'true'
- ) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM aws_cloudtrail_trail AS ct
- WHERE ct.platform_integration_id = a.platform_integration_id
- AND ct.is_logging = 'true'
- ) THEN 'There are active trails'
- ELSE 'There are no active trails'
- END AS reason,
- region,
- account_id
- FROM
- aws_account AS a
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT
+ account_id AS resource,
+ platform_integration_id,
+ platform_resource_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM aws_cloudtrail_trail AS ct
+ WHERE ct.platform_integration_id = a.platform_integration_id
+ AND ct.is_logging = 'true'
+ ) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM aws_cloudtrail_trail AS ct
+ WHERE ct.platform_integration_id = a.platform_integration_id
+ AND ct.is_logging = 'true'
+ ) THEN 'There are active trails'
+ ELSE 'There are no active trails'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_account AS a
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml b/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml
index 55919b869..0a8e191b5 100644
--- a/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml
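Review bot: The EXISTS in both CASE expressions is satisfied by any logging trail in the same integration, regardless of which account or region it records and whether it is multi-region, so a single-region trail somewhere else marks every account ok; nothing Kubernetes-specific is examined either, although the title promises CloudTrail coverage of Kubernetes API calls. Correlating on the account as well, `WHERE ct.account_id = a.account_id AND ct.is_logging = 'true'`, and — if the trail table exposes its multi-region flag — requiring it, would make the result match the description; otherwise the description should state that only the presence of an active trail is verified. The tags file this logging control under "Lacking High Availability", which does not describe an audit-logging gap; the same tag is reused on the other EKS baseline controls in this diff and looks like a copy-paste default.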
@@ -1,44 +1,45 @@
 id: aws_enable_envelope_encryption_for_eks_kubernetes_secrets
 title: Enable Envelope Encryption for EKS Kubernetes Secrets
+type: control
 description: Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_cluster
- definition: |
- SELECT
- name AS resource,
- platform_integration_id,
- platform_resource_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(encryption_config) AS ec
- WHERE ec -> 'Provider' ->> 'KeyArn' IS NOT NULL
- ) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(encryption_config) AS ec
- WHERE ec -> 'Provider' ->> 'KeyArn' IS NOT NULL
- ) THEN name || ' KMS Customer Master Keys (CMKs) is not enabled'
- ELSE name || ' KMS Customer Master Keys (CMKs) is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_eks_cluster;
+ language: sql
+ primary_resource: aws_eks_cluster
+ definition: |
+ SELECT
+ name AS resource,
+ platform_integration_id,
+ platform_resource_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(encryption_config) AS ec
+ WHERE ec -> 'Provider' ->> 'KeyArn' IS NOT NULL
+ ) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(encryption_config) AS ec
+ WHERE ec -> 'Provider' ->> 'KeyArn' IS NOT NULL
+ ) THEN name || ' KMS Customer Master Keys (CMKs) is not enabled'
+ ELSE name || ' KMS Customer Master Keys (CMKs) is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_eks_cluster;
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml
index 1a7e30bdf..5ee0a880e 100644
--- a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml
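Review bot: The reason strings in the second CASE are inverted relative to the status column: when the EXISTS finds a KeyArn the status is 'ok' but the reason reads ' KMS Customer Master Keys (CMKs) is not enabled', and the alarm row claims encryption is enabled. Swap the two literals so the branches read `) THEN name || ' KMS Customer Master Keys (CMKs) is enabled'` and `ELSE name || ' KMS Customer Master Keys (CMKs) is not enabled'`. The EXISTS subquery is duplicated between the two CASE expressions; computing it once in a CTE or a boolean column would have prevented exactly this kind of drift.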
@@ -1,44 +1,45 @@
 id: aws_kubernetes_cluster_logging
 title: Kubernetes Cluster Logging
+type: control
 description: Ensure that EKS control plane logging is enabled for your Amazon EKS clusters.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_cluster
- definition: |
- SELECT
- name AS resource,
- platform_integration_id,
- platform_resource_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(logging -> 'ClusterLogging') AS cl
- WHERE cl ->> 'Enabled' = 'true'
- ) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM jsonb_array_elements(logging -> 'ClusterLogging') AS cl
- WHERE cl ->> 'Enabled' = 'true'
- ) THEN name || ' EKS control plane logging is enabled'
- ELSE name || ' EKS control plane logging is not enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_eks_cluster;
+ language: sql
+ primary_resource: aws_eks_cluster
+ definition: |
+ SELECT
+ name AS resource,
+ platform_integration_id,
+ platform_resource_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(logging -> 'ClusterLogging') AS cl
+ WHERE cl ->> 'Enabled' = 'true'
+ ) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM jsonb_array_elements(logging -> 'ClusterLogging') AS cl
+ WHERE cl ->> 'Enabled' = 'true'
+ ) THEN name || ' EKS control plane logging is enabled'
+ ELSE name || ' EKS control plane logging is not enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_eks_cluster;
 severity: low
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml
index 805329125..24cff5074 100644
--- a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml
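Review bot: The EXISTS treats the cluster as ok as soon as any ClusterLogging entry has Enabled = 'true', so a cluster that ships only the scheduler log passes while the audit and authenticator streams — the ones that matter for spotting API misuse — stay off. If the stored entry keeps the API's list of log types (it would appear as a `Types` array beside `Enabled`; confirm against a sample row), require the audit type explicitly, e.g. `WHERE cl ->> 'Enabled' = 'true' AND cl -> 'Types' ? 'audit'`, and say in the description which types are mandatory. The predicate is duplicated between the status and reason CASE expressions; a CTE that evaluates it once keeps the two from drifting apart.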
@@ -1,90 +1,91 @@ id: aws_kubernetes_cluster_version title: Kubernetes Cluster Version +type: control description: Ensure that the latest version of Kubernetes is installed on your Amazon EKS clusters. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsEksClusterLatestVersion - value: '1.29' +- key: awsEksClusterLatestVersion + value: "1.29" policy: - language: sql - primary_resource: aws_eks_cluster - definition: | - WITH cluster_versions AS ( - SELECT - -- Parse up to four segments from the cluster's 'version' field - COALESCE(NULLIF(split_part(version, '.', 1), ''), '0')::int AS major, - COALESCE(NULLIF(split_part(version, '.', 2), ''), '0')::int AS minor, - COALESCE(NULLIF(split_part(version, '.', 3), ''), '0')::int AS patch, - COALESCE(NULLIF(split_part(version, '.', 4), ''), '0')::int AS sub, - version, - arn, - platform_integration_id, - platform_resource_id, - title, - region, - account_id - FROM aws_eks_cluster - ), - - param_versions AS ( - SELECT - -- Parse up to four segments from the param {{.awsEksClusterLatestVersion}} - COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 1), ''), '0')::int AS major, - COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 2), ''), '0')::int AS minor, - COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 3), ''), '0')::int AS patch, - COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 4), ''), '0')::int AS sub + language: sql + primary_resource: aws_eks_cluster + definition: | + WITH cluster_versions AS ( + SELECT + -- Parse up to four segments from the cluster's 'version' field + COALESCE(NULLIF(split_part(version, '.', 1), ''), '0')::int AS major, + COALESCE(NULLIF(split_part(version, '.', 2), ''), '0')::int AS minor, + COALESCE(NULLIF(split_part(version, '.', 3), ''), '0')::int AS patch, + COALESCE(NULLIF(split_part(version, '.', 4), ''), '0')::int AS sub, + version, + arn, + platform_integration_id, + platform_resource_id, 
+ title, + region, + account_id + FROM aws_eks_cluster + ), + + param_versions AS ( + SELECT + -- Parse up to four segments from the param {{.awsEksClusterLatestVersion}} + COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 1), ''), '0')::int AS major, + COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 2), ''), '0')::int AS minor, + COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 3), ''), '0')::int AS patch, + COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 4), ''), '0')::int AS sub + ) + + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN ( + -- Convert cluster version to a big integer + cluster_versions.major * 1000000000 + + cluster_versions.minor * 1000000 + + cluster_versions.patch * 1000 + + cluster_versions.sub + ) >= ( + -- Convert param version to a big integer + param_versions.major * 1000000000 + + param_versions.minor * 1000000 + + param_versions.patch * 1000 + + param_versions.sub ) - - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN ( - -- Convert cluster version to a big integer - cluster_versions.major * 1000000000 + - cluster_versions.minor * 1000000 + - cluster_versions.patch * 1000 + - cluster_versions.sub - ) >= ( - -- Convert param version to a big integer - param_versions.major * 1000000000 + - param_versions.minor * 1000000 + - param_versions.patch * 1000 + - param_versions.sub - ) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ( - cluster_versions.major * 1000000000 + - cluster_versions.minor * 1000000 + - cluster_versions.patch * 1000 + - cluster_versions.sub - ) >= ( - param_versions.major * 1000000000 + - param_versions.minor * 1000000 + - param_versions.patch * 1000 + - param_versions.sub - ) - THEN title || ' runs on a supported Kubernetes version.' - ELSE - title || ' is running on version ' || cluster_versions.version || - ' which is not supported. 
Supported versions are >= ' || '{{.awsEksClusterLatestVersion}}' - END AS reason, - region, - account_id - FROM cluster_versions - CROSS JOIN param_versions; + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ( + cluster_versions.major * 1000000000 + + cluster_versions.minor * 1000000 + + cluster_versions.patch * 1000 + + cluster_versions.sub + ) >= ( + param_versions.major * 1000000000 + + param_versions.minor * 1000000 + + param_versions.patch * 1000 + + param_versions.sub + ) + THEN title || ' runs on a supported Kubernetes version.' + ELSE + title || ' is running on version ' || cluster_versions.version || + ' which is not supported. Supported versions are >= ' || '{{.awsEksClusterLatestVersion}}' + END AS reason, + region, + account_id + FROM cluster_versions + CROSS JOIN param_versions; severity: low tags: - platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Kubernetes Service (EKS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Kubernetes Service (EKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Kubernetes Service (EKS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml index 8d4ebbefe..8f7db604e 100644 --- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml +++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml 
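Review bot: Every version segment is cast with `::int` after only an empty-string guard, so a cluster `version` or a parameter value with a non-numeric segment (a trailing qualifier, or a typo in awsEksClusterLatestVersion) raises a cast error and aborts the whole control rather than producing an alarm or error row for the affected cluster. Guarding each cast, e.g. `CASE WHEN split_part(version, '.', 1) ~ '^[0-9]+$' THEN split_part(version, '.', 1)::int ELSE 0 END`, in both CTEs keeps one bad value from blanking the report. The parameter is also substituted verbatim into single-quoted literals in five places; the renderer should reject values that are not a dotted numeric version before substitution, since a quote character in the value would alter the query text. The weighted comparison appears twice in full; computing one `version_rank` column per CTE and comparing those two columns removes the duplication and makes the status/reason pair easier to keep consistent.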
@@ -1,37 +1,38 @@
 id: aws_use_aws_managed_policy_to_access_amazon_ecr_repositories
 title: Use AWS-managed policy to access Amazon ECR Repositories
+type: control
 description: Ensure that EKS cluster node groups implement the "AmazonEC2ContainerRegistryReadOnly" managed policy.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_node_group
- definition: |
- SELECT
- ng.nodegroup_name AS resource,
- ng.platform_integration_id,
- ng.platform_resource_id,
- CASE
- WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'node group policies contains AmazonEC2ContainerRegistryReadOnly'
- ELSE 'node group policies does not contain AmazonEC2ContainerRegistryReadOnly'
- END AS reason,
- ng.region,
- ng.account_id
- FROM
- aws_eks_node_group AS ng
- LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role
+ language: sql
+ primary_resource: aws_eks_node_group
+ definition: |
+ SELECT
+ ng.nodegroup_name AS resource,
+ ng.platform_integration_id,
+ ng.platform_resource_id,
+ CASE
+ WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'node group policies contains AmazonEC2ContainerRegistryReadOnly'
+ ELSE 'node group policies does not contain AmazonEC2ContainerRegistryReadOnly'
+ END AS reason,
+ ng.region,
+ ng.account_id
+ FROM
+ aws_eks_node_group AS ng
+ LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml
index a358d856b..4305eb2ac 100644
--- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml
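Review bot: The LIKE pattern hard-codes the `arn:aws:` partition, so node roles in GovCloud or China accounts (whose managed-policy ARNs start with `arn:aws-us-gov:` or `arn:aws-cn:`) never match and are alarmed even when the policy is attached; the same pattern is used in aws_use_aws_managed_policy_to_manage_networking_resources.yaml further down. Matching on the partition-independent tail, `r.attached_policy_arns::text LIKE '%:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%'`, or testing the JSON array directly, fixes both files and also removes the ambiguity of the unqualified `attached_policy_arns` in a two-table join. When the LEFT JOIN finds no role at all the row alarms with a reason that claims the policy list was inspected; a leading branch `WHEN r.arn IS NULL THEN 'node role not found'` (with alarm status) would be more truthful.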
@@ -1,37 +1,38 @@
 id: aws_use_aws_managed_policy_to_manage_aws_resources
 title: Use AWS-managed policy to manage AWS resources
+type: control
 description: Ensure that Amazon EKS clusters implement the "AmazonEKSClusterPolicy" managed policy.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_node_group
- definition: |
- SELECT
- ng.nodegroup_name AS resource,
- ng.platform_integration_id,
- ng.platform_resource_id,
- CASE
- WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'node group policies contain AmazonEC2ContainerRegistryReadOnly'
- ELSE 'node group policies do not contain AmazonEC2ContainerRegistryReadOnly'
- END AS reason,
- ng.region,
- ng.account_id
- FROM
- aws_eks_node_group AS ng
- LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role
+ language: sql
+ primary_resource: aws_eks_node_group
+ definition: |
+ SELECT
+ ng.nodegroup_name AS resource,
+ ng.platform_integration_id,
+ ng.platform_resource_id,
+ CASE
+ WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly%' THEN 'node group policies contain AmazonEC2ContainerRegistryReadOnly'
+ ELSE 'node group policies do not contain AmazonEC2ContainerRegistryReadOnly'
+ END AS reason,
+ ng.region,
+ ng.account_id
+ FROM
+ aws_eks_node_group AS ng
+ LEFT JOIN aws_iam_role AS r ON r.arn = ng.node_role
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml
index ebd412042..264b49bb4 100644
--- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml
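Review bot: The query body is a copy of the ECR read-only control: the description promises a check for AmazonEKSClusterPolicy on EKS clusters, but both CASE expressions test node-group roles for `AmazonEC2ContainerRegistryReadOnly`, so this control can never report on the policy it is named for and simply duplicates the previous file's verdict under a second id. It should select from `aws_eks_cluster`, join `aws_iam_role` on the cluster's role ARN column, and match on `:iam::aws:policy/AmazonEKSClusterPolicy`; `primary_resource` then needs to change from aws_eks_node_group to aws_eks_cluster and the reason strings should name the cluster policy. Until that is done the control gives false assurance and is better disabled than shipped as-is.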
@@ -1,38 +1,39 @@
 id: aws_use_aws_managed_policy_to_manage_networking_resources
 title: Use AWS-managed policy to Manage Networking Resources
+type: control
 description: Ensure that EKS cluster node groups implement the "AmazonEKS_CNI_Policy" managed policy.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_node_group
- definition: |
- SELECT
- ng.nodegroup_name AS resource,
- ng.platform_integration_id,
- ng.platform_resource_id,
- CASE
- WHEN attached_policy_arns::TEXT LIKE '%arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN attached_policy_arns::TEXT LIKE '%arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%' THEN 'node group policies contains AmazonEKS_CNI_Policy'
- ELSE 'node group policies does not contain AmazonEKS_CNI_Policy'
- END AS reason,
- ng.region,
- ng.account_id
- FROM
- aws_eks_node_group AS ng
- LEFT JOIN aws_iam_role AS r
- ON r.arn = ng.node_role
+ language: sql
+ primary_resource: aws_eks_node_group
+ definition: |
+ SELECT
+ ng.nodegroup_name AS resource,
+ ng.platform_integration_id,
+ ng.platform_resource_id,
+ CASE
+ WHEN attached_policy_arns::TEXT LIKE '%arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN attached_policy_arns::TEXT LIKE '%arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%' THEN 'node group policies contains AmazonEKS_CNI_Policy'
+ ELSE 'node group policies does not contain AmazonEKS_CNI_Policy'
+ END AS reason,
+ ng.region,
+ ng.account_id
+ FROM
+ aws_eks_node_group AS ng
+ LEFT JOIN aws_iam_role AS r
+ ON r.arn = ng.node_role
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml b/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml
index a35c290ae..40516a1c2 100644
--- a/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml
+++ b/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml
@@ -1,38 +1,39 @@
 id: aws_use_oidc_provider_for_authenticating_kubernetes_api_calls
 title: Use OIDC Provider for Authenticating Kubernetes API Calls
+type: control
 description: Ensure that Amazon EKS clusters are using an OpenID Connect (OIDC) provider.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_eks_cluster
- definition: |
- SELECT
- c.name AS resource,
- c.platform_integration_id,
- c.platform_resource_id,
- CASE
- WHEN oidc.url IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN oidc.url IS NULL THEN 'Amazon EKS cluster is not using an OIDC provider for authenticating Kubernetes API calls.'
- ELSE 'Amazon EKS cluster is using an OIDC provider for authenticating Kubernetes API calls.'
- END AS reason,
- c.region,
- c.account_id
- FROM
- aws_eks_cluster AS c
- LEFT JOIN aws_iam_open_id_connect_provider AS oidc
- ON 'https://' || oidc.url = c.identity -> 'Oidc' ->> 'Issuer'
+ language: sql
+ primary_resource: aws_eks_cluster
+ definition: |
+ SELECT
+ c.name AS resource,
+ c.platform_integration_id,
+ c.platform_resource_id,
+ CASE
+ WHEN oidc.url IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN oidc.url IS NULL THEN 'Amazon EKS cluster is not using an OIDC provider for authenticating Kubernetes API calls.'
+ ELSE 'Amazon EKS cluster is using an OIDC provider for authenticating Kubernetes API calls.'
+ END AS reason,
+ c.region,
+ c.account_id
+ FROM
+ aws_eks_cluster AS c
+ LEFT JOIN aws_iam_open_id_connect_provider AS oidc
+ ON 'https://' || oidc.url = c.identity -> 'Oidc' ->> 'Issuer'
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Kubernetes Service (EKS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Kubernetes Service (EKS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml b/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml
index 9a5f0cb27..6a56f8935 100644
--- a/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml
+++ b/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml
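Review bot: The LEFT JOIN on the issuer URL is not scoped to the cluster's account, so an OIDC provider registered in any account the query can see satisfies the check, although IAM roles for service accounts only work when the provider exists in the cluster's own account; if the provider table exposes an account column, add `AND oidc.account_id = c.account_id` to the ON clause (scoping on the shared integration id would do as well). A cluster whose issuer matches more than one provider row is also emitted more than once, so an `EXISTS` subquery instead of a join would give exactly one row per cluster. The reason strings omit the cluster name, unlike the sibling EKS controls; prefixing them with `c.name || ' ...'` makes the finding self-describing.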
@@ -1,39 +1,40 @@
 id: aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems
 title: Use KMS Customer Master Keys for FSx Windows File Server File Systems
+type: control
 description: Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_fsx_file_system
- definition: |
- SELECT
- file_system_id AS resource,
- v.platform_resource_id,
- v.platform_integration_id,
- CASE
- WHEN kms_key_id IS NULL THEN 'alarm'
- WHEN k.key_manager = 'CUSTOMER' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN kms_key_id IS NULL THEN file_system_id || ' is not using a master key'
- WHEN k.key_manager = 'CUSTOMER' THEN file_system_id || ' is using a customer master key'
- ELSE file_system_id || ' is using an AWS-managed master key'
- END AS reason,
- v.region,
- v.account_id
- FROM
- aws_fsx_file_system AS v
- LEFT JOIN aws_kms_key AS k ON v.kms_key_id = k.arn
+ language: sql
+ primary_resource: aws_fsx_file_system
+ definition: |
+ SELECT
+ file_system_id AS resource,
+ v.platform_resource_id,
+ v.platform_integration_id,
+ CASE
+ WHEN kms_key_id IS NULL THEN 'alarm'
+ WHEN k.key_manager = 'CUSTOMER' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN kms_key_id IS NULL THEN file_system_id || ' is not using a master key'
+ WHEN k.key_manager = 'CUSTOMER' THEN file_system_id || ' is using a customer master key'
+ ELSE file_system_id || ' is using an AWS-managed master key'
+ END AS reason,
+ v.region,
+ v.account_id
+ FROM
+ aws_fsx_file_system AS v
+ LEFT JOIN aws_kms_key AS k ON v.kms_key_id = k.arn
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Block Store (EBS)
- platform_score_use_case:
- - Unencrypted Storage
- score_service_name:
- - AWS Elastic Block Store (EBS)
- score_tags:
- - Unencrypted Storage
+ platform_score_cloud_service_name:
+ - AWS Elastic Block Store (EBS)
+ platform_score_use_case:
+ - Unencrypted Storage
+ score_service_name:
+ - AWS Elastic Block Store (EBS)
+ score_tags:
+ - Unencrypted Storage
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml
index e5e0b44c1..c01390376 100644
--- a/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml
+++ b/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml
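Review bot: The tags block files this FSx control under "AWS Elastic Block Store (EBS)" in both `platform_score_cloud_service_name` and `score_service_name`, so its findings roll up under the wrong service in score reports; the hunk only re-indents those values. The first CASE branch also asserts `is not using a master key` when `kms_key_id` is NULL, which overstates the situation — FSx for Windows always encrypts at rest and falls back to the AWS-managed key when no key is supplied — so `is using the default AWS-managed key` would be the accurate reason for that row, and it can keep the alarm status the ELSE branch already assigns. The ELSE branch fires for any non-CUSTOMER manager and also when the key row was not found; a `WHEN k.arn IS NULL` branch would keep "key not visible" apart from "AWS-managed".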
@@ -1,46 +1,47 @@
 id: aws_configure_http_desync_mitigation_mode_for_application_load_balancers
 title: Configure HTTP Desync Mitigation Mode for Application Load Balancers
+type: control
 description: Ensure that the suitable Desync Mitigation mode is configured for your Application Load Balancers.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: aws_ec2_application_load_balancer
- definition: |
- WITH app_lb_desync_mitigation_mode AS (
- SELECT
- arn,
- l ->> 'Key',
- l ->> 'Value' AS v
- FROM
- aws_ec2_application_load_balancer,
- jsonb_array_elements(load_balancer_attributes) AS l
- WHERE
- l ->> 'Key' = 'routing.http.desync_mitigation_mode'
- )
- SELECT
- a.arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN m.v = ANY(ARRAY ['defensive', 'strictest']) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- title || ' has ' || m.v || ' desync mitigation mode.' AS reason,
- region,
- account_id
- FROM
- aws_ec2_application_load_balancer AS a
- LEFT JOIN app_lb_desync_mitigation_mode AS m
- ON a.arn = m.arn;
+ language: sql
+ primary_resource: aws_ec2_application_load_balancer
+ definition: |
+ WITH app_lb_desync_mitigation_mode AS (
+ SELECT
+ arn,
+ l ->> 'Key',
+ l ->> 'Value' AS v
+ FROM
+ aws_ec2_application_load_balancer,
+ jsonb_array_elements(load_balancer_attributes) AS l
+ WHERE
+ l ->> 'Key' = 'routing.http.desync_mitigation_mode'
+ )
+ SELECT
+ a.arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN m.v = ANY(ARRAY ['defensive', 'strictest']) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ title || ' has ' || m.v || ' desync mitigation mode.' AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_application_load_balancer AS a
+ LEFT JOIN app_lb_desync_mitigation_mode AS m
+ ON a.arn = m.arn;
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Load Balancing V2 (ELBv2)
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS Elastic Load Balancing V2 (ELBv2)
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS Elastic Load Balancing V2 (ELBv2)
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS Elastic Load Balancing V2 (ELBv2)
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml
index 56ac0f431..bcefb1ff3 100644
--- a/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml
+++ b/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml
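Review bot: When a load balancer has no `routing.http.desync_mitigation_mode` attribute the LEFT JOIN leaves `m.v` NULL, and because `||` propagates NULL the reason column for that alarm row is NULL with no explanation; wrap it as `title || ' has ' || COALESCE(m.v, 'no') || ' desync mitigation mode.'`. The CTE also projects an unnamed `l ->> 'Key'` column that nothing reads, and `platform_resource_id`, `platform_integration_id`, `title`, `region` and `account_id` are unqualified in a two-relation join, which breaks the moment the CTE gains a same-named column — qualify them with `a.`. The comma join `aws_ec2_application_load_balancer, jsonb_array_elements(...)` inside the CTE would read more clearly as `CROSS JOIN LATERAL`, matching the style of the EKS security-group control in this diff.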
@@ -1,61 +1,62 @@
 id: aws_configure_multiple_availability_zones_for_load_balancers
 title: Configure Multiple Availability Zones for Load Balancers
+type: control
 description: Ensure that Amazon Gateway Load Balancers are using Multi-AZ configurations.
 integration_type:
- - aws_cloud_account
+- aws_cloud_account
 parameters: []
 policy:
- language: sql
- primary_resource: ''
- definition: |
- SELECT
- arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
- region,
- account_id
- FROM
- aws_ec2_application_load_balancer
- UNION
- SELECT
- arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
- region,
- account_id
- FROM
- aws_ec2_network_load_balancer
- UNION
- SELECT
- arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
- region,
- account_id
- FROM
- aws_ec2_gateway_load_balancer;
+ language: sql
+ primary_resource: ""
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_application_load_balancer
+ UNION
+ SELECT
+ arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_network_load_balancer
+ UNION
+ SELECT
+ arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN jsonb_array_length(availability_zones) < 2 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' AS reason,
+ region,
+ account_id
+ FROM
+ aws_ec2_gateway_load_balancer;
 severity: high
 tags:
- platform_score_cloud_service_name:
- - AWS Elastic Load Balancing V2 (ELBv2)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Elastic Load Balancing V2 (ELBv2)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Elastic Load Balancing V2 (ELBv2)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Elastic Load Balancing V2 (ELBv2)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml
index a591021d7..168fa1516 100644
--- a/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml
+++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml
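Review bot: If `availability_zones` is NULL for a row, `jsonb_array_length(NULL) < 2` evaluates to NULL, the CASE falls through to 'ok', and the reason concatenation is NULL as well — a load balancer with no zone data passes silently; add a leading `WHEN availability_zones IS NULL THEN 'alarm'` branch (and a matching reason) in each of the three SELECTs. The three branches are combined with `UNION`, which sorts and de-duplicates every row although ARNs from the three tables cannot collide; `UNION ALL` in both places returns the same rows without the hidden DISTINCT. `primary_resource` is left as an empty string, so consumers cannot tell which table a finding came from, and the description names only Gateway Load Balancers although application and network load balancers are evaluated too.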
@@ -1,32 +1,33 @@ id: aws_elb_access_log title: ELB Access Log +type: control description: Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'AccessLog' ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'AccessLog' ->> 'Enabled' = 'true' THEN a.title || ' Access Logging feature is enabled' - ELSE a.title || ' Access Logging feature is not enabled' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_classic_load_balancer a + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'AccessLog' ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'AccessLog' ->> 'Enabled' = 'true' THEN a.title || ' Access Logging feature is enabled' + ELSE a.title || ' Access Logging feature is not enabled' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_classic_load_balancer a severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) - score_service_name: - - AWS Elastic Load Balancing (ELB) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing (ELB) + score_service_name: + - AWS Elastic Load Balancing (ELB) diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml index ac4837470..499c74708 100644 
--- a/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml 
@@ -1,32 +1,33 @@ id: aws_elb_connection_draining_enabled title: ELB Connection Draining Enabled +type: control description: Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'ConnectionDraining' ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'ConnectionDraining' ->> 'Enabled' = 'true' THEN a.title || ' Connection Draining feature is enabled' - ELSE a.title || ' Connection Draining feature is not enabled' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_classic_load_balancer a + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'ConnectionDraining' ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'ConnectionDraining' ->> 'Enabled' = 'true' THEN a.title || ' Connection Draining feature is enabled' + ELSE a.title || ' Connection Draining feature is not enabled' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_classic_load_balancer a severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) - score_service_name: - - AWS Elastic Load Balancing (ELB) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing (ELB) + score_service_name: + - AWS Elastic Load Balancing (ELB) 
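Review bot: The `description` of `aws_elb_connection_draining_enabled` is a copy of the access-log control ("Ensure ELB access logging is enabled ...") and says nothing about connection draining; the commit reindents it without correcting it. Suggest `description: Ensure Connection Draining is enabled on Classic Load Balancers so in-flight requests complete before an instance is deregistered or becomes unhealthy.`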
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml index 4bd53b142..9c550aa30 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml 
@@ -1,32 +1,33 @@ id: aws_elb_cross_zone_load_balancing_enabled title: ELB Cross-Zone Load Balancing Enabled +type: control description: Ensure Cross-Zone Load Balancing is enabled for all load balancers. Also select at least two subnets in different availability zones to provide higher availability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'CrossZoneLoadBalancing' ->> 'Enabled' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN platform_resource_description -> 'Attributes' -> 'CrossZoneLoadBalancing' ->> 'Enabled' = 'true' THEN a.title || ' Cross-Zone Load Balancing feature is enabled' - ELSE a.title || ' Cross-Zone Load Balancing feature is not enabled' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_classic_load_balancer a + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'CrossZoneLoadBalancing' ->> 'Enabled' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN platform_resource_description -> 'Attributes' -> 'CrossZoneLoadBalancing' ->> 'Enabled' = 'true' THEN a.title || ' Cross-Zone Load Balancing feature is enabled' + ELSE a.title || ' Cross-Zone Load Balancing feature is not enabled' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_classic_load_balancer a severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) - score_service_name: - - AWS Elastic Load Balancing (ELB) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing (ELB) + score_service_name: + - AWS Elastic Load Balancing (ELB) 
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml index 6e814a650..c2c74e196 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml 
@@ -1,49 +1,50 @@ id: aws_elb_insecure_ssl_protocols title: ELB Insecure SSL Protocols +type: control description: Ensure ELBs don't use insecure SSL protocols. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - WITH detailed_classic_listeners AS ( - SELECT - name - FROM - aws_ec2_classic_load_balancer, - jsonb_array_elements(listener_descriptions) AS listener_description - WHERE - listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') - AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' - ) - SELECT - 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN a.listener_descriptions IS NULL THEN 'skip' - WHEN b.name IS NOT NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' - WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' - ELSE a.title || ' uses certificates provided by ACM.' 
- END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer AS a - LEFT JOIN detailed_classic_listeners AS b ON a.name = b.name; + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + WITH detailed_classic_listeners AS ( + SELECT + name + FROM + aws_ec2_classic_load_balancer, + jsonb_array_elements(listener_descriptions) AS listener_description + WHERE + listener_description -> 'Listener' ->> 'Protocol' IN ('HTTPS', 'SSL', 'TLS') + AND listener_description -> 'Listener' ->> 'SSLCertificateId' LIKE 'arn:aws:acm%' + ) + SELECT + 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN a.listener_descriptions IS NULL THEN 'skip' + WHEN b.name IS NOT NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.listener_descriptions IS NULL THEN a.title || ' has no listener.' + WHEN b.name IS NOT NULL THEN a.title || ' does not use certificates provided by ACM.' + ELSE a.title || ' uses certificates provided by ACM.' + END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer AS a + LEFT JOIN detailed_classic_listeners AS b ON a.name = b.name; severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml index ec1e8f9d3..8b7872265 100644 
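Review bot: The status logic is inverted: `detailed_classic_listeners` selects load balancers whose HTTPS/SSL/TLS listener certificate matches `arn:aws:acm%`, yet a match (`b.name IS NOT NULL`) yields `'alarm'` with the reason "does not use certificates provided by ACM", so the ACM-backed listeners are the ones flagged. Independently, the control is titled "ELB Insecure SSL Protocols" but nothing in the query inspects the negotiated protocol or the listener's SSL policy; either the title/description or the query has to change. The certificate pattern also hard-codes the `aws` partition while the resource ARN is built from `a.partition`, so certificates in other partitions (`arn:aws-us-gov:acm:...`) never match. The CTE has no DISTINCT, so a load balancer with several matching listeners is reported once per listener.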
--- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml @@ -1,35 +1,36 @@ id: aws_elbv2_access_log title: ELBv2 Access Log +type: control description: Ensure that Amazon ALBs have Access Logging feature enabled for security, troubleshooting and statistical analysis purposes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN lb ->> 'Value' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' - ELSE a.title || ' deletion protection is enabled.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb - WHERE - lb ->> 'Key' = 'access_logs.s3.enabled' + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN lb ->> 'Value' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' + ELSE a.title || ' deletion protection is enabled.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb + WHERE + lb ->> 'Key' = 'access_logs.s3.enabled' severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) 
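Review bot: The reason strings on the new side report deletion protection ("deletion protection is not enabled.") while the query filters on `access_logs.s3.enabled`, so every finding of this control describes the wrong setting; they should read e.g. `a.title || ' access logging is not enabled.'` and `a.title || ' access logging is enabled.'`. The `CROSS JOIN ... WHERE lb ->> 'Key' = 'access_logs.s3.enabled'` also drops any load balancer whose attribute list lacks that key, so such a resource produces no row at all instead of an alarm; the CTE-plus-LEFT JOIN shape used by the deletion-protection control further down avoids that.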
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml index 752396e40..7f415db89 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml 
@@ -1,47 +1,48 @@ id: aws_elbv2_alb_listener_security title: ELBv2 ALB Listener Security +type: control description: Ensure ELBv2 ALBs are using a secure protocol. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - al.arn AS resource, - al.platform_resource_id, - al.platform_integration_id, - CASE - WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'alb is using a secure protocol' - ELSE 'alb is not using a secure protocol' - END AS reason, - al.region, - al.account_id - FROM - aws_ec2_application_load_balancer al - LEFT JOIN - aws_ec2_load_balancer_listener ll - ON - al.arn = ll.load_balancer_arn - GROUP BY - al.arn, - al.platform_resource_id, - al.platform_integration_id, - al.title, - al.region, - al.account_id; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + al.arn AS resource, + al.platform_resource_id, + al.platform_integration_id, + CASE + WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'alb is using a secure protocol' + ELSE 'alb is not using a secure protocol' + END AS reason, + al.region, + al.account_id + FROM + aws_ec2_application_load_balancer al + LEFT JOIN + aws_ec2_load_balancer_listener ll + ON + al.arn = ll.load_balancer_arn + GROUP BY + al.arn, + al.platform_resource_id, + al.platform_integration_id, + al.title, + al.region, + al.account_id; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 
(ELBv2) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml index 81c533fec..5289decde 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml 
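Review bot: `STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%'` is an any-match: a load balancer with a plain HTTP listener beside an HTTPS one is reported `'ok'`, which may or may not be what "using a secure protocol" intends. If every listener must be secure, `BOOL_AND(ll.protocol = 'HTTPS')` expresses it directly; if one HTTPS listener is enough, `BOOL_OR(ll.protocol = 'HTTPS')` says so without string matching. The reason text also omits `al.title` even though it is in the GROUP BY, so findings cannot be told apart by message.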
@@ -1,48 +1,49 @@ id: aws_elbv2_alb_minimum_number_of_ec2_target_instances title: ELBv2 ALB Minimum Number of EC2 Target Instances +type: control description: Ensure there is a minimum number of two healthy target instances associated with each AWS ELBv2 application load balancer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH target_resource AS ( - SELECT - load_balancer_arn, - COUNT(*) AS c - FROM - aws_ec2_target_group, - jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn - GROUP BY - load_balancer_arn - ) - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN a.title || ' is not using a fault-tolerant configuration.' - ELSE a.title || ' is using a fault-tolerant configuration.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN target_resource b - ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH target_resource AS ( + SELECT + load_balancer_arn, + COUNT(*) AS c + FROM + aws_ec2_target_group, + jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn + GROUP BY + load_balancer_arn + ) + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN a.title || ' is not using a fault-tolerant configuration.' + ELSE a.title || ' is using a fault-tolerant configuration.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN target_resource b + ON a.arn = b.load_balancer_arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml index 37b94b466..0e291b319 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml 
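Review bot: The query counts rows of `aws_ec2_target_group` per load balancer (`COUNT(*) AS c`), i.e. the number of target groups, but the title and description promise a minimum of two healthy target instances; a load balancer with one target group holding many healthy instances is alarmed, while two empty target groups pass. Target health is not read anywhere in this query, so either the control text should say "target groups" or the count needs to come from target health data. The same defect is in `aws_elbv2_glb_minimum_number_of_ec2_target_instances` further down this diff.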
@@ -1,60 +1,61 @@ id: aws_elbv2_alb_security_group title: ELBv2 ALB Security Group +type: control description: Ensure ELBv2 load balancers have secure and valid security groups. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH sg AS ( - SELECT - group_id, - group_name, - ARRAY_AGG('(' || (p ->> 'ToPort') || ',' || LOWER(p ->> 'IpProtocol') || ')') AS ports_and_protocols - FROM - aws_vpc_security_group, - JSONB_ARRAY_ELEMENTS(ip_permissions) AS p - GROUP BY - group_id, group_name - ), lbl AS ( - SELECT - load_balancer_arn, - ARRAY_AGG('(' || port || ',' || LOWER(protocol) || ')') AS ports_and_protocols - FROM - aws_ec2_load_balancer_listener - GROUP BY - load_balancer_arn - ) - SELECT - al.name AS resource, - al.platform_integration_id, - al.platform_resource_id, - sg.ports_and_protocols, - lbl.ports_and_protocols, - CASE - WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN al.name || ' is secure' - ELSE al.name || ' is not secure' - END AS reason, - al.region, - al.account_id - FROM - aws_ec2_application_load_balancer AS al - CROSS JOIN LATERAL JSONB_ARRAY_ELEMENTS_TEXT(al.security_groups) AS sgid - LEFT JOIN sg ON sgid = sg.group_id - LEFT JOIN lbl ON al.arn = lbl.load_balancer_arn + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH sg AS ( + SELECT + group_id, + group_name, + ARRAY_AGG('(' || (p ->> 'ToPort') || ',' || LOWER(p ->> 'IpProtocol') || ')') AS ports_and_protocols + FROM + aws_vpc_security_group, + JSONB_ARRAY_ELEMENTS(ip_permissions) AS p + GROUP BY + group_id, group_name + ), lbl AS ( + SELECT + load_balancer_arn, + ARRAY_AGG('(' || port || ',' || LOWER(protocol) || ')') AS ports_and_protocols + FROM + aws_ec2_load_balancer_listener + GROUP BY + load_balancer_arn + ) + 
SELECT + al.name AS resource, + al.platform_integration_id, + al.platform_resource_id, + sg.ports_and_protocols, + lbl.ports_and_protocols, + CASE + WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN al.name || ' is secure' + ELSE al.name || ' is not secure' + END AS reason, + al.region, + al.account_id + FROM + aws_ec2_application_load_balancer AS al + CROSS JOIN LATERAL JSONB_ARRAY_ELEMENTS_TEXT(al.security_groups) AS sgid + LEFT JOIN sg ON sgid = sg.group_id + LEFT JOIN lbl ON al.arn = lbl.load_balancer_arn severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml index a53cf4f40..6695af7f3 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml 
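Review bot: The containment test `sg.ports_and_protocols <@ lbl.ports_and_protocols` compares strings built from the security group's `IpProtocol` (values such as `tcp`) with strings built from the listener's `protocol` (for an ALB, `HTTP`/`HTTPS`, lowercased), so `(443,tcp)` never equals `(443,https)` and every load balancer is expected to land in `'alarm'`; confirm against real data, but the two sides need a common vocabulary before the comparison means anything. Security-group rules are ranges (`FromPort`..`ToPort`) and an all-traffic rule carries no ToPort, so a single-port string from `ToPort` cannot represent them and the concatenation yields a NULL array element. The `CROSS JOIN LATERAL` over `al.security_groups` emits one row per attached group, so a single ALB appears as several findings, and the two `ports_and_protocols` output columns share a name.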
@@ -1,36 +1,37 @@ id: aws_elbv2_alb_security_policy title: ELBv2 ALB Security Policy +type: control description: Ensure that Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsLatestPolicies - value: '' +- key: awsLatestPolicies + value: "" policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN '{{.awsLatestPolicies}}' LIKE '%' || li.ssl_policy || '%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsLatestPolicies}}' LIKE '%' || li.ssl_policy || '%' THEN a.title || ' is using one of the latest security policies.' - ELSE a.title || ' is not using one of the latest security policies.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN aws_ec2_load_balancer_listener AS li - ON li.load_balancer_arn = a.arn + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN '{{.awsLatestPolicies}}' LIKE '%' || li.ssl_policy || '%' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN '{{.awsLatestPolicies}}' LIKE '%' || li.ssl_policy || '%' THEN a.title || ' is using one of the latest security policies.' + ELSE a.title || ' is not using one of the latest security policies.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN aws_ec2_load_balancer_listener AS li + ON li.load_balancer_arn = a.arn severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml index 7f7a2ac78..0bba7912b 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml 
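Review bot: `'{{.awsLatestPolicies}}' LIKE '%' || li.ssl_policy || '%'` yields NULL when `li.ssl_policy` is NULL — every HTTP-only listener and every load balancer with no listener at all (LEFT JOIN) — and the CASE turns that into `'alarm'`, so ALBs that do not terminate TLS are failed for a missing TLS policy; add `WHEN li.ssl_policy IS NULL THEN 'skip'` ahead of the check. The default parameter value `""` makes every TLS listener alarm, and substring matching can accept a policy whose name is contained in another listed name; exact membership such as `li.ssl_policy = ANY(string_to_array('{{.awsLatestPolicies}}', ','))` is safer. Because the parameter is spliced into the SQL text before execution, a value containing a single quote changes the query rather than the comparison. The join also emits one row per listener for the same ALB.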
@@ -1,49 +1,50 @@ id: aws_elbv2_elastic_load_balancing_deletion_protection title: ELBv2 Elastic Load Balancing Deletion Protection +type: control description: Ensure ELBv2 Load Balancers have Deletion Protection feature enabled in order to protect them from being accidentally deleted. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH app_lb_desync_mitigation_mode AS ( - SELECT - arn, - l ->> 'Key', - l ->> 'Value' AS v - FROM - aws_ec2_application_load_balancer, - jsonb_array_elements(load_balancer_attributes) AS l - WHERE - l ->> 'Key' = 'deletion_protection.enabled' - ) - SELECT - a.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN m.v = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN m.v = 'true' THEN 'deletion protection enabled' - ELSE 'deletion protection not enabled' - END AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer AS a - LEFT JOIN app_lb_desync_mitigation_mode AS m - ON a.arn = m.arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH app_lb_desync_mitigation_mode AS ( + SELECT + arn, + l ->> 'Key', + l ->> 'Value' AS v + FROM + aws_ec2_application_load_balancer, + jsonb_array_elements(load_balancer_attributes) AS l + WHERE + l ->> 'Key' = 'deletion_protection.enabled' + ) + SELECT + a.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN m.v = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN m.v = 'true' THEN 'deletion protection enabled' + ELSE 'deletion protection not enabled' + END AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer AS a + LEFT JOIN app_lb_desync_mitigation_mode AS m + ON a.arn = m.arn; severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Problem 
Identities - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml index 3921eaf88..4330e02c0 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml 
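Review bot: The CTE is named `app_lb_desync_mitigation_mode` but selects the `deletion_protection.enabled` attribute, and its second column `l ->> 'Key'` is projected without an alias and never used; rename it (e.g. `app_lb_deletion_protection`) and drop the unused column so the next reader is not sent looking for desync logic. The reason strings are the only ones in this set that omit the resource title; `a.title || ' deletion protection enabled'` would match the neighbouring controls.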
@@ -1,48 +1,49 @@ id: aws_elbv2_glb_minimum_number_of_ec2_target_instances title: ELBv2 GLB Minimum Number of EC2 Target Instances +type: control description: Ensure there is a minimum number of two healthy target instances associated with each AWS ELBv2 gateway load balancer. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_gateway_load_balancer - definition: | - WITH target_resource AS ( - SELECT - load_balancer_arn, - COUNT(*) AS c - FROM - aws_ec2_target_group, - JSONB_ARRAY_ELEMENTS_TEXT(load_balancer_arns) AS load_balancer_arn - GROUP BY - load_balancer_arn - ) - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN a.title || ' is not using a fault-tolerant configuration.' - ELSE a.title || ' is using a fault-tolerant configuration.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_gateway_load_balancer a - LEFT JOIN - target_resource b ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_gateway_load_balancer + definition: | + WITH target_resource AS ( + SELECT + load_balancer_arn, + COUNT(*) AS c + FROM + aws_ec2_target_group, + JSONB_ARRAY_ELEMENTS_TEXT(load_balancer_arns) AS load_balancer_arn + GROUP BY + load_balancer_arn + ) + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NULL OR b.c < 2 THEN a.title || ' is not using a fault-tolerant configuration.' + ELSE a.title || ' is using a fault-tolerant configuration.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_gateway_load_balancer a + LEFT JOIN + target_resource b ON a.arn = b.load_balancer_arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml index fbecc2dad..eb2d837db 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml 
@@ -1,78 +1,79 @@ id: aws_elbv2_nlb_listener_security title: ELBv2 NLB Listener Security +type: control description: Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_network_load_balancer - definition: | - WITH tls_listeners AS ( + language: sql + primary_resource: aws_ec2_network_load_balancer + definition: | + WITH tls_listeners AS ( + SELECT + DISTINCT load_balancer_arn + FROM + aws_ec2_load_balancer_listener + WHERE + protocol = 'TLS' + AND ssl_policy NOT IN ( + 'ELBSecurityPolicy-2016-08', + 'ELBSecurityPolicy-FS-2018-0', + 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', + 'ELBSecurityPolicy-TLS13-1-2-2021-06' + ) + GROUP BY + load_balancer_arn + ), + nwl_without_tls_listener AS ( + SELECT + load_balancer_arn, + COUNT(*) + FROM + aws_ec2_load_balancer_listener + WHERE + protocol = 'TLS' + GROUP BY + load_balancer_arn + ) + SELECT + lb.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN l.load_balancer_arn IS NOT NULL + AND lb.arn IN ( SELECT - DISTINCT load_balancer_arn - FROM - aws_ec2_load_balancer_listener - WHERE - protocol = 'TLS' - AND ssl_policy NOT IN ( - 'ELBSecurityPolicy-2016-08', - 'ELBSecurityPolicy-FS-2018-0', - 'ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06', - 'ELBSecurityPolicy-TLS13-1-2-2021-06' - ) - GROUP BY load_balancer_arn - ), - nwl_without_tls_listener AS ( - SELECT - load_balancer_arn, - COUNT(*) FROM - aws_ec2_load_balancer_listener - WHERE - protocol = 'TLS' - GROUP BY + tls_listeners + ) THEN 'alarm' + WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' + ELSE 'info' + END AS status, + CASE + WHEN l.load_balancer_arn IS NOT NULL + AND lb.arn IN ( + SELECT load_balancer_arn - ) - SELECT - lb.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN l.load_balancer_arn IS NOT NULL - AND lb.arn IN ( - SELECT - 
load_balancer_arn - FROM - tls_listeners - ) THEN 'alarm' - WHEN l.load_balancer_arn IS NOT NULL THEN 'ok' - ELSE 'info' - END AS status, - CASE - WHEN l.load_balancer_arn IS NOT NULL - AND lb.arn IN ( - SELECT - load_balancer_arn - FROM - tls_listeners - ) THEN lb.title || ' TLS listener security policy not updated.' - WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' TLS listener security policy updated.' - ELSE lb.title || ' does not use TLS listener.' - END AS reason, - lb.region, - lb.account_id - FROM - aws_ec2_network_load_balancer AS lb - LEFT JOIN nwl_without_tls_listener AS l ON l.load_balancer_arn = lb.arn; + FROM + tls_listeners + ) THEN lb.title || ' TLS listener security policy not updated.' + WHEN l.load_balancer_arn IS NOT NULL THEN lb.title || ' TLS listener security policy updated.' + ELSE lb.title || ' does not use TLS listener.' + END AS reason, + lb.region, + lb.account_id + FROM + aws_ec2_network_load_balancer AS lb + LEFT JOIN nwl_without_tls_listener AS l ON l.load_balancer_arn = lb.arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml index 03fe2b1ce..948b33929 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml 
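Review bot: The allow-list in `tls_listeners` treats `ELBSecurityPolicy-2016-08` as acceptable, yet that policy still negotiates TLS 1.0 and 1.1, which is at odds with a control that promises a secure protocol; and `ELBSecurityPolicy-FS-2018-0` looks truncated (the forward-secrecy policies in that family end in a two-digit month), so listeners on the real policy would be alarmed — verify both against the current ELB policy list. The CTE named `nwl_without_tls_listener` actually selects load balancers that do have a TLS listener, and `DISTINCT` plus `GROUP BY load_balancer_arn` in `tls_listeners` is redundant. A hard-coded list silently ages; a parameter like the `awsLatestPolicies` one used by the ALB policy control would keep it maintainable.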
+++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml 
@@ -1,45 +1,46 @@ id: aws_enable_amazon_waf_integration_for_application_load_balancers title: Enable Amazon WAF Integration for Application Load Balancers +type: control description: Use Amazon WAF to protect Application Load Balancers from common web exploits. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH associated_resource AS ( - SELECT - arns - FROM - aws_wafv2_web_acl, - JSONB_ARRAY_ELEMENTS_TEXT(associated_resources) AS arns - ) - SELECT - arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN ar.arns IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ar.arns IS NOT NULL THEN title || ' WAF enabled.' - ELSE title || ' WAF disabled.' - END AS reason, - region, - account_id - FROM - aws_ec2_application_load_balancer AS lb - LEFT JOIN associated_resource AS ar - ON lb.arn = ar.arns; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH associated_resource AS ( + SELECT + arns + FROM + aws_wafv2_web_acl, + JSONB_ARRAY_ELEMENTS_TEXT(associated_resources) AS arns + ) + SELECT + arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN ar.arns IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ar.arns IS NOT NULL THEN title || ' WAF enabled.' + ELSE title || ' WAF disabled.' 
+ END AS reason, + region, + account_id + FROM + aws_ec2_application_load_balancer AS lb + LEFT JOIN associated_resource AS ar + ON lb.arn = ar.arns; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml index c2d37b379..ee5bc9cc3 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml 
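Review bot: The status branch `WHEN ar.arns IS NOT NULL THEN 'ok' ELSE 'alarm'` raises an alarm for every ALB without a web ACL, including internal ones, although the control is tagged 'Exposed Endpoints' and its description is about web exploits reaching the balancer. Consider scoping the failure to internet-facing balancers and reporting the rest as informational: `WHEN ar.arns IS NOT NULL THEN 'ok' WHEN lb.scheme <> 'internet-facing' THEN 'info' ELSE 'alarm'` (the internet-facing ELBv2 control in this same commit reads `scheme` from `aws_ec2_application_load_balancer`, so the column is available). A one-line comment above the CTE, e.g. `-- associated_resources lists the ARNs a WAFv2 web ACL is attached to`, would make the join readable without knowing the table schema.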
@@ -1,35 +1,36 @@ id: aws_enable_cross_zone_load_balancing title: Enable Cross-Zone Load Balancing +type: control description: Ensure fault tolerance for your Amazon Gateway Load Balancers by enabling Cross-Zone Load Balancing. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_gateway_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN lb ->> 'Value' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' - ELSE a.title || ' deletion protection is enabled.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_gateway_load_balancer a - CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb - WHERE - lb ->> 'Key' = 'load_balancing.cross_zone.enabled' + language: sql + primary_resource: aws_ec2_gateway_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN lb ->> 'Value' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' + ELSE a.title || ' deletion protection is enabled.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_gateway_load_balancer a + CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb + WHERE + lb ->> 'Key' = 'load_balancing.cross_zone.enabled' severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) 
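Review bot: The reason strings in this hunk are copied from the deletion-protection control: when `load_balancing.cross_zone.enabled` is `'false'` the reason reads `a.title || ' deletion protection is not enabled.'`, and the ok branch claims deletion protection is enabled, so every finding from this control is mislabeled. Change them to `a.title || ' cross-zone load balancing is not enabled.'` and `a.title || ' cross-zone load balancing is enabled.'`. Note also that the `CROSS JOIN jsonb_array_elements(...) WHERE lb ->> 'Key' = ...` shape silently drops any balancer whose attribute list lacks that key, and `ELSE 'ok'` treats a NULL or unexpected value as passing; if the attribute can be absent, those balancers should be surfaced rather than omitted.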
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml index d7d4c9e3a..49e64abae 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml 
@@ -1,35 +1,36 @@ id: aws_enable_deletion_protection title: Enable Deletion Protection +type: control description: Ensure that Deletion Protection is enabled for Amazon Gateway Load Balancers. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_gateway_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN lb ->> 'Value' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' - ELSE a.title || ' deletion protection is enabled.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_gateway_load_balancer a - CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb - WHERE - lb ->> 'Key' = 'deletion_protection.enabled' + language: sql + primary_resource: aws_ec2_gateway_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN lb ->> 'Value' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN lb ->> 'Value' = 'false' THEN a.title || ' deletion protection is not enabled.' + ELSE a.title || ' deletion protection is enabled.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_gateway_load_balancer a + CROSS JOIN jsonb_array_elements(load_balancer_attributes) AS lb + WHERE + lb ->> 'Key' = 'deletion_protection.enabled' severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) 
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml index 4059184d9..919a8e26d 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml 
@@ -1,52 +1,53 @@ id: aws_enable_http_to_https_redirect_for_application_load_balancers title: Enable HTTP to HTTPS Redirect for Application Load Balancers +type: control description: Ensure that your Application Load Balancers have a rule that redirects HTTP traffic to HTTPS. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH detailed_listeners AS ( - SELECT - arn, - load_balancer_arn, - protocol - FROM - aws_ec2_load_balancer_listener, - jsonb_array_elements(default_actions) AS ac - WHERE - split_part(arn, '/', 2) = 'app' - AND protocol = 'HTTP' - AND ac ->> 'Type' = 'redirect' - AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' - ) - SELECT - a.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN b.load_balancer_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' - ELSE a.title || ' not associated with HTTP redirection.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN detailed_listeners b - ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH detailed_listeners AS ( + SELECT + arn, + load_balancer_arn, + protocol + FROM + aws_ec2_load_balancer_listener, + jsonb_array_elements(default_actions) AS ac + WHERE + split_part(arn, '/', 2) = 'app' + AND protocol = 'HTTP' + AND ac ->> 'Type' = 'redirect' + AND ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' + ) + SELECT + a.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN b.load_balancer_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NOT NULL THEN a.title || ' associated with HTTP redirection.' + ELSE a.title || ' not associated with HTTP redirection.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN detailed_listeners b + ON a.arn = b.load_balancer_arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml index 62a2fc1dc..dfda08ee9 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml 
@@ -1,38 +1,39 @@ id: aws_enable_support_for_grpc_protocol title: Enable Support for gRPC Protocol +type: control description: Ensure that support for gRPC protocol is enabled for Application Load Balancers (ALBs). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN tg.platform_resource_description -> 'TargetGroup' ->> 'ProtocolVersion' = 'GRPC' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN tg.platform_resource_description -> 'TargetGroup' ->> 'ProtocolVersion' = 'GRPC' THEN - a.title || ' is configured to send requests to targets using the gRPC protocol.' - ELSE - a.title || ' is not configured to send requests to targets using the gRPC protocol.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN - aws_ec2_target_group AS tg - ON - tg.load_balancer_arns::text LIKE '%' || a.arn || '%' + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN tg.platform_resource_description -> 'TargetGroup' ->> 'ProtocolVersion' = 'GRPC' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN tg.platform_resource_description -> 'TargetGroup' ->> 'ProtocolVersion' = 'GRPC' THEN + a.title || ' is configured to send requests to targets using the gRPC protocol.' + ELSE + a.title || ' is not configured to send requests to targets using the gRPC protocol.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN + aws_ec2_target_group AS tg + ON + tg.load_balancer_arns::text LIKE '%' || a.arn || '%' severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) diff --git a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml index 9acc5aeeb..22eeabaf5 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml 
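Review bot: The `LEFT JOIN aws_ec2_target_group ... LIKE '%' || a.arn || '%'` yields one result row per target group, so an ALB with one gRPC target group and one HTTP target group is reported both `ok` and `alarm` for the same resource, and a balancer with no target group is reported `alarm` with a reason that does not say why. Collapse the join into an EXISTS, expanding `load_balancer_arns` the way the unused-balancer controls in this commit already do instead of substring-matching the serialized array: `WHEN EXISTS (SELECT 1 FROM aws_ec2_target_group tg, jsonb_array_elements_text(tg.load_balancer_arns) lb_arn WHERE lb_arn = a.arn AND tg.platform_resource_description -> 'TargetGroup' ->> 'ProtocolVersion' = 'GRPC') THEN 'ok'`. Separately, gRPC is a protocol choice rather than a hardening setting, so `alarm` for every non-gRPC ALB in a security baseline is questionable; `info` may be the more honest non-gRPC status.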
@@ -1,32 +1,33 @@ id: aws_internet_facing_elbs title: Internet Facing ELBs +type: control description: Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN scheme = 'internet-facing' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN scheme = 'internet-facing' THEN a.title || ' is internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' - ELSE a.title || ' is not internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_classic_load_balancer a + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN scheme = 'internet-facing' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN scheme = 'internet-facing' THEN a.title || ' is internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' + ELSE a.title || ' is not internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_classic_load_balancer a severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) 
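Review bot: The `ELSE` reason is self-contradictory: it says the balancer `is not internet-facing and routes requests from clients over the Internet to the registered EC2 instances`. Change it to something like `a.title || ' is internal and only routes requests from clients within its VPC.'`. Two smaller points in the same hunk: the tags label the service 'AWS Elastic Load Balancing V2 (ELBv2)' although `primary_resource` is `aws_ec2_classic_load_balancer`, and `scheme` is read unqualified while every other column uses the `a.` alias.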
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml index f9ed51f1f..0744f9081 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml 
@@ -1,32 +1,33 @@ id: aws_internet_facing_elbv2s title: Internet Facing ELBv2s +type: control description: Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - SELECT - a.arn AS resource, - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN scheme = 'internet-facing' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN scheme = 'internet-facing' THEN a.title || ' is internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' - ELSE a.title || ' is not internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + SELECT + a.arn AS resource, + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN scheme = 'internet-facing' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN scheme = 'internet-facing' THEN a.title || ' is internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' + ELSE a.title || ' is not internet-facing and routes requests from clients over the Internet to the registered EC2 instances.' + END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a severity: medium tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) 
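Review bot: The `ELSE` reason has the same contradiction as the classic-ELB control: an internal ALB is described as `is not internet-facing and routes requests from clients over the Internet ...`; rewrite it as `a.title || ' is internal and is not reachable from the Internet.'`. The title says ELBv2s but the query reads only `aws_ec2_application_load_balancer`; network and gateway load balancers (`aws_ec2_network_load_balancer`, `aws_ec2_gateway_load_balancer`, both used elsewhere in this commit) are left unreviewed, so either widen the query with `UNION ALL` over those tables, if they expose the same `scheme` column, or narrow the title and description to ALBs.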
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml index 044dcfd01..9a28ef4ed 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml 
@@ -1,46 +1,47 @@ id: aws_unused_application_load_balancers title: Unused Application Load Balancers +type: control description: Identify unused Applications Load Balancers, and delete them to help lower the cost of your monthly AWS bill. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_application_load_balancer - definition: | - WITH target_resource AS ( - SELECT - load_balancer_arn, - target_health_descriptions, - target_type - FROM - aws_ec2_target_group, - jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn - ) - SELECT - a.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN b.load_balancer_arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN b.load_balancer_arn IS NULL THEN a.title || ' has no target registered.' - ELSE a.title || ' has registered target of type ' || b.target_type || '.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_application_load_balancer a - LEFT JOIN target_resource b ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_application_load_balancer + definition: | + WITH target_resource AS ( + SELECT + load_balancer_arn, + target_health_descriptions, + target_type + FROM + aws_ec2_target_group, + jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn + ) + SELECT + a.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN b.load_balancer_arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN b.load_balancer_arn IS NULL THEN a.title || ' has no target registered.' + ELSE a.title || ' has registered target of type ' || b.target_type || '.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_application_load_balancer a + LEFT JOIN target_resource b ON a.arn = b.load_balancer_arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Orphaned Resources - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Orphaned Resources + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Orphaned Resources diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml index a75b24e1f..04d438e86 100644 --- a/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml 
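Review bot: The status only tests whether some target group references the balancer (`b.load_balancer_arn IS NULL`), so an ALB whose target groups have zero registered targets is reported `ok` with `has registered target of type ...`; `target_health_descriptions` is pulled into the CTE but never read. The gateway variant in this same commit checks `jsonb_array_length(b.target_health_descriptions) = 0`, and the two controls should agree. A combined test such as `WHEN b.load_balancer_arn IS NULL OR jsonb_array_length(b.target_health_descriptions) = 0 THEN 'alarm'` covers both 'no target group' and 'empty target group'; because the join can return several target groups per ALB, aggregating per balancer (or using EXISTS) also avoids duplicate result rows for one resource.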
@@ -1,36 +1,37 @@ id: aws_unused_elastic_load_balancers title: Unused Elastic Load Balancers +type: control description: Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_classic_load_balancer - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN jsonb_array_length(instances) > 0 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN jsonb_array_length(instances) > 0 THEN title || ' has registered instances.' - ELSE title || ' has no instances registered.' - END AS reason, - region, - account_id - FROM - aws_ec2_classic_load_balancer AS lb + language: sql + primary_resource: aws_ec2_classic_load_balancer + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN jsonb_array_length(instances) > 0 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN jsonb_array_length(instances) > 0 THEN title || ' has registered instances.' + ELSE title || ' has no instances registered.' + END AS reason, + region, + account_id + FROM + aws_ec2_classic_load_balancer AS lb severity: low tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Orphaned Resources - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Orphaned Resources + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Orphaned Resources diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml index 8e207d2c0..e934a7dcd 100644 
--- a/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml 
@@ -1,46 +1,47 @@ id: aws_unused_gateway_load_balancers title: Unused Gateway Load Balancers +type: control description: Identify unused Gateway Load Balancers, and delete them to help lower the cost of your monthly AWS bill. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_ec2_gateway_load_balancer - definition: | - WITH target_resource AS ( - SELECT - load_balancer_arn, - target_health_descriptions, - target_type - FROM - aws_ec2_target_group, - jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn - ) - SELECT - a.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN jsonb_array_length(b.target_health_descriptions) = 0 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN jsonb_array_length(b.target_health_descriptions) = 0 THEN a.title || ' has no target registered.' - ELSE a.title || ' has registered target of type' || ' ' || b.target_type || '.' - END AS reason, - a.region, - a.account_id - FROM - aws_ec2_gateway_load_balancer a - LEFT JOIN target_resource b ON a.arn = b.load_balancer_arn; + language: sql + primary_resource: aws_ec2_gateway_load_balancer + definition: | + WITH target_resource AS ( + SELECT + load_balancer_arn, + target_health_descriptions, + target_type + FROM + aws_ec2_target_group, + jsonb_array_elements_text(load_balancer_arns) AS load_balancer_arn + ) + SELECT + a.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN jsonb_array_length(b.target_health_descriptions) = 0 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN jsonb_array_length(b.target_health_descriptions) = 0 THEN a.title || ' has no target registered.' + ELSE a.title || ' has registered target of type' || ' ' || b.target_type || '.' 
+ END AS reason, + a.region, + a.account_id + FROM + aws_ec2_gateway_load_balancer a + LEFT JOIN target_resource b ON a.arn = b.load_balancer_arn; severity: high tags: - platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - platform_score_use_case: - - Orphaned Resources - score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + platform_score_use_case: + - Orphaned Resources + score_service_name: + - AWS Elastic Load Balancing V2 (ELBv2) + score_tags: + - Orphaned Resources diff --git a/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml b/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml index 18e8ba4fb..79ed3ea8d 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml 
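Review bot: A gateway load balancer with no target group at all is reported `ok`: the LEFT JOIN leaves `b.target_health_descriptions` NULL, `jsonb_array_length(NULL) = 0` evaluates to NULL, the CASE falls through to `ELSE 'ok'`, and the reason concatenation with the NULL `b.target_type` produces a NULL reason. Add the missing-join case explicitly in both CASE expressions: `WHEN b.load_balancer_arn IS NULL OR jsonb_array_length(b.target_health_descriptions) = 0 THEN 'alarm'`. That is exactly the orphaned-resource case the control exists to catch, so it deserves a regression fixture with a balancer that has no target group.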
@@ -1,36 +1,37 @@ id: aws_enable_audit_logs title: Enable Audit Logs +type: control description: Ensure that audit logging is enabled for all your Amazon OpenSearch domains. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN log_publishing_options ->> 'AUDIT_LOGS' IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_publishing_options ->> 'AUDIT_LOGS' IS NOT NULL THEN domain_name || ' CloudWatch Logs are enabled.' - ELSE domain_name || ' CloudWatch Logs are not enabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN log_publishing_options ->> 'AUDIT_LOGS' IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN log_publishing_options ->> 'AUDIT_LOGS' IS NOT NULL THEN domain_name || ' CloudWatch Logs are enabled.' + ELSE domain_name || ' CloudWatch Logs are not enabled.' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: medium tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS OpenSearch Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS OpenSearch Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml b/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml index 98f35b1ec..18ccb7786 100644 
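Review bot: `log_publishing_options ->> 'AUDIT_LOGS' IS NOT NULL` only tests that an AUDIT_LOGS entry exists; in the OpenSearch API each log-publishing option carries its own `Enabled` flag, so a domain where audit logging was configured and later switched off still passes. Check the flag instead: `WHEN (log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled')::bool THEN 'ok'`. The reason strings say `CloudWatch Logs are enabled` / `not enabled`, which describes all log types; `audit logging is enabled` / `audit logging is not enabled` matches the control's title and avoids confusion with the other log types.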
--- a/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml @@ -1,36 +1,37 @@ id: aws_enable_in_transit_encryption title: Enable In-Transit Encryption +type: control description: Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN domain_name || ' in-transit encryption is enabled.' - ELSE domain_name || ' in-transit encryption is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN domain_name || ' in-transit encryption is enabled.' + ELSE domain_name || ' in-transit encryption is not enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS OpenSearch Service - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS OpenSearch Service + score_tags: + - Unencrypted Traffic 
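Review bot: The check reads only `domain_endpoint_options ->> 'EnforceHTTPS'`, i.e. client-to-endpoint TLS, while the title is the general 'Enable In-Transit Encryption'; OpenSearch also has node-to-node encryption for traffic inside the cluster, which this control never looks at. If `aws_opensearch_domain` exposes that option (not visible in this hunk), combine the two, e.g. `WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool AND (node_to_node_encryption_options ->> 'Enabled')::bool THEN 'ok'`; otherwise narrow the title and description to HTTPS enforcement. The endpoint's `TLSSecurityPolicy` is likewise unchecked, so a domain still on a policy that permits TLS 1.0 is reported compliant. Minor: the alarm reason `' in-transit encryption is not enabled'` lacks the trailing period the sibling controls use.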
diff --git a/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml b/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml index a63c8a48d..62bab6bca 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml 
@@ -1,36 +1,37 @@ id: aws_encryption_at_rest title: Encryption At Rest +type: control description: Ensure that your Amazon OpenSearch domains are encrypted in order to meet security and compliance requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN domain_name || ' encryption at rest is not enabled' - ELSE domain_name || ' encryption at rest is enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN domain_name || ' encryption at rest is not enabled' + ELSE domain_name || ' encryption at rest is enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS OpenSearch Service - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS OpenSearch Service + score_tags: + - Unencrypted Storage 
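Review bot: The reason strings are inverted relative to the status: when `encryption_at_rest_options ->> 'Enabled'` is true the status is `ok` but the reason says `encryption at rest is not enabled`, and the alarm branch says it is enabled. Swap them: `THEN domain_name || ' encryption at rest is enabled.'` and `ELSE domain_name || ' encryption at rest is not enabled.'`. Since this commit touches every line of the file for re-indentation anyway, fixing the text here keeps exported findings from contradicting their own status.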
diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml index 4ea451e47..b97eae9c5 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml 
@@ -1,60 +1,61 @@ id: aws_opensearch_accessible_only_from_safelisted_ip_addresses title: Opensearch Accessible Only From Safelisted IP Addresses +type: control description: Ensure only safelisted IP addresses can access your Amazon OpenSearch domains. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsSafelistedIPs - value: '' +- key: awsSafelistedIPs + value: "" policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement - WHERE statement ->> 'Condition' IS NULL - ) THEN 'alarm' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, - jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip - WHERE '{{.awsSafelistedIPs}}' LIKE '%' || ip.value::text || '%' - ) THEN 'ok' - WHEN '{{.awsSafelistedIPs}}' = '' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement - WHERE statement ->> 'Condition' IS NULL - ) THEN domain_name || ' does not include specific IP addresses' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, - jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip - WHERE '{{.awsSafelistedIPs}}' LIKE '%' || ip.value::text || '%' - ) THEN domain_name || ' includes approved specific IP addresses' - WHEN '{{.awsSafelistedIPs}}' = '' THEN ' approved IP addresses not defined' - ELSE domain_name || ' includes not approved specific IP addresses' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + 
platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement + WHERE statement ->> 'Condition' IS NULL + ) THEN 'alarm' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, + jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip + WHERE '{{.awsSafelistedIPs}}' LIKE '%' || ip.value::text || '%' + ) THEN 'ok' + WHEN '{{.awsSafelistedIPs}}' = '' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement + WHERE statement ->> 'Condition' IS NULL + ) THEN domain_name || ' does not include specific IP addresses' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, + jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip + WHERE '{{.awsSafelistedIPs}}' LIKE '%' || ip.value::text || '%' + ) THEN domain_name || ' includes approved specific IP addresses' + WHEN '{{.awsSafelistedIPs}}' = '' THEN ' approved IP addresses not defined' + ELSE domain_name || ' includes not approved specific IP addresses' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain; severity: critical tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS OpenSearch Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS OpenSearch Service + score_tags: + - Exposed Endpoints 
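Review bot: The safelist comparison in both EXISTS subqueries cannot match a plain IP: `ip.value` is a jsonb string, so `ip.value::text` renders with its JSON quotes (`"10.0.0.1"`), and `'{{.awsSafelistedIPs}}' LIKE '%' || ip.value::text || '%'` only succeeds if the parameter itself contains quoted values. Use the unquoted form and an exact list match instead, e.g. `WHERE ip.value #>> '{}' = ANY(string_to_array('{{.awsSafelistedIPs}}', ','))`, which also removes the substring ambiguity where `10.0.0.1` would be accepted because `10.0.0.10` is listed. Separately, `(statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb` raises an error when `aws:SourceIp` is a single string rather than an array, which policy syntax allows; guard with `jsonb_typeof(statement -> 'Condition' -> 'IpAddress' -> 'aws:SourceIp') = 'array'` or normalise both forms in a CASE. The parameter is spliced into the SQL as a literal, so a value containing a single quote breaks the statement rather than being bound; if that is the accepted contract, a comment on the parameter saying the value must be a comma-separated list without quotes would save the next person a debugging session.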
diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml index 4d2df5d12..f28e5c4e5 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml 
@@ -1,36 +1,37 @@ id: aws_opensearch_dedicated_master_enabled title: OpenSearch Dedicated Master Enabled +type: control description: Ensure Amazon OpenSearch clusters are using dedicated master nodes to increase the production environment stability. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN domain_name || ' is configured to use dedicated master nodes.' - ELSE domain_name || ' is not configured to use dedicated master nodes' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN domain_name || ' is configured to use dedicated master nodes.' + ELSE domain_name || ' is not configured to use dedicated master nodes' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: medium tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS OpenSearch Service - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS OpenSearch Service + score_tags: + - Lacking High Availability 
diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml index 60c0cd1f7..0597d89e3 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml 
@@ -1,40 +1,41 @@ id: aws_opensearch_domain_encrypted_with_kms_cmks title: OpenSearch Domain Encrypted with KMS CMKs +type: control description: Ensure that OpenSearch domains are encrypted with KMS Customer Master Keys (CMKs). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN kms.key_manager IS NULL THEN 'alarm' - WHEN kms.key_manager = 'AWS' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms.key_manager IS NULL THEN domain_name || ' encryption with kms key not enabled' - WHEN kms.key_manager = 'AWS' THEN domain_name || ' is not encrypted with CMK' - ELSE domain_name || ' is encrypted with CMK' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain - LEFT JOIN (SELECT arn, key_manager FROM aws_kms_key) kms - ON (encryption_at_rest_options ->> 'KmsKeyId') = kms.arn + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN kms.key_manager IS NULL THEN 'alarm' + WHEN kms.key_manager = 'AWS' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kms.key_manager IS NULL THEN domain_name || ' encryption with kms key not enabled' + WHEN kms.key_manager = 'AWS' THEN domain_name || ' is not encrypted with CMK' + ELSE domain_name || ' is encrypted with CMK' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain + LEFT JOIN (SELECT arn, key_manager FROM aws_kms_key) kms + ON (encryption_at_rest_options ->> 'KmsKeyId') = kms.arn severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - AWS OpenSearch Service - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - AWS OpenSearch Service + 
platform_score_use_case: + - Unencrypted Storage + score_service_name: + - AWS OpenSearch Service + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml index 38e241d10..fc6e36c42 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml 
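Review bot: `WHEN kms.key_manager IS NULL THEN 'alarm'` with the reason 'encryption with kms key not enabled' conflates two different states: a domain with encryption at rest disabled, and a domain whose `KmsKeyId` simply has no matching row in `aws_kms_key` (a key owned by another account or region, or one not yet inventoried), which gets the same 'not enabled' message. Testing `(encryption_at_rest_options ->> 'Enabled')::bool` first, as the aws_encryption_at_rest control in this same change does, would let the NULL branch report a distinct reason such as `domain_name || ' KMS key not found in inventory'`. The join `ON (encryption_at_rest_options ->> 'KmsKeyId') = kms.arn` also presumes the domain stores the full key ARN; if it can hold a bare key ID or alias, the join never matches and every such domain alarms — worth confirming against the collector's output before this is relied on.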
@@ -1,52 +1,53 @@ id: aws_opensearch_domain_exposed title: OpenSearch Domain Exposed +type: control description: Ensure Amazon OpenSearch domains aren't exposed to everyone. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND ( - (s ->> 'Principal')::text = '"*"' - OR (s ->> 'Principal')::text = '{"AWS": "*"}' - ) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND ( - (s ->> 'Principal')::text = '"*"' - OR (s ->> 'Principal')::text = '{"AWS": "*"}' - ) - ) THEN domain_name || ' is publicly accessible' - ELSE domain_name || ' is not publicly accessible' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND ( + (s ->> 'Principal')::text = '"*"' + OR (s ->> 'Principal')::text = '{"AWS": "*"}' + ) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND ( + (s ->> 'Principal')::text = '"*"' + OR (s ->> 'Principal')::text = '{"AWS": "*"}' + ) + ) THEN domain_name || ' is publicly accessible' + ELSE domain_name || ' is not publicly accessible' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: high tags: - 
platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS OpenSearch Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS OpenSearch Service + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml index 1fc447bf2..845decab5 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml 
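Review bot: The first principal test in both EXISTS subqueries, `(s ->> 'Principal')::text = '"*"'`, can never be true: `->>` already returns the unquoted text, so a statement with `"Principal": "*"` yields `*`, and such a domain is reported as not publicly accessible. Comparing at the jsonb level fixes this and also covers the list form `{"AWS": ["*"]}`, which the current `= '{"AWS": "*"}'` text comparison misses: `s -> 'Principal' = '"*"'::jsonb OR (s -> 'Principal' -> 'AWS') ? '*'`. The check also ignores `Condition`, so an `Allow` to `*` that is restricted by `aws:SourceIp` is flagged here while aws_opensearch_accessible_only_from_safelisted_ip_addresses evaluates that case; a comment stating that this control intentionally treats any wildcard principal as exposed, conditions or not, would make the overlap deliberate rather than accidental.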
@@ -1,65 +1,66 @@ id: aws_opensearch_domain_in_vpc title: OpenSearch Domain In VPC +type: control description: Ensure that your Amazon OpenSearch domains are accessible only from AWS VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - WITH public_subnets AS ( + language: sql + primary_resource: aws_opensearch_domain + definition: | + WITH public_subnets AS ( + SELECT + DISTINCT a -> 'SubnetId' AS SubnetId + FROM + aws_vpc_route_table AS t, + jsonb_array_elements(associations) AS a, + jsonb_array_elements(routes) AS r + WHERE + r ->> 'DestinationCidrBlock' = '0.0.0.0/0' + AND r ->> 'GatewayId' LIKE 'igw-%' + ), + opensearch_domain_with_public_subnet AS ( + SELECT + arn + FROM + aws_opensearch_domain, + jsonb_array_elements(vpc_options -> 'SubnetIds') AS s + WHERE + s IN ( SELECT - DISTINCT a -> 'SubnetId' AS SubnetId + SubnetId FROM - aws_vpc_route_table AS t, - jsonb_array_elements(associations) AS a, - jsonb_array_elements(routes) AS r - WHERE - r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - AND r ->> 'GatewayId' LIKE 'igw-%' - ), - opensearch_domain_with_public_subnet AS ( - SELECT - arn - FROM - aws_opensearch_domain, - jsonb_array_elements(vpc_options -> 'SubnetIds') AS s - WHERE - s IN ( - SELECT - SubnetId - FROM - public_subnets - ) + public_subnets ) - SELECT - d.arn AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' - ELSE 'ok' - END status, - CASE - WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' - WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' - ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' 
- END reason, - d.region, - d.account_id - FROM - aws_opensearch_domain AS d - LEFT JOIN opensearch_domain_with_public_subnet AS p - ON d.arn = p.arn; + ) + SELECT + d.arn AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN d.vpc_options ->> 'VPCId' IS NULL THEN 'alarm' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN 'alarm' + ELSE 'ok' + END status, + CASE + WHEN vpc_options ->> 'VPCId' IS NULL THEN title || ' not in VPC.' + WHEN d.vpc_options ->> 'VPCId' IS NOT NULL AND p.arn IS NOT NULL THEN title || ' attached to public subnet.' + ELSE title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' + END reason, + d.region, + d.account_id + FROM + aws_opensearch_domain AS d + LEFT JOIN opensearch_domain_with_public_subnet AS p + ON d.arn = p.arn; severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS OpenSearch Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS OpenSearch Service + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml index 936a89b59..a794a1965 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml 
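Review bot: `opensearch_domain_with_public_subnet` emits one row per public subnet a domain is attached to, so a domain spanning two public subnets comes back twice from `LEFT JOIN opensearch_domain_with_public_subnet AS p ON d.arn = p.arn`; change the CTE's projection to `SELECT DISTINCT arn`. `public_subnets` is built only from explicit route-table `associations` with a `SubnetId`, so subnets that fall back to the VPC's main route table are not recognised as public even when that table carries the `0.0.0.0/0` IGW route — if that limitation is accepted, say so in a comment above the CTE. Minor: the second CASE references `vpc_options` and `title` unqualified while the first uses `d.`; qualify both for consistency.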
@@ -1,36 +1,37 @@ id: aws_opensearch_node_to_node_encryption title: OpenSearch Node To Node Encryption +type: control description: Ensure that your Amazon OpenSearch clusters are using node to node encryption in order to meet security and compliance requirements. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN NOT node_to_node_encryption_options_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT node_to_node_encryption_options_enabled THEN domain_name || ' node-to-node encryption is not enabled' - ELSE domain_name || ' node-to-node encryption is enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN NOT node_to_node_encryption_options_enabled THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT node_to_node_encryption_options_enabled THEN domain_name || ' node-to-node encryption is not enabled' + ELSE domain_name || ' node-to-node encryption is enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS OpenSearch Service - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS OpenSearch Service + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml index cdab932a7..c8aa9838c 100644 
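Review bot: `WHEN NOT node_to_node_encryption_options_enabled THEN 'alarm' ELSE 'ok'` reports 'ok' when the column is NULL, because `NOT NULL` is NULL and the CASE falls through to the ELSE branch, so a domain whose encryption options were not collected passes silently. Use `WHEN node_to_node_encryption_options_enabled IS NOT TRUE THEN 'alarm'` in both CASE expressions so NULL is treated as not enabled, which matches how the other OpenSearch controls in this change land on 'alarm' when the value is missing.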
--- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml 
@@ -1,38 +1,39 @@ id: aws_opensearch_slow_logs title: AWS OpenSearch Slow Logs +type: control description: Ensure that your AWS OpenSearch domains publish slow logs to AWS CloudWatch Logs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool AND - COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool AND - COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN domain_name || ' Slow Logs feature is enabled' - ELSE domain_name || ' Slow Logs feature is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool AND + COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool AND + COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN domain_name || ' Slow Logs feature is enabled' + ELSE domain_name || ' Slow Logs feature is not enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: medium tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - General Efficiency - 
score_service_name: - - AWS OpenSearch Service - score_tags: - - General Efficiency + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - General Efficiency + score_service_name: + - AWS OpenSearch Service + score_tags: + - General Efficiency diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml index b5bcf8342..cac05f490 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml 
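Review bot: The outer `::bool` in `COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool` is redundant — `COALESCE` of a bool and `false` is already boolean — and the same two-line predicate is written out twice, once for status and once for reason. Dropping the extra cast, or hoisting the predicate into a CTE column such as `slow_logs_enabled` that both CASE expressions read, would keep the two from drifting apart the way the status and reason already have in aws_encryption_at_rest.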
@@ -1,38 +1,39 @@ id: aws_opensearch_version title: OpenSearch Version +type: control description: Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: - - key: awsOpensearchLatestVersion - value: '' +- key: awsOpensearchLatestVersion + value: "" policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN domain_name || ' is using the latest engine version' - ELSE domain_name || ' is not using the latest engine version' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN domain_name || ' is using the latest engine version' + ELSE domain_name || ' is not using the latest engine version' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: high tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - General Efficiency - score_service_name: - - AWS OpenSearch Service - score_tags: - - General Efficiency + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - General Efficiency + score_service_name: + - AWS OpenSearch Service + score_tags: + - General Efficiency 
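Review bot: With the default `awsOpensearchLatestVersion` of `""`, `engine_version = '{{.awsOpensearchLatestVersion}}'` is false for every domain, so a run without the parameter set alarms every domain with 'is not using the latest engine version'. The sibling aws_opensearch_accessible_only_from_safelisted_ip_addresses control handles its unset parameter with an explicit `WHEN '{{.awsSafelistedIPs}}' = ''` branch; the same guard here, `WHEN '{{.awsOpensearchLatestVersion}}' = '' THEN 'ok'` with a reason like `' latest engine version parameter not defined'`, placed before the equality test, would make the unconfigured state visible instead of a wall of alarms. Whether 'ok' or a distinct status is right for an unconfigured control depends on the platform's status vocabulary, which this file does not show.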
diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml index eef3181c5..bb7475756 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml 
@@ -1,36 +1,37 @@ id: aws_opensearch_zone_awareness_enabled title: OpenSearch Zone Awareness Enabled +type: control description: Ensure high availability for your Amazon OpenSearch clusters by enabling the Zone Awareness feature. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN domain_name || ' cross-zone replication is enabled' - ELSE domain_name || ' cross-zone replication is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN domain_name || ' cross-zone replication is enabled' + ELSE domain_name || ' cross-zone replication is not enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: medium tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS OpenSearch Service - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS OpenSearch Service + score_tags: + - Lacking High Availability 
diff --git a/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml b/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml index db40631fd..cffdb6454 100644 --- a/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml 
@@ -1,36 +1,37 @@ id: aws_tls_security_policy_version title: TLS Security Policy Version +type: control description: Ensure that your OpenSearch domains are using the latest version of the TLS security policy. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_opensearch_domain - definition: | - SELECT - domain_name AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN log_publishing_options IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN log_publishing_options IS NULL THEN domain_name || ' the CloudWatch Logs are not enabled' - ELSE domain_name || ' the CloudWatch Logs are enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + language: sql + primary_resource: aws_opensearch_domain + definition: | + SELECT + domain_name AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN log_publishing_options IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN log_publishing_options IS NULL THEN domain_name || ' the CloudWatch Logs are not enabled' + ELSE domain_name || ' the CloudWatch Logs are enabled' + END AS reason, + region, + account_id + FROM + aws_opensearch_domain severity: medium tags: - platform_score_cloud_service_name: - - AWS OpenSearch Service - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS OpenSearch Service - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS OpenSearch Service + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS OpenSearch Service + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml b/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml index e8d2a6e42..15e944b82 100644 --- a/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml 
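Review bot: The query does not evaluate the TLS security policy at all: both CASE expressions test `log_publishing_options IS NULL` and the reasons talk about CloudWatch Logs, so this control duplicates a logging check under the title 'TLS Security Policy Version' and the 'Unencrypted Traffic' tag, and can report 'ok' on a domain regardless of what TLS policy it enforces. It looks like a copy of another control's body; the predicate presumably needs to read the domain endpoint's TLS policy (the OpenSearch API calls it `DomainEndpointOptions.TLSSecurityPolicy`, so something like `domain_endpoint_options ->> 'TLSSecurityPolicy'` if the table exposes that column — verify against the schema) and compare it with the minimum accepted policy. Taking the accepted policy as a parameter, the way aws_opensearch_version does for the engine version, would avoid hard-coding a policy name that AWS revises.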
+++ b/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml 
@@ -1,54 +1,55 @@ id: aws_aurora_database_cluster_activity_streams title: Aurora Database Cluster Activity Streams +type: control description: Ensure that Amazon Aurora clusters are configured to use database activity streams. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - WITH access_count AS ( - SELECT - db_cluster_identifier, - COUNT(db_cluster_identifier) - FROM - aws_rds_db_instance - GROUP BY - db_cluster_identifier, - publicly_accessible - ) - - SELECT - c.db_cluster_identifier AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN a.count = 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.count = 2 THEN title || ' cluster database instances dont have the same accessibility' - ELSE title || ' cluster database instances have the same accessibility' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster c - LEFT JOIN - access_count AS a - ON - c.db_cluster_identifier = a.db_cluster_identifier - WHERE - c.engine = 'aurora-mysql' - OR c.engine = 'aurora-postgresql' + language: sql + primary_resource: aws_rds_db_cluster + definition: | + WITH access_count AS ( + SELECT + db_cluster_identifier, + COUNT(db_cluster_identifier) + FROM + aws_rds_db_instance + GROUP BY + db_cluster_identifier, + publicly_accessible + ) + + SELECT + c.db_cluster_identifier AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN a.count = 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.count = 2 THEN title || ' cluster database instances dont have the same accessibility' + ELSE title || ' cluster database instances have the same accessibility' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster c + LEFT JOIN + access_count AS a + ON + c.db_cluster_identifier = a.db_cluster_identifier 
+ WHERE + c.engine = 'aurora-mysql' + OR c.engine = 'aurora-postgresql' severity: medium tags: - platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) - platform_score_use_case: - - Problem Identities - score_service_name: - - AWS Relational Database Service (RDS) - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - AWS Relational Database Service (RDS) + platform_score_use_case: + - Problem Identities + score_service_name: + - AWS Relational Database Service (RDS) + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml b/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml index 02c1ba92d..a10f17398 100644 --- a/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml +++ b/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml 
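Review bot: The definition never reads anything about activity streams: the CTE counts `aws_rds_db_instance` rows per `(db_cluster_identifier, publicly_accessible)` and the reasons talk about instance accessibility, so this is the body of aws_aurora_database_instance_accessibility under a different id, and the control cannot detect a cluster without an activity stream. The predicate presumably should test the cluster's activity-stream state on `aws_rds_db_cluster` (the RDS API exposes `ActivityStreamStatus`; if the table carries it as `activity_stream_status`, something like `WHEN activity_stream_status IS DISTINCT FROM 'started' THEN 'alarm'` — confirm the column name and status vocabulary). The copied count logic is also wrong on its own terms, here and in the aws_aurora_database_instance_accessibility hunk that follows: `GROUP BY db_cluster_identifier, publicly_accessible` yields one row per accessibility value, so `a.count = 2` alarms a cluster whose two instances are both private, and a cluster with instances of both kinds is joined twice and reported twice. Grouping by `db_cluster_identifier` alone with `COUNT(DISTINCT publicly_accessible) AS count` and testing `WHEN a.count > 1 THEN 'alarm'` expresses 'instances differ in accessibility' directly.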
@@ -1,50 +1,51 @@ id: aws_aurora_database_instance_accessibility title: Aurora Database Instance Accessibility +type: control description: Ensure that all database instances within an Amazon Aurora cluster have the same accessibility. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_cluster - definition: | - WITH access_count AS ( - SELECT - db_cluster_identifier, - COUNT(db_cluster_identifier) - FROM - aws_rds_db_instance - GROUP BY - db_cluster_identifier, - publicly_accessible - ) - - SELECT - c.db_cluster_identifier AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN a.count = 2 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.count = 2 THEN title || ' cluster database instances dont have the same accessibility' - ELSE title || ' cluster database instances have the same accessibility' - END AS reason, - region, - account_id - FROM - aws_rds_db_cluster c - LEFT JOIN access_count AS a ON c.db_cluster_identifier = a.db_cluster_identifier - WHERE - c.engine = 'aurora-mysql' OR c.engine = 'aurora-postgresql' + language: sql + primary_resource: aws_rds_db_cluster + definition: | + WITH access_count AS ( + SELECT + db_cluster_identifier, + COUNT(db_cluster_identifier) + FROM + aws_rds_db_instance + GROUP BY + db_cluster_identifier, + publicly_accessible + ) + + SELECT + c.db_cluster_identifier AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN a.count = 2 THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.count = 2 THEN title || ' cluster database instances dont have the same accessibility' + ELSE title || ' cluster database instances have the same accessibility' + END AS reason, + region, + account_id + FROM + aws_rds_db_cluster c + LEFT JOIN access_count AS a ON c.db_cluster_identifier = a.db_cluster_identifier + 
WHERE + c.engine = 'aurora-mysql' OR c.engine = 'aurora-postgresql' severity: medium tags: - platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - AWS Relational Database Service (RDS) - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - AWS Relational Database Service (RDS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - AWS Relational Database Service (RDS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/aws/rds/aws_backtrack.yaml b/compliance/controls/baseline/aws/rds/aws_backtrack.yaml index 7cf5f639a..ae22901e5 100644 --- a/compliance/controls/baseline/aws/rds/aws_backtrack.yaml +++ b/compliance/controls/baseline/aws/rds/aws_backtrack.yaml 
@@ -1,38 +1,39 @@
id: aws_backtrack
title: Amazon Aurora Backtrack is required for Production Clusters
+type: control
description: Enable Amazon Aurora Backtrack.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_cluster
- definition: |
- SELECT
- db_cluster_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN backtrack_window IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN backtrack_window IS NULL THEN title || ' Backtrack feature is not enabled'
- ELSE title || ' Backtrack feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_cluster_error
- WHERE
- engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
+ language: sql
+ primary_resource: aws_rds_db_cluster
+ definition: |
+ SELECT
+ db_cluster_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN backtrack_window IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN backtrack_window IS NULL THEN title || ' Backtrack feature is not enabled'
+ ELSE title || ' Backtrack feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_cluster_error
+ WHERE
+ engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
severity: low
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Lacking High Availability
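Review bot: The new-side query still reads `FROM aws_rds_db_cluster_error` while `primary_resource` is `aws_rds_db_cluster` and every other cluster control in this commit selects from `aws_rds_db_cluster`; unless a table of that name really exists, this control fails at query time or evaluates nothing, and the reindent was the moment to change it to `aws_rds_db_cluster`. The `WHERE` also keeps `engine = 'aurora-postgresql'`, but Backtrack is an Aurora MySQL feature, so every Aurora PostgreSQL cluster would alarm on a setting it cannot have; restricting to `engine = 'aurora-mysql'` or returning 'skip' for the PostgreSQL engine avoids the false positives. Whether a disabled window is collected as NULL or as 0 is not visible here and decides whether `backtrack_window IS NULL` alone is the right test.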
diff --git a/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml b/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml
index 4993af0de..2aff4e310 100644
--- a/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml
@@ -1,38 +1,39 @@
id: aws_cluster_deletion_protection
title: Cluster Deletion Protection
+type: control
description: Enable AWS RDS Cluster Deletion Protection.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_cluster
- definition: |
- SELECT
- db_cluster_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT deletion_protection THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT deletion_protection THEN title || ' Deletion Protection safety feature is not enabled'
- ELSE title || ' Deletion Protection safety feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_cluster
- WHERE
- engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
+ language: sql
+ primary_resource: aws_rds_db_cluster
+ definition: |
+ SELECT
+ db_cluster_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT deletion_protection THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT deletion_protection THEN title || ' Deletion Protection safety feature is not enabled'
+ ELSE title || ' Deletion Protection safety feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_cluster
+ WHERE
+ engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Problem Identities
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Problem Identities
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Problem Identities
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Problem Identities
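Review bot: `WHEN NOT deletion_protection THEN 'alarm'` on the new side reports a cluster whose flag is NULL as compliant, because `NOT NULL` is UNKNOWN and the CASE falls through to `ELSE 'ok'`; a cluster the collector could not read the flag for is then counted as protected. Writing the predicate as `WHEN deletion_protection IS NOT TRUE THEN 'alarm'` (and the same in the reason CASE) makes the unknown case fail closed. The same `NOT <flag>` shape is on the new side of aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml (`copy_tags_to_snapshot`) and aws_performance_insights.yaml (`performance_insights_enabled`), and aws_rds_automated_backups_enabled.yaml has the numeric variant, where `COALESCE(backup_retention_period, 0) < 1` closes it. Whether NULLs actually occur in these columns depends on the collector, which this commit does not show.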
diff --git a/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml b/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml
index cc84e3efc..322411677 100644
--- a/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml
@@ -1,41 +1,42 @@
id: aws_db_instance_generation
title: DB Instance Generation
+type: control
description: Ensure you always use the latest generation of DB instances to get better performance with lower cost.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- class,
- CASE
- WHEN ARRAY['db.m1.small', 'db.m1.medium', 'db.m1.large', 'db.m1.xlarge',
- 'db.m3.medium', 'db.m3.large', 'db.m3.xlarge', 'db.m3.2xlarge',
- 'db.m2.xlarge', 'db.m2.2xlarge', 'db.m2.4xlarge', 'db.r3.large',
- 'db.r3.xlarge', 'db.r3.2xlarge', 'db.r3.4xlarge', 'db.r3.8xlarge']
- @> ARRAY[class] THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ARRAY['db.m1.small', 'db.m1.medium', 'db.m1.large', 'db.m1.xlarge',
- 'db.m3.medium', 'db.m3.large', 'db.m3.xlarge', 'db.m3.2xlarge',
- 'db.m2.xlarge', 'db.m2.2xlarge', 'db.m2.4xlarge', 'db.r3.large',
- 'db.r3.xlarge', 'db.r3.2xlarge', 'db.r3.4xlarge', 'db.r3.8xlarge']
- @> ARRAY[class] THEN title || ' RDS Instance is using previous generation class'
- ELSE title || ' RDS Instance is using class of latest generation'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ class,
+ CASE
+ WHEN ARRAY['db.m1.small', 'db.m1.medium', 'db.m1.large', 'db.m1.xlarge',
+ 'db.m3.medium', 'db.m3.large', 'db.m3.xlarge', 'db.m3.2xlarge',
+ 'db.m2.xlarge', 'db.m2.2xlarge', 'db.m2.4xlarge', 'db.r3.large',
+ 'db.r3.xlarge', 'db.r3.2xlarge', 'db.r3.4xlarge', 'db.r3.8xlarge']
+ @> ARRAY[class] THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ARRAY['db.m1.small', 'db.m1.medium', 
'db.m1.large', 'db.m1.xlarge',
+ 'db.m3.medium', 'db.m3.large', 'db.m3.xlarge', 'db.m3.2xlarge',
+ 'db.m2.xlarge', 'db.m2.2xlarge', 'db.m2.4xlarge', 'db.r3.large',
+ 'db.r3.xlarge', 'db.r3.2xlarge', 'db.r3.4xlarge', 'db.r3.8xlarge']
+ @> ARRAY[class] THEN title || ' RDS Instance is using previous generation class'
+ ELSE title || ' RDS Instance is using class of latest generation'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- score_service_name:
- - AWS Relational Database Service (RDS)
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ score_service_name:
+ - AWS Relational Database Service (RDS)
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml b/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml
index 4558735da..52fc75307 100644
--- a/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml
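Review bot: The previous-generation class list is spelled out twice on the new side, once for `status` and once for `reason`, so the two copies can drift the next time a class is added or removed, and `ARRAY[...] @> ARRAY[class]` is an indirect way to write membership. Defining the list once — a `WITH previous_generation(class) AS (VALUES ('db.m1.small'), ...)` CTE holding the sixteen names, or a single `class IN (...)` predicate — and testing `class IN (SELECT class FROM previous_generation)` in both CASE expressions removes the duplication without changing the verdict. Whether the list is still current (it stops at the m3/r3 families) is a separate question for the control owner and deserves a comment in the definition.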
@@ -1,38 +1,39 @@
id: aws_enable_aurora_cluster_copy_tags_to_snapshots
title: Enable Aurora Cluster Copy Tags to Snapshots
+type: control
description: Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_cluster
- definition: |
- SELECT
- db_cluster_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT copy_tags_to_snapshot THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT copy_tags_to_snapshot THEN title || ' Copy Tags to Snapshots feature is not enabled'
- ELSE title || ' Copy Tags to Snapshots feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_cluster
- WHERE
- engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
+ language: sql
+ primary_resource: aws_rds_db_cluster
+ definition: |
+ SELECT
+ db_cluster_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT copy_tags_to_snapshot THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT copy_tags_to_snapshot THEN title || ' Copy Tags to Snapshots feature is not enabled'
+ ELSE title || ' Copy Tags to Snapshots feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_cluster
+ WHERE
+ engine = 'aurora-mysql' OR engine = 'aurora-postgresql'
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Observability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Observability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Observability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Observability
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml b/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml
index 0470a2fa3..34634dc84 100644
--- a/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml
@@ -1,73 +1,74 @@
id: aws_enable_aws_rds_transport_encryption
title: Enable AWS RDS Transport Encryption
+type: control
description: Ensure AWS RDS SQL Server and Postgre instances have Transport Encryption feature enabled.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- WITH instance_pg AS (
- SELECT
- g ->> 'DBParameterGroupName' AS pg_name,
- i.platform_integration_id,
- i.platform_resource_id,
- i.engine,
- i.title,
- i.arn,
- i.tags,
- i.region,
- i.account_id,
- i._ctx
- FROM
- aws_rds_db_instance AS i,
- jsonb_array_elements(db_parameter_groups) AS g
- ),
- pg_with_ssl_enabled AS (
- SELECT
- g.name
- FROM
- instance_pg AS i,
- aws_rds_db_parameter_group AS g,
- jsonb_array_elements(parameters) AS p
- WHERE
- i.pg_name = g.name
- AND g.account_id = i.account_id
- AND g.region = i.region
- AND p ->> 'ParameterName' = 'rds.force_ssl'
- AND p ->> 'ParameterValue' = '1'
- )
- SELECT
- i.arn AS resource,
- i.engine,
- i.platform_integration_id,
- i.platform_resource_id,
- CASE
- WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN 'skip'
- WHEN p.name IS NOT NULL THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN title || ' has ' || engine || ' engine type.'
- WHEN p.name IS NOT NULL THEN title || ' connections are SSL encrypted.'
- ELSE title || ' connections are not SSL encrypted.' 
- END AS reason,
- region,
- account_id
- FROM
- instance_pg AS i
- LEFT JOIN
- pg_with_ssl_enabled AS p
- ON
- p.name = i.pg_name
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ WITH instance_pg AS (
+ SELECT
+ g ->> 'DBParameterGroupName' AS pg_name,
+ i.platform_integration_id,
+ i.platform_resource_id,
+ i.engine,
+ i.title,
+ i.arn,
+ i.tags,
+ i.region,
+ i.account_id,
+ i._ctx
+ FROM
+ aws_rds_db_instance AS i,
+ jsonb_array_elements(db_parameter_groups) AS g
+ ),
+ pg_with_ssl_enabled AS (
+ SELECT
+ g.name
+ FROM
+ instance_pg AS i,
+ aws_rds_db_parameter_group AS g,
+ jsonb_array_elements(parameters) AS p
+ WHERE
+ i.pg_name = g.name
+ AND g.account_id = i.account_id
+ AND g.region = i.region
+ AND p ->> 'ParameterName' = 'rds.force_ssl'
+ AND p ->> 'ParameterValue' = '1'
+ )
+ SELECT
+ i.arn AS resource,
+ i.engine,
+ i.platform_integration_id,
+ i.platform_resource_id,
+ CASE
+ WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN 'skip'
+ WHEN p.name IS NOT NULL THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN i.engine NOT IN ('sqlserver', 'postgres') THEN title || ' has ' || engine || ' engine type.'
+ WHEN p.name IS NOT NULL THEN title || ' connections are SSL encrypted.'
+ ELSE title || ' connections are not SSL encrypted.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ instance_pg AS i
+ LEFT JOIN
+ pg_with_ssl_enabled AS p
+ ON
+ p.name = i.pg_name
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Unencrypted Traffic
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Unencrypted Traffic
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Unencrypted Traffic
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Unencrypted Traffic
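Review bot: The final `LEFT JOIN pg_with_ssl_enabled AS p ON p.name = i.pg_name` on the new side matches on parameter-group name alone, even though `pg_with_ssl_enabled` was built per account and region; default names such as `default.postgres14` recur in every account, so one account's group with `rds.force_ssl = 1` marks every same-named group in every other account and region as 'ok'. Carrying `g.account_id` and `g.region` out of the CTE and joining on all three keeps the verdict scoped to the instance's own parameter group. Separately, `i.engine NOT IN ('sqlserver', 'postgres')` skips every SQL Server instance, because RDS reports those engines as `sqlserver-ee`, `sqlserver-se`, `sqlserver-ex` and `sqlserver-web`; a `NOT (i.engine LIKE 'sqlserver%' OR i.engine = 'postgres')` skip condition covers them. Since `instance_pg` emits one row per parameter group, an instance attached to several groups also appears several times in the result, which the control's consumer may not expect.

```sql
pg_with_ssl_enabled AS (
    SELECT
        g.name,
        g.account_id,
        g.region
    -- … unchanged: FROM / WHERE of the CTE …
)
-- … unchanged: SELECT list and CASE expressions …
FROM
    instance_pg AS i
LEFT JOIN
    pg_with_ssl_enabled AS p
ON
    p.name = i.pg_name
    AND p.account_id = i.account_id
    AND p.region = i.region
```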
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml b/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml
index 6e132c87d..012fca9b0 100644
--- a/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml
@@ -1,38 +1,39 @@
id: aws_enable_instance_storage_auto_scaling
title: Enable Instance Storage AutoScaling
+type: control
description: Ensure that the Storage AutoScaling feature is enabled to support unpredictable database workload.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN max_allocated_storage IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN max_allocated_storage IS NULL THEN title || ' Storage AutoScaling feature is not enabled'
- ELSE title || ' Storage AutoScaling feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
- WHERE
- engine = 'mysql' OR engine = 'postgres'
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN max_allocated_storage IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN max_allocated_storage IS NULL THEN title || ' Storage AutoScaling feature is not enabled'
+ ELSE title || ' Storage AutoScaling feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
+ WHERE
+ engine = 'mysql' OR engine = 'postgres'
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Over Utilization
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Over Utilization
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Over Utilization
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Over Utilization
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml b/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml
index f9945f875..96c09ac2d 100644
--- a/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml
@@ -1,51 +1,52 @@
id: aws_enable_rds_snapshot_encryption
title: Enable RDS Snapshot Encryption
+type: control
description: Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- WITH snapshots AS (
- SELECT DISTINCT
- db_instance_identifier,
- encrypted
- FROM
- aws_rds_db_snapshot
- WHERE
- type = 'awsbackup'
- )
- SELECT
- r.db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN b.db_instance_identifier IS NULL THEN 'skip'
- WHEN NOT b.encrypted THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN b.db_instance_identifier IS NULL THEN r.title || ' has no RDS database instance snapshots.'
- WHEN NOT b.encrypted THEN r.title || ' snapshots not encrypted.'
- ELSE r.title || ' snapshots encrypted.'
- END AS reason,
- r.region,
- r.account_id
- FROM
- aws_rds_db_instance AS r
- LEFT JOIN
- snapshots AS b
- ON
- r.db_instance_identifier = b.db_instance_identifier;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ WITH snapshots AS (
+ SELECT DISTINCT
+ db_instance_identifier,
+ encrypted
+ FROM
+ aws_rds_db_snapshot
+ WHERE
+ type = 'awsbackup'
+ )
+ SELECT
+ r.db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN b.db_instance_identifier IS NULL THEN 'skip'
+ WHEN NOT b.encrypted THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN b.db_instance_identifier IS NULL THEN r.title || ' has no RDS database instance snapshots.'
+ WHEN NOT b.encrypted THEN r.title || ' snapshots not encrypted.'
+ ELSE r.title || ' snapshots encrypted.' 
+ END AS reason,
+ r.region,
+ r.account_id
+ FROM
+ aws_rds_db_instance AS r
+ LEFT JOIN
+ snapshots AS b
+ ON
+ r.db_instance_identifier = b.db_instance_identifier;
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Unencrypted Storage
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Unencrypted Storage
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Unencrypted Storage
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Unencrypted Storage
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml b/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml
index 196101cec..8c09fbd71 100644
--- a/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml
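Review bot: `SELECT DISTINCT db_instance_identifier, encrypted` in the `snapshots` CTE on the new side yields two rows for an instance that has both encrypted and unencrypted snapshots, so the LEFT JOIN duplicates that instance in the output with one 'ok' row and one 'alarm' row, and a consumer that keeps the last row per resource may see it as compliant. Aggregating to one row per instance with `bool_and(encrypted)` and testing it with `IS NOT TRUE` gives a single verdict that also fails closed when the flag is NULL. The join matches `db_instance_identifier` across accounts and regions; if identifiers can repeat between accounts, `account_id` and `region` belong in the join as well. `type = 'awsbackup'` restricts the check to AWS Backup snapshots, which may be intended but deserves a comment in the definition.

```sql
WITH snapshots AS (
    SELECT
        db_instance_identifier,
        bool_and(encrypted) AS all_encrypted
    FROM
        aws_rds_db_snapshot
    WHERE
        type = 'awsbackup'
    GROUP BY
        db_instance_identifier
)
-- … unchanged: SELECT list …
    CASE
        WHEN b.db_instance_identifier IS NULL THEN 'skip'
        WHEN b.all_encrypted IS NOT TRUE THEN 'alarm'
        ELSE 'ok'
    END AS status,
    CASE
        WHEN b.db_instance_identifier IS NULL THEN r.title || ' has no RDS database instance snapshots.'
        WHEN b.all_encrypted IS NOT TRUE THEN r.title || ' snapshots not encrypted.'
        ELSE r.title || ' snapshots encrypted.'
    END AS reason,
-- … unchanged: r.region, r.account_id, FROM / LEFT JOIN …
```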
@@ -1,38 +1,39 @@
id: aws_enable_serverless_log_exports
title: Enable Serverless Log Exports
+type: control
description: Ensure Log Exports feature is enabled for your Amazon Aurora Serverless databases.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_cluster
- definition: |
- SELECT
- db_cluster_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN enabled_cloudwatch_logs_exports IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN enabled_cloudwatch_logs_exports IS NULL THEN title || ' Log Exports feature is not enabled'
- ELSE title || ' Log Exports feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_cluster
- WHERE
- engine_mode = 'serverless'
+ language: sql
+ primary_resource: aws_rds_db_cluster
+ definition: |
+ SELECT
+ db_cluster_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN enabled_cloudwatch_logs_exports IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN enabled_cloudwatch_logs_exports IS NULL THEN title || ' Log Exports feature is not enabled'
+ ELSE title || ' Log Exports feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_cluster
+ WHERE
+ engine_mode = 'serverless'
severity: low
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Lacking High Availability
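Review bot: `enabled_cloudwatch_logs_exports IS NULL` on the new side only catches an absent value; a cluster whose export list was collected as an empty array passes as 'ok' while exporting no log type at all. If the column is a JSON array, `WHEN enabled_cloudwatch_logs_exports IS NULL OR jsonb_array_length(enabled_cloudwatch_logs_exports) = 0 THEN 'alarm'` closes that gap (`cardinality(...)` if it is a native array); the column type is not visible in this hunk, so confirm it before choosing. The same predicate is on the new side of aws_log_exports.yaml. `engine_mode = 'serverless'` also deserves a comment stating which Serverless generation it targets, since clusters that report `provisioned` are excluded by it.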
diff --git a/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml b/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml
index 63393454a..da72b1a55 100644
--- a/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml
@@ -1,38 +1,39 @@
id: aws_instance_deletion_protection
title: Instance Deletion Protection
+type: control
description: Enable AWS RDS Instance Deletion Protection.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN engine LIKE ANY(ARRAY ['aurora%', 'docdb', 'neptune']) THEN 'skip'
- WHEN deletion_protection THEN 'ok'
- ELSE 'alarm'
- END status,
- CASE
- WHEN engine LIKE ANY(ARRAY ['aurora%', 'docdb', 'neptune']) THEN title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
- WHEN deletion_protection THEN title || ' deletion protection enabled.'
- ELSE title || ' deletion protection not enabled.'
- END reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN engine LIKE ANY(ARRAY ['aurora%', 'docdb', 'neptune']) THEN 'skip'
+ WHEN deletion_protection THEN 'ok'
+ ELSE 'alarm'
+ END status,
+ CASE
+ WHEN engine LIKE ANY(ARRAY ['aurora%', 'docdb', 'neptune']) THEN title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'
+ WHEN deletion_protection THEN title || ' deletion protection enabled.'
+ ELSE title || ' deletion protection not enabled.' 
+ END reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Problem Identities
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Problem Identities
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Problem Identities
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Problem Identities
diff --git a/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml b/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml
index 696cd2593..f96ad19fd 100644
--- a/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml
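Review bot: `END status` and `END reason` on the new side omit the `AS` that every sibling control in this commit writes (`END AS status`, `END AS reason`); the reindent touched these lines anyway, so bringing them in line with the others costs nothing and keeps a formatter such as sqlfluff quiet. The verdict logic itself is sound: a NULL `deletion_protection` falls to `ELSE 'alarm'`, which is the fail-closed direction.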
@@ -1,38 +1,39 @@
id: aws_instance_level_events_subscriptions
title: Instance Level Events Subscriptions
+type: control
description: Enable Event Subscriptions for Instance Level Events.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT DISTINCT
- a.platform_integration_id,
- a.platform_resource_id,
- CASE
- WHEN s.arn IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN s.arn IS NULL THEN 'Event notifications is not enabled for Amazon RDS instance level events'
- ELSE 'Event notifications is enabled for Amazon RDS instance level events'
- END AS reason,
- a.account_id
- FROM
- aws_account a
- LEFT JOIN (
- SELECT * FROM aws_rds_db_event_subscription
- WHERE source_type = 'db-instance'
- ) s ON s.platform_integration_id = a.platform_integration_id
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT DISTINCT
+ a.platform_integration_id,
+ a.platform_resource_id,
+ CASE
+ WHEN s.arn IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN s.arn IS NULL THEN 'Event notifications is not enabled for Amazon RDS instance level events'
+ ELSE 'Event notifications is enabled for Amazon RDS instance level events'
+ END AS reason,
+ a.account_id
+ FROM
+ aws_account a
+ LEFT JOIN (
+ SELECT * FROM aws_rds_db_event_subscription
+ WHERE source_type = 'db-instance'
+ ) s ON s.platform_integration_id = a.platform_integration_id
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - General Efficiency
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - General Efficiency
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - General Efficiency
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - General Efficiency
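Review bot: The new-side select list has no `resource` column, while every other control in this commit starts with `... AS resource`; a consumer that keys results on `resource` gets nothing to attach this verdict to, so add `a.arn AS resource,` ahead of `a.platform_integration_id` (the account ARN is what the other account-scoped control uses). The `LEFT JOIN (SELECT * FROM aws_rds_db_event_subscription WHERE source_type = 'db-instance')` fetches every subscription column only to test `s.arn IS NULL`, and the `DISTINCT` exists to fold the one-row-per-subscription fan-out back down; `WHERE EXISTS (SELECT 1 FROM aws_rds_db_event_subscription s WHERE s.platform_integration_id = a.platform_integration_id AND s.source_type = 'db-instance')` in the CASE, or a subquery selecting just `platform_integration_id` with `GROUP BY`, says the same thing without either. A subscription that exists but is disabled still counts as 'ok' here; if the table carries an enabled flag it belongs in that WHERE.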
diff --git a/compliance/controls/baseline/aws/rds/aws_log_exports.yaml b/compliance/controls/baseline/aws/rds/aws_log_exports.yaml
index fd7c7936b..54068976e 100644
--- a/compliance/controls/baseline/aws/rds/aws_log_exports.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_log_exports.yaml
@@ -1,38 +1,39 @@
id: aws_log_exports
title: Log Exports
+type: control
description: Enable AWS RDS Log Exports.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN enabled_cloudwatch_logs_exports IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN enabled_cloudwatch_logs_exports IS NULL THEN title || ' Log Exports feature is not enabled'
- ELSE title || ' Log Exports feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
- WHERE
- engine = 'mysql' OR engine = 'mariadb'
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN enabled_cloudwatch_logs_exports IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN enabled_cloudwatch_logs_exports IS NULL THEN title || ' Log Exports feature is not enabled'
+ ELSE title || ' Log Exports feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
+ WHERE
+ engine = 'mysql' OR engine = 'mariadb'
severity: low
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Observability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Observability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Observability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Observability
diff --git a/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml b/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml
index bc03f520f..dabaf359a 100644
--- a/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml
@@ -1,41 +1,42 @@
id: aws_performance_insights
title: Performance Insights
+type: control
description: Enable AWS RDS Performance Insights.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT performance_insights_enabled THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT performance_insights_enabled THEN title || ' Performance Insights feature is not enabled'
- ELSE title || ' Performance Insights feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
- WHERE
- engine = 'aurora-mysql'
- OR engine = 'aurora-postgresql'
- OR engine = 'mysql'
- OR engine = 'postgres'
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT performance_insights_enabled THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT performance_insights_enabled THEN title || ' Performance Insights feature is not enabled'
+ ELSE title || ' Performance Insights feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
+ WHERE
+ engine = 'aurora-mysql'
+ OR engine = 'aurora-postgresql'
+ OR engine = 'mysql'
+ OR engine = 'postgres'
severity: low
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database 
Service (RDS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml b/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml
index aeec66288..62cddf4ed 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml
@@ -1,37 +1,38 @@
id: aws_rds_automated_backups_enabled
title: RDS Automated Backups Enabled
+type: control
description: Ensure automated backups are enabled for RDS instances. This feature of Amazon RDS enables point-in-time recovery of your database instance.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN backup_retention_period < 1 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN backup_retention_period < 1 THEN title || ' backups not enabled.'
- ELSE title || ' backups enabled.'
- END AS reason,
- region,
- account_id,
- backup_retention_period
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN backup_retention_period < 1 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN backup_retention_period < 1 THEN title || ' backups not enabled.'
+ ELSE title || ' backups enabled.'
+ END AS reason,
+ region,
+ account_id,
+ backup_retention_period
+ FROM
+ aws_rds_db_instance;
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Missing Backup
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Missing Backup
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Missing Backup
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Missing Backup
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml b/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml
index 0c98b3d28..6efb74dfa 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml
@@ -1,112 +1,113 @@
id: aws_rds_db_instance_no_public_subnet
title: RDS Instance Not In Public Subnet
+type: control
description: Ensure that no AWS RDS database instances are provisioned inside VPC public subnets.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- WITH subnets_with_explicit_route AS (
- SELECT
- DISTINCT (a ->> 'SubnetId') AS all_sub
- FROM
- aws_vpc_route_table AS t,
- jsonb_array_elements(associations) AS a
- WHERE
- a ->> 'SubnetId' IS NOT NULL
- ),
- public_subnets_with_explicit_route AS (
- SELECT
- DISTINCT a ->> 'SubnetId' AS SubnetId
- FROM
- aws_vpc_route_table AS t,
- jsonb_array_elements(associations) AS a,
- jsonb_array_elements(routes) AS r
- WHERE
- r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
- AND (
- r ->> 'GatewayId' LIKE 'igw-%'
- OR r ->> 'NatGatewayId' LIKE 'nat-%'
- )
- AND a ->> 'SubnetId' IS NOT NULL
- ),
- public_subnets_with_implicit_route AS (
- SELECT
- DISTINCT route_table_id,
- vpc_id,
- region
- FROM
- aws_vpc_route_table AS t,
- jsonb_array_elements(associations) AS a,
- jsonb_array_elements(routes) AS r
- WHERE
- a ->> 'Main' = 'true'
- AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
- AND (
- r ->> 'GatewayId' LIKE 'igw-%'
- OR r ->> 'NatGatewayId' LIKE 'nat-%'
- )
- ),
- subnet_accessibility AS (
- SELECT
- subnet_id,
- vpc_id,
- CASE
- WHEN s.subnet_id IN (
- SELECT
- SubnetId
- FROM
- public_subnets_with_explicit_route
- ) THEN 'private'
- WHEN p.SubnetId IS NOT NULL OR s.vpc_id IN (
- SELECT
- vpc_id
- FROM
- public_subnets_with_implicit_route
- ) THEN 'public'
- ELSE 'private'
- END AS access
- FROM
- aws_vpc_subnet AS s
- LEFT JOIN public_subnets_with_explicit_route AS p ON p.SubnetId = s.subnet_id
- ),
- cluster_public_subnet AS (
- SELECT
- DISTINCT arn,
- name AS subnet_group_name
- FROM
- aws_rds_db_subnet_group,
- jsonb_array_elements(subnets) AS s
- LEFT JOIN subnet_accessibility AS a ON a.subnet_id 
= s ->> 'SubnetIdentifier'
- WHERE
- a.access = 'public'
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ WITH subnets_with_explicit_route AS (
+ SELECT
+ DISTINCT (a ->> 'SubnetId') AS all_sub
+ FROM
+ aws_vpc_route_table AS t,
+ jsonb_array_elements(associations) AS a
+ WHERE
+ a ->> 'SubnetId' IS NOT NULL
+ ),
+ public_subnets_with_explicit_route AS (
+ SELECT
+ DISTINCT a ->> 'SubnetId' AS SubnetId
+ FROM
+ aws_vpc_route_table AS t,
+ jsonb_array_elements(associations) AS a,
+ jsonb_array_elements(routes) AS r
+ WHERE
+ r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
+ AND (
+ r ->> 'GatewayId' LIKE 'igw-%'
+ OR r ->> 'NatGatewayId' LIKE 'nat-%'
)
- SELECT
- c.arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN s.subnet_group_name IS NOT NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN s.subnet_group_name IS NOT NULL THEN c.title || ' has public subnet.'
- ELSE c.title || ' has private subnet.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance AS c
- LEFT JOIN cluster_public_subnet AS s ON s.subnet_group_name = c.db_subnet_group_name;
+ AND a ->> 'SubnetId' IS NOT NULL
+ ),
+ public_subnets_with_implicit_route AS (
+ SELECT
+ DISTINCT route_table_id,
+ vpc_id,
+ region
+ FROM
+ aws_vpc_route_table AS t,
+ jsonb_array_elements(associations) AS a,
+ jsonb_array_elements(routes) AS r
+ WHERE
+ a ->> 'Main' = 'true'
+ AND r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
+ AND (
+ r ->> 'GatewayId' LIKE 'igw-%'
+ OR r ->> 'NatGatewayId' LIKE 'nat-%'
+ )
+ ),
+ subnet_accessibility AS (
+ SELECT
+ subnet_id,
+ vpc_id,
+ CASE
+ WHEN s.subnet_id IN (
+ SELECT
+ SubnetId
+ FROM
+ public_subnets_with_explicit_route
+ ) THEN 'private'
+ WHEN p.SubnetId IS NOT NULL OR s.vpc_id IN (
+ SELECT
+ vpc_id
+ FROM
+ public_subnets_with_implicit_route
+ ) THEN 'public'
+ ELSE 'private'
+ END AS access
+ FROM
+ aws_vpc_subnet AS s
+ LEFT JOIN public_subnets_with_explicit_route AS p ON p.SubnetId = s.subnet_id 
+ ),
+ cluster_public_subnet AS (
+ SELECT
+ DISTINCT arn,
+ name AS subnet_group_name
+ FROM
+ aws_rds_db_subnet_group,
+ jsonb_array_elements(subnets) AS s
+ LEFT JOIN subnet_accessibility AS a ON a.subnet_id = s ->> 'SubnetIdentifier'
+ WHERE
+ a.access = 'public'
+ )
+ SELECT
+ c.arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN s.subnet_group_name IS NOT NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN s.subnet_group_name IS NOT NULL THEN c.title || ' has public subnet.'
+ ELSE c.title || ' has private subnet.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance AS c
+ LEFT JOIN cluster_public_subnet AS s ON s.subnet_group_name = c.db_subnet_group_name;
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml b/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml
index 9c9fcf075..5efbb136f 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml
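Review bot: In the subnet_accessibility CTE on the new side, the first WHEN classifies a subnet found in public_subnets_with_explicit_route as 'private', and since that is the very set the `p.SubnetId IS NOT NULL` test in the second WHEN checks, a subnet explicitly associated with a route table that has an igw-/nat- default route can never be reported 'public'; only subnets inheriting a public VPC main route table ever alarm, so instances in the most common kind of public subnet pass this control. The subnets_with_explicit_route CTE (all_sub) is defined but never referenced, which suggests the first WHEN was meant to use it so that an explicit non-public association keeps the subnet from inheriting the main table. The reordered CASE below expresses that; I would also confirm whether a `nat-%` default route should count as public at all, since a subnet whose default route is a NAT gateway is normally treated as private, and that question applies to public_subnets_with_implicit_route as well.
```sql
subnet_accessibility AS (
  SELECT
    subnet_id,
    vpc_id,
    CASE
      -- explicitly associated with a route table that has an igw/nat default route
      WHEN p.SubnetId IS NOT NULL THEN 'public'
      -- explicitly associated with any other route table: the VPC main table does not apply
      WHEN s.subnet_id IN (SELECT all_sub FROM subnets_with_explicit_route) THEN 'private'
      -- no explicit association: the subnet inherits the VPC main route table
      WHEN s.vpc_id IN (SELECT vpc_id FROM public_subnets_with_implicit_route) THEN 'public'
      ELSE 'private'
    END AS access
  -- … unchanged: FROM aws_vpc_subnet AS s LEFT JOIN public_subnets_with_explicit_route AS p …
),
```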
@@ -1,46 +1,47 @@
id: aws_rds_default_port
title: RDS Default Port
+type: control
description: Ensure Amazon RDS database instances aren't using the default ports.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN
- endpoint_port = 3306 AND engine IN ('mysql', 'mariadb', 'aurora-mysql') OR
- endpoint_port = 5431 AND engine IN ('postres', 'postgres-ee', 'aurora-postgresql') OR
- endpoint_port = 1433 AND engine LIKE 'sqlserver%' OR
- endpoint_port = 1521 AND engine = 'oracle-ee'
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN
- endpoint_port = 3306 AND engine IN ('mysql', 'mariadb', 'aurora-mysql') OR
- endpoint_port = 5431 AND engine IN ('postres', 'postgres-ee', 'aurora-postgresql') OR
- endpoint_port = 1433 AND engine LIKE 'sqlserver%' OR
- endpoint_port = 1521 AND engine = 'oracle-ee'
- THEN title || ' port is set to default'
- ELSE title || ' port is not set to default'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN
+ endpoint_port = 3306 AND engine IN ('mysql', 'mariadb', 'aurora-mysql') OR
+ endpoint_port = 5431 AND engine IN ('postres', 'postgres-ee', 'aurora-postgresql') OR
+ endpoint_port = 1433 AND engine LIKE 'sqlserver%' OR
+ endpoint_port = 1521 AND engine = 'oracle-ee'
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN
+ endpoint_port = 3306 AND engine IN ('mysql', 'mariadb', 'aurora-mysql') OR
+ endpoint_port = 5431 AND engine IN ('postres', 'postgres-ee', 'aurora-postgresql') OR
+ endpoint_port = 1433 AND engine LIKE 
'sqlserver%' OR
+ endpoint_port = 1521 AND engine = 'oracle-ee'
+ THEN title || ' port is set to default'
+ ELSE title || ' port is not set to default'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
severity: low
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml b/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml
index bb00a68fb..fffd74b59 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml
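Review bot: The PostgreSQL branch of both CASE expressions on the new side, `endpoint_port = 5431 AND engine IN ('postres', 'postgres-ee', 'aurora-postgresql')`, cannot match a real instance: PostgreSQL's default port is 5432, and the engine value the other controls on this page compare against is spelled 'postgres', not 'postres'. As written, PostgreSQL and Aurora PostgreSQL instances listening on the default port are always reported ok, which is the opposite of what the control is meant to catch. Change both occurrences to `endpoint_port = 5432 AND engine IN ('postgres', 'postgres-ee', 'aurora-postgresql')`; computing the predicate once (a CTE or a boolean expression in a subquery) and reusing it for status and reason would also stop the two copies from drifting apart again.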
@@ -1,34 +1,35 @@
id: aws_rds_desired_instance_type
title: RDS Desired Instance Type
+type: control
description: Ensure fewer Amazon RDS instances than the established limit in your AWS account.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters:
- - key: awsRdsInstanceDesiredClasses
- value: ''
+- key: awsRdsInstanceDesiredClasses
+ value: ""
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN '{{.awsRdsInstanceDesiredClasses}}' LIKE '%' || class || '%' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN '{{.awsRdsInstanceDesiredClasses}}' LIKE '%' || class || '%' THEN title || ' RDS Instance is using desired class'
- ELSE title || ' RDS Instance is not using desired class'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN '{{.awsRdsInstanceDesiredClasses}}' LIKE '%' || class || '%' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN '{{.awsRdsInstanceDesiredClasses}}' LIKE '%' || class || '%' THEN title || ' RDS Instance is using desired class'
+ ELSE title || ' RDS Instance is not using desired class'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- score_service_name:
- - AWS Relational Database Service (RDS)
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ score_service_name:
+ - AWS Relational Database Service (RDS)
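Review bot: `'{{.awsRdsInstanceDesiredClasses}}'` is substituted into a SQL string literal by the template engine rather than bound as a query parameter, so a parameter value containing a single quote changes the statement instead of the comparison; the value should be bound, or validated against the expected instance-class pattern before the template is rendered. The `LIKE '%' || class || '%'` test is also a substring match rather than a membership test (and `_` in the value acts as a wildcard); if the parameter is a comma-separated list, `class = ANY(string_to_array('{{.awsRdsInstanceDesiredClasses}}', ','))` states the intent exactly. The description text is copied from aws_rds_instance_counts and does not describe this control.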
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml b/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml
index 92da7dbcb..7d21abee3 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml
@@ -1,37 +1,38 @@
id: aws_rds_encrypted_with_kms_customer_master_keys
title: RDS Encrypted With KMS Customer Master Keys
+type: control
description: Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- v.platform_resource_id,
- v.platform_integration_id,
- CASE
- WHEN storage_encrypted = 'false' THEN 'alarm'
- WHEN k.arn IS NULL THEN 'alarm'
- WHEN k.key_manager = 'CUSTOMER' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN storage_encrypted = 'false' THEN db_instance_identifier || ' is not encrypted'
- WHEN k.arn IS NULL THEN db_instance_identifier || ' is not using a master key'
- WHEN k.key_manager = 'CUSTOMER' THEN db_instance_identifier || ' is using a customer master key'
- ELSE db_instance_identifier || ' is using a AWS-managed master key'
- END AS reason,
- v.region,
- v.account_id
- FROM
- aws_rds_db_instance AS v
- LEFT JOIN aws_kms_key AS k ON v.kms_key_id = k.arn
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ v.platform_resource_id,
+ v.platform_integration_id,
+ CASE
+ WHEN storage_encrypted = 'false' THEN 'alarm'
+ WHEN k.arn IS NULL THEN 'alarm'
+ WHEN k.key_manager = 'CUSTOMER' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN storage_encrypted = 'false' THEN db_instance_identifier || ' is not encrypted'
+ WHEN k.arn IS NULL THEN db_instance_identifier || ' is not using a master key'
+ WHEN k.key_manager = 'CUSTOMER' THEN db_instance_identifier || ' is using a customer master key'
+ ELSE db_instance_identifier || ' is using a AWS-managed master key'
+ END AS reason,
+ v.region,
+ v.account_id
+ FROM
+ aws_rds_db_instance AS v
+ LEFT JOIN aws_kms_key AS k ON v.kms_key_id = k.arn
severity: medium
tags:
- 
platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- score_service_name:
- - AWS Relational Database Service (RDS)
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ score_service_name:
+ - AWS Relational Database Service (RDS)
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml b/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml
index 79246ae73..7d6f42021 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml
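Review bot: `WHEN storage_encrypted = 'false'` compares the boolean column to a string literal; `WHEN NOT storage_encrypted THEN 'alarm'` says the same thing directly and matches `WHEN storage_encrypted` in aws_rds_encryption_enabled on this page (in either form a NULL storage_encrypted skips this branch and falls to the key checks). The `k.arn IS NULL` branch reports 'is not using a master key' whenever the LEFT JOIN finds no aws_kms_key row, which is also what happens for a key the inventory cannot see, such as a key owned by another account; the reason should say the key was not found in the inventory so that case is not confused with an unencrypted instance. In the last reason branch, `' is using a AWS-managed master key'` should read `' is using an AWS-managed master key'`.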
@@ -1,36 +1,37 @@
id: aws_rds_encryption_enabled
title: RDS Encryption Enabled
+type: control
description: Ensure encryption is setup for RDS instances to fulfill compliance requirements for data-at-rest encryption.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN storage_encrypted THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN storage_encrypted THEN title || ' encrypted at rest.'
- ELSE title || ' not encrypted at rest.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN storage_encrypted THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN storage_encrypted THEN title || ' encrypted at rest.'
+ ELSE title || ' not encrypted at rest.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Unencrypted Storage
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Unencrypted Storage
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Unencrypted Storage
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Unencrypted Storage
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml b/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml
index 4ed609f7b..1af355a51 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml
@@ -1,35 +1,36 @@
id: aws_rds_event_notifications
title: RDS Event Notifications
+type: control
description: Enable event notifications for RDS.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_account
- definition: |
- SELECT DISTINCT
- a.platform_integration_id,
- a.platform_resource_id,
- CASE
- WHEN s.arn IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN s.arn IS NULL THEN 'Event notifications is not enabled for Amazon RDS'
- ELSE 'Event notifications is enabled for Amazon RDS'
- END AS reason,
- a.account_id
- FROM aws_account a
- LEFT JOIN aws_rds_db_event_subscription s
- ON s.platform_integration_id = a.platform_integration_id
+ language: sql
+ primary_resource: aws_account
+ definition: |
+ SELECT DISTINCT
+ a.platform_integration_id,
+ a.platform_resource_id,
+ CASE
+ WHEN s.arn IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN s.arn IS NULL THEN 'Event notifications is not enabled for Amazon RDS'
+ ELSE 'Event notifications is enabled for Amazon RDS'
+ END AS reason,
+ a.account_id
+ FROM aws_account a
+ LEFT JOIN aws_rds_db_event_subscription s
+ ON s.platform_integration_id = a.platform_integration_id
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Lacking High Availability
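Review bot: The new-side SELECT emits no `resource` column, unlike every other control on this page, so the finding cannot be attributed to a row of the declared primary_resource aws_account; add the account ARN as `resource` if aws_account exposes one, otherwise `a.account_id AS resource`. `SELECT DISTINCT` is only needed because the LEFT JOIN repeats the account row once per subscription; `CASE WHEN EXISTS (SELECT 1 FROM aws_rds_db_event_subscription s WHERE s.platform_integration_id = a.platform_integration_id) THEN 'ok' ELSE 'alarm' END` avoids both the fan-out and the DISTINCT, and joining on platform_integration_id rather than account_id deserves a comment if that is deliberate. The same two points apply to aws_security_groups_events_subscriptions further down, whose derived table also uses `SELECT *` where only `platform_integration_id` and `arn` are read.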
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml b/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml
index c1023c7f5..f2ce23de8 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml
@@ -1,39 +1,40 @@
id: aws_rds_instance_counts
title: RDS Instance Counts
+type: control
description: Ensure fewer Amazon RDS instances than the established limit in your AWS account.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- COUNT(*) AS RDS_Instances_Count,
- CASE
- WHEN COUNT(*) > 10 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN COUNT(*) > 10 THEN 'The limit the number of RDS instances exceeded'
- ELSE 'The limit the number of RDS instances not exceeded'
- END AS reason,
- account_id
- FROM
- aws_rds_db_instance
- GROUP BY
- platform_integration_id,
- platform_resource_id,
- account_id;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ COUNT(*) AS RDS_Instances_Count,
+ CASE
+ WHEN COUNT(*) > 10 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN COUNT(*) > 10 THEN 'The limit the number of RDS instances exceeded'
+ ELSE 'The limit the number of RDS instances not exceeded'
+ END AS reason,
+ account_id
+ FROM
+ aws_rds_db_instance
+ GROUP BY
+ platform_integration_id,
+ platform_resource_id,
+ account_id;
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Problem Identities
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Problem Identities
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Problem Identities
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Problem Identities
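Review bot: The GROUP BY on the new side includes platform_resource_id, which every other control on this page selects as a per-instance identifier; if it is per-instance here too, each group holds exactly one row, `COUNT(*)` is always 1 and the `> 10` threshold can never trip, so the control is inert. Group by the account instead, `GROUP BY platform_integration_id, account_id`, and drop platform_resource_id from the select list (or aggregate it) so the count spans the account. The limit 10 is hard-coded while the description speaks of an established limit; a parameter like the one declared in aws_rds_desired_instance_type would make it configurable, and `RDS_Instances_Count` should be snake_case like the other output columns.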
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml b/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml
index 6ff72023e..9bcc8ba88 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml
@@ -1,36 +1,37 @@
id: aws_rds_multi_az
title: RDS Multi-AZ
+type: control
description: Ensure RDS instances are launched into Multi-AZ.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN NOT multi_az THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT multi_az THEN title || ' Multi-AZ feature is not enabled'
- ELSE title || ' Multi-AZ feature is enabled'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN NOT multi_az THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT multi_az THEN title || ' Multi-AZ feature is not enabled'
+ ELSE title || ' Multi-AZ feature is enabled'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml b/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml
index 67cb95886..3d5069652 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml
@@ -1,48 +1,49 @@
id: aws_rds_public_snapshots
title: Amazon RDS Public Snapshots
+type: control
description: Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_snapshot
- definition: |
- WITH restore_values AS (
- SELECT
- db_snapshot_identifier,
- attr ->> 'AttributeValues' AS attrValues
- FROM
- aws_rds_db_snapshot,
- jsonb_array_elements(db_snapshot_attributes) attr
- WHERE
- attr ->> 'AttributeName' = 'restore'
- )
- SELECT
- s.db_snapshot_identifier AS resource,
- s.platform_integration_id AS platform_integration_id,
- s.platform_resource_id AS platform_resource_id,
- CASE
- WHEN rv.attrValues LIKE '%all%'
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN rv.attrValues LIKE '%all%'
- THEN s.db_snapshot_identifier || ' is open to all accounts'
- ELSE s.db_snapshot_identifier || ' is not open to all accounts'
- END AS reason
- FROM
- aws_rds_db_snapshot AS s
- LEFT JOIN restore_values AS rv
- ON s.db_snapshot_identifier = rv.db_snapshot_identifier
+ language: sql
+ primary_resource: aws_rds_db_snapshot
+ definition: |
+ WITH restore_values AS (
+ SELECT
+ db_snapshot_identifier,
+ attr ->> 'AttributeValues' AS attrValues
+ FROM
+ aws_rds_db_snapshot,
+ jsonb_array_elements(db_snapshot_attributes) attr
+ WHERE
+ attr ->> 'AttributeName' = 'restore'
+ )
+ SELECT
+ s.db_snapshot_identifier AS resource,
+ s.platform_integration_id AS platform_integration_id,
+ s.platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN rv.attrValues LIKE '%all%'
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN rv.attrValues LIKE '%all%'
+ THEN s.db_snapshot_identifier || ' is open to all accounts'
+ ELSE s.db_snapshot_identifier || ' is not open to all accounts'
+ END AS reason
+ FROM
+ aws_rds_db_snapshot AS s
+ LEFT JOIN restore_values AS rv
+ ON s.db_snapshot_identifier = 
rv.db_snapshot_identifier
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml b/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml
index e5a56377e..fabacf92b 100644
--- a/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml
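Review bot: `rv.attrValues LIKE '%all%'` tests the text rendering of the AttributeValues JSON array for the substring `all`, which only works because the other possible values are numeric account IDs; since db_snapshot_attributes is already jsonb, the CTE can expose `(attr -> 'AttributeValues') ? 'all' AS is_public` and both CASE expressions can test `rv.is_public`, which states the intent exactly and does not depend on how the array is serialised. The result also omits `region` and `account_id`, which every other resource-level control on this page returns, so these findings cannot be placed alongside the rest. The `attrValues` alias is the only camelCase column name in the file and is folded to lower case by PostgreSQL anyway; `attr_values` would match the other controls.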
@@ -1,36 +1,37 @@
id: aws_rds_publicly_accessible
title: RDS Publicly Accessible
+type: control
description: Ensure RDS instances aren't public facing to minimise security risks.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- arn AS resource,
- platform_resource_id,
- platform_integration_id,
- CASE
- WHEN publicly_accessible THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN publicly_accessible THEN title || ' publicly accessible.'
- ELSE title || ' not publicly accessible.'
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ arn AS resource,
+ platform_resource_id,
+ platform_integration_id,
+ CASE
+ WHEN publicly_accessible THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN publicly_accessible THEN title || ' publicly accessible.'
+ ELSE title || ' not publicly accessible.'
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance;
severity: medium
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml b/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml
index 595509f53..da089cbd8 100644
--- a/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml 
@@ -1,39 +1,40 @@
id: aws_rotate_ssltls_certificates_for_database_instances
title: Rotate SSL/TLS Certificates for Database Instances
+type: control
description: Ensure that SSL/TLS certificates for RDS database instances are rotated according to the AWS schedule.
integration_type:
- - aws_cloud_account
+- aws_cloud_account
parameters: []
policy:
- language: sql
- primary_resource: aws_rds_db_instance
- definition: |
- SELECT
- db_instance_identifier AS resource,
- platform_integration_id AS platform_integration_id,
- platform_resource_id AS platform_resource_id,
- CASE
- WHEN ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::INT < 15 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::INT < 15 THEN
- title || ' certificate is going to expire in ' || ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::TEXT || ' days'
- ELSE
- title || ' certificate is ok' || master_user_name
- END AS reason,
- region,
- account_id
- FROM
- aws_rds_db_instance,
- json_array_elements(certificate::json) AS c;
+ language: sql
+ primary_resource: aws_rds_db_instance
+ definition: |
+ SELECT
+ db_instance_identifier AS resource,
+ platform_integration_id AS platform_integration_id,
+ platform_resource_id AS platform_resource_id,
+ CASE
+ WHEN ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::INT < 15 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::INT < 15 THEN
+ title || ' certificate is going to expire in ' || ((c ->> 'ValidTill')::DATE - CURRENT_DATE)::TEXT || ' days'
+ ELSE
+ title || ' certificate is ok' || master_user_name
+ END AS reason,
+ region,
+ account_id
+ FROM
+ aws_rds_db_instance,
+ json_array_elements(certificate::json) AS c;
severity: high
tags:
- platform_score_cloud_service_name:
- - AWS Relational Database Service (RDS)
- platform_score_use_case:
- - Unencrypted Traffic
- score_service_name:
- - AWS Relational Database Service (RDS)
- score_tags:
- - Unencrypted Traffic
+ 
platform_score_cloud_service_name:
+ - AWS Relational Database Service (RDS)
+ platform_score_use_case:
+ - Unencrypted Traffic
+ score_service_name:
+ - AWS Relational Database Service (RDS)
+ score_tags:
+ - Unencrypted Traffic
diff --git a/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml b/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml
index 12ac4464c..ec6332722 100644
--- a/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml
+++ b/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml
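Review bot: The ELSE branch of the reason CASE, `title || ' certificate is ok' || master_user_name`, appends the instance's master user name to the finding text with no separator; it reads as a leftover debugging concatenation, and it copies a database login name into every ok finding although the check never uses it. Use `title || ' certificate is ok'`. The comma join with `json_array_elements(certificate::json)` also drops any instance whose certificate column is NULL or an empty array from the result entirely, so such an instance is neither ok nor alarm; a `LEFT JOIN LATERAL` would keep it visible with an explicit status. `::INT` on the date difference is redundant, since DATE minus DATE already yields an integer in PostgreSQL, and the 15-day threshold deserves a parameter or at least a comment stating where it comes from.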
@@ -1,39 +1,40 @@ id: aws_security_groups_events_subscriptions title: Security Groups Events Subscriptions +type: control description: Enable Event Subscriptions for DB Security Groups Events. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_account - definition: | - SELECT DISTINCT - a.platform_integration_id, - a.platform_resource_id, - CASE - WHEN s.arn IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.arn IS NULL THEN 'Event subscription is not enabled for database security groups' - ELSE 'Event subscription is enabled for database security groups' - END AS reason, - a.account_id - FROM - aws_account a - LEFT JOIN ( - SELECT * FROM aws_rds_db_event_subscription - WHERE source_type = 'db-security-group' - ) s - ON s.platform_integration_id = a.platform_integration_id + language: sql + primary_resource: aws_account + definition: | + SELECT DISTINCT + a.platform_integration_id, + a.platform_resource_id, + CASE + WHEN s.arn IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.arn IS NULL THEN 'Event subscription is not enabled for database security groups' + ELSE 'Event subscription is enabled for database security groups' + END AS reason, + a.account_id + FROM + aws_account a + LEFT JOIN ( + SELECT * FROM aws_rds_db_event_subscription + WHERE source_type = 'db-security-group' + ) s + ON s.platform_integration_id = a.platform_integration_id severity: high tags: - platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) - platform_score_use_case: - - General Efficiency - score_service_name: - - AWS Relational Database Service (RDS) - score_tags: - - General Efficiency + platform_score_cloud_service_name: + - AWS Relational Database Service (RDS) + platform_score_use_case: + - General Efficiency + score_service_name: + - AWS Relational Database Service (RDS) + score_tags: + - General Efficiency 
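Review bot: The SELECT emits no `resource` column — every other control in this diff returns `... AS resource` as its first column, so this query departs from the result shape the rest follow and presumably from what consumes it; `a.arn AS resource` would bring it in line. The status is also 'ok' as soon as any row with `source_type = 'db-security-group'` exists, regardless of whether that subscription is enabled; if aws_rds_db_event_subscription exposes an enabled flag, the subquery should filter on it, otherwise a disabled subscription satisfies the control. A one-line comment above the LEFT JOIN noting that the join is per integration (not per account/region) would also help, since `platform_integration_id` is the only key used.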
diff --git a/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml b/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml index af5cc307c..5243730a7 100644 --- a/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml +++ b/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml 
@@ -1,45 +1,46 @@ id: aws_use_aws_backup_service_in_use_for_amazon_rds title: Use AWS Backup Service in Use for Amazon RDS +type: control description: Ensure that Amazon Backup service is used to manage AWS RDS database snapshots. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_rds_db_instance - definition: | - WITH snapshots AS ( - SELECT DISTINCT - db_instance_identifier - FROM - aws_rds_db_snapshot - WHERE - type = 'awsbackup' - ) - SELECT - r.db_instance_identifier AS resource, - platform_integration_id AS platform_integration_id, - platform_resource_id AS platform_resource_id, - CASE - WHEN b.db_instance_identifier IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN b.db_instance_identifier IS NOT NULL THEN r.title || ' has RDS database instance snapshots.' - ELSE r.title || ' has no RDS database instance snapshots.' - END AS reason, - r.region, - r.account_id - FROM - aws_rds_db_instance AS r - LEFT JOIN snapshots AS b ON r.db_instance_identifier = b.db_instance_identifier; + language: sql + primary_resource: aws_rds_db_instance + definition: | + WITH snapshots AS ( + SELECT DISTINCT + db_instance_identifier + FROM + aws_rds_db_snapshot + WHERE + type = 'awsbackup' + ) + SELECT + r.db_instance_identifier AS resource, + platform_integration_id AS platform_integration_id, + platform_resource_id AS platform_resource_id, + CASE + WHEN b.db_instance_identifier IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN b.db_instance_identifier IS NOT NULL THEN r.title || ' has RDS database instance snapshots.' + ELSE r.title || ' has no RDS database instance snapshots.' 
+ END AS reason, + r.region, + r.account_id + FROM + aws_rds_db_instance AS r + LEFT JOIN snapshots AS b ON r.db_instance_identifier = b.db_instance_identifier; severity: low tags: - platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) - platform_score_use_case: - - Missing Backup - score_service_name: - - AWS Relational Database Service (RDS) - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - AWS Relational Database Service (RDS) + platform_score_use_case: + - Missing Backup + score_service_name: + - AWS Relational Database Service (RDS) + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml b/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml index e31f03383..fb25bc603 100644 --- a/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml 
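Review bot: The snapshots CTE and the join key use `db_instance_identifier` alone, but instance identifiers are only unique within an account and region, so an AWS Backup snapshot of a same-named instance in another integrated account or region marks this instance 'ok'. Assuming aws_rds_db_snapshot carries account_id and region like the instance table does, carry the scope through: `SELECT DISTINCT db_instance_identifier, account_id, region FROM aws_rds_db_snapshot WHERE type = 'awsbackup'` and join `ON r.db_instance_identifier = b.db_instance_identifier AND r.account_id = b.account_id AND r.region = b.region`. The reason text 'has RDS database instance snapshots' also understates what was checked — the CTE only counts snapshots of type 'awsbackup', so the message should say AWS Backup-managed snapshots.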
@@ -1,43 +1,44 @@ id: aws_managed_nat_gateway_in_use title: Managed NAT Gateway in Use +type: control description: Ensure that the Managed NAT Gateway service is enabled for high availability (HA). integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - WITH available_nat_gateways AS ( - SELECT vpc_id, arn - FROM aws_vpc_nat_gateway - WHERE state = 'available' - ) - SELECT - v.arn AS resource, - v.platform_integration_id, - v.platform_resource_id, - CASE - WHEN ng.arn IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ng.arn IS NOT NULL THEN v.vpc_id || ' is using Managed NAT Gateways.' - ELSE v.vpc_id || ' is not using Managed NAT Gateways.' - END AS reason, - v.region, - v.account_id - FROM - aws_vpc AS v - LEFT JOIN available_nat_gateways AS ng - ON ng.vpc_id = v.vpc_id + language: sql + primary_resource: aws_vpc + definition: | + WITH available_nat_gateways AS ( + SELECT vpc_id, arn + FROM aws_vpc_nat_gateway + WHERE state = 'available' + ) + SELECT + v.arn AS resource, + v.platform_integration_id, + v.platform_resource_id, + CASE + WHEN ng.arn IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ng.arn IS NOT NULL THEN v.vpc_id || ' is using Managed NAT Gateways.' + ELSE v.vpc_id || ' is not using Managed NAT Gateways.' + END AS reason, + v.region, + v.account_id + FROM + aws_vpc AS v + LEFT JOIN available_nat_gateways AS ng + ON ng.vpc_id = v.vpc_id severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Over Utilization - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Over Utilization + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Over Utilization + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Over Utilization 
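Review bot: The LEFT JOIN to available_nat_gateways yields one output row per NAT gateway, so a VPC with two or more available gateways — the high-availability case the description asks for — is reported two or more times with identical status and reason. Either `SELECT DISTINCT vpc_id FROM aws_vpc_nat_gateway WHERE state = 'available'` in the CTE or an `EXISTS` subquery keyed on `v.vpc_id` gives one row per VPC; the CTE's `arn` column is only tested for `IS NOT NULL`, so it can go once the CTE is distinct on vpc_id. Note also that a single available gateway satisfies the check while the description speaks of HA; if the intent is one gateway per availability zone, the control would need to count by AZ, which this query does not do.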
diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml index b702d710f..8cd03712f 100644 --- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml 
@@ -1,72 +1,73 @@ id: aws_unrestricted_inbound_traffic_on_remote_server_administration_ports title: Unrestricted Inbound Traffic on Remote Server Administration Ports +type: control description: Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - WITH bad_rules AS ( - SELECT - network_acl_id, - COUNT(*) AS num_bad_rules - FROM - aws_vpc_network_acl, - jsonb_array_elements(entries) AS att - WHERE - att ->> 'Egress' = 'false' - AND ( - att ->> 'CidrBlock' = '0.0.0.0/0' - OR att ->> 'Ipv6CidrBlock' = '::/0' - ) - AND att ->> 'RuleAction' = 'allow' - AND ( - ( - att ->> 'Protocol' = '-1' - AND att ->> 'PortRange' IS NULL - ) - OR ( - (att -> 'PortRange' ->> 'From')::int <= 22 - AND (att -> 'PortRange' ->> 'To')::int >= 22 - AND att ->> 'Protocol' IN('6', '17') - ) - OR ( - (att -> 'PortRange' ->> 'From')::int <= 3389 - AND (att -> 'PortRange' ->> 'To')::int >= 3389 - AND att ->> 'Protocol' IN('6', '17') - ) - ) - GROUP BY - network_acl_id + language: sql + primary_resource: aws_vpc_network_acl + definition: | + WITH bad_rules AS ( + SELECT + network_acl_id, + COUNT(*) AS num_bad_rules + FROM + aws_vpc_network_acl, + jsonb_array_elements(entries) AS att + WHERE + att ->> 'Egress' = 'false' + AND ( + att ->> 'CidrBlock' = '0.0.0.0/0' + OR att ->> 'Ipv6CidrBlock' = '::/0' ) - SELECT - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource, - acl.platform_resource_id, - acl.platform_integration_id, - CASE - WHEN bad_rules.network_acl_id IS NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - END AS reason, - acl.region, - acl.account_id - FROM - aws_vpc_network_acl AS acl - LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id - INNER JOIN aws_vpc vpc ON acl.vpc_id = vpc.vpc_id - WHERE jsonb_array_length(acl.associations) > 0 AND vpc.is_default = FALSE; + AND att ->> 'RuleAction' = 'allow' + AND ( + ( + att ->> 'Protocol' = '-1' + AND att ->> 'PortRange' IS NULL + ) + OR ( + (att -> 'PortRange' ->> 'From')::int <= 22 + AND (att -> 'PortRange' ->> 'To')::int >= 22 + AND att ->> 'Protocol' IN('6', '17') + ) + OR ( + (att -> 'PortRange' ->> 'From')::int <= 3389 + AND (att -> 'PortRange' ->> 'To')::int >= 3389 + AND att ->> 'Protocol' IN('6', '17') + ) + ) + GROUP BY + network_acl_id + ) + SELECT + 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id AS resource, + acl.platform_resource_id, + acl.platform_integration_id, + CASE + WHEN bad_rules.network_acl_id IS NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN bad_rules.network_acl_id IS NULL THEN acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' + ELSE acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
+ END AS reason, + acl.region, + acl.account_id + FROM + aws_vpc_network_acl AS acl + LEFT JOIN bad_rules ON bad_rules.network_acl_id = acl.network_acl_id + INNER JOIN aws_vpc vpc ON acl.vpc_id = vpc.vpc_id + WHERE jsonb_array_length(acl.associations) > 0 AND vpc.is_default = FALSE; severity: high tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml index 7fb0a0171..f6376e0c9 100644 --- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml 
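Review bot: The bad_rules CTE counts every `allow` entry matching 0.0.0.0/0 or ::/0 without looking at RuleNumber, but NACL entries are evaluated in ascending rule-number order with first match winning, so an allow for port 22 sitting behind a lower-numbered deny for the same port is flagged although it never takes effect, and an all-traffic allow that is shadowed is counted the same as a live one. If order-aware evaluation is out of scope, say so above the CTE, e.g. `-- Counts matching allow entries regardless of rule-number ordering; shadowed allows are still reported.` The outer WHERE also drops NACLs of the default VPC and unassociated NACLs entirely rather than emitting a 'skip' row, which the description does not mention; a default VPC with port 22 open to the world never appears in this control's output. Lastly `IN('6', '17')` treats UDP 22 the same as TCP 22, which is broader than the description's "TCP ports 22 and 3389" — either narrow to `'6'` or adjust the description.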
@@ -1,50 +1,51 @@ id: aws_unrestricted_network_acl_inbound_traffic title: Unrestricted Network ACL Inbound Traffic +type: control description: Ensure that no Network ACL (NACL) allows inbound/ingress traffic from all ports. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(entries) AS e - WHERE (e ->> 'Egress')::bool = FALSE - AND e ->> 'PortRange' IS NULL - AND e ->> 'CidrBlock' = '0.0.0.0/0' - AND e ->> 'RuleAction' = 'allow' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(entries) AS e - WHERE (e ->> 'Egress')::bool = FALSE - AND e ->> 'PortRange' IS NULL - AND e ->> 'CidrBlock' = '0.0.0.0/0' - AND e ->> 'RuleAction' = 'allow' - ) THEN 'the access to the VPC subnets associated with the Network ACL (NACL) is not restricted.' - ELSE 'the access to the VPC subnets associated with the Network ACL (NACL) is restricted.' - END AS reason, - region, - account_id - FROM - aws_vpc_network_acl + language: sql + primary_resource: aws_vpc_network_acl + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(entries) AS e + WHERE (e ->> 'Egress')::bool = FALSE + AND e ->> 'PortRange' IS NULL + AND e ->> 'CidrBlock' = '0.0.0.0/0' + AND e ->> 'RuleAction' = 'allow' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(entries) AS e + WHERE (e ->> 'Egress')::bool = FALSE + AND e ->> 'PortRange' IS NULL + AND e ->> 'CidrBlock' = '0.0.0.0/0' + AND e ->> 'RuleAction' = 'allow' + ) THEN 'the access to the VPC subnets associated with the Network ACL (NACL) is not restricted.' 
+ ELSE 'the access to the VPC subnets associated with the Network ACL (NACL) is restricted.' + END AS reason, + region, + account_id + FROM + aws_vpc_network_acl severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml index a71e55250..b69cf46e2 100644 --- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml 
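Review bot: Both EXISTS subqueries only test `e ->> 'CidrBlock' = '0.0.0.0/0'`, so an IPv6 all-traffic allow (`Ipv6CidrBlock` of `::/0`) passes as restricted, while the remote-administration-ports control in this same change checks both address families; add `OR e ->> 'Ipv6CidrBlock' = '::/0'` in a parenthesised group next to the CidrBlock test. The same predicate is written twice for status and reason; evaluating it once in a CTE or lateral subquery keeps the two from drifting apart. The reason strings also never name the NACL, unlike the other controls which prefix the resource id — `network_acl_id || ' allows ...'` would make the finding self-describing.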
@@ -1,50 +1,51 @@ id: aws_unrestricted_network_acl_outbound_traffic title: Unrestricted Network ACL Outbound Traffic +type: control description: Ensure that no Network ACL (NACL) allows outbound/egress traffic to all ports. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_network_acl - definition: | - SELECT - arn AS resource, - platform_integration_id, - platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(entries) AS e - WHERE (e ->> 'Egress')::bool = TRUE - AND e ->> 'PortRange' IS NULL - AND e ->> 'CidrBlock' = '0.0.0.0/0' - AND e ->> 'RuleAction' = 'allow' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(entries) AS e - WHERE (e ->> 'Egress')::bool = TRUE - AND e ->> 'PortRange' IS NULL - AND e ->> 'CidrBlock' = '0.0.0.0/0' - AND e ->> 'RuleAction' = 'allow' - ) THEN 'the access to the VPC subnets associated with the Network ACL (NACL) is not restricted.' - ELSE 'the access to the VPC subnets associated with the Network ACL (NACL) is restricted.' - END AS reason, - region, - account_id - FROM - aws_vpc_network_acl + language: sql + primary_resource: aws_vpc_network_acl + definition: | + SELECT + arn AS resource, + platform_integration_id, + platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(entries) AS e + WHERE (e ->> 'Egress')::bool = TRUE + AND e ->> 'PortRange' IS NULL + AND e ->> 'CidrBlock' = '0.0.0.0/0' + AND e ->> 'RuleAction' = 'allow' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(entries) AS e + WHERE (e ->> 'Egress')::bool = TRUE + AND e ->> 'PortRange' IS NULL + AND e ->> 'CidrBlock' = '0.0.0.0/0' + AND e ->> 'RuleAction' = 'allow' + ) THEN 'the access to the VPC subnets associated with the Network ACL (NACL) is not restricted.' 
+ ELSE 'the access to the VPC subnets associated with the Network ACL (NACL) is restricted.' + END AS reason, + region, + account_id + FROM + aws_vpc_network_acl severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml index 2e2172dd6..abaab810b 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml 
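Review bot: As in the inbound variant, the EXISTS predicates only look at `e ->> 'CidrBlock' = '0.0.0.0/0'`, so an egress allow to `::/0` is reported as restricted; add `OR e ->> 'Ipv6CidrBlock' = '::/0'` alongside the CidrBlock test. The reason text is copied from the inbound control and talks about "access to the VPC subnets", which is misleading for an egress rule — `' allows unrestricted outbound traffic'` would describe what was actually matched. A comment above the query noting that AWS's default NACL commonly allows all egress, so this control is expected to alarm on unmodified default NACLs, would save the next reader from investigating a flood of findings.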
@@ -1,66 +1,67 @@ id: aws_vpc_endpoint_cross_account_access title: VPC Endpoint Cross Account Access +type: control description: Ensure Amazon VPC endpoints don't allow unknown cross account access. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_endpoint - definition: | - SELECT - vpc_endpoint_id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND ( - (s ->> 'Principal')::text = '"*"' - OR (s ->> 'Principal')::text = '{"AWS": "*"}' - ) - ) THEN 'alarm' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND NOT ('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text)||'%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND ( - (s ->> 'Principal')::text = '"*"' - OR (s ->> 'Principal')::text = '{"AWS": "*"}' - ) - ) THEN vpc_endpoint_id || ' is publicly accessible' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s - WHERE (s ->> 'Effect') = 'Allow' - AND NOT ('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text)||'%')) - ) THEN vpc_endpoint_id || ' is not configured to allow access only to trusted AWS accounts' - ELSE vpc_endpoint_id || ' is configured to allow access only to trusted AWS accounts' - END AS reason, - region, - account_id - FROM - aws_vpc_endpoint + language: sql + primary_resource: aws_vpc_endpoint + definition: | + SELECT + vpc_endpoint_id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN EXISTS ( + 
SELECT 1 + FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND ( + (s ->> 'Principal')::text = '"*"' + OR (s ->> 'Principal')::text = '{"AWS": "*"}' + ) + ) THEN 'alarm' + WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND NOT ('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text)||'%')) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND ( + (s ->> 'Principal')::text = '"*"' + OR (s ->> 'Principal')::text = '{"AWS": "*"}' + ) + ) THEN vpc_endpoint_id || ' is publicly accessible' + WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(policy::jsonb -> 'Statement') AS s + WHERE (s ->> 'Effect') = 'Allow' + AND NOT ('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text)||'%')) + ) THEN vpc_endpoint_id || ' is not configured to allow access only to trusted AWS accounts' + ELSE vpc_endpoint_id || ' is configured to allow access only to trusted AWS accounts' + END AS reason, + region, + account_id + FROM + aws_vpc_endpoint severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml index 5e9e98efd..97c105143 100644 
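Review bot: The public-principal branch compares `(s ->> 'Principal')::text = '"*"'`, but `->>` already returns the unquoted text of a JSON string, so a statement with `"Principal": "*"` yields `*` and never matches; the sibling aws_vpc_endpoint_exposed control in this change tests `p ->> 'Principal' = '*'`, which is the right form, so this branch should read `s ->> 'Principal' = '*'` (keeping the `{"AWS": "*"}` object case). The trusted-accounts branch then asks whether `'{{.awsTrustedAccounts}}'` contains the Principal's full text, which for an object principal is the JSON `{"AWS": "arn:..."}` and will never be a substring of an account list, so every non-wildcard Allow is flagged; the account id would need to be extracted from `s -> 'Principal' ->> 'AWS'` first, and a substring LIKE also lets a short id match inside a longer one. Note too that the parameter is spliced into the SQL as a string literal at template time and is not declared under `parameters:` (compare the azure control's `parameters:` block), so a value containing a quote breaks or alters the query.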
--- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml 
@@ -1,39 +1,40 @@ id: aws_vpc_endpoint_exposed title: VPC Endpoint Exposed +type: control description: Ensure Amazon VPC endpoints aren't exposed to everyone. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - SELECT DISTINCT - arn AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN p ->> 'Principal' = '*' OR p ->> 'Principal' = '{"AWS": ["*"]}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN p ->> 'Principal' = '*' OR p ->> 'Principal' = '{"AWS": ["*"]}' THEN v.vpc_id || ' endpoint is fully accessible.' - ELSE v.vpc_id || ' endpoint is not fully accessible.' - END AS reason, - v.region, - v.account_id - FROM - aws_vpc AS v - LEFT JOIN - aws_vpc_endpoint AS e ON v.vpc_id = e.vpc_id, - jsonb_array_elements(e.policy -> 'Statement') AS p + language: sql + primary_resource: aws_vpc + definition: | + SELECT DISTINCT + arn AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN p ->> 'Principal' = '*' OR p ->> 'Principal' = '{"AWS": ["*"]}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN p ->> 'Principal' = '*' OR p ->> 'Principal' = '{"AWS": ["*"]}' THEN v.vpc_id || ' endpoint is fully accessible.' + ELSE v.vpc_id || ' endpoint is not fully accessible.' + END AS reason, + v.region, + v.account_id + FROM + aws_vpc AS v + LEFT JOIN + aws_vpc_endpoint AS e ON v.vpc_id = e.vpc_id, + jsonb_array_elements(e.policy -> 'Statement') AS p severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints 
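Review bot: The status CASE flags any statement whose Principal is `*` without checking `p ->> 'Effect'`, so a `Deny` statement with a wildcard principal — a common way to lock an endpoint down — is reported as 'fully accessible'; the cross-account control in this same change filters on `(s ->> 'Effect') = 'Allow'` and this one should too. The LEFT JOIN to aws_vpc_endpoint is also undone by the comma join to `jsonb_array_elements(e.policy -> 'Statement')`: for a VPC with no endpoint `e.policy` is NULL, the set-returning function yields no rows and the VPC disappears from the result instead of getting an 'ok' row. Because rows are keyed on the VPC arn but status varies per statement, a VPC with one open and one restricted endpoint yields both an alarm and an ok row even with DISTINCT; aggregating per VPC with `bool_or`, or reporting per endpoint as the other endpoint control does, gives one verdict per resource. The unqualified `arn AS resource` is ambiguous if aws_vpc_endpoint also has an arn column — `v.arn` is what the reason text implies.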
diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml index 340114bf0..9e33178ee 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml 
@@ -1,42 +1,43 @@ id: aws_vpc_endpoints_in_use title: VPC Endpoints In Use +type: control description: Ensure that VPC endpoints are being used to connect your VPC to another AWS cloud service. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - SELECT - v.vpc_id AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM aws_vpc_endpoint AS e WHERE e.vpc_id = v.vpc_id - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM aws_vpc_endpoint AS e WHERE e.vpc_id = v.vpc_id - ) THEN v.vpc_id || ' has VPC endpoints' - ELSE 'there are no Amazon VPC endpoints deployed for ' || v.vpc_id - END AS reason, - v.region, - v.account_id - FROM - aws_vpc AS v - WHERE - is_default = FALSE; + language: sql + primary_resource: aws_vpc + definition: | + SELECT + v.vpc_id AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 FROM aws_vpc_endpoint AS e WHERE e.vpc_id = v.vpc_id + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 FROM aws_vpc_endpoint AS e WHERE e.vpc_id = v.vpc_id + ) THEN v.vpc_id || ' has VPC endpoints' + ELSE 'there are no Amazon VPC endpoints deployed for ' || v.vpc_id + END AS reason, + v.region, + v.account_id + FROM + aws_vpc AS v + WHERE + is_default = FALSE; severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints 
diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml index 39fa953a9..935140f1c 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml 
@@ -1,42 +1,43 @@ id: aws_vpc_flow_logs_enabled title: VPC Flow Logs Enabled +type: control description: Ensure VPC flow logging is enabled in all VPCs. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc - definition: | - SELECT - DISTINCT arn AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN v.account_id <> v.owner_id THEN 'skip' - WHEN f.resource_id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.account_id <> v.owner_id THEN vpc_id || ' is a shared VPC.' - WHEN f.resource_id IS NOT NULL THEN vpc_id || ' flow logging enabled.' - ELSE vpc_id || ' flow logging disabled.' - END AS reason, - v.region, - v.account_id - FROM - aws_vpc AS v - LEFT JOIN - aws_vpc_flow_log AS f - ON - v.vpc_id = f.resource_id; + language: sql + primary_resource: aws_vpc + definition: | + SELECT + DISTINCT arn AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN v.account_id <> v.owner_id THEN 'skip' + WHEN f.resource_id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.account_id <> v.owner_id THEN vpc_id || ' is a shared VPC.' + WHEN f.resource_id IS NOT NULL THEN vpc_id || ' flow logging enabled.' + ELSE vpc_id || ' flow logging disabled.' + END AS reason, + v.region, + v.account_id + FROM + aws_vpc AS v + LEFT JOIN + aws_vpc_flow_log AS f + ON + v.vpc_id = f.resource_id; severity: low tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Unencrypted Traffic 
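Review bot: The 'ok' branch needs only some `aws_vpc_flow_log` row whose `resource_id` equals the VPC id; if that table exposes a flow-log status column, the join should require an active log, otherwise a flow log whose delivery has failed still passes the control. The `tags:` block files this logging control under `Unencrypted Traffic`, which does not describe what it checks; a visibility or logging category would keep the score grouping truthful. A comment on the `account_id <> owner_id` branch would help too, e.g. `-- shared VPC: flow logging is owned by the owner account, so skip rather than alarm` (confirm against the inventory's semantics for owner_id).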
diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml index 8155356b3..bf90cb440 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml 
@@ -1,55 +1,56 @@ id: aws_vpc_peering_connections_to_accounts_outside_aws_organization title: VPC Peering Connections To Accounts Outside AWS Organization +type: control description: Ensure VPC peering communication is only between AWS accounts, members of the same AWS Organization. integration_type: - - aws_cloud_account +- aws_cloud_account parameters: [] policy: - language: sql - primary_resource: aws_vpc_peering_connection - definition: | - WITH account_org AS ( - SELECT - platform_integration_id, - organization_id - FROM - aws_account - ), vpc_org AS ( - SELECT - vpc.vpc_id, - ao.organization_id AS org - FROM - aws_vpc AS vpc - LEFT JOIN account_org AS ao ON ao.platform_integration_id = vpc.platform_integration_id - ) - - SELECT - c.id AS resource, - platform_resource_id, - platform_integration_id, - CASE - WHEN accepter_org.org = requester_org.org THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN accepter_org.org = requester_org.org THEN c.id || ' connections are ok' - ELSE c.id || ' connects to accounts outside organization' - END AS reason, - region, - account_id - FROM - aws_vpc_peering_connection AS c - LEFT JOIN vpc_org AS accepter_org ON c.accepter_vpc_id = accepter_org.vpc_id - LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = accepter_org.vpc_id - WHERE - status_code = 'active' + language: sql + primary_resource: aws_vpc_peering_connection + definition: | + WITH account_org AS ( + SELECT + platform_integration_id, + organization_id + FROM + aws_account + ), vpc_org AS ( + SELECT + vpc.vpc_id, + ao.organization_id AS org + FROM + aws_vpc AS vpc + LEFT JOIN account_org AS ao ON ao.platform_integration_id = vpc.platform_integration_id + ) + + SELECT + c.id AS resource, + platform_resource_id, + platform_integration_id, + CASE + WHEN accepter_org.org = requester_org.org THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN accepter_org.org = requester_org.org THEN c.id || ' connections are ok' + ELSE c.id || ' connects to accounts outside 
organization' + END AS reason, + region, + account_id + FROM + aws_vpc_peering_connection AS c + LEFT JOIN vpc_org AS accepter_org ON c.accepter_vpc_id = accepter_org.vpc_id + LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = accepter_org.vpc_id + WHERE + status_code = 'active' severity: medium tags: - platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - AWS Virtual Private Cloud (VPC) - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - AWS Virtual Private Cloud (VPC) + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - AWS Virtual Private Cloud (VPC) + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml index ee4334389..b7eeb2ea1 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml 
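Review bot: The second LEFT JOIN is keyed on the wrong alias: `LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = accepter_org.vpc_id` never references requester_org, so for any real peering (requester and accepter VPC differ) requester_org.org is NULL, `accepter_org.org = requester_org.org` is never true and every active connection is reported as 'alarm'. It should read `LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = requester_org.vpc_id`. After that fix, a peer VPC absent from the inventory (non-integrated account) still yields NULL and hence alarm, which is the conservative outcome but worth stating in the reason, and two accounts with no organization_id compare NULL = NULL and also alarm — note both cases in a comment above the SELECT so the behaviour reads as intended rather than accidental.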
@@ -1,56 +1,57 @@ id: azure_app_tier_customer_managed_key_in_use title: App Tier Customer-Managed Key In Use +type: control description: Ensure that a Customer-Managed Key is created for your Azure cloud application tier. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureAppTierTags - value: '' +- key: azureAppTierTags + value: "" policy: - language: sql - primary_resource: azure_subscription - definition: | - SELECT - display_name AS resource, - sub.platform_resource_id, - sub.platform_integration_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM azure_key_vault_key AS k - WHERE (k.subscription_id = sub.subscription_id) - AND k.tags IS NOT NULL - AND (k.tags::text LIKE '%' || REPLACE(REPLACE(( - SELECT jsonb_object_agg(key, value)::text - FROM jsonb_each_text('{{.azureAppTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%') - AND enabled - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM azure_key_vault_key AS k - WHERE (k.subscription_id = sub.subscription_id) - AND k.tags IS NOT NULL - AND (k.tags::text LIKE '%' || REPLACE(REPLACE(( - SELECT jsonb_object_agg(key, value)::text - FROM jsonb_each_text('{{.azureAppTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%') - AND enabled - ) THEN 'subscription has an app-tier cmk' - ELSE 'subscription does not have any app-tier cmk' - END AS reason, - sub.display_name AS subscription - FROM azure_subscription AS sub + language: sql + primary_resource: azure_subscription + definition: | + SELECT + display_name AS resource, + sub.platform_resource_id, + sub.platform_integration_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM azure_key_vault_key AS k + WHERE (k.subscription_id = sub.subscription_id) + AND k.tags IS NOT NULL + AND (k.tags::text LIKE '%' || REPLACE(REPLACE(( + SELECT jsonb_object_agg(key, value)::text + FROM jsonb_each_text('{{.azureAppTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%') + AND enabled + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE 
+ WHEN EXISTS( + SELECT 1 + FROM azure_key_vault_key AS k + WHERE (k.subscription_id = sub.subscription_id) + AND k.tags IS NOT NULL + AND (k.tags::text LIKE '%' || REPLACE(REPLACE(( + SELECT jsonb_object_agg(key, value)::text + FROM jsonb_each_text('{{.azureAppTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%') + AND enabled + ) THEN 'subscription has an app-tier cmk' + ELSE 'subscription does not have any app-tier cmk' + END AS reason, + sub.display_name AS subscription + FROM azure_subscription AS sub severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure KeyVault - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure KeyVault + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml index e44ee6999..f65bd1ebd 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml 
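Review bot: The tag match in both EXISTS subqueries compares the text serialization of `k.tags` against a brace-stripped serialization of the parameter with `LIKE '%...%'`, which only matches when the requested tags happen to be serialized contiguously and fails as soon as the key carries an extra tag that sorts between them; jsonb containment expresses the intended "key has all these tags" directly: `AND k.tags @> '{{.azureAppTierTags}}'::jsonb`. The default `value: ""` also reaches `''::jsonb`, which is a cast error that fails the whole query rather than producing a finding, so the parameter needs either a non-empty default or a guard such as `NULLIF('{{.azureAppTierTags}}', '')::jsonb`. Both points apply equally to the `azure_database_tier_customer_managed_key_in_use` hunk below. The EXISTS is also duplicated verbatim for status and reason; computing it once in a LATERAL subquery or CTE would keep the two columns from drifting apart.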
@@ -1,39 +1,40 @@ id: azure_check_for_allowed_certificate_key_types title: Check for Allowed Certificate Key Types +type: control description: Ensure that Azure Key Vault certificates are using the appropriate key type(s). integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureAllowedKeyTypes - value: '' +- key: azureAllowedKeyTypes + value: "" policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - name AS resource, - k.platform_resource_id, - k.platform_integration_id, - CASE - WHEN '{{.azureAllowedKeyTypes}}' ILIKE '%' || k.key_type || '%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN '{{.azureAllowedKeyTypes}}' ILIKE '%' || k.key_type || '%' THEN k.key_type || ' type is not allowed' - ELSE k.key_type || ' is allowed' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key AS k - LEFT JOIN azure_subscription AS sub ON k.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + name AS resource, + k.platform_resource_id, + k.platform_integration_id, + CASE + WHEN '{{.azureAllowedKeyTypes}}' ILIKE '%' || k.key_type || '%' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN '{{.azureAllowedKeyTypes}}' ILIKE '%' || k.key_type || '%' THEN k.key_type || ' type is not allowed' + ELSE k.key_type || ' is allowed' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key AS k + LEFT JOIN azure_subscription AS sub ON k.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - 
Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml index 6865c217f..67ab9ad40 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml 
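Review bot: The status predicate in the new-side `definition` appears inverted: `WHEN '{{.azureAllowedKeyTypes}}' ILIKE '%' || k.key_type || '%' THEN 'alarm'` raises an alarm precisely when the key type is found in the allowed list, while the matching reason branch says `' type is not allowed'`. Negating the predicate in both CASEs — `WHEN '{{.azureAllowedKeyTypes}}' NOT ILIKE '%' || k.key_type || '%' THEN 'alarm'` — restores the documented meaning. The substring test is also loose (an allowed list containing `RSA-HSM` accepts a plain `RSA` key, and with the fix an empty default alarms every key); an exact match against the delimited list, e.g. `k.key_type = ANY(string_to_array('{{.azureAllowedKeyTypes}}', ','))`, is tighter, assuming the parameter is comma-separated.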
@@ -1,58 +1,59 @@ id: azure_check_for_azure_key_vault_keys_expiration_date title: Check for Azure Key Vault Keys Expiration Date +type: control description: Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureKeyVaultKeyExpirationDateDays - value: '' +- key: azureKeyVaultKeyExpirationDateDays + value: "" policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - name AS resource, - k.platform_resource_id, - k.platform_integration_id, + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + name AS resource, + k.platform_resource_id, + k.platform_integration_id, + CASE + WHEN expires_at IS NULL THEN 'skip' + WHEN '{{.azureKeyVaultKeyExpirationDateDays}}' = '' THEN CASE - WHEN expires_at IS NULL THEN 'skip' - WHEN '{{.azureKeyVaultKeyExpirationDateDays}}' = '' THEN - CASE - WHEN expires_at - now() > '30 days'::interval THEN 'ok' - ELSE 'alarm' - END - ELSE - CASE - WHEN expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval THEN 'ok' - ELSE 'alarm' - END - END AS status, + WHEN expires_at - now() > '30 days'::interval THEN 'ok' + ELSE 'alarm' + END + ELSE CASE - WHEN expires_at IS NULL THEN 'expires at is not specified' - WHEN expires_at < now() THEN 'key has been expired' - WHEN '{{.azureKeyVaultKeyExpirationDateDays}}' = '' THEN - CASE - WHEN expires_at - now() > '30 days'::interval THEN 'key does not expire soon' - ELSE 'key expires soon' - END - ELSE - CASE - WHEN expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval THEN 'key does not expire soon' - ELSE 'key expires soon' - END - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key AS k - LEFT JOIN azure_subscription AS sub ON k.subscription_id = sub.subscription_id + WHEN expires_at - now() > 
'{{.azureKeyVaultKeyExpirationDateDays}} days'::interval THEN 'ok' + ELSE 'alarm' + END + END AS status, + CASE + WHEN expires_at IS NULL THEN 'expires at is not specified' + WHEN expires_at < now() THEN 'key has been expired' + WHEN '{{.azureKeyVaultKeyExpirationDateDays}}' = '' THEN + CASE + WHEN expires_at - now() > '30 days'::interval THEN 'key does not expire soon' + ELSE 'key expires soon' + END + ELSE + CASE + WHEN expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval THEN 'key does not expire soon' + ELSE 'key expires soon' + END + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key AS k + LEFT JOIN azure_subscription AS sub ON k.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure KeyVault - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure KeyVault + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml index 3b6684dd7..d68eaf676 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml 
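Review bot: The `= '' THEN … ELSE …` branches in both CASEs of the new-side `definition` repeat the threshold comparison four times only to substitute the hard-coded `'30 days'` when the parameter is unset. Computing the threshold once — `expires_at - now() > COALESCE(NULLIF('{{.azureKeyVaultKeyExpirationDateDays}}', ''), '30')::int * INTERVAL '1 day'` — collapses each CASE to three branches and shows the default in one place; alternatively give the parameter `value: "30"` so the empty-string branch disappears entirely. The status CASE already reports an expired key as 'alarm' through the ELSE branch, consistent with the `'key has been expired'` reason, so no behaviour change is needed there.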
@@ -1,40 +1,41 @@ id: azure_check_for_azure_key_vault_secrets_expiration_date title: Check for Azure Key Vault Secrets Expiration Date +type: control description: Ensure that your Azure Key Vault secrets are renewed prior to their expiration date. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureCmkSecretExpireDays - value: '' +- key: azureCmkSecretExpireDays + value: "" policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - SELECT - s.name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN NOW() + '{{.azureCmkSecretExpireDays}} days'::interval < expires_at THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN expires_at < NOW() THEN 'secret has been expired' - WHEN NOW() + '{{.azureCmkSecretExpireDays}} days'::interval < expires_at THEN 'secret is not going to be expired soon' - ELSE 'secret is going to be expired soon' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_secret AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_secret + definition: | + SELECT + s.name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN NOW() + '{{.azureCmkSecretExpireDays}} days'::interval < expires_at THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN expires_at < NOW() THEN 'secret has been expired' + WHEN NOW() + '{{.azureCmkSecretExpireDays}} days'::interval < expires_at THEN 'secret is not going to be expired soon' + ELSE 'secret is going to be expired soon' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_secret AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Problem Identities - 
score_service_name: - - Azure KeyVault - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure KeyVault + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml index 37f7f7770..2beb75dbe 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml 
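Review bot: A secret with no `expires_at` is reported as 'alarm' with the reason `'secret is going to be expired soon'`, because `NOW() + interval < NULL` is NULL and falls through to the ELSE branch; a missing expiration is a distinct finding and deserves its own branch in both CASEs, e.g. `WHEN expires_at IS NULL THEN 'alarm'` and `WHEN expires_at IS NULL THEN 'secret has no expiration date set'`. The parameter default `value: ""` also produces `' days'::interval`, which fails the whole query rather than evaluating to a finding; the sibling `azure_check_for_azure_key_vault_keys_expiration_date` control guards the empty string and falls back to 30 days, and this one should do the same, e.g. `COALESCE(NULLIF('{{.azureCmkSecretExpireDays}}', ''), '30')::int * INTERVAL '1 day'`.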
@@ -1,44 +1,45 @@ id: azure_check_for_certificate_minimum_key_size title: Check for Certificate Minimum Key Size +type: control description: Ensure that Azure Key Vault RSA certificates are using the appropriate key size. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureRsaCertificateMinSize - value: '' +- key: azureRsaCertificateMinSize + value: "" policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - k.name AS resource, - k.platform_resource_id, - k.platform_integration_id, - CASE - WHEN NOT (key_type = 'RSA') THEN 'skip' - WHEN key_size::INT < '{{.azureRsaCertificateMinSize}}'::INT THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT (key_type = 'RSA') THEN 'skip' - WHEN key_size::INT < '{{.azureRsaCertificateMinSize}}'::INT THEN 'alarm' - ELSE 'RSA certificate size is ok' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key AS k - LEFT JOIN - azure_subscription AS sub - ON - k.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + k.name AS resource, + k.platform_resource_id, + k.platform_integration_id, + CASE + WHEN NOT (key_type = 'RSA') THEN 'skip' + WHEN key_size::INT < '{{.azureRsaCertificateMinSize}}'::INT THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT (key_type = 'RSA') THEN 'skip' + WHEN key_size::INT < '{{.azureRsaCertificateMinSize}}'::INT THEN 'alarm' + ELSE 'RSA certificate size is ok' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key AS k + LEFT JOIN + azure_subscription AS sub + ON + k.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - 
Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml index 23b2a392c..af9bc5d72 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml 
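Review bot: The reason CASE in the new-side `definition` returns the status words `'skip'` and `'alarm'` instead of an explanation, so the two columns carry the same information for non-RSA and undersized keys. Suggested messages: `WHEN NOT (key_type = 'RSA') THEN key_type || ' key is not RSA, size check skipped'` and `WHEN key_size::INT < '{{.azureRsaCertificateMinSize}}'::INT THEN 'RSA key size ' || key_size || ' is below the required minimum'`. Two edge cases are also unhandled: the default `value: ""` reaches `''::INT` and errors, and `RSA-HSM` keys (a distinct Azure key type that is still RSA) are skipped by the exact `key_type = 'RSA'` test — presumably `key_type IN ('RSA', 'RSA-HSM')` is the intent, worth confirming.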
@@ -1,84 +1,85 @@ id: azure_check_for_key_vault_full_administrator_permissions title: Check for Key Vault Full Administrator Permissions +type: control description: Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - WITH secrets AS ( - SELECT UNNEST(ARRAY ['Get', 'List', 'Set', 'Delete', 'Recover', 'Backup', 'Restore', 'Purge']) AS s - ), keys AS ( - SELECT UNNEST(ARRAY ['Get', 'List', 'Update', 'Create', 'Import', 'Delete', 'Recover', 'Backup', 'Restore', 'Decrypt', - 'Encrypt', 'UnwrapKey', 'WrapKey', 'Verify', 'Sign', 'Purge']) AS k - ), certificates AS ( - SELECT UNNEST(ARRAY ['Get', 'List', 'Update', 'Create', 'Import', 'Delete', 'Recover', 'Backup', 'Restore', - 'ManageContacts', 'ManageIssuers', 'GetIssuers', 'ListIssuers', 'SetIssuers', 'DeleteIssuers', 'Purge']) AS c - ) - - SELECT - v.name AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM secrets AS s - WHERE LOWER(p ->> 'permissionsSecrets') ILIKE '%' || LOWER(s.s) || '%') = (SELECT COUNT(*) FROM secrets) - ) AND EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM keys AS k - WHERE LOWER(p ->> 'permissionsKeys') ILIKE '%' || LOWER(k.k) || '%') = (SELECT COUNT(*) FROM keys) - ) AND EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM certificates AS c - WHERE LOWER(p ->> 'permissionsCertificates') ILIKE '%' || LOWER(c.c) || '%') = (SELECT COUNT(*) FROM certificates) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM secrets AS s - WHERE LOWER(p ->> 
'permissionsSecrets') ILIKE '%' || LOWER(s.s) || '%') = (SELECT COUNT(*) FROM secrets) - ) AND EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM keys AS k - WHERE LOWER(p ->> 'permissionsKeys') ILIKE '%' || LOWER(k.k) || '%') = (SELECT COUNT(*) FROM keys) - ) AND EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies) AS p - WHERE (SELECT COUNT(*) - FROM certificates AS c - WHERE LOWER(p ->> 'permissionsCertificates') ILIKE '%' || LOWER(c.c) || '%') = (SELECT COUNT(*) FROM certificates) - ) THEN v.name || ' has full permissions to access and manage the selected Azure Key Vault.' - ELSE v.name || ' does not have full permissions to access and manage the selected Azure Key Vault.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS v - LEFT JOIN azure_subscription AS sub - ON v.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault + definition: | + WITH secrets AS ( + SELECT UNNEST(ARRAY ['Get', 'List', 'Set', 'Delete', 'Recover', 'Backup', 'Restore', 'Purge']) AS s + ), keys AS ( + SELECT UNNEST(ARRAY ['Get', 'List', 'Update', 'Create', 'Import', 'Delete', 'Recover', 'Backup', 'Restore', 'Decrypt', + 'Encrypt', 'UnwrapKey', 'WrapKey', 'Verify', 'Sign', 'Purge']) AS k + ), certificates AS ( + SELECT UNNEST(ARRAY ['Get', 'List', 'Update', 'Create', 'Import', 'Delete', 'Recover', 'Backup', 'Restore', + 'ManageContacts', 'ManageIssuers', 'GetIssuers', 'ListIssuers', 'SetIssuers', 'DeleteIssuers', 'Purge']) AS c + ) + + SELECT + v.name AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p + WHERE (SELECT COUNT(*) + FROM secrets AS s + WHERE LOWER(p ->> 'permissionsSecrets') ILIKE '%' || LOWER(s.s) || '%') = (SELECT COUNT(*) FROM secrets) + ) AND EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p 
+ WHERE (SELECT COUNT(*) + FROM keys AS k + WHERE LOWER(p ->> 'permissionsKeys') ILIKE '%' || LOWER(k.k) || '%') = (SELECT COUNT(*) FROM keys) + ) AND EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p + WHERE (SELECT COUNT(*) + FROM certificates AS c + WHERE LOWER(p ->> 'permissionsCertificates') ILIKE '%' || LOWER(c.c) || '%') = (SELECT COUNT(*) FROM certificates) + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p + WHERE (SELECT COUNT(*) + FROM secrets AS s + WHERE LOWER(p ->> 'permissionsSecrets') ILIKE '%' || LOWER(s.s) || '%') = (SELECT COUNT(*) FROM secrets) + ) AND EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p + WHERE (SELECT COUNT(*) + FROM keys AS k + WHERE LOWER(p ->> 'permissionsKeys') ILIKE '%' || LOWER(k.k) || '%') = (SELECT COUNT(*) FROM keys) + ) AND EXISTS ( + SELECT 1 + FROM jsonb_array_elements(access_policies) AS p + WHERE (SELECT COUNT(*) + FROM certificates AS c + WHERE LOWER(p ->> 'permissionsCertificates') ILIKE '%' || LOWER(c.c) || '%') = (SELECT COUNT(*) FROM certificates) + ) THEN v.name || ' has full permissions to access and manage the selected Azure Key Vault.' + ELSE v.name || ' does not have full permissions to access and manage the selected Azure Key Vault.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS v + LEFT JOIN azure_subscription AS sub + ON v.subscription_id = sub.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure KeyVault - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure KeyVault + score_tags: + - Exposed Endpoints 
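Review bot: The three EXISTS subqueries in the new-side status CASE each iterate `jsonb_array_elements(access_policies)` independently, so a vault where one policy entry holds all secret permissions, a second all key permissions and a third all certificate permissions is reported as 'alarm' even though no single principal has full permissions, which is what the title and description check. Both CASEs should evaluate the three counts against the same policy element `p` inside one EXISTS; the rewritten status CASE is below and the reason CASE needs the same combined predicate. The `ILIKE '%' || LOWER(s.s) || '%'` substring test is also lax — `Get` is satisfied by `GetIssuers` and `List` by `ListIssuers` — so if `permissionsSecrets` and friends are stored as JSON arrays, element-wise containment (`p -> 'permissionsSecrets' @> …`) would avoid false positives; that depends on the stored shape, which the hunk does not show.
```sql
-- … unchanged: secrets / keys / certificates CTEs and the SELECT list up to status …
CASE
    WHEN EXISTS (
        SELECT 1
        FROM jsonb_array_elements(access_policies) AS p
        WHERE (SELECT COUNT(*) FROM secrets AS s
               WHERE LOWER(p ->> 'permissionsSecrets') ILIKE '%' || LOWER(s.s) || '%') = (SELECT COUNT(*) FROM secrets)
          AND (SELECT COUNT(*) FROM keys AS k
               WHERE LOWER(p ->> 'permissionsKeys') ILIKE '%' || LOWER(k.k) || '%') = (SELECT COUNT(*) FROM keys)
          AND (SELECT COUNT(*) FROM certificates AS c
               WHERE LOWER(p ->> 'permissionsCertificates') ILIKE '%' || LOWER(c.c) || '%') = (SELECT COUNT(*) FROM certificates)
    ) THEN 'alarm'
    ELSE 'ok'
END AS status,
-- … unchanged: reason CASE (apply the same single-EXISTS predicate), resource_group, subscription, FROM …
```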
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml index 6b9cdc9cb..2aa880e9d 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml 
@@ -1,42 +1,43 @@ id: azure_check_for_sufficient_certificate_auto_renewal_period title: Check for Sufficient Certificate Auto-Renewal Period +type: control description: Ensure there is a sufficient period configured for the SSL certificates auto-renewal. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureSufficientDaysBeforeCertificateExpiry - value: '' +- key: azureSufficientDaysBeforeCertificateExpiry + value: "" policy: - language: sql - primary_resource: azure_key_vault_certificate - definition: | - SELECT - c.id AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN (la -> 'Trigger' ->> 'DaysBeforeExpiry')::int < '{{.azureSufficientDaysBeforeCertificateExpiry}}'::int THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (la -> 'Trigger' ->> 'DaysBeforeExpiry')::int < '{{.azureSufficientDaysBeforeCertificateExpiry}}'::int THEN - 'SSL certificate does not have a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.' - ELSE - 'SSL certificate has a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.' 
- END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_certificate AS c - LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id, - jsonb_array_elements(lifetime_actions) AS la + language: sql + primary_resource: azure_key_vault_certificate + definition: | + SELECT + c.id AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN (la -> 'Trigger' ->> 'DaysBeforeExpiry')::int < '{{.azureSufficientDaysBeforeCertificateExpiry}}'::int THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (la -> 'Trigger' ->> 'DaysBeforeExpiry')::int < '{{.azureSufficientDaysBeforeCertificateExpiry}}'::int THEN + 'SSL certificate does not have a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.' + ELSE + 'SSL certificate has a sufficient period of time before expiration to trigger the auto-renewal process, configured for the issuance policy.' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_certificate AS c + LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id, + jsonb_array_elements(lifetime_actions) AS la severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml index 6ea46c7f1..7e09cb048 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml 
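Review bot: The `jsonb_array_elements(lifetime_actions) AS la` in the FROM clause is an inner cross join, so a certificate whose `lifetime_actions` is NULL or empty produces no row at all and silently disappears from the report instead of being alarmed, while a certificate with several actions is reported once per action. A `LEFT JOIN LATERAL jsonb_array_elements(lifetime_actions) AS la ON TRUE` plus `WHEN la IS NULL THEN 'alarm'` (with a reason such as `'SSL certificate has no auto-renewal lifetime action configured'`) keeps every certificate in the result. Presumably only the auto-renew action should be evaluated; filtering on the action type (likely `la -> 'Action' ->> 'ActionType'` given the `'Trigger'`/`'DaysBeforeExpiry'` casing used here, but confirm against the stored JSON) would stop an e-mail-notification trigger from driving the verdict, and a trigger expressed as a lifetime percentage currently yields NULL and an undeserved 'ok'. As in the other parameterised controls, the `value: ""` default reaches `''::int` and errors.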
+++ b/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml 
@@ -1,57 +1,58 @@ id: azure_database_tier_customer_managed_key_in_use title: Database Tier Customer-Managed Key In Use +type: control description: Ensure that a Customer-Managed Key is created for your Azure cloud database tier. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureDatabaseTierTags - value: '' +- key: azureDatabaseTierTags + value: "" policy: - language: sql - primary_resource: azure_subscription - definition: | - SELECT - display_name AS resource, - sub.platform_resource_id, - sub.platform_integration_id, - CASE - WHEN EXISTS( - SELECT 1 FROM azure_key_vault_key AS k - WHERE (k.subscription_id = sub.subscription_id) - AND k.tags IS NOT NULL - AND (k.tags::TEXT LIKE '%' || REPLACE( - REPLACE(( - SELECT jsonb_object_agg(key, value)::TEXT - FROM jsonb_each_text('{{.azureDatabaseTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%') - AND enabled - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 FROM azure_key_vault_key AS k - WHERE (k.subscription_id = sub.subscription_id) - AND k.tags IS NOT NULL - AND (k.tags::TEXT LIKE '%' || REPLACE( - REPLACE(( - SELECT jsonb_object_agg(key, value)::TEXT - FROM jsonb_each_text('{{.azureDatabaseTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%') - AND enabled - ) THEN 'subscription has an app-tier cmk' - ELSE 'subscription does not have any app-tier cmk' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription AS sub + language: sql + primary_resource: azure_subscription + definition: | + SELECT + display_name AS resource, + sub.platform_resource_id, + sub.platform_integration_id, + CASE + WHEN EXISTS( + SELECT 1 FROM azure_key_vault_key AS k + WHERE (k.subscription_id = sub.subscription_id) + AND k.tags IS NOT NULL + AND (k.tags::TEXT LIKE '%' || REPLACE( + REPLACE(( + SELECT jsonb_object_agg(key, value)::TEXT + FROM jsonb_each_text('{{.azureDatabaseTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%') + AND enabled + ) THEN 'ok' + 
ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 FROM azure_key_vault_key AS k + WHERE (k.subscription_id = sub.subscription_id) + AND k.tags IS NOT NULL + AND (k.tags::TEXT LIKE '%' || REPLACE( + REPLACE(( + SELECT jsonb_object_agg(key, value)::TEXT + FROM jsonb_each_text('{{.azureDatabaseTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%') + AND enabled + ) THEN 'subscription has an app-tier cmk' + ELSE 'subscription does not have any app-tier cmk' + END AS reason, + sub.display_name AS subscription + FROM + azure_subscription AS sub severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure KeyVault - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure KeyVault + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml index bdf420df7..05576e7c0 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml 
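Review bot: The reason strings in the new-side `definition` of this database-tier control still say `'subscription has an app-tier cmk'` / `'subscription does not have any app-tier cmk'`, copied from the app-tier control; they should read `'subscription has a database-tier cmk'` and `'subscription does not have any database-tier cmk'`. The same copy-pasted reason appears in the `azure_enable_auditevent_logging_for_azure_key_vaults` hunk below, where it is unrelated to the check entirely and should describe the AuditEvent diagnostic setting, e.g. `v.name || ' has AuditEvent logging enabled'` and `v.name || ' does not have AuditEvent logging enabled'`.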
@@ -1,51 +1,52 @@ id: azure_enable_auditevent_logging_for_azure_key_vaults title: Enable AuditEvent Logging for Azure Key Vaults +type: control description: Ensure that logging for Azure KeyVault is 'Enabled' integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - name AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM - jsonb_array_elements(diagnostic_settings) AS ds, - jsonb_array_elements(ds -> 'properties' -> 'logs') AS l - WHERE - (l ->> 'category' = 'AuditEvent') AND (l ->> 'enabled' = 'true') - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM - jsonb_array_elements(diagnostic_settings) AS ds, - jsonb_array_elements(ds -> 'properties' -> 'logs') AS l - WHERE - (l ->> 'category' = 'AuditEvent') AND (l ->> 'enabled' = 'true') - ) THEN 'subscription has an app-tier cmk' - ELSE 'subscription does not have any app-tier cmk' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS v - LEFT JOIN azure_subscription AS sub ON v.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + name AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM + jsonb_array_elements(diagnostic_settings) AS ds, + jsonb_array_elements(ds -> 'properties' -> 'logs') AS l + WHERE + (l ->> 'category' = 'AuditEvent') AND (l ->> 'enabled' = 'true') + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM + jsonb_array_elements(diagnostic_settings) AS ds, + jsonb_array_elements(ds -> 'properties' -> 'logs') AS l + WHERE + (l ->> 'category' = 'AuditEvent') AND (l ->> 'enabled' = 'true') + ) THEN 'subscription has an app-tier cmk' + ELSE 'subscription does not have any app-tier cmk' + END AS 
reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS v + LEFT JOIN azure_subscription AS sub ON v.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure KeyVault - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure KeyVault + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml index 78c9e66dd..7015e6d64 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml 
@@ -1,38 +1,39 @@ id: azure_enable_certificate_transparency title: Enable Certificate Transparency +type: control description: Ensure there is a sufficient period configured for the SSL certificates auto-renewal. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_certificate - definition: | - SELECT - c.id AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN c.issuer_parameters ->> 'CertificateTransparency' = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN c.issuer_parameters ->> 'CertificateTransparency' = 'true' THEN 'Certificate transparency is not enabled for the certificate' - ELSE 'Certificate transparency is enabled for the certificate' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_certificate AS c - LEFT JOIN azure_subscription AS sub - ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_certificate + definition: | + SELECT + c.id AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN c.issuer_parameters ->> 'CertificateTransparency' = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN c.issuer_parameters ->> 'CertificateTransparency' = 'true' THEN 'Certificate transparency is not enabled for the certificate' + ELSE 'Certificate transparency is enabled for the certificate' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_certificate AS c + LEFT JOIN azure_subscription AS sub + ON c.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + 
score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml index 41c2d3d4b..96bff4abf 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml 
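Review bot: The reason branches are inverted relative to the status: the `= 'true'` branch yields `'ok'` but reports `'Certificate transparency is not enabled for the certificate'`, and the ELSE branch claims it is enabled. Swap the two strings so that `THEN 'Certificate transparency is enabled for the certificate'` and `ELSE 'Certificate transparency is not enabled for the certificate'`. The `description:` line still describes the auto-renewal period control rather than certificate transparency, which looks like a copy-paste leftover worth fixing in the same change.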
@@ -1,37 +1,38 @@ id: azure_enable_key_vault_recoverability title: Enable Key Vault Recoverability +type: control description: Ensure that your Microsoft Azure Key Vault instances are recoverable. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - name AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN soft_delete_enabled AND purge_protection_enabled THEN name || ' objects are recoverable' - ELSE name || ' objects are not recoverable' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS v - LEFT JOIN azure_subscription AS sub ON v.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + name AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN soft_delete_enabled AND purge_protection_enabled THEN name || ' objects are recoverable' + ELSE name || ' objects are not recoverable' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS v + LEFT JOIN azure_subscription AS sub ON v.subscription_id = sub.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure KeyVault - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure KeyVault + score_tags: + - Problem Identities 
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml index e172933a5..2e1e4c56d 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml 
@@ -1,38 +1,39 @@ id: azure_enable_ssl_certificate_auto_renewal title: Enable SSL Certificate Auto-Renewal +type: control description: Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_certificate - definition: | - SELECT - c.id AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN la -> 'Action' ->> 'ActionType' = 'EmailContacts' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN la -> 'Action' ->> 'ActionType' = 'EmailContacts' THEN 'Auto-Renewal feature is not enabled' - ELSE 'Auto-Renewal feature is enabled' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_certificate AS c - LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id, - jsonb_array_elements(lifetime_actions) AS la + language: sql + primary_resource: azure_key_vault_certificate + definition: | + SELECT + c.id AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN la -> 'Action' ->> 'ActionType' = 'EmailContacts' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN la -> 'Action' ->> 'ActionType' = 'EmailContacts' THEN 'Auto-Renewal feature is not enabled' + ELSE 'Auto-Renewal feature is enabled' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_certificate AS c + LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id, + jsonb_array_elements(lifetime_actions) AS la severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault 
+ score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml index 3d8cd5b04..2dc5b5066 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml 
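Review bot: The comma join with `jsonb_array_elements(lifetime_actions)` silently drops every certificate whose `lifetime_actions` is NULL or an empty array, so a certificate with no renewal policy at all produces no finding, while a certificate with several actions produces one row per action. Evaluating the policy once per certificate through a LATERAL EXISTS over `COALESCE(c.lifetime_actions, '[]'::jsonb)` keeps exactly one output row and lets the missing-policy case fail closed; the rewrite below alarms unless an `AutoRenew` action is present, which is the positive condition the title asks for (Key Vault lifetime action types are `AutoRenew` and `EmailContacts`). If the collector stores `lifetime_actions` in a different shape than the original JSON path assumes, the path inside the EXISTS needs the same adjustment.
```sql
  CASE
    WHEN policy.has_auto_renew THEN 'ok'
    ELSE 'alarm'
  END AS status,
  CASE
    WHEN policy.has_auto_renew THEN 'Auto-Renewal feature is enabled'
    ELSE 'Auto-Renewal feature is not enabled'
  END AS reason,
  -- … unchanged: resource_group, subscription …
FROM
  azure_key_vault_certificate AS c
  LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id
  -- one boolean per certificate; NULL/empty lifetime_actions yields false (fail closed)
  CROSS JOIN LATERAL (
    SELECT EXISTS (
      SELECT 1
      FROM jsonb_array_elements(COALESCE(c.lifetime_actions, '[]'::jsonb)) AS la
      WHERE la -> 'Action' ->> 'ActionType' = 'AutoRenew'
    ) AS has_auto_renew
  ) AS policy
```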
@@ -1,39 +1,40 @@ id: azure_enable_trusted_microsoft_services_for_key_vault_access title: Enable Trusted Microsoft Services for Key Vault Access +type: control description: Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN network_acls IS NULL THEN 'alarm' - WHEN network_acls ->> 'bypass' = 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_acls IS NULL THEN 'no trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the Azure Key Vault' - WHEN network_acls ->> 'bypass' = 'None' THEN 'no trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the Azure Key Vault' - ELSE 'trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the Azure Key Vault' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS c - LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN network_acls IS NULL THEN 'alarm' + WHEN network_acls ->> 'bypass' = 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_acls IS NULL THEN 'no trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the Azure Key Vault' + WHEN network_acls ->> 'bypass' = 'None' THEN 'no trusted Microsoft Azure cloud services are allowed to access the resources 
(keys, secrets and certificates) available in the Azure Key Vault' + ELSE 'trusted Microsoft Azure cloud services are allowed to access the resources (keys, secrets and certificates) available in the Azure Key Vault' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS c + LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml b/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml index c9be5f33e..8c02ac114 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml 
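Review bot: The two alarm branches treat an absent network ACL block differently from an absent `bypass` key: `network_acls IS NULL` alarms, but `network_acls ->> 'bypass'` evaluating to NULL falls through to `'ok'`, so a vault whose ACL object lacks the key is passed without evidence. If the collector reflects the ARM default of `AzureServices` when the key is omitted that is acceptable, but it should be stated in a comment; otherwise fail closed with `WHEN network_acls IS NULL OR COALESCE(network_acls ->> 'bypass', 'None') = 'None' THEN 'alarm'`. The two alarm branches carry identical reason text and can be merged into one `OR` condition, as the sibling azure_restrict_default_network_access_for_azure_key_vaults control already does.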
@@ -1,39 +1,40 @@ id: azure_restrict_default_network_access_for_azure_key_vaults title: Restrict Default Network Access for Azure Key Vaults +type: control description: Ensure that default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault - definition: | - SELECT - name AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN name || ' access configuration is not compliant' - ELSE name || ' access configuration is compliant' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault AS v - LEFT JOIN - azure_subscription AS sub - ON v.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault + definition: | + SELECT + name AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_acls IS NULL OR network_acls ->> 'defaultAction' = 'Allow' THEN name || ' access configuration is not compliant' + ELSE name || ' access configuration is compliant' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault AS v + LEFT JOIN + azure_subscription AS sub + ON v.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure KeyVault - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - 
Exposed Endpoints + score_service_name: + - Azure KeyVault + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml b/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml index 369637a2a..083b9071b 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml 
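Review bot: A `network_acls` object without a `defaultAction` key is reported `'ok'`, because `network_acls ->> 'defaultAction' = 'Allow'` is NULL rather than true and the CASE falls through to the compliant branch; since public access is the Azure default, the check should fail closed on anything that is not an explicit deny: `WHEN network_acls IS NULL OR COALESCE(network_acls ->> 'defaultAction', 'Allow') <> 'Deny' THEN 'alarm'` in both CASE expressions. The comparison is also case-sensitive; if the collector does not normalise the value, wrapping the left side in `LOWER(...)` avoids a silent pass on a differently-cased `allow`.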
@@ -1,38 +1,39 @@ id: azure_set_azure_secret_key_expiration title: Set Azure Secret Key Expiration +type: control description: Ensure that an expiration date is set for all your Microsoft Azure secret keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_secret - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expires_at IS NULL THEN c.name || ' does not have an expiration date configured.' - ELSE c.name || ' has an expiration date configured.' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_secret AS c - LEFT JOIN azure_subscription AS sub - ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_secret + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expires_at IS NULL THEN c.name || ' does not have an expiration date configured.' + ELSE c.name || ' has an expiration date configured.' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_secret AS c + LEFT JOIN azure_subscription AS sub + ON c.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys 
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml b/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml index 1d90650a4..2b5f988e8 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml 
@@ -1,40 +1,41 @@ id: azure_set_encryption_key_expiration title: Set Encryption Key Expiration +type: control description: Ensure that an expiration date is configured for all your Microsoft Azure encryption keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_key_vault_key - definition: | - SELECT - k.name AS resource, - k.platform_resource_id, - k.platform_integration_id, - CASE - WHEN expires_at IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expires_at IS NULL THEN 'key does not have an expiration time set' - ELSE 'key has an expiration time set' - END AS reason, - k.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_key_vault_key AS k - LEFT JOIN - azure_subscription AS sub - ON - k.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_key_vault_key + definition: | + SELECT + k.name AS resource, + k.platform_resource_id, + k.platform_integration_id, + CASE + WHEN expires_at IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN expires_at IS NULL THEN 'key does not have an expiration time set' + ELSE 'key has an expiration time set' + END AS reason, + k.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_key_vault_key AS k + LEFT JOIN + azure_subscription AS sub + ON + k.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure KeyVault - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure KeyVault + score_tags: + - Problem Identities 
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml index a2f3deb57..1edde8ea2 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml 
@@ -1,51 +1,52 @@ id: azure_web_tier_customer_managed_key_in_use title: Web Tier Customer-Managed Key In Use +type: control description: Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureWebTierTags - value: '' +- key: azureWebTierTags + value: "" policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH web_tier_keys AS ( - SELECT - name, subscription_id - FROM - azure_key_vault_key - WHERE - tags::text LIKE '%' || REPLACE(REPLACE(( - SELECT jsonb_object_agg(key, value)::text - FROM jsonb_each_text('{{.azureWebTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%' - ) - - SELECT - sub.display_name AS resource, - sub.platform_resource_id, - sub.platform_integration_id, - CASE - WHEN wtk.name IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN wtk.name IS NULL THEN 'there is no web tier key in the subscription.' - ELSE 'subscription has web tier keys.' - END AS reason, - sub.display_name AS subscription - FROM - azure_subscription AS sub - LEFT JOIN web_tier_keys AS wtk - ON sub.subscription_id = wtk.subscription_id + language: sql + primary_resource: azure_subscription + definition: | + WITH web_tier_keys AS ( + SELECT + name, subscription_id + FROM + azure_key_vault_key + WHERE + tags::text LIKE '%' || REPLACE(REPLACE(( + SELECT jsonb_object_agg(key, value)::text + FROM jsonb_each_text('{{.azureWebTierTags}}'::jsonb) + ), '{', ''), '}', '') || '%' + ) + + SELECT + sub.display_name AS resource, + sub.platform_resource_id, + sub.platform_integration_id, + CASE + WHEN wtk.name IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN wtk.name IS NULL THEN 'there is no web tier key in the subscription.' + ELSE 'subscription has web tier keys.' 
+ END AS reason, + sub.display_name AS subscription + FROM + azure_subscription AS sub + LEFT JOIN web_tier_keys AS wtk + ON sub.subscription_id = wtk.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure KeyVault - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure KeyVault - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure KeyVault + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure KeyVault + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml b/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml index 3e37ae5c1..2a95e1553 100644 --- a/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml +++ b/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml 
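Review bot: With the declared default `value: ""` the expression `'{{.azureWebTierTags}}'::jsonb` becomes `''::jsonb`, which is not valid JSON input, so the control fails with an error rather than reporting until the parameter is set; guard it with `NULLIF('{{.azureWebTierTags}}', '')::jsonb` and surface the unset case as `'info'` so it is visible instead of an execution failure. The tag match itself is fragile: `tags::text LIKE '%' || ... || '%'` depends on the key order and spacing of the serialised jsonb text and also matches on substrings of unrelated keys or values, whereas the containment operator `tags @> '{{.azureWebTierTags}}'::jsonb` expresses the intended semantics directly and drops the nested REPLACE/jsonb_object_agg scaffolding. Because the parameter is interpolated into the SQL text rather than bound, any quote character in the value changes the statement; the value presumably comes from operator configuration, but that trust boundary deserves a comment on the `parameters:` entry.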
@@ -1,39 +1,40 @@ id: azure_check_for_kubernetes_version title: Check for Kubernetes Version +type: control description: Ensure that AKS clusters are using the latest available version of Kubernetes software. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureAksLatestVersion - value: '' +- key: azureAksLatestVersion + value: "" policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN kubernetes_version < '{{.azureAksLatestVersion}}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kubernetes_version < '{{.azureAksLatestVersion}}' THEN c.name || ' is not using the latest available version of Kubernetes software' - ELSE c.name || ' is using the latest available version of Kubernetes software' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS c - LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN kubernetes_version < '{{.azureAksLatestVersion}}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kubernetes_version < '{{.azureAksLatestVersion}}' THEN c.name || ' is not using the latest available version of Kubernetes software' + ELSE c.name || ' is using the latest available version of Kubernetes software' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS c + LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id severity: low tags: - platform_score_cloud_service_name: - - Azure Kubernetes (AKS) - platform_score_use_case: - - Lacking High Availability - score_service_name: - - Azure Kubernetes (AKS) - score_tags: - - 
Lacking High Availability + platform_score_cloud_service_name: + - Azure Kubernetes (AKS) + platform_score_use_case: + - Lacking High Availability + score_service_name: + - Azure Kubernetes (AKS) + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml index f8586b1c5..e764de230 100644 --- a/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml +++ b/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml 
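Review bot: `kubernetes_version < '{{.azureAksLatestVersion}}'` compares version strings lexicographically, so `'1.9.0'` sorts after `'1.10.0'` and a cluster on an older minor release can be reported `'ok'`; compare the components numerically instead, e.g. `string_to_array(kubernetes_version, '.')::int[] < string_to_array('{{.azureAksLatestVersion}}', '.')::int[]` (assuming versions are plain dotted integers — a pre-release suffix would need stripping first). With the declared default `value: ""` the predicate is never true, so every cluster passes until the parameter is configured; returning `'info'` when the parameter is empty would make that state visible. The azure_kubernetes_api_version control (the `@@ -1,36 +1,37 @@` hunk further down) has the same two issues and near-identical SQL, so the two could share one definition or one parameter.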
@@ -1,37 +1,38 @@ id: azure_enable_defender_for_cloud_for_aks_clusters title: Enable Defender for Cloud for AKS Clusters +type: control description: Ensure that Microsoft Defender for Cloud is enabled for AKS clusters. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN (addon_profiles -> 'omsagent' ->> 'enabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (addon_profiles -> 'omsagent' ->> 'enabled')::bool THEN 'Microsoft Defender is enabled for this resource' - ELSE 'Microsoft Defender is not enabled for this resource' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS c - LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN (addon_profiles -> 'omsagent' ->> 'enabled')::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (addon_profiles -> 'omsagent' ->> 'enabled')::bool THEN 'Microsoft Defender is enabled for this resource' + ELSE 'Microsoft Defender is not enabled for this resource' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS c + LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Kubernetes (AKS) - platform_score_use_case: - - Tolerate Failures - score_service_name: - - Azure Kubernetes (AKS) - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - Azure Kubernetes (AKS) + platform_score_use_case: + - Tolerate Failures + score_service_name: + - Azure 
Kubernetes (AKS) + score_tags: + - Tolerate Failures diff --git a/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml b/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml index 5fb05d488..7fbb3f452 100644 --- a/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml +++ b/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml 
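Review bot: The check reads `addon_profiles -> 'omsagent' ->> 'enabled'`, which is the monitoring (Container Insights) agent add-on, not the Microsoft Defender for Cloud setting the title and reason strings describe; in the ARM model Defender for Containers is reflected under the cluster's `securityProfile.defender` settings, so a cluster with monitoring on but Defender off is reported `'ok'`. If the table exposes that profile, the status should derive from it; if it does not, the title and reasons should say what is actually verified, e.g. `'Container Insights (omsagent) add-on is enabled'`. The `::bool` cast on a missing key yields NULL and falls to `'alarm'`, which is the right fail-closed behaviour and worth a one-line comment so nobody "fixes" it.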
@@ -1,39 +1,40 @@ id: azure_enable_kubernetes_role_based_access_control title: Enable Kubernetes Role-Based Access Control +type: control description: Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - kubernetes_version, - CASE - WHEN enable_rbac THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_rbac THEN c.name || ' Role-Based Access Control (RBAC) is enabled' - ELSE c.name || ' Role-Based Access Control (RBAC) is not enabled' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS c - LEFT JOIN azure_subscription AS sub - ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + kubernetes_version, + CASE + WHEN enable_rbac THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_rbac THEN c.name || ' Role-Based Access Control (RBAC) is enabled' + ELSE c.name || ' Role-Based Access Control (RBAC) is not enabled' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS c + LEFT JOIN azure_subscription AS sub + ON c.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Kubernetes (AKS) - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - Azure Kubernetes (AKS) - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - Azure Kubernetes (AKS) + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - Azure Kubernetes (AKS) + score_tags: + - Unencrypted Traffic 
diff --git a/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml b/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml index 3d2995340..3f58d4931 100644 --- a/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml +++ b/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml 
@@ -1,36 +1,37 @@ id: azure_kubernetes_api_version title: Kubernetes API Version +type: control description: Ensure that AKS clusters are using the latest version of Kubernetes API. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureKubernetesLatestVersion - value: '' +- key: azureKubernetesLatestVersion + value: "" policy: - language: sql - primary_resource: azure_kubernetes_cluster - definition: | - SELECT - c.name AS resource, - c.platform_resource_id, - c.platform_integration_id, - CASE - WHEN kubernetes_version < '{{.azureKubernetesLatestVersion}}' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kubernetes_version < '{{.azureKubernetesLatestVersion}}' THEN c.name || ' is not using the latest version of Kubernetes API' - ELSE c.name || ' is using the latest version of Kubernetes API' - END AS reason, - c.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_kubernetes_cluster AS c - LEFT JOIN - azure_subscription AS sub ON c.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_kubernetes_cluster + definition: | + SELECT + c.name AS resource, + c.platform_resource_id, + c.platform_integration_id, + CASE + WHEN kubernetes_version < '{{.azureKubernetesLatestVersion}}' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN kubernetes_version < '{{.azureKubernetesLatestVersion}}' THEN c.name || ' is not using the latest version of Kubernetes API' + ELSE c.name || ' is using the latest version of Kubernetes API' + END AS reason, + c.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_kubernetes_cluster AS c + LEFT JOIN + azure_subscription AS sub ON c.subscription_id = sub.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Kubernetes (AKS) - score_service_name: - - Azure Kubernetes (AKS) + platform_score_cloud_service_name: + - Azure Kubernetes (AKS) + score_service_name: + - Azure Kubernetes (AKS) 
diff --git a/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml b/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml index ea611cbc2..a9eeef592 100644 --- a/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml +++ b/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml 
@@ -1,39 +1,40 @@
 id: azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
 title: Secure Access to Kubernetes API Server Using Authorized IP Address Ranges
+type: control
 description: Ensure that public access to Kubernetes API server is restricted.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.name AS resource,
- c.platform_resource_id,
- c.platform_integration_id,
- kubernetes_version,
- CASE
- WHEN api_server_access_profile IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN api_server_access_profile IS NULL THEN c.name || ' is not configured to secure access to the Kubernetes API server'
- ELSE c.name || ' is configured to secure access to the Kubernetes API server'
- END AS reason,
- c.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster AS c
- LEFT JOIN
- azure_subscription AS sub ON c.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.name AS resource,
+ c.platform_resource_id,
+ c.platform_integration_id,
+ kubernetes_version,
+ CASE
+ WHEN api_server_access_profile IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN api_server_access_profile IS NULL THEN c.name || ' is not configured to secure access to the Kubernetes API server'
+ ELSE c.name || ' is configured to secure access to the Kubernetes API server'
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS c
+ LEFT JOIN
+ azure_subscription AS sub ON c.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Kubernetes (AKS)
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Kubernetes (AKS)
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml b/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
index 131f19457..bc046724a 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
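Review bot: `WHEN api_server_access_profile IS NULL THEN 'alarm'` only tests that the profile object exists, not that it restricts anything, so a cluster whose profile is present with an empty authorized-range list and no private cluster passes as 'ok' — a false negative for a control tagged Exposed Endpoints. The check should look inside the profile, roughly `WHEN api_server_access_profile IS NULL OR (jsonb_array_length(COALESCE(api_server_access_profile -> 'authorizedIPRanges', '[]'::jsonb)) = 0 AND NOT COALESCE((api_server_access_profile ->> 'enablePrivateCluster')::boolean, false)) THEN 'alarm'`; the key names are the ARM property names and should be verified against what this column actually stores. The `kubernetes_version,` entry in the select list is unused by the control and can be dropped.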
@@ -1,35 +1,36 @@
 id: azure_use_azure_cni_add_on_for_managing_network_resources
 title: Use Azure CNI Add-On for Managing Network Resources
+type: control
 description: Ensure that DDoS standard protection is enabled for production Azure virtual networks.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- kc.id AS resource,
- kc.platform_integration_id,
- kc.platform_resource_id,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'not configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
- ELSE 'configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
- END AS reason,
- kc.resource_group,
- display_name AS subscription
- FROM
- azure_kubernetes_cluster AS kc,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = kc.subscription_id
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ kc.id AS resource,
+ kc.platform_integration_id,
+ kc.platform_resource_id,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'not configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
+ ELSE 'configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
+ END AS reason,
+ kc.resource_group,
+ display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS kc,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = kc.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- score_service_name:
- - Azure Kubernetes (AKS)
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ score_service_name:
+ - Azure Kubernetes (AKS)
diff --git a/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
index 4ace1a4f3..2409ab500 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
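Review bot: The `description:` line still reads `Ensure that DDoS standard protection is enabled for production Azure virtual networks.`, which belongs to a different control and does not describe the `networkPlugin` check below; `Ensure that AKS clusters use the Azure CNI network plugin instead of kubenet.` would match. The `reason` strings omit the cluster name, unlike the sibling AKS controls, so prefixing them with `kc.name || ' is ...'` makes findings attributable in a multi-cluster report. The comma join in `FROM` with the `WHERE sub.subscription_id = kc.subscription_id` filter is an inner join that silently drops any cluster whose subscription row is missing; the other controls in this set use `LEFT JOIN` for the same lookup.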
@@ -1,35 +1,36 @@
 id: azure_use_microsoft_entra_id_integration_for_aks_clusters
 title: Use Microsoft Entra ID Integration for AKS Clusters
+type: control
 description: Ensure that Microsoft Entra ID integration is enabled for Azure Kubernetes clusters.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- kc.id AS resource,
- kc.platform_integration_id,
- kc.platform_resource_id,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'not configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
- ELSE 'configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
- END AS reason,
- kc.resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster AS kc,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = kc.subscription_id
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ kc.id AS resource,
+ kc.platform_integration_id,
+ kc.platform_resource_id,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN network_profile ->> 'networkPlugin' = 'kubenet' THEN 'not configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
+ ELSE 'configured to use the Azure Container Networking Interface (CNI) add-on for managing network resources.'
+ END AS reason,
+ kc.resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS kc,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = kc.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- score_service_name:
- - Azure Kubernetes (AKS)
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ score_service_name:
+ - Azure Kubernetes (AKS)
diff --git a/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml b/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
index c8e534509..bddb9a3bc 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
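Review bot: The control titled "Use Microsoft Entra ID Integration for AKS Clusters" never inspects the cluster's Entra/AAD configuration: its status is `network_profile ->> 'networkPlugin' = 'kubenet'`, a verbatim copy of the CNI control, so a cluster running Azure CNI with no Entra ID integration is reported 'ok' and the reason text talks about CNI. The predicate and both reason strings need rewriting against the cluster's AAD profile column (presumably `aad_profile` in this schema — verify the column name and whether an empty object rather than NULL denotes "not integrated"), as sketched below. The comma join in `FROM` should also become a `LEFT JOIN` as in the sibling controls so clusters are not dropped when the subscription row is absent.
```yaml
      CASE
        WHEN aad_profile IS NULL THEN 'alarm'
        ELSE 'ok'
      END AS status,
      CASE
        WHEN aad_profile IS NULL THEN kc.name || ' does not have Microsoft Entra ID integration enabled.'
        ELSE kc.name || ' has Microsoft Entra ID integration enabled.'
      END AS reason,
      -- … unchanged: resource_group, subscription, FROM / WHERE …
```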
@@ -1,46 +1,47 @@
 id: azure_use_network_contributor_role_for_managing_azure_network_resources
 title: Use Network Contributor Role for Managing Azure Network Resources
+type: control
 description: Ensure that AKS clusters are configured to use the Network Contributor role.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- WITH rd AS (
- SELECT
- scope,
- ARRAY_AGG(role_name) AS roles
- FROM
- azure_role_assignment AS ra
- LEFT JOIN azure_role_definition AS rd ON ra.role_definition_id = rd.id
- GROUP BY
- scope
- LIMIT 10
- )
-
- SELECT
- c.name AS resource,
- c.platform_resource_id,
- c.platform_integration_id,
- CASE
- WHEN rd.roles::text ILIKE '%Network Contributor%' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN rd.roles::text ILIKE '%Network Contributor%' THEN c.name || ' is using a Network Contributor role to manage network resources.'
- ELSE c.name || ' is not using a Network Contributor role to manage network resources.'
- END AS reason,
- c.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster AS c
- LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id
- LEFT JOIN rd AS rd ON c.id LIKE '%' || rd.scope || '%'
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ WITH rd AS (
+ SELECT
+ scope,
+ ARRAY_AGG(role_name) AS roles
+ FROM
+ azure_role_assignment AS ra
+ LEFT JOIN azure_role_definition AS rd ON ra.role_definition_id = rd.id
+ GROUP BY
+ scope
+ LIMIT 10
+ )
+
+ SELECT
+ c.name AS resource,
+ c.platform_resource_id,
+ c.platform_integration_id,
+ CASE
+ WHEN rd.roles::text ILIKE '%Network Contributor%' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN rd.roles::text ILIKE '%Network Contributor%' THEN c.name || ' is using a Network Contributor role to manage network resources.'
+ ELSE c.name || ' is not using a Network Contributor role to manage network resources.'
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS c
+ LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id
+ LEFT JOIN rd AS rd ON c.id LIKE '%' || rd.scope || '%'
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- score_service_name:
- - Azure Kubernetes (AKS)
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ score_service_name:
+ - Azure Kubernetes (AKS)
diff --git a/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
index 9b64b9bc1..a78425340 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
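Review bot: `LIMIT 10` inside the `rd` CTE has no `ORDER BY`, so only an arbitrary ten scopes' role assignments are ever considered and a cluster whose scope falls outside them flips between 'alarm' and 'ok' from run to run; the line should simply be deleted. The join `c.id LIKE '%' || rd.scope || '%'` also matches an assignment at any enclosing scope (subscription, resource group) held by any principal, so the control cannot tell the cluster's own identity holding Network Contributor apart from an unrelated user, and a scope containing `_` or `%` acts as a wildcard; matching `ra.principal_id` against the cluster identity would be the tighter check if the schema exposes it, and `c.id LIKE rd.scope || '%'` with escaped wildcards is the minimum. Reusing `rd` as both the CTE name and the `azure_role_definition` alias inside it is legal but reads confusingly.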
@@ -1,38 +1,39 @@
 id: azure_use_system_assigned_managed_identities_for_aks_clusters
 title: Use System-Assigned Managed Identities for AKS Clusters
+type: control
 description: Ensure that AKS clusters are using system-assigned managed identities.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.name AS resource,
- c.platform_resource_id,
- c.platform_integration_id,
- kubernetes_version,
- CASE
- WHEN identity ->> 'type' = 'UserAssigned' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN identity ->> 'type' = 'UserAssigned' THEN c.name || ' is not using a system-assigned managed identity'
- ELSE c.name || ' is using a system-assigned managed identity'
- END AS reason,
- c.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster AS c
- LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.name AS resource,
+ c.platform_resource_id,
+ c.platform_integration_id,
+ kubernetes_version,
+ CASE
+ WHEN identity ->> 'type' = 'UserAssigned' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN identity ->> 'type' = 'UserAssigned' THEN c.name || ' is not using a system-assigned managed identity'
+ ELSE c.name || ' is using a system-assigned managed identity'
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS c
+ LEFT JOIN azure_subscription AS sub ON c.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- platform_score_use_case:
- - Unencrypted Traffic
- score_service_name:
- - Azure Kubernetes (AKS)
- score_tags:
- - Unencrypted Traffic
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ platform_score_use_case:
+ - Unencrypted Traffic
+ score_service_name:
+ - Azure Kubernetes (AKS)
+ score_tags:
+ - Unencrypted Traffic
diff --git a/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
index fcf2b3d00..abcea26c0 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
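Review bot: `WHEN identity ->> 'type' = 'UserAssigned' THEN 'alarm' ELSE 'ok'` passes a cluster that has no managed identity at all (`identity` NULL, e.g. a legacy service-principal cluster), which is precisely the case this control should catch; inverting the test to `WHEN identity IS NULL OR identity ->> 'type' <> 'SystemAssigned' THEN 'alarm'` fails closed. The `platform_score_use_case` / `score_tags` value `Unencrypted Traffic` has nothing to do with a managed-identity check and looks copied from another control. The `kubernetes_version,` column in the select list is unused here and can be dropped.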
@@ -1,34 +1,35 @@
 id: azure_use_user_assigned_managed_identities_for_aks_clusters
 title: Use User-Assigned Managed Identities for AKS Clusters
+type: control
 description: Ensure that AKS clusters are using user-assigned managed identities.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_kubernetes_cluster
- definition: |
- SELECT
- c.name AS resource,
- c.platform_resource_id,
- c.platform_integration_id,
- CASE
- WHEN identity ->> 'type' = 'SystemAssigned' AND identity ->> 'userAssignedIdentities' IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN identity ->> 'type' = 'SystemAssigned' AND identity ->> 'userAssignedIdentities' IS NULL THEN c.name || ' is not using a user-assigned managed identity'
- ELSE c.name || ' is using a user-assigned managed identity'
- END AS reason,
- c.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_kubernetes_cluster AS c
- LEFT JOIN
- azure_subscription AS sub ON c.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_kubernetes_cluster
+ definition: |
+ SELECT
+ c.name AS resource,
+ c.platform_resource_id,
+ c.platform_integration_id,
+ CASE
+ WHEN identity ->> 'type' = 'SystemAssigned' AND identity ->> 'userAssignedIdentities' IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN identity ->> 'type' = 'SystemAssigned' AND identity ->> 'userAssignedIdentities' IS NULL THEN c.name || ' is not using a user-assigned managed identity'
+ ELSE c.name || ' is using a user-assigned managed identity'
+ END AS reason,
+ c.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_kubernetes_cluster AS c
+ LEFT JOIN
+ azure_subscription AS sub ON c.subscription_id = sub.subscription_id
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
- score_service_name:
- - Azure Kubernetes (AKS)
+ platform_score_cloud_service_name:
+ - Azure Kubernetes (AKS)
+ score_service_name:
+ - Azure Kubernetes (AKS)
diff --git a/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml b/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
index 62d87c31e..b8e09c8fe 100644
--- a/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
+++ b/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
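Review bot: This control and `azure_use_system_assigned_managed_identities_for_aks_clusters` in the same directory are mutually exclusive — no cluster can satisfy both — so any benchmark that includes both will flag every AKS cluster; one should be dropped, or they should collapse into a single parameterised "use a managed identity of type X" control. Independently, the status expression lets `identity IS NULL` through as 'ok', so a cluster with no managed identity passes; `WHEN identity IS NULL OR identity -> 'userAssignedIdentities' IS NULL THEN 'alarm'` is the fail-closed form and also removes the dependence on the exact `type` string. A `high` severity for preferring one identity flavour over the other is hard to justify when the sibling control is `medium`.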
@@ -1,37 +1,38 @@
 id: azure_disable_plain_ftp_deployment
 title: Disable Plain FTP Deployment
+type: control
 description: Ensure that FTP access is disabled for your Azure App Services web applications.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_app_service_web_app
- definition: |
- SELECT
- wa.name AS resource,
- wa.platform_resource_id,
- wa.platform_integration_id,
- CASE
- WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' default FTP deployment is not disabled'
- ELSE name || ' default FTP deployment is disabled'
- END AS reason,
- wa.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_app_service_web_app AS wa
- LEFT JOIN azure_subscription AS sub ON wa.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_app_service_web_app
+ definition: |
+ SELECT
+ wa.name AS resource,
+ wa.platform_resource_id,
+ wa.platform_integration_id,
+ CASE
+ WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' THEN name || ' default FTP deployment is not disabled'
+ ELSE name || ' default FTP deployment is disabled'
+ END AS reason,
+ wa.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_app_service_web_app AS wa
+ LEFT JOIN azure_subscription AS sub ON wa.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure App Services
- platform_score_use_case:
- - Lacking High Availability
- score_service_name:
- - Azure App Services
- score_tags:
- - Lacking High Availability
+ platform_score_cloud_service_name:
+ - Azure App Services
+ platform_score_use_case:
+ - Lacking High Availability
+ score_service_name:
+ - Azure App Services
+ score_tags:
+ - Lacking High Availability
diff --git a/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml b/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
index d4d43b291..c3b44ac2d 100644
--- a/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
+++ b/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
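Review bot: The status only alarms when `ftpsState` is exactly `AllAllowed`; when `configuration -> 'properties' ->> 'ftpsState'` is absent or NULL the app is reported 'ok' although nothing shows plain FTP is off, so the check should fail closed, e.g. `WHEN COALESCE(configuration -> 'properties' ->> 'ftpsState', 'AllAllowed') = 'AllAllowed' THEN 'alarm'`, or return 'info' for the missing case if the platform default for unset apps is not known for certain. The reason text uses an unqualified `name`; writing `wa.name` keeps it unambiguous if a joined table later exposes a `name` column. The `platform_score_use_case` / `score_tags` value `Lacking High Availability` is unrelated to disabling FTP and reads as a copy-paste leftover.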
@@ -1,35 +1,36 @@
 id: azure_enable_automatic_failover
 title: Enable Automatic Failover
+type: control
 description: Enable automatic failover for Microsoft Azure Cosmos DB accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- SELECT
- a.name AS resource,
- a.platform_resource_id,
- a.platform_integration_id,
- CASE
- WHEN enable_automatic_failover = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN enable_automatic_failover = 'true' THEN 'Automatic Failover feature is enabled.'
- ELSE 'Automatic Failover feature is not enabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_cosmosdb_account AS a
- LEFT JOIN
- azure_subscription AS sub
- ON a.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ SELECT
+ a.name AS resource,
+ a.platform_resource_id,
+ a.platform_integration_id,
+ CASE
+ WHEN enable_automatic_failover = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN enable_automatic_failover = 'true' THEN 'Automatic Failover feature is enabled.'
+ ELSE 'Automatic Failover feature is not enabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_cosmosdb_account AS a
+ LEFT JOIN
+ azure_subscription AS sub
+ ON a.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Network
- score_service_name:
- - Azure Network
+ platform_score_cloud_service_name:
+ - Azure Network
+ score_service_name:
+ - Azure Network
diff --git a/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml b/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml
index 6a2765899..e5a302b86 100644
--- a/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml
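Review bot: Both `platform_score_cloud_service_name` and `score_service_name` are set to `Azure Network` for a control whose `primary_resource` is `azure_cosmosdb_account`, so findings will be scored under the wrong service; `Azure Cosmos DB` is presumably intended. The reason strings do not name the account, so a multi-account report is not attributable — `a.name || ' has automatic failover enabled.'` and its negation would fix that. `enable_automatic_failover = 'true'` relies on the untyped literal being coerced to the column's type; if the column is boolean, `enable_automatic_failover IS TRUE` says the same thing explicitly and still treats NULL as 'alarm'.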
+++ b/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml 
@@ -1,38 +1,39 @@
 id: azure_monitor_log_all_activities
 title: Azure Monitor Log All Activities
+type: control
 description: Ensure audit profile captures all the activities.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_log_profile
- definition: |
- SELECT
- p.id AS resource,
- p.platform_resource_id,
- p.platform_integration_id,
- CASE
- WHEN p.categories @> '["Write", "Delete", "Action"]' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN p.categories @> '["Write", "Delete", "Action"]' THEN p.name || ' collect activity logs from all activities.'
- ELSE p.name || ' not collect activity logs from all activities.'
- END AS reason,
- p.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_log_profile AS p
- LEFT JOIN
- azure_subscription sub ON sub.subscription_id = p.subscription_id;
+ language: sql
+ primary_resource: azure_log_profile
+ definition: |
+ SELECT
+ p.id AS resource,
+ p.platform_resource_id,
+ p.platform_integration_id,
+ CASE
+ WHEN p.categories @> '["Write", "Delete", "Action"]' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN p.categories @> '["Write", "Delete", "Action"]' THEN p.name || ' collect activity logs from all activities.'
+ ELSE p.name || ' not collect activity logs from all activities.'
+ END AS reason,
+ p.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_log_profile AS p
+ LEFT JOIN
+ azure_subscription sub ON sub.subscription_id = p.subscription_id;
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Monitor
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Monitor
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Monitor
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Monitor
+ score_tags:
+ - Exposed Endpoints
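Review bot: The reason text `p.name || ' collect activity logs from all activities.'` / `' not collect ...'` is ungrammatical; `p.name || ' collects activity logs for all categories.'` and `p.name || ' does not collect activity logs for all categories.'` read correctly and say what `@> '["Write", "Delete", "Action"]'` actually tests. Because the control is evaluated per `azure_log_profile` row, a subscription with no log profile at all produces no finding rather than an alarm, which is the more dangerous gap for an audit-coverage control; if that case matters it needs a subscription-level companion check. The `Exposed Endpoints` use-case tag does not describe an activity-log coverage check.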
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
index 70db7074f..4f3947109 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
@@ -1,54 +1,55 @@
 id: azure_check_for_unrestricted_mongodb_access
 title: Check for Unrestricted MongoDB Access
+type: control
 description: Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_network_security_group
- definition: |
- SELECT
- sg.id AS resource,
- sg.platform_integration_id,
- sg.platform_resource_id,
- CASE
- WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet')
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet')
- THEN 'The MongoDB inbound access to the associated Microsoft Azure virtual machine(s) is not secured.'
- ELSE 'The MongoDB inbound access to the associated Microsoft Azure virtual machine(s) is secured.'
- END AS reason,
- sg.resource_group,
- display_name AS subscription
- FROM
- azure_network_security_group AS sg,
- azure_subscription AS sub,
- jsonb_array_elements(security_rules) AS sr
- WHERE
- sub.subscription_id = sg.subscription_id
- AND sr -> 'properties' ->> 'access' = 'Allow'
- AND sr -> 'properties' ->> 'protocol' = 'Tcp'
- AND (
- sr -> 'properties' ->> 'destinationPortRanges' = '27017'
- OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27017"%'
- OR sr -> 'properties' ->> 'destinationPortRanges' = '27018'
- OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27018"%'
- OR sr -> 'properties' ->> 'destinationPortRanges' = '27019'
- OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27019"%'
- OR sr -> 'properties' ->> 'destinationPortRanges' = '*'
- )
- AND sr -> 'properties' ->> 'direction' = 'Inbound'
+ language: sql
+ primary_resource: azure_network_security_group
+ definition: |
+ SELECT
+ sg.id AS resource,
+ sg.platform_integration_id,
+ sg.platform_resource_id,
+ CASE
+ WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet')
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet')
+ THEN 'The MongoDB inbound access to the associated Microsoft Azure virtual machine(s) is not secured.'
+ ELSE 'The MongoDB inbound access to the associated Microsoft Azure virtual machine(s) is secured.'
+ END AS reason,
+ sg.resource_group,
+ display_name AS subscription
+ FROM
+ azure_network_security_group AS sg,
+ azure_subscription AS sub,
+ jsonb_array_elements(security_rules) AS sr
+ WHERE
+ sub.subscription_id = sg.subscription_id
+ AND sr -> 'properties' ->> 'access' = 'Allow'
+ AND sr -> 'properties' ->> 'protocol' = 'Tcp'
+ AND (
+ sr -> 'properties' ->> 'destinationPortRanges' = '27017'
+ OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27017"%'
+ OR sr -> 'properties' ->> 'destinationPortRanges' = '27018'
+ OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27018"%'
+ OR sr -> 'properties' ->> 'destinationPortRanges' = '27019'
+ OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"27019"%'
+ OR sr -> 'properties' ->> 'destinationPortRanges' = '*'
+ )
+ AND sr -> 'properties' ->> 'direction' = 'Inbound'
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Network
- score_service_name:
- - Azure Network
+ platform_score_cloud_service_name:
+ - Azure Network
+ score_service_name:
+ - Azure Network
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
index 8dda8a927..033a3e39c 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
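Review bot: The source test only matches the literal strings `'*'`, `'any'` and `'internet'`, but the comparison is case-sensitive and Azure spells the service tag `Internet`, and the equivalent open prefixes `0.0.0.0/0`, `::/0` and entries in the plural `sourceAddressPrefixes` array are never examined, so a rule that is open to the world in any of those spellings is reported as "secured". Normalising with `LOWER(sr -> 'properties' ->> 'sourceAddressPrefix') IN ('*', 'any', 'internet', '0.0.0.0/0', '::/0')` and also scanning `sourceAddressPrefixes` closes most of that gap. Likewise the port filter reads only the plural `destinationPortRanges` and only exact port strings, so a rule written with the singular `destinationPortRange` or a range such as `27000-27020` never enters the result set at all — it is silently neither 'ok' nor 'alarm' — and because one row is emitted per matching rule, an NSG with one open and one restricted rule is reported as both.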
@@ -1,46 +1,47 @@
 id: azure_check_for_unrestricted_mssql_access
 title: Check for Unrestricted MSSQL Access
+type: control
 description: Ensure that no network security groups allow unrestricted inbound access on TCP port 1433.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_network_security_group
- definition: |
- SELECT
- sg.id AS resource,
- sg.platform_integration_id,
- sg.platform_resource_id,
- CASE
- WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
- OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The MSSQL inbound access to the associated Microsoft Azure virtual machine(s) is not secured.'
- ELSE 'The MSSQL inbound access to the associated Microsoft Azure virtual machine(s) is secured.'
- END AS reason,
- sg.resource_group,
- display_name AS subscription
- FROM
- azure_network_security_group AS sg,
- azure_subscription AS sub,
- jsonb_array_elements(security_rules) AS sr
- WHERE
- sub.subscription_id = sg.subscription_id
- AND sr -> 'properties' ->> 'access' = 'Allow'
- AND sr -> 'properties' ->> 'protocol' = 'Tcp'
- AND (sr -> 'properties' ->> 'destinationPortRanges' = '1433'
- OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"1433"%'
- OR sr -> 'properties' ->> 'destinationPortRanges' = '*')
- AND sr -> 'properties' ->> 'direction' = 'Inbound'
+ language: sql
+ primary_resource: azure_network_security_group
+ definition: |
+ SELECT
+ sg.id AS resource,
+ sg.platform_integration_id,
+ sg.platform_resource_id,
+ CASE
+ WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any')
+ OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The MSSQL inbound access to the associated Microsoft Azure virtual machine(s) is not secured.'
+ ELSE 'The MSSQL inbound access to the associated Microsoft Azure virtual machine(s) is secured.'
+ END AS reason,
+ sg.resource_group,
+ display_name AS subscription
+ FROM
+ azure_network_security_group AS sg,
+ azure_subscription AS sub,
+ jsonb_array_elements(security_rules) AS sr
+ WHERE
+ sub.subscription_id = sg.subscription_id
+ AND sr -> 'properties' ->> 'access' = 'Allow'
+ AND sr -> 'properties' ->> 'protocol' = 'Tcp'
+ AND (sr -> 'properties' ->> 'destinationPortRanges' = '1433'
+ OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"1433"%'
+ OR sr -> 'properties' ->> 'destinationPortRanges' = '*')
+ AND sr -> 'properties' ->> 'direction' = 'Inbound'
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Network
- score_service_name:
- - Azure Network
+ platform_score_cloud_service_name:
+ - Azure Network
+ score_service_name:
+ - Azure Network
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
index c233907d9..560a00347 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
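Review bot: A rule whose port field does not satisfy the `WHERE` filter is excluded from the result set entirely, so an NSG whose 1433 rule is written as a range (`1400-1500`) or uses the singular `destinationPortRange` property yields no row — neither 'ok' nor 'alarm' — and a `sourceAddressPrefix` of `Internet` (Azure's service-tag casing), `0.0.0.0/0` or `::/0` falls through the case-sensitive `CASE` to 'ok'. The port predicate should also cover `sr -> 'properties' ->> 'destinationPortRange'`, and the source predicate should be normalised, e.g. `LOWER(sr -> 'properties' ->> 'sourceAddressPrefix') IN ('*', 'any', 'internet', '0.0.0.0/0', '::/0')`, with the plural `sourceAddressPrefixes` array scanned as well. Since one row is emitted per matching rule, an NSG with one open and one restricted 1433 rule is reported both 'ok' and 'alarm'; aggregating per `sg.id` with `BOOL_OR` would give a single verdict per security group.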
@@ -1,46 +1,47 @@ id: azure_check_for_unrestricted_mysql_database_access title: Check for Unrestricted MySQL Database Access +type: control description: Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The MySQL Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The MySQL Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND (sr -> 'properties' ->> 'destinationPortRanges' = '3306' OR - sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"3306"%' OR - sr -> 'properties' ->> 'destinationPortRanges' = '*') - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The MySQL Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The MySQL Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND (sr -> 'properties' ->> 'destinationPortRanges' = '3306' OR + sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"3306"%' OR + sr -> 'properties' ->> 'destinationPortRanges' = '*') + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml index 1a09394a8..fb0ee1dc3 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml 
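Review bot: The port predicate in the new WHERE clause only reads `destinationPortRanges` (the plural array field), so a rule that carries the port in the singular `destinationPortRange` — which, as far as I can tell from the ARM securityRule schema, is where a single port or `*` is normally set — never matches and the NSG is silently not reported. The `= '3306'` and `= '*'` comparisons against the plural field can never be true for a JSON array (its `->>` text is `["3306"]`-style) unless ingestion flattens it, leaving the `LIKE '%"3306"%'` branch as the only effective test. I would replace the three comparisons with `AND (sr -> 'properties' ->> 'destinationPortRange' IN ('3306', '*') OR sr -> 'properties' -> 'destinationPortRanges' ? '3306')`, and note in a comment that numeric ranges such as `3000-4000` are still not expanded by this control.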
@@ -1,63 +1,64 @@ id: azure_check_for_unrestricted_netbios_access title: Check for Unrestricted NetBIOS Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'The NetBIOS inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The NetBIOS inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'The NetBIOS inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The NetBIOS inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND ( + (sr -> 'properties' ->> 'protocol' = 'Tcp' AND ( - (sr -> 'properties' ->> 'protocol' = 'Tcp' - AND ( - sr -> 'properties' ->> 'destinationPortRanges' = '139' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"139"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*' - ) - ) - OR - (sr -> 'properties' ->> 'protocol' = 'Udp' - AND ( - sr -> 'properties' ->> 'destinationPortRanges' = '137' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"137"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '138' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"138"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*' - ) - ) + sr -> 'properties' ->> 'destinationPortRanges' = '139' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"139"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*' ) - AND sr -> 'properties' ->> 'direction' = 'Inbound' + ) + OR + (sr -> 'properties' ->> 'protocol' = 'Udp' + AND ( + sr -> 'properties' ->> 'destinationPortRanges' = '137' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"137"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '138' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"138"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*' + ) + ) + ) + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network 
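Review bot: The protocol match at the end of the hunk (`protocol = 'Tcp'` / `protocol = 'Udp'`) excludes rules whose protocol is `*` (any), which also admit NetBIOS traffic on 137/138/139 and are the most likely shape of an over-permissive rule, so those rules fall through the control unreported. The same block only inspects the plural `destinationPortRanges`; a single port or `*` placed in the singular `destinationPortRange` field is never seen. I would rewrite the protocol/port block as below (the rest of the WHERE clause is unchanged).

```yaml
        AND (
          (sr -> 'properties' ->> 'protocol' IN ('Tcp', '*')
            AND (sr -> 'properties' ->> 'destinationPortRange' IN ('139', '*')
              OR sr -> 'properties' -> 'destinationPortRanges' ? '139'))
          OR
          (sr -> 'properties' ->> 'protocol' IN ('Udp', '*')
            AND (sr -> 'properties' ->> 'destinationPortRange' IN ('137', '138', '*')
              OR sr -> 'properties' -> 'destinationPortRanges' ?| array['137', '138']))
        )
        -- … unchanged: direction = 'Inbound' …
```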
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml index 5f4f5c2fa..f8f65ba13 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml 
@@ -1,48 +1,49 @@ id: azure_check_for_unrestricted_oracle_database_access title: Check for Unrestricted Oracle Database Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN - 'The Oracle Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE - 'The Oracle Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND (sr -> 'properties' ->> 'destinationPortRanges' = '1521' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"1521"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*') - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN + 'The Oracle Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE + 'The Oracle Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND (sr -> 'properties' ->> 'destinationPortRanges' = '1521' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"1521"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*') + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml index e93427307..4e891c5e5 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml 
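Review bot: The `sourceAddressPrefix` test in both CASE expressions matches only the literal strings `*`, `any` and `internet`, which misses the other unrestricted sources Azure accepts: the service tag is spelled `Internet` (the comparison is case-sensitive), and `0.0.0.0/0` or `::/0` is just as open yet reports `ok` / "is secured". The plural `sourceAddressPrefixes` array is never examined, so a rule that lists `0.0.0.0/0` there is also reported as secured. I would change the condition to `WHEN lower(sr -> 'properties' ->> 'sourceAddressPrefix') IN ('*', 'any', 'internet', '0.0.0.0/0', '0.0.0.0', '/0', '::/0') OR sr -> 'properties' -> 'sourceAddressPrefixes' ?| array['*', 'Internet', '0.0.0.0/0', '::/0'] THEN 'alarm'` in both places, ideally hoisted into a CTE so the two copies cannot drift.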
@@ -1,49 +1,50 @@ id: azure_check_for_unrestricted_postgresql_database_access title: Check for Unrestricted PostgreSQL Database Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN - 'The PostgreSQL Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The PostgreSQL Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND ( - sr -> 'properties' ->> 'destinationPortRanges' = '5432' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"5432"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*' - ) - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN + 'The PostgreSQL Database inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The PostgreSQL Database inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND ( + sr -> 'properties' ->> 'destinationPortRanges' = '5432' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"5432"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*' + ) + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml index a6b4d8e2d..86c110b9a 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml 
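Review bot: The query emits one row per matching security rule rather than one per NSG, so an NSG that has both a restricted and an open 5432 rule appears twice with contradictory `ok` and `alarm` statuses, and an NSG with no 5432 rule at all produces no row — absence from the result is not evidence of compliance, which the "is secured" wording suggests. Whether the platform tolerates duplicate `resource` values is not visible here; if it does not, I would group by `sg.id` and derive status with `bool_or(<open-source predicate>)`, and add a comment above the SELECT stating that only NSGs with an inbound Allow rule on TCP/5432 are evaluated. The implicit comma join between `azure_network_security_group` and `azure_subscription` would also read more safely as an explicit `INNER JOIN ... ON sub.subscription_id = sg.subscription_id`.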
@@ -1,48 +1,49 @@ id: azure_check_for_unrestricted_rdp_access title: Check for Unrestricted RDP Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol RDP). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The RDP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The RDP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND ( - sr -> 'properties' ->> 'destinationPortRanges' = '3389' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"3389"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*' - ) - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The RDP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The RDP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND ( + sr -> 'properties' ->> 'destinationPortRanges' = '3389' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"3389"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*' + ) + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: critical tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml index b0ea1f06a..855848028 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml 
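Review bot: For a `critical` control the open-source test is too narrow: the CASE expressions flag only `*`, `any` and `internet` as the source, so a rule with `sourceAddressPrefix` of `0.0.0.0/0`, `::/0` or the service tag `Internet` (capitalised; the `=` comparison is case-sensitive) is reported as "RDP inbound access ... is secured". The plural `sourceAddressPrefixes` field is not read at all. I would use `lower(sr -> 'properties' ->> 'sourceAddressPrefix') IN ('*', 'any', 'internet', '0.0.0.0/0', '0.0.0.0', '/0', '::/0')` and add `OR sr -> 'properties' -> 'sourceAddressPrefixes' ?| array['*', 'Internet', '0.0.0.0/0', '::/0']`, and the port match should also read the singular `destinationPortRange` (`IN ('3389', '*')`), since the plural array is only populated for multi-port rules as far as I can tell.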
@@ -1,50 +1,51 @@ id: azure_check_for_unrestricted_rpc_access title: Check for Unrestricted RPC Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 135. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'The RPC inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The RPC inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND ( - sr -> 'properties' ->> 'destinationPortRanges' = '135' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"135"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*' - ) - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'The RPC inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The RPC inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND ( + sr -> 'properties' ->> 'destinationPortRanges' = '135' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"135"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*' + ) + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml index e33b47468..643fe2928 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml 
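Review bot: The `protocol = 'Tcp'` filter excludes rules whose protocol is `*`, which permit TCP/135 just the same, so the most permissive rules are the ones this control cannot see; `IN ('Tcp', '*')` closes that gap. The port match inspects only the plural `destinationPortRanges`, so a single port or `*` in the singular `destinationPortRange` field does not match, and a numeric range such as `100-200` that covers 135 is not recognised by any of the string comparisons. I would use `AND (sr -> 'properties' ->> 'destinationPortRange' IN ('135', '*') OR sr -> 'properties' -> 'destinationPortRanges' ? '135')` and document the range limitation in a `--` comment above the predicate.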
@@ -1,46 +1,47 @@ id: azure_check_for_unrestricted_smtp_access title: Check for Unrestricted SMTP Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 25. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The SMTP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The SMTP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND (sr -> 'properties' ->> 'destinationPortRanges' = '25' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"25"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*') - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'The SMTP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The SMTP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND (sr -> 'properties' ->> 'destinationPortRanges' = '25' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"25"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*') + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: high tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml index 1ceeaf5dc..4197f232e 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml 
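Review bot: The three port comparisons at the end of the WHERE clause target `destinationPortRanges` only; the singular `destinationPortRange`, where a single port such as `25` or the wildcard `*` is normally stored per the ARM schema, is never read, so the common case is not evaluated. Comparing the array's text with `= '25'` or `= '*'` cannot succeed for a JSON array, which leaves `LIKE '%"25"%'` as the only live branch. Suggested replacement: `AND (sr -> 'properties' ->> 'destinationPortRange' IN ('25', '*') OR sr -> 'properties' -> 'destinationPortRanges' ? '25')`, plus `protocol IN ('Tcp', '*')` so any-protocol rules are included.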
@@ -1,47 +1,48 @@ id: azure_check_for_unrestricted_ssh_access title: Check for Unrestricted SSH Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 22. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR - (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN - 'The SSH inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The SSH inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND (sr -> 'properties' ->> 'destinationPortRanges' = '22' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"22"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*') - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') OR + (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') THEN + 'The SSH inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The SSH inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND (sr -> 'properties' ->> 'destinationPortRanges' = '22' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"22"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*') + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: critical tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml index 471ab0750..4d818983e 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml 
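Review bot: This `critical` control has false negatives on every axis of the rule it inspects: the source test misses `Internet` (case-sensitive compare), `0.0.0.0/0`, `::/0` and the plural `sourceAddressPrefixes`; the protocol filter drops `*` rules, which admit TCP/22; and the port test reads only the plural `destinationPortRanges`, not the singular `destinationPortRange` where `22` or `*` is normally set. A rule of `protocol=*`, `sourceAddressPrefix=0.0.0.0/0`, `destinationPortRange=*` — the classic "allow all" — is therefore not reported at all. I would rewrite the predicate and the open-source condition as below (column list and join unchanged); numeric ranges like `20-30` remain unexpanded and should be noted in a comment.

```yaml
        CASE
          WHEN lower(sr -> 'properties' ->> 'sourceAddressPrefix') IN ('*', 'any', 'internet', '0.0.0.0/0', '0.0.0.0', '/0', '::/0')
            OR sr -> 'properties' -> 'sourceAddressPrefixes' ?| array['*', 'Internet', '0.0.0.0/0', '::/0'] THEN 'alarm'
          ELSE 'ok'
        END AS status,
        -- … unchanged: reason CASE (same predicate), resource_group, subscription, FROM …
      WHERE
        sub.subscription_id = sg.subscription_id
        AND sr -> 'properties' ->> 'access' = 'Allow'
        AND sr -> 'properties' ->> 'direction' = 'Inbound'
        -- '*' (any protocol) also admits TCP/22
        AND sr -> 'properties' ->> 'protocol' IN ('Tcp', '*')
        -- single port or wildcard is in the singular field, lists in the plural one
        AND (sr -> 'properties' ->> 'destinationPortRange' IN ('22', '*')
          OR sr -> 'properties' -> 'destinationPortRanges' ? '22')
```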
@@ -1,48 +1,49 @@ id: azure_check_for_unrestricted_telnet_access title: Check for Unrestricted Telnet Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on TCP port 23. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'The Telnet inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The Telnet inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Tcp' - AND (sr -> 'properties' ->> 'destinationPortRanges' = '23' - OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"23"%' - OR sr -> 'properties' ->> 'destinationPortRanges' = '*') - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'The Telnet inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The Telnet inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
+ END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Tcp' + AND (sr -> 'properties' ->> 'destinationPortRanges' = '23' + OR sr -> 'properties' ->> 'destinationPortRanges' LIKE '%"23"%' + OR sr -> 'properties' ->> 'destinationPortRanges' = '*') + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: medium tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml index 29b39180a..fc077597f 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml 
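Review bot: The `severity: medium` kept here looks inconsistent with the sibling SSH and RDP controls, which are `critical` for the same exposure pattern: Telnet on TCP/23 is a cleartext remote shell, so an internet-reachable listener is arguably at least as serious as open SSH, and I would align it to `high` or `critical` unless there is a deliberate rationale worth recording in the description. Separately, the open-source test matches only `*`, `any` and `internet` and the port test reads only the plural `destinationPortRanges`, so a rule with `sourceAddressPrefix` of `0.0.0.0/0` or `Internet`, a `*` protocol, or the port in the singular `destinationPortRange` is reported as secured or not reported; `lower(...) IN (...)` on the source plus `destinationPortRange IN ('23', '*')` would close those gaps.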
@@ -1,45 +1,46 @@ id: azure_check_for_unrestricted_udp_access title: Check for Unrestricted UDP Access +type: control description: Ensure that no network security groups allow unrestricted inbound access on UDP ports. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_security_group - definition: | - SELECT - sg.id AS resource, - sg.platform_integration_id, - sg.platform_resource_id, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') - OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') - THEN 'The UDP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' - ELSE 'The UDP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' 
- END AS reason, - sg.resource_group, - display_name AS subscription - FROM - azure_network_security_group AS sg, - azure_subscription AS sub, - jsonb_array_elements(security_rules) AS sr - WHERE - sub.subscription_id = sg.subscription_id - AND sr -> 'properties' ->> 'access' = 'Allow' - AND sr -> 'properties' ->> 'protocol' = 'Udp' - AND sr -> 'properties' ->> 'direction' = 'Inbound' + language: sql + primary_resource: azure_network_security_group + definition: | + SELECT + sg.id AS resource, + sg.platform_integration_id, + sg.platform_resource_id, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (sr -> 'properties' ->> 'sourceAddressPrefix' = '*') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'any') + OR (sr -> 'properties' ->> 'sourceAddressPrefix' = 'internet') + THEN 'The UDP inbound access to the associated Microsoft Azure virtual machine(s) is not secured.' + ELSE 'The UDP inbound access to the associated Microsoft Azure virtual machine(s) is secured.' + END AS reason, + sg.resource_group, + display_name AS subscription + FROM + azure_network_security_group AS sg, + azure_subscription AS sub, + jsonb_array_elements(security_rules) AS sr + WHERE + sub.subscription_id = sg.subscription_id + AND sr -> 'properties' ->> 'access' = 'Allow' + AND sr -> 'properties' ->> 'protocol' = 'Udp' + AND sr -> 'properties' ->> 'direction' = 'Inbound' severity: medium tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml b/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml index a187e4b0e..e5124f4b4 100644 
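Review bot: The WHERE filter `sr -> 'properties' ->> 'protocol' = 'Udp'` excludes rules whose protocol is `*` (any), so an inbound Allow rule from `*` covering every protocol is never evaluated by this control even though it admits UDP; `AND sr -> 'properties' ->> 'protocol' IN ('Udp', '*')` closes that gap. The source test compares only the scalar `sourceAddressPrefix` against `*`, `any` and `internet`, so a rule that expresses the same exposure as `0.0.0.0/0` (or through the plural `sourceAddressPrefixes` array, if the stored rule uses that form) is reported `ok`, and the comparison is case-sensitive, so if the platform stores the service tag as `Internet` the lowercase literal never matches — wrapping the left side in `lower(...)` and adding `'0.0.0.0/0'` to both CASE conditions would make the check fail closed. Because status is computed per rule while `sg.id` is the resource, one NSG with a mix of open and scoped UDP rules appears as both `ok` and `alarm` rows under the same id.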
--- a/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml +++ b/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml 
@@ -1,83 +1,84 @@ id: azure_enable_azure_network_watcher title: Enable Azure Network Watcher +type: control description: Ensure that Network Watcher is enabled within your Microsoft Azure account subscription. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_subscription - definition: | - WITH regions_nw AS ( - SELECT - subscription_id, - ARRAY_AGG(DISTINCT region) AS regions - FROM - azure_network_watcher - GROUP BY - subscription_id - ) - - SELECT - sub.id AS resource, - sub.platform_integration_id, - sub.platform_resource_id, - CASE - WHEN nw.regions @> ARRAY[ - 'eastus', 'eastus2', 'southcentralus', 'westus2', 'westus3', - 'australiaeast', 'southeastasia', 'northeurope', 'swedencentral', - 'uksouth', 'westeurope', 'centralus', 'southafricanorth', 'centralindia', - 'eastasia', 'japaneast', 'koreacentral', 'canadacentral', 'francecentral', - 'germanywestcentral', 'norwayeast', 'polandcentral', 'switzerlandnorth', - 'uaenorth', 'brazilsouth', 'centraluseuap', 'eastus2euap', 'qatarcentral', - 'centralusstage', 'eastusstage', 'eastus2stage', 'northcentralusstage', - 'southcentralusstage', 'westusstage', 'westus2stage', 'asia', 'asiapacific', - 'australia', 'brazil', 'canada', 'europe', 'france', 'germany', 'global', - 'india', 'japan', 'korea', 'norway', 'singapore', 'southafrica', 'switzerland', - 'uae', 'uk', 'unitedstates', 'unitedstateseuap', 'eastasiastage', - 'southeastasiastage', 'brazilus', 'eastusstg', 'northcentralus', 'westus', - 'jioindiawest', 'southcentralusstg', 'westcentralus', 'southafricawest', - 'australiacentral', 'australiacentral2', 'australiasoutheast', 'japanwest', - 'jioindiacentral', 'koreasouth', 'southindia', 'westindia', 'canadaeast', - 'francesouth', 'germanynorth', 'norwaywest', 'switzerlandwest', 'ukwest', - 'uaecentral', 'brazilsoutheast' - ] - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN nw.regions @> ARRAY[ - 'eastus', 'eastus2', 
'southcentralus', 'westus2', 'westus3', - 'australiaeast', 'southeastasia', 'northeurope', 'swedencentral', - 'uksouth', 'westeurope', 'centralus', 'southafricanorth', 'centralindia', - 'eastasia', 'japaneast', 'koreacentral', 'canadacentral', 'francecentral', - 'germanywestcentral', 'norwayeast', 'polandcentral', 'switzerlandnorth', - 'uaenorth', 'brazilsouth', 'centraluseuap', 'eastus2euap', 'qatarcentral', - 'centralusstage', 'eastusstage', 'eastus2stage', 'northcentralusstage', - 'southcentralusstage', 'westusstage', 'westus2stage', 'asia', 'asiapacific', - 'australia', 'brazil', 'canada', 'europe', 'france', 'germany', 'global', - 'india', 'japan', 'korea', 'norway', 'singapore', 'southafrica', 'switzerland', - 'uae', 'uk', 'unitedstates', 'unitedstateseuap', 'eastasiastage', - 'southeastasiastage', 'brazilus', 'eastusstg', 'northcentralus', 'westus', - 'jioindiawest', 'southcentralusstg', 'westcentralus', 'southafricawest', - 'australiacentral', 'australiacentral2', 'australiasoutheast', 'japanwest', - 'jioindiacentral', 'koreasouth', 'southindia', 'westindia', 'canadaeast', - 'francesouth', 'germanynorth', 'norwaywest', 'switzerlandwest', 'ukwest', - 'uaecentral', 'brazilsoutheast' - ] - THEN 'Network watcher is available for all regions for this subscription.' - ELSE 'Network watcher is not available for all regions for this subscription.' 
- END AS reason, - display_name AS subscription - FROM - azure_subscription AS sub - LEFT JOIN - regions_nw AS nw - ON - sub.subscription_id = nw.subscription_id + language: sql + primary_resource: azure_subscription + definition: | + WITH regions_nw AS ( + SELECT + subscription_id, + ARRAY_AGG(DISTINCT region) AS regions + FROM + azure_network_watcher + GROUP BY + subscription_id + ) + + SELECT + sub.id AS resource, + sub.platform_integration_id, + sub.platform_resource_id, + CASE + WHEN nw.regions @> ARRAY[ + 'eastus', 'eastus2', 'southcentralus', 'westus2', 'westus3', + 'australiaeast', 'southeastasia', 'northeurope', 'swedencentral', + 'uksouth', 'westeurope', 'centralus', 'southafricanorth', 'centralindia', + 'eastasia', 'japaneast', 'koreacentral', 'canadacentral', 'francecentral', + 'germanywestcentral', 'norwayeast', 'polandcentral', 'switzerlandnorth', + 'uaenorth', 'brazilsouth', 'centraluseuap', 'eastus2euap', 'qatarcentral', + 'centralusstage', 'eastusstage', 'eastus2stage', 'northcentralusstage', + 'southcentralusstage', 'westusstage', 'westus2stage', 'asia', 'asiapacific', + 'australia', 'brazil', 'canada', 'europe', 'france', 'germany', 'global', + 'india', 'japan', 'korea', 'norway', 'singapore', 'southafrica', 'switzerland', + 'uae', 'uk', 'unitedstates', 'unitedstateseuap', 'eastasiastage', + 'southeastasiastage', 'brazilus', 'eastusstg', 'northcentralus', 'westus', + 'jioindiawest', 'southcentralusstg', 'westcentralus', 'southafricawest', + 'australiacentral', 'australiacentral2', 'australiasoutheast', 'japanwest', + 'jioindiacentral', 'koreasouth', 'southindia', 'westindia', 'canadaeast', + 'francesouth', 'germanynorth', 'norwaywest', 'switzerlandwest', 'ukwest', + 'uaecentral', 'brazilsoutheast' + ] + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN nw.regions @> ARRAY[ + 'eastus', 'eastus2', 'southcentralus', 'westus2', 'westus3', + 'australiaeast', 'southeastasia', 'northeurope', 'swedencentral', + 'uksouth', 'westeurope', 'centralus', 
'southafricanorth', 'centralindia', + 'eastasia', 'japaneast', 'koreacentral', 'canadacentral', 'francecentral', + 'germanywestcentral', 'norwayeast', 'polandcentral', 'switzerlandnorth', + 'uaenorth', 'brazilsouth', 'centraluseuap', 'eastus2euap', 'qatarcentral', + 'centralusstage', 'eastusstage', 'eastus2stage', 'northcentralusstage', + 'southcentralusstage', 'westusstage', 'westus2stage', 'asia', 'asiapacific', + 'australia', 'brazil', 'canada', 'europe', 'france', 'germany', 'global', + 'india', 'japan', 'korea', 'norway', 'singapore', 'southafrica', 'switzerland', + 'uae', 'uk', 'unitedstates', 'unitedstateseuap', 'eastasiastage', + 'southeastasiastage', 'brazilus', 'eastusstg', 'northcentralus', 'westus', + 'jioindiawest', 'southcentralusstg', 'westcentralus', 'southafricawest', + 'australiacentral', 'australiacentral2', 'australiasoutheast', 'japanwest', + 'jioindiacentral', 'koreasouth', 'southindia', 'westindia', 'canadaeast', + 'francesouth', 'germanynorth', 'norwaywest', 'switzerlandwest', 'ukwest', + 'uaecentral', 'brazilsoutheast' + ] + THEN 'Network watcher is available for all regions for this subscription.' + ELSE 'Network watcher is not available for all regions for this subscription.' + END AS reason, + display_name AS subscription + FROM + azure_subscription AS sub + LEFT JOIN + regions_nw AS nw + ON + sub.subscription_id = nw.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network diff --git a/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml b/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml index 325b8234c..731b52f28 100644 --- a/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml 
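Review bot: The `nw.regions @> ARRAY[...]` containment test requires a Network Watcher in every literal of the hard-coded array, and that array mixes deployable regions with what look like geography aliases and preview/stage locations (`'global'`, `'asia'`, `'europe'`, `'unitedstates'`, the `*stage` and `*euap` entries); if a watcher cannot be created in those locations the condition is never true and every subscription is reported `alarm` regardless of its real coverage. The list will also drift as regions are added or retired. A more durable check compares against the regions the subscription actually uses — for example aggregate `DISTINCT region` from the subscription's virtual networks (assuming `azure_virtual_network` exposes a `region` column the way `azure_network_watcher` does) and test `nw.regions @> used.regions`. If that data is not available, the list should at least be trimmed to regions where a watcher can exist, and the reason should name the regions that are missing rather than only reporting all/not-all.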
+++ b/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml @@ -1,35 +1,36 @@ id: azure_enable_ddos_standard_protection_for_virtual_networks title: Enable DDoS Standard Protection for Virtual Networks +type: control description: Ensure that DDoS standard protection is enabled for production Azure virtual networks. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_virtual_network - definition: | - SELECT - vn.id AS resource, - vn.platform_integration_id, - vn.platform_resource_id, - CASE - WHEN enable_ddos_protection = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_ddos_protection = 'true' THEN 'DDOS Protection is enabled.' - ELSE 'DDOS Protection is not enabled.' - END AS reason, - vn.resource_group, - display_name AS subscription - FROM - azure_virtual_network AS vn, - azure_subscription AS sub - WHERE - sub.subscription_id = vn.subscription_id + language: sql + primary_resource: azure_virtual_network + definition: | + SELECT + vn.id AS resource, + vn.platform_integration_id, + vn.platform_resource_id, + CASE + WHEN enable_ddos_protection = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_ddos_protection = 'true' THEN 'DDOS Protection is enabled.' + ELSE 'DDOS Protection is not enabled.' + END AS reason, + vn.resource_group, + display_name AS subscription + FROM + azure_virtual_network AS vn, + azure_subscription AS sub + WHERE + sub.subscription_id = vn.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network 
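Review bot: The FROM clause `azure_virtual_network AS vn, azure_subscription AS sub WHERE sub.subscription_id = vn.subscription_id` is an implicit inner join, so a virtual network whose subscription has no row in `azure_subscription` silently drops out of the result instead of surfacing as a finding; the recovery-vault controls later in this diff use `LEFT JOIN azure_subscription AS sub ON ...` for the same relationship, which keeps every primary resource in the output. `enable_ddos_protection` and `display_name` are also unqualified, which only works as long as the two tables never share those column names. A minimal change is `FROM azure_virtual_network AS vn LEFT JOIN azure_subscription AS sub ON sub.subscription_id = vn.subscription_id` with `vn.enable_ddos_protection` and `sub.display_name`. The description scopes the control to production networks, but nothing in the query distinguishes production VNets, so either the description or the query should say how that scoping is meant to happen.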
diff --git a/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml b/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml index 22beddac1..53f8575be 100644 --- a/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml +++ b/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml 
@@ -1,35 +1,36 @@ id: azure_review_network_interfaces_with_ip_forwarding_enabled title: Review Network Interfaces with IP Forwarding Enabled +type: control description: Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_network_interface - definition: | - SELECT - ni.id AS resource, - ni.platform_integration_id, - ni.platform_resource_id, - CASE - WHEN enable_ip_forwarding = 'true' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN enable_ip_forwarding = 'true' THEN 'NIC resource must be reviewed in order to decide whether or not IP forwarding is required.' - ELSE 'IP forwarding is not enabled.' - END AS reason, - ni.resource_group, - display_name AS subscription - FROM - azure_network_interface AS ni, - azure_subscription AS sub - WHERE - sub.subscription_id = ni.subscription_id + language: sql + primary_resource: azure_network_interface + definition: | + SELECT + ni.id AS resource, + ni.platform_integration_id, + ni.platform_resource_id, + CASE + WHEN enable_ip_forwarding = 'true' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN enable_ip_forwarding = 'true' THEN 'NIC resource must be reviewed in order to decide whether or not IP forwarding is required.' + ELSE 'IP forwarding is not enabled.' + END AS reason, + ni.resource_group, + display_name AS subscription + FROM + azure_network_interface AS ni, + azure_subscription AS sub + WHERE + sub.subscription_id = ni.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Network - score_service_name: - - Azure Network + platform_score_cloud_service_name: + - Azure Network + score_service_name: + - Azure Network 
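Review bot: The status for `enable_ip_forwarding = 'true'` is `alarm`, yet the reason on the same row says the NIC `must be reviewed in order to decide whether or not IP forwarding is required`, i.e. the finding is an unknown rather than a confirmed failure, and NICs belonging to network virtual appliances that legitimately forward will fail this control permanently. If the platform's status vocabulary has an informational state, `THEN 'info'` would match the description ("regularly reviewed") better than `'alarm'`; otherwise the description should state that forwarding is treated as non-compliant until an exception is recorded. The same implicit comma join with `azure_subscription` as in the DDoS control applies here and drops NICs whose subscription row is missing.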
diff --git a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml index 2753dee1f..2f43c21e5 100644 --- a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml +++ b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml 
@@ -1,37 +1,38 @@ id: azure_recovery_service_vault_alert_for_job_failures_enabled title: Recovery Service Vault alert for job failures enabled +type: control description: Ensure all Recovery Service Vaults alert for job failures are enabled integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - SELECT - v.id AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN v.platform_resource_description -> 'Vault' -> 'Properties' -> 'MonitoringSettings' -> 'AzureMonitorAlertSettings' ->> 'AlertsForAllJobFailures' = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.platform_resource_description -> 'Vault' -> 'Properties' -> 'MonitoringSettings' -> 'AzureMonitorAlertSettings' ->> 'AlertsForAllJobFailures' = 'Enabled' THEN v.name || ' alert for job failures is enabled.' - ELSE v.name || ' alert for job failures is not enabled.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_recovery_services_vault AS v - LEFT JOIN azure_subscription sub ON sub.subscription_id = v.subscription_id; + language: sql + primary_resource: azure_recovery_services_vault + definition: | + SELECT + v.id AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN v.platform_resource_description -> 'Vault' -> 'Properties' -> 'MonitoringSettings' -> 'AzureMonitorAlertSettings' ->> 'AlertsForAllJobFailures' = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.platform_resource_description -> 'Vault' -> 'Properties' -> 'MonitoringSettings' -> 'AzureMonitorAlertSettings' ->> 'AlertsForAllJobFailures' = 'Enabled' THEN v.name || ' alert for job failures is enabled.' + ELSE v.name || ' alert for job failures is not enabled.' 
+ END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_recovery_services_vault AS v + LEFT JOIN azure_subscription sub ON sub.subscription_id = v.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Recovery Services - platform_score_use_case: - - Lacking High Availability - score_service_name: - - Azure Recovery Services - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - Azure Recovery Services + platform_score_use_case: + - Lacking High Availability + score_service_name: + - Azure Recovery Services + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml index ff44972e0..1fd1f734b 100644 --- a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml +++ b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml 
@@ -1,41 +1,42 @@ id: azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted title: Recovery Service Vault not publicly accessible and not encrypted +type: control description: Ensure Recovery Service Vaults are not publicly accessible and not encrypted integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_recovery_services_vault - definition: | - SELECT - v.id AS resource, - v.platform_resource_id, - v.platform_integration_id, - CASE - WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL - AND v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled' - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL - AND v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled' - THEN v.name || ' is not encrypted and publicly accessible.' - ELSE v.name || ' is not publicly accessible.' - END AS reason, - v.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_recovery_services_vault AS v - LEFT JOIN azure_subscription AS sub ON sub.subscription_id = v.subscription_id + language: sql + primary_resource: azure_recovery_services_vault + definition: | + SELECT + v.id AS resource, + v.platform_resource_id, + v.platform_integration_id, + CASE + WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL + AND v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled' + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL + AND v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled' + THEN v.name || ' is not encrypted and publicly accessible.' 
+ ELSE v.name || ' is not publicly accessible.' + END AS reason, + v.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_recovery_services_vault AS v + LEFT JOIN azure_subscription AS sub ON sub.subscription_id = v.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Recovery Services - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure Recovery Services - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure Recovery Services + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure Recovery Services + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml index 1b9d71ef4..bf0061b91 100644 --- a/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml 
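Review bot: The alarm condition requires both `Encryption IS NULL` and `PublicNetworkAccess = 'Enabled'` to hold at once, so a vault that is publicly reachable but carries an encryption block, or one with no encryption block but private access only, is reported `ok` — and the ELSE reason then asserts it `is not publicly accessible` even when `PublicNetworkAccess` is `Enabled`. The title and description read as two independent requirements, so the conditions should be ORed and the reason should name which one failed. The description also says vaults should be "not encrypted", which appears to be a typo for "encrypted". Whether a missing `Encryption` property means no customer-managed key rather than no encryption at all is not visible here and is worth confirming before the reason text calls a vault "not encrypted".
```sql
CASE
  WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled'
    OR v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL
  THEN 'alarm'
  ELSE 'ok'
END AS status,
CASE
  WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled'
    AND v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL
  THEN v.name || ' is publicly accessible and has no encryption configuration.'
  WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'PublicNetworkAccess' = 'Enabled'
  THEN v.name || ' is publicly accessible.'
  WHEN v.platform_resource_description -> 'Vault' -> 'Properties' ->> 'Encryption' IS NULL
  THEN v.name || ' has no encryption configuration.'
  ELSE v.name || ' is not publicly accessible and has encryption configured.'
END AS reason,
-- … unchanged: resource_group, subscription, FROM azure_recovery_services_vault / LEFT JOIN azure_subscription …
```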
@@ -1,39 +1,40 @@ id: azure_enable_auditing_for_sql_servers title: Enable Auditing for SQL Servers +type: control description: Ensure that database auditing is enabled at the Azure SQL database server level. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'advanced data security is disabled.' - ELSE 'advanced data security is enabled.' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN - azure_subscription AS sub ON s.subscription_id = sub.subscription_id, - jsonb_array_elements(server_security_alert_policy) AS security + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN security -> 'properties' ->> 'state' = 'Disabled' THEN 'advanced data security is disabled.' + ELSE 'advanced data security is enabled.' 
+ END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN + azure_subscription AS sub ON s.subscription_id = sub.subscription_id, + jsonb_array_elements(server_security_alert_policy) AS security severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Managed SQL Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Managed SQL Service + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml index 9222ceb08..ebbed0f28 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml 
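Review bot: The status is `alarm` only when `security -> 'properties' ->> 'state' = 'Disabled'`, so a policy element with a NULL or unexpected `state` (for instance a not-yet-configured value, if the API emits one) falls through to `ok`; inverting the test to `WHEN security -> 'properties' ->> 'state' IS DISTINCT FROM 'Enabled' THEN 'alarm'` fails closed instead. Because the policy array is expanded with `jsonb_array_elements(server_security_alert_policy)` as an inner cross join, a server whose array is empty or NULL yields no row at all and is never assessed. Separately, the file is `azure_advanced_data_security_for_sql_servers.yaml` and the reason text speaks of advanced data security, while `id` and `title` are `azure_enable_auditing_for_sql_servers` / "Enable Auditing for SQL Servers" and the description is about database auditing; if an auditing control with that id exists elsewhere the ids collide, and either way the metadata describes a different check than the query performs.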
@@ -1,39 +1,40 @@ id: azure_check_for_publicly_accessible_sql_servers title: Check for Publicly Accessible SQL Servers +type: control description: Ensure that Azure SQL database servers are accessible via private endpoints only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - a.name AS resource, - a.platform_resource_id, - a.platform_integration_id, - CASE - WHEN public_network_access != 'Disabled' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN public_network_access != 'Disabled' THEN a.name || ' not uses private link.' - ELSE a.name || ' uses private link.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS a, - azure_subscription AS sub - WHERE - sub.subscription_id = a.subscription_id; + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + a.name AS resource, + a.platform_resource_id, + a.platform_integration_id, + CASE + WHEN public_network_access != 'Disabled' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN public_network_access != 'Disabled' THEN a.name || ' not uses private link.' + ELSE a.name || ' uses private link.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS a, + azure_subscription AS sub + WHERE + sub.subscription_id = a.subscription_id; severity: high tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Managed SQL Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Managed SQL Service + score_tags: + - Exposed Endpoints 
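Review bot: `public_network_access != 'Disabled'` evaluates to NULL when `public_network_access` is NULL, so a server with a missing value takes the ELSE branch and is reported `ok` with the reason `uses private link`; `WHEN public_network_access IS DISTINCT FROM 'Disabled' THEN 'alarm'` makes an unknown value fail closed. The reason strings also overstate what is tested: disabling public network access does not by itself show that a private endpoint exists, so `a.name || ' has public network access enabled.'` / `a.name || ' has public network access disabled.'` (which also fixes the grammar of "not uses") would describe the actual check. The comma join with `azure_subscription` drops servers that have no matching subscription row from the output.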
diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml index b95a3bbda..5c81970fc 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml 
@@ -1,38 +1,39 @@ id: azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period title: Check for Sufficient Point in Time Restore (PITR) Backup Retention Period +type: control description: Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureDatabaseServerRetentionPeriodDays - value: '7' +- key: azureDatabaseServerRetentionPeriodDays + value: "7" policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN (p -> 'properties' ->> 'retentionDays')::int < '{{.azureDatabaseServerRetentionPeriodDays}}'::int THEN 'alarm' - ELSE 'ok' - END AS status, - name || ' backup retention period set to ' || (p -> 'properties' ->> 'retentionDays') || '.' AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub - ON s.subscription_id = sub.subscription_id, - jsonb_array_elements(server_audit_policy) AS p + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN (p -> 'properties' ->> 'retentionDays')::int < '{{.azureDatabaseServerRetentionPeriodDays}}'::int THEN 'alarm' + ELSE 'ok' + END AS status, + name || ' backup retention period set to ' || (p -> 'properties' ->> 'retentionDays') || '.' 
AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub + ON s.subscription_id = sub.subscription_id, + jsonb_array_elements(server_audit_policy) AS p severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Missing Backup - score_service_name: - - Azure Managed SQL Service - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Missing Backup + score_service_name: + - Azure Managed SQL Service + score_tags: + - Missing Backup diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml index dacc79c0f..37d075a55 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml 
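Review bot: The retention value is read from `jsonb_array_elements(server_audit_policy) AS p` via `p -> 'properties' ->> 'retentionDays'`, which is the server auditing (audit-log) retention, not the point-in-time-restore backup retention that the title, description, reason text and `Missing Backup` tags describe; as written the control reports audit-log retention under a "backup retention period" label and says nothing about PITR. PITR short-term retention is configured per database, so the control likely needs a database-level source rather than `azure_sql_server`; that table is not visible in this diff, so I cannot name it here. If audit retention is what is intended, the metadata should be renamed to match, and note that a `retentionDays` of 0 in Azure SQL auditing is commonly documented as unlimited retention, which `::int < 7` would flag as insufficient.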
@@ -1,43 +1,44 @@ id: azure_check_for_unrestricted_sql_database_access title: Check for Unrestricted SQL Database Access +type: control description: Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN s.public_network_access = 'Enabled' - AND (r -> 'properties' ->> 'startIpAddress' = '0.0.0.0') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN s.public_network_access = 'Enabled' - AND (r -> 'properties' ->> 'startIpAddress' = '0.0.0.0') THEN - 'allows unrestricted ingress/inbound access for all the SQL databases hosted on the server.' - ELSE - 'does not allow unrestricted ingress/inbound access for all the SQL databases hosted on the server.' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub - ON s.subscription_id = sub.subscription_id, - jsonb_array_elements(firewall_rules) AS r + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN s.public_network_access = 'Enabled' + AND (r -> 'properties' ->> 'startIpAddress' = '0.0.0.0') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN s.public_network_access = 'Enabled' + AND (r -> 'properties' ->> 'startIpAddress' = '0.0.0.0') THEN + 'allows unrestricted ingress/inbound access for all the SQL databases hosted on the server.' + ELSE + 'does not allow unrestricted ingress/inbound access for all the SQL databases hosted on the server.' 
+ END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub + ON s.subscription_id = sub.subscription_id, + jsonb_array_elements(firewall_rules) AS r severity: critical tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Managed SQL Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Managed SQL Service + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml b/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml index 6a813144d..36092b74d 100644 --- a/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml +++ b/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml 
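Review bot: The firewall test looks only at `r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'`, so a rule spanning 0.0.0.0–0.0.0.0 (the form Azure uses for the "Allow Azure services" setting) gets the same "unrestricted ingress" reason as a 0.0.0.0–255.255.255.255 rule, while a rule such as 0.0.0.1–255.255.255.255 is reported `ok`. Checking `endIpAddress` as well separates the cases: add `AND r -> 'properties' ->> 'endIpAddress' = '255.255.255.255'` for the genuinely open range, with a distinct condition and reason for `startIpAddress = '0.0.0.0' AND endIpAddress = '0.0.0.0'` if the Azure-services rule should also be flagged. Because status is computed per firewall rule but `name AS resource` is the server, a server with one open rule and several scoped rules yields both `alarm` and `ok` rows for the same resource; aggregating with `bool_or(...)` grouped by server would give one verdict per primary resource. The reason strings also omit the server name, unlike the other SQL controls in this diff.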
@@ -1,45 +1,46 @@ id: azure_configure_audit_action_group_for_sql_server_auditing title: Configure "AuditActionGroup" for SQL Server Auditing +type: control description: Ensure that "AuditActionGroup" property is well configured at the Azure SQL database server level. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN ( - SELECT ARRAY_AGG(g) - FROM jsonb_array_elements_text(ap -> 'properties' -> 'auditActionsAndGroups') AS g - ) @> ARRAY['SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP', 'BATCH_COMPLETED_GROUP'] - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ( - SELECT ARRAY_AGG(g) - FROM jsonb_array_elements_text(ap -> 'properties' -> 'auditActionsAndGroups') AS g - ) @> ARRAY['SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP', 'BATCH_COMPLETED_GROUP'] - THEN 'AuditActionGroup property configuration for the selected Microsoft Azure SQL database server is compliant' - ELSE 'AuditActionGroup property configuration for the selected Microsoft Azure SQL database server is not compliant' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN - azure_subscription AS sub - ON - s.subscription_id = sub.subscription_id, - jsonb_array_elements(server_audit_policy) AS ap + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN ( + SELECT ARRAY_AGG(g) + FROM jsonb_array_elements_text(ap -> 'properties' -> 'auditActionsAndGroups') AS g + ) @> ARRAY['SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP', 'BATCH_COMPLETED_GROUP'] + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ( + SELECT 
ARRAY_AGG(g) + FROM jsonb_array_elements_text(ap -> 'properties' -> 'auditActionsAndGroups') AS g + ) @> ARRAY['SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP', 'BATCH_COMPLETED_GROUP'] + THEN 'AuditActionGroup property configuration for the selected Microsoft Azure SQL database server is compliant' + ELSE 'AuditActionGroup property configuration for the selected Microsoft Azure SQL database server is not compliant' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN + azure_subscription AS sub + ON + s.subscription_id = sub.subscription_id, + jsonb_array_elements(server_audit_policy) AS ap severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - score_service_name: - - Azure Managed SQL Service + platform_score_cloud_service_name: + - Azure Managed SQL Service + score_service_name: + - Azure Managed SQL Service diff --git a/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml b/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml index 38bcd441d..559ff507e 100644 --- a/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml +++ b/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml 
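Review bot: The `SELECT ARRAY_AGG(g) ... @> ARRAY[...]` subquery is written twice on the new side, once for `status` and once for `reason`, so the two predicates can drift apart; computing it once in a LATERAL subquery or CTE (e.g. a `has_required_groups` boolean) and referencing that in both CASE expressions keeps them in lock-step. The automatic-tuning hunk further down duplicates its four-way OR predicate in the same way. Separately, the comma join with `jsonb_array_elements(server_audit_policy)` yields no row for a server with no audit policy, so those servers silently vanish from the results instead of reaching the `'alarm'` branch.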
@@ -1,38 +1,39 @@ id: azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts title: Configure Emails for Vulnerability Assessment Scan Reports and Alerts +type: control description: Ensure that "Send scan reports to" setting is configured for SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN vs -> 'properties' -> 'recurringScans' ->> 'emails' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vs -> 'properties' -> 'recurringScans' ->> 'emails' IS NULL THEN 'allows unrestricted ingress/inbound access for all the SQL databases hosted on the server.' - ELSE 'does not allow unrestricted ingress/inbound access for all the SQL databases hosted on the server.' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id, - JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) AS vs + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN vs -> 'properties' -> 'recurringScans' ->> 'emails' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vs -> 'properties' -> 'recurringScans' ->> 'emails' IS NULL THEN 'allows unrestricted ingress/inbound access for all the SQL databases hosted on the server.' + ELSE 'does not allow unrestricted ingress/inbound access for all the SQL databases hosted on the server.' 
+ END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id, + JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) AS vs severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Managed SQL Service - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Managed SQL Service + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml index 3edbda3f7..be546a57f 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml 
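Review bot: Both `reason` strings on the new side are copied from the unrestricted-access control and talk about "unrestricted ingress/inbound access", which has nothing to do with the `emails` setting this control evaluates. Suggested replacement: `THEN name || ' does not have vulnerability assessment scan report recipients configured.'` and `ELSE name || ' has vulnerability assessment scan report recipients configured.'`. Also, `->> 'emails' IS NULL` is only true when the key is absent or JSON null; if the API returns an empty array, the text `'[]'` is not NULL and the control reports ok — worth confirming, and if so adding `OR jsonb_array_length(vs -> 'properties' -> 'recurringScans' -> 'emails') = 0` to the alarm condition.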
@@ -1,40 +1,41 @@ id: azure_enable_all_types_of_threat_detection_on_sql_servers title: Enable All Types of Threat Detection on SQL Servers +type: control description: Enable all types of threat detection for your Microsoft Azure SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN alert_length = 1 AND disabled_alerts = '' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN alert_length = 1 AND disabled_alerts = '' THEN 'send notification alerts for all types of threats detected for the selected SQL server.' - ELSE 'does not send notification alerts for all types of threats detected for the selected SQL server.' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id, - jsonb_array_elements(server_security_alert_policy) AS security, - jsonb_array_elements_text(security -> 'properties' -> 'disabledAlerts') AS disabled_alerts, - jsonb_array_length(security -> 'properties' -> 'disabledAlerts') AS alert_length + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN alert_length = 1 AND disabled_alerts = '' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN alert_length = 1 AND disabled_alerts = '' THEN 'send notification alerts for all types of threats detected for the selected SQL server.' + ELSE 'does not send notification alerts for all types of threats detected for the selected SQL server.' 
+ END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id, + jsonb_array_elements(server_security_alert_policy) AS security, + jsonb_array_elements_text(security -> 'properties' -> 'disabledAlerts') AS disabled_alerts, + jsonb_array_length(security -> 'properties' -> 'disabledAlerts') AS alert_length severity: high tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure Managed SQL Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure Managed SQL Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml index fb699e0ac..3b67c24c1 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml 
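Review bot: Unnesting `disabledAlerts` with `jsonb_array_elements_text(...) AS disabled_alerts` in the FROM list means a server whose `disabledAlerts` is an empty array produces zero rows, so a server with every alert enabled is dropped from the output rather than reported ok, and the `alert_length = 1 AND disabled_alerts = ''` predicate only recognises the one-element `[""]` representation. Evaluating the array directly avoids both problems: `WHEN jsonb_array_length(security -> 'properties' -> 'disabledAlerts') = 0 OR (jsonb_array_length(security -> 'properties' -> 'disabledAlerts') = 1 AND security -> 'properties' -> 'disabledAlerts' ->> 0 = '') THEN 'ok'` in both CASE expressions, with the `disabled_alerts` and `alert_length` FROM items removed. The policy's own enabled/disabled state is not consulted either; presumably a disabled alert policy should alarm regardless of its `disabledAlerts` list — confirm against the column's schema.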
@@ -1,43 +1,44 @@ id: azure_enable_all_types_of_threat_detection_on_sql_servers title: Enable All Types of Threat Detection on SQL Servers +type: control description: Enable all types of threat detection for your Microsoft Azure SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_audit_enabled AS ( - SELECT DISTINCT id - FROM azure_sql_server AS s, - jsonb_array_elements(server_audit_policy) AS audit - WHERE audit -> 'properties' ->> 'state' = 'Enabled' - ) - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN a.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN a.id IS NOT NULL THEN 'auditing is enabled for server.' - ELSE 'auditing is not enabled for server.' - END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id - LEFT JOIN sql_server_audit_enabled AS a ON LOWER(s.id) = LOWER(a.id); + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_audit_enabled AS ( + SELECT DISTINCT id + FROM azure_sql_server AS s, + jsonb_array_elements(server_audit_policy) AS audit + WHERE audit -> 'properties' ->> 'state' = 'Enabled' + ) + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN a.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN a.id IS NOT NULL THEN 'auditing is enabled for server.' + ELSE 'auditing is not enabled for server.' 
+ END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id + LEFT JOIN sql_server_audit_enabled AS a ON LOWER(s.id) = LOWER(a.id); severity: high tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure Managed SQL Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure Managed SQL Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml b/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml index 8e2ec3011..e433e8802 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml 
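Review bot: The metadata on the new side of this hunk (`id: azure_enable_all_types_of_threat_detection_on_sql_servers`, the title and the description) is copied from the threat-detection control in the previous file, although this file is `azure_enable_auditing_for_sql_servers.yaml` and its query evaluates `server_audit_policy`; two controls now share one `id`, which will collide in whatever indexes them. Suggested: `id: azure_enable_auditing_for_sql_servers`, `title: Enable Auditing for SQL Servers`, and a description along the lines of "Ensure that auditing is enabled for your Microsoft Azure SQL database servers." The `Problem Identities` tags may also have come along with the copy and are worth re-checking.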
@@ -1,40 +1,41 @@ id: azure_enable_auto_failover_groups title: Enable Auto-Failover Groups +type: control description: Ensure that your Azure SQL database servers are configured to use auto-failover groups. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN failover_groups IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN failover_groups IS NULL THEN 'Automatic Failover Group feature is not enabled.' - ELSE 'Automatic Failover Group feature is enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN - azure_subscription AS sub - ON - s.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN failover_groups IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN failover_groups IS NULL THEN 'Automatic Failover Group feature is not enabled.' + ELSE 'Automatic Failover Group feature is enabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN + azure_subscription AS sub + ON + s.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Missing Backup - score_service_name: - - Azure Managed SQL Service - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Missing Backup + score_service_name: + - Azure Managed SQL Service + score_tags: + - Missing Backup 
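Review bot: `failover_groups IS NULL` is the only condition on the new side; if the column holds an empty JSON array for servers that have no failover group configured, `IS NULL` is false and the server is reported ok. If that representation occurs, `WHEN failover_groups IS NULL OR jsonb_array_length(failover_groups) = 0 THEN 'alarm'` covers both. The reason strings also lack the `s.name ||` prefix that the sibling MySQL and TDE controls in this diff use, so the message cannot be read on its own.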
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml index e7bab9efb..8db9d0cc2 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml 
@@ -1,43 +1,44 @@ id: azure_enable_automatic_tuning_for_sql_database_servers title: Enable Automatic Tuning for SQL Database Servers +type: control description: Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN s.automatic_tuning -> 'properties' -> 'options' -> 'forceLastGoodPlan' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'dropIndex' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'createIndex' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'maintainIndex' ->> 'actualState' = 'On' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN s.automatic_tuning -> 'properties' -> 'options' -> 'forceLastGoodPlan' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'dropIndex' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'createIndex' ->> 'actualState' = 'On' - OR s.automatic_tuning -> 'properties' -> 'options' -> 'maintainIndex' ->> 'actualState' = 'On' THEN 'Automatic Tuning feature is enabled.' - ELSE 'Automatic Tuning feature is not enabled.' 
- END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN s.automatic_tuning -> 'properties' -> 'options' -> 'forceLastGoodPlan' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'dropIndex' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'createIndex' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'maintainIndex' ->> 'actualState' = 'On' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN s.automatic_tuning -> 'properties' -> 'options' -> 'forceLastGoodPlan' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'dropIndex' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'createIndex' ->> 'actualState' = 'On' + OR s.automatic_tuning -> 'properties' -> 'options' -> 'maintainIndex' ->> 'actualState' = 'On' THEN 'Automatic Tuning feature is enabled.' + ELSE 'Automatic Tuning feature is not enabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Missing Backup - score_service_name: - - Azure Managed SQL Service - score_tags: - - Missing Backup + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Missing Backup + score_service_name: + - Azure Managed SQL Service + score_tags: + - Missing Backup 
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml index 9c0a7f828..51026d541 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml 
@@ -1,36 +1,37 @@ id: azure_enable_in_transit_encryption_for_mysql_servers title: Enable In-Transit Encryption for MySQL Servers +type: control description: Ensure that in-transit encryption is enabled for your Azure MySQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_mysql_server - definition: | - SELECT - s.name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN ssl_enforcement = 'Enabled' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ssl_enforcement = 'Enabled' THEN s.name || ' encryption in transit using Secure Sockets Layer (SSL) is enabled.' - ELSE s.name || ' encryption in transit using Secure Sockets Layer (SSL) is not enabled.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_mysql_server AS s - LEFT JOIN - azure_subscription AS sub - ON - s.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_mysql_server + definition: | + SELECT + s.name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN ssl_enforcement = 'Enabled' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ssl_enforcement = 'Enabled' THEN s.name || ' encryption in transit using Secure Sockets Layer (SSL) is enabled.' + ELSE s.name || ' encryption in transit using Secure Sockets Layer (SSL) is not enabled.' + END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_mysql_server AS s + LEFT JOIN + azure_subscription AS sub + ON + s.subscription_id = sub.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Database for MySQL - score_service_name: - - Azure Database for MySQL + platform_score_cloud_service_name: + - Azure Database for MySQL + score_service_name: + - Azure Database for MySQL 
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml b/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml index d817702f9..5f521fe07 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml 
@@ -1,40 +1,41 @@ id: azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys title: Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys +type: control description: Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - SELECT - s.id AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN encryption ->> 'kind' = 'servicemanaged' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption ->> 'kind' = 'servicemanaged' THEN s.name || ' TDE protector not encrypted with CMK.' - ELSE s.name || ' TDE protector encrypted with CMK.' - END AS reason, - s.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - WHERE - sub.subscription_id = s.subscription_id + language: sql + primary_resource: azure_sql_server + definition: | + SELECT + s.id AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN encryption ->> 'kind' = 'servicemanaged' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption ->> 'kind' = 'servicemanaged' THEN s.name || ' TDE protector not encrypted with CMK.' + ELSE s.name || ' TDE protector encrypted with CMK.' 
+ END AS reason, + s.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_sql_server s, + jsonb_array_elements(encryption_protector) encryption, + azure_subscription sub + WHERE + sub.subscription_id = s.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Tolerate Failures - score_service_name: - - Azure Managed SQL Service - score_tags: - - Tolerate Failures + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Tolerate Failures + score_service_name: + - Azure Managed SQL Service + score_tags: + - Tolerate Failures diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml index 2dc5c03ec..8f34d5022 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml 
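Review bot: The FROM clause on the new side uses a comma join `azure_sql_server s, jsonb_array_elements(encryption_protector) encryption, azure_subscription sub` with the subscription match in WHERE, which is an inner join: a server whose subscription row is absent, or whose `encryption_protector` is NULL or empty, disappears from the results instead of being reported, unlike the sibling controls that `LEFT JOIN azure_subscription`. Rewriting as `FROM azure_sql_server AS s LEFT JOIN LATERAL jsonb_array_elements(encryption_protector) AS encryption ON TRUE LEFT JOIN azure_subscription AS sub ON sub.subscription_id = s.subscription_id` keeps every server row. The description speaks of SQL managed instances while `primary_resource` is `azure_sql_server`; one of the two should be corrected. `encryption ->> 'kind' = 'servicemanaged'` is a case-sensitive comparison — if the API can return mixed case, wrap the left side in `LOWER()`.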
@@ -1,45 +1,46 @@ id: azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners title: Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners +type: control description: Ensure that the Vulnerability Assessment setting "Also send email notification to admins and subscription owners" is enabled for your Microsoft SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_va AS ( - SELECT - DISTINCT id - FROM - azure_sql_server AS s, - JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) AS va - WHERE - va -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'true' - ) - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN v.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment Email Notifications is enabled' - ELSE 'Vulnerability Assessment Email Notifications is not enabled' - END AS reason - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id - LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_va AS ( + SELECT + DISTINCT id + FROM + azure_sql_server AS s, + JSONB_ARRAY_ELEMENTS(server_vulnerability_assessment) AS va + WHERE + va -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'true' + ) + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN v.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment Email Notifications is enabled' + ELSE 'Vulnerability Assessment Email Notifications is not enabled' + END AS reason + FROM + azure_sql_server AS s + LEFT JOIN 
azure_subscription AS sub ON s.subscription_id = sub.subscription_id + LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure Managed SQL Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure Managed SQL Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml index 3ad3e3642..989192c04 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml 
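Review bot: The outer SELECT on the new side ends at `END AS reason` and omits the `resource_group` and `subscription` columns that every other control in this diff emits, yet still `LEFT JOIN`s `azure_subscription AS sub`, so that join is dead weight. Adding `, resource_group AS resource_group, sub.display_name AS subscription` after `END AS reason` restores the common column set. The same omission is present in the next two hunks (`azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml` and `azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml`).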
@@ -1,45 +1,46 @@ id: azure_enable_vulnerability_assessment_for_microsoft_sql_servers title: Enable Vulnerability Assessment for Microsoft SQL Servers +type: control description: Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_va AS ( - SELECT - DISTINCT id - FROM - azure_sql_server AS s, - jsonb_array_elements(server_vulnerability_assessment) AS va - WHERE - va -> 'properties' -> 'storageContainerPath' IS NOT NULL - ) - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN v.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment is enabled' - ELSE 'Vulnerability Assessment Recurring is not enabled' - END AS reason - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id - LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_va AS ( + SELECT + DISTINCT id + FROM + azure_sql_server AS s, + jsonb_array_elements(server_vulnerability_assessment) AS va + WHERE + va -> 'properties' -> 'storageContainerPath' IS NOT NULL + ) + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN v.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment is enabled' + ELSE 'Vulnerability Assessment Recurring is not enabled' + END AS reason + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id + LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) severity: medium tags: - platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Problem 
Identities - score_service_name: - - Azure Managed SQL Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure Managed SQL Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml index 5062b7d2a..13b706c72 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml 
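Review bot: The alarm reason on the new side, `'Vulnerability Assessment Recurring is not enabled'`, was evidently copied from the recurring-scans control, while the ok branch and the control itself concern Vulnerability Assessment being enabled at all (`storageContainerPath` present). Suggested: `ELSE 'Vulnerability Assessment is not enabled'`.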
@@ -1,45 +1,46 @@ id: azure_enable_vulnerability_assessment_periodic_recurring_scans title: Enable Vulnerability Assessment Periodic Recurring Scans +type: control description: Ensure that the Vulnerability Assessment Periodic Recurring Scans setting is enabled for SQL database servers. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_sql_server - definition: | - WITH sql_server_va AS ( - SELECT - DISTINCT id - FROM - azure_sql_server AS s, - jsonb_array_elements(server_vulnerability_assessment) AS va - WHERE - va -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' - ) - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN v.id IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment Recurring Scan is enabled' - ELSE 'Vulnerability Assessment Recurring Scan is not enabled' - END AS reason - FROM - azure_sql_server AS s - LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id - LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) + language: sql + primary_resource: azure_sql_server + definition: | + WITH sql_server_va AS ( + SELECT + DISTINCT id + FROM + azure_sql_server AS s, + jsonb_array_elements(server_vulnerability_assessment) AS va + WHERE + va -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' + ) + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN v.id IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN v.id IS NOT NULL THEN 'Vulnerability Assessment Recurring Scan is enabled' + ELSE 'Vulnerability Assessment Recurring Scan is not enabled' + END AS reason + FROM + azure_sql_server AS s + LEFT JOIN azure_subscription AS sub ON s.subscription_id = sub.subscription_id + LEFT JOIN sql_server_va AS v ON LOWER(s.id) = LOWER(v.id) severity: medium tags: - 
platform_score_cloud_service_name: - - Azure Managed SQL Service - platform_score_use_case: - - Problem Identities - score_service_name: - - Azure Managed SQL Service - score_tags: - - Problem Identities + platform_score_cloud_service_name: + - Azure Managed SQL Service + platform_score_use_case: + - Problem Identities + score_service_name: + - Azure Managed SQL Service + score_tags: + - Problem Identities diff --git a/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml b/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml index e33caf188..492db8e01 100644 --- a/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml +++ b/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml 
@@ -1,37 +1,38 @@
 id: azure_restrict_default_network_access_for_azure_cosmos_db_accounts
 title: Restrict Default Network Access for Azure Cosmos DB Accounts
+type: control
 description: Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB account configuration.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_cosmosdb_account
- definition: |
- SELECT
- name AS resource,
- a.platform_resource_id,
- a.platform_integration_id,
- CASE
- WHEN NOT is_virtual_network_filter_enabled AND ip_rules IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN NOT is_virtual_network_filter_enabled AND ip_rules IS NULL THEN 'all networks can access'
- ELSE name || ' network access is filtered'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_cosmosdb_account AS a
- LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_cosmosdb_account
+ definition: |
+ SELECT
+ name AS resource,
+ a.platform_resource_id,
+ a.platform_integration_id,
+ CASE
+ WHEN NOT is_virtual_network_filter_enabled AND ip_rules IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN NOT is_virtual_network_filter_enabled AND ip_rules IS NULL THEN 'all networks can access'
+ ELSE name || ' network access is filtered'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_cosmosdb_account AS a
+ LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Managed SQL Service
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Managed SQL Service
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Managed SQL Service
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Managed SQL Service
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml b/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
index 8f0e47622..f6c8dffb5 100644
--- a/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
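Review bot: The alarm predicate `NOT is_virtual_network_filter_enabled AND ip_rules IS NULL` fails open: when `is_virtual_network_filter_enabled` is NULL the whole condition is UNKNOWN, the CASE falls through to `ELSE 'ok'`, and an account with no filter configured is reported as 'network access is filtered'. Prefer `WHEN NOT COALESCE(is_virtual_network_filter_enabled, false) AND ip_rules IS NULL THEN 'alarm'`, and if the collector stores an empty list rather than NULL for `ip_rules` (not visible here) treat that the same as NULL. The same NULL-passes-silently shape recurs in azure_use_byok_for_transparent_data_encryption (`ELSE 'ok'` when kind is NULL), azure_disable_public_access_to_storage_accounts_with_blob_containers (`WHEN allow_blob_public_access`), azure_enable_blob_storage_lifecycle_management (`= '{}'`), azure_enable_immutable_blob_storage (`= 'false' AND ... = 'false'`) and azure_enable_logging_for_azure_storage_blob_service (`->> 'Read' = 'false' ...`). azure_enable_infrastructure_encryption in this batch already handles it with `IS NULL OR ... = 'false'` and is the pattern to copy.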
@@ -1,41 +1,42 @@
 id: azure_sql_auditing_retention
 title: SQL Auditing Retention
+type: control
 description: Ensure that SQL database auditing has a sufficient log data retention period configured.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_server
- definition: |
- SELECT
- name AS resource,
- s.platform_resource_id,
- s.platform_integration_id,
- CASE
- WHEN (ap -> 'properties' ->> 'retentionDays')::INT = 0 THEN 'ok'
- WHEN (ap -> 'properties' ->> 'retentionDays')::INT >= 90 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (ap -> 'properties' ->> 'retentionDays')::INT = 0 THEN 'server has unlimited retention'
- WHEN (ap -> 'properties' ->> 'retentionDays')::INT >= 90 THEN 'server has a sufficient retention period'
- ELSE 'server does not have a sufficient log data retention period currently configured.'
- END AS reason
- FROM
- azure_sql_server AS s
- LEFT JOIN
- azure_subscription AS sub
- ON
- s.subscription_id = sub.subscription_id,
- jsonb_array_elements(server_audit_policy) AS ap
+ language: sql
+ primary_resource: azure_sql_server
+ definition: |
+ SELECT
+ name AS resource,
+ s.platform_resource_id,
+ s.platform_integration_id,
+ CASE
+ WHEN (ap -> 'properties' ->> 'retentionDays')::INT = 0 THEN 'ok'
+ WHEN (ap -> 'properties' ->> 'retentionDays')::INT >= 90 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (ap -> 'properties' ->> 'retentionDays')::INT = 0 THEN 'server has unlimited retention'
+ WHEN (ap -> 'properties' ->> 'retentionDays')::INT >= 90 THEN 'server has a sufficient retention period'
+ ELSE 'server does not have a sufficient log data retention period currently configured.'
+ END AS reason
+ FROM
+ azure_sql_server AS s
+ LEFT JOIN
+ azure_subscription AS sub
+ ON
+ s.subscription_id = sub.subscription_id,
+ jsonb_array_elements(server_audit_policy) AS ap
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Managed SQL Service
- platform_score_use_case:
- - Problem Identities
- score_service_name:
- - Azure Managed SQL Service
- score_tags:
- - Problem Identities
+ platform_score_cloud_service_name:
+ - Azure Managed SQL Service
+ platform_score_use_case:
+ - Problem Identities
+ score_service_name:
+ - Azure Managed SQL Service
+ score_tags:
+ - Problem Identities
diff --git a/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml b/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
index ae55c0a7c..4e37e3329 100644
--- a/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
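Review bot: The trailing `, jsonb_array_elements(server_audit_policy) AS ap` is a comma cross join applied after the `LEFT JOIN`, so a server whose `server_audit_policy` is NULL or an empty array produces zero rows and silently drops out of the control instead of alarming; azure_use_byok_for_transparent_data_encryption does the same with `encryption_protector`. Replace it with `LEFT JOIN LATERAL jsonb_array_elements(server_audit_policy) AS ap ON true` and add `WHEN ap IS NULL THEN 'alarm'` as the first branch of both CASE expressions so an unconfigured server is reported. Separately, `retentionDays = 0` is reported as 'server has unlimited retention' without checking whether the audit policy is enabled at all; if the policy entries carry an enabled/disabled state (not visible here), a disabled policy with retentionDays 0 currently passes.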
@@ -1,39 +1,40 @@
 id: azure_use_byok_for_transparent_data_encryption
 title: Use BYOK for Transparent Data Encryption
+type: control
 description: Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_server
- definition: |
- SELECT
- name AS resource,
- s.platform_resource_id,
- s.platform_integration_id,
- encryption ->> 'kind',
- CASE
- WHEN (encryption ->> 'kind') = 'servicemanaged' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN (encryption ->> 'kind') = 'servicemanaged' THEN
- 'server encryption is using a service-managed key instead of a Customer-Managed Key (CMK)'
- ELSE 'server encryption is using a Customer-Managed Key (CMK)'
- END AS reason
- FROM
- azure_sql_server AS s
- LEFT JOIN
- azure_subscription AS sub ON s.subscription_id = sub.subscription_id,
- jsonb_array_elements(encryption_protector) AS encryption
+ language: sql
+ primary_resource: azure_sql_server
+ definition: |
+ SELECT
+ name AS resource,
+ s.platform_resource_id,
+ s.platform_integration_id,
+ encryption ->> 'kind',
+ CASE
+ WHEN (encryption ->> 'kind') = 'servicemanaged' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN (encryption ->> 'kind') = 'servicemanaged' THEN
+ 'server encryption is using a service-managed key instead of a Customer-Managed Key (CMK)'
+ ELSE 'server encryption is using a Customer-Managed Key (CMK)'
+ END AS reason
+ FROM
+ azure_sql_server AS s
+ LEFT JOIN
+ azure_subscription AS sub ON s.subscription_id = sub.subscription_id,
+ jsonb_array_elements(encryption_protector) AS encryption
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Managed SQL Service
- platform_score_use_case:
- - Insecure Keys
- score_service_name:
- - Azure Managed SQL Service
- score_tags:
- - Insecure Keys
+ platform_score_cloud_service_name:
+ - Azure Managed SQL Service
+ platform_score_use_case:
+ - Insecure Keys
+ score_service_name:
+ - Azure Managed SQL Service
+ score_tags:
+ - Insecure Keys
diff --git a/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml b/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
index f9b2573f7..9e5ba4ca8 100644
--- a/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
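Review bot: The select list projects a bare `encryption ->> 'kind',` column with no alias, which is outside the resource/platform ids/status/reason shape every other control in this batch returns; drop it or name it explicitly, `encryption ->> 'kind' AS encryption_kind,`, so consumers get a stable column set. The comparison `(encryption ->> 'kind') = 'servicemanaged'` is exact and case-sensitive, so any other spelling, an unexpected kind, or NULL all land in `ELSE 'ok'`. Comparing against the compliant value instead fails closed, e.g. `WHEN COALESCE(LOWER(encryption ->> 'kind'), '') <> 'azurekeyvault' THEN 'alarm'`, assuming azurekeyvault is the only other kind the collector emits (verify against the source).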
@@ -1,37 +1,38 @@
 id: azure_use_microsoft_entra_admin_for_sql_authentication
 title: Use Microsoft Entra Admin for SQL Authentication
+type: control
 description: Ensure that an Microsoft Entra admin is configured for SQL authentication.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_sql_server
- definition: |
- SELECT
- name AS resource,
- s.platform_resource_id,
- s.platform_integration_id,
- CASE
- WHEN server_azure_ad_administrator IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN server_azure_ad_administrator IS NULL
- THEN 'There is no Microsoft Entra administrator configured for SQL authentication'
- ELSE 'There is Microsoft Entra administrator configured for SQL authentication'
- END AS reason,
- resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_sql_server AS s
- LEFT JOIN
- azure_subscription AS sub
- ON
- s.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_sql_server
+ definition: |
+ SELECT
+ name AS resource,
+ s.platform_resource_id,
+ s.platform_integration_id,
+ CASE
+ WHEN server_azure_ad_administrator IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN server_azure_ad_administrator IS NULL
+ THEN 'There is no Microsoft Entra administrator configured for SQL authentication'
+ ELSE 'There is Microsoft Entra administrator configured for SQL authentication'
+ END AS reason,
+ resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_sql_server AS s
+ LEFT JOIN
+ azure_subscription AS sub
+ ON
+ s.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Managed SQL Service
- score_service_name:
- - Azure Managed SQL Service
+ platform_score_cloud_service_name:
+ - Azure Managed SQL Service
+ score_service_name:
+ - Azure Managed SQL Service
diff --git a/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
index 38ccab391..e503a57d2 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
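Review bot: `server_azure_ad_administrator IS NULL` is the only failure condition, so if the collector stores an empty JSON value rather than NULL for a server with no Entra admin (not visible here; worth checking against a known-unconfigured server) the control reports 'ok'. A guard such as `WHEN server_azure_ad_administrator IS NULL OR server_azure_ad_administrator IN ('{}', '[]') THEN 'alarm'` covers both representations. The description reads "an Microsoft Entra admin" and the ok-reason "There is Microsoft Entra administrator configured" drops the article; both should read "a Microsoft Entra admin"/"a Microsoft Entra administrator".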
@@ -1,42 +1,43 @@
 id: azure_check_for_publicly_accessible_web_containers
 title: Check for Publicly Accessible Web Containers
+type: control
 description: Ensure that Azure Storage containers aren't publicly accessible.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_container
- definition: |
- SELECT
- container.id AS resource,
- container.platform_resource_id,
- container.platform_integration_id,
- CASE
- WHEN NOT account.allow_blob_public_access
- AND container.public_access = 'None' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN NOT account.allow_blob_public_access
- AND container.public_access = 'None' THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'
- ELSE account.name || ' container ' || container.name || ' allows anonymous access.'
- END AS reason,
- container.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_storage_container container
- JOIN
- azure_storage_account account ON container.account_name = account.name
- JOIN
- azure_subscription sub ON sub.subscription_id = account.subscription_id;
+ language: sql
+ primary_resource: azure_storage_container
+ definition: |
+ SELECT
+ container.id AS resource,
+ container.platform_resource_id,
+ container.platform_integration_id,
+ CASE
+ WHEN NOT account.allow_blob_public_access
+ AND container.public_access = 'None' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN NOT account.allow_blob_public_access
+ AND container.public_access = 'None' THEN account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'
+ ELSE account.name || ' container ' || container.name || ' allows anonymous access.'
+ END AS reason,
+ container.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_storage_container container
+ JOIN
+ azure_storage_account account ON container.account_name = account.name
+ JOIN
+ azure_subscription sub ON sub.subscription_id = account.subscription_id;
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Storage Accounts
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Storage Accounts
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml b/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
index 6ae8a7cdc..1f9c67685 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
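Review bot: The FROM clause uses bare `JOIN` and aliases without `AS` (`azure_storage_container container`, `azure_storage_account account`), the only control in this batch written that way; the rest use `LEFT JOIN ... AS sub`, and the trailing `;` inside the embedded definition is likewise unique to this file. Beyond style, the inner joins drop any container whose account or subscription row is missing from the inventory instead of surfacing it, so a gap in collection reads as compliance. The title and filename say web containers, yet nothing filters on the container name, so every container in every account is evaluated; either rename the control or restrict it to the static-website container if that is the intent.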
@@ -1,39 +1,40 @@
 id: azure_check_for_sufficient_soft_deleted_data_retention_period
 title: Check for Sufficient Soft Deleted Data Retention Period
+type: control
 description: Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureStorageBlobSoftDeleteSufficientDays
- value: '1'
+- key: azureStorageBlobSoftDeleteSufficientDays
+ value: "1"
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id,
- sa.platform_resource_id,
- CASE
- WHEN blob_soft_delete_retention_days IS NULL THEN 'alarm'
- WHEN blob_soft_delete_retention_days <> '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN blob_soft_delete_retention_days IS NULL THEN 'Blob soft delete not enabled'
- WHEN blob_soft_delete_retention_days <> '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int THEN 'Blob soft delete retention days is not sufficient'
- ELSE 'Blob soft delete retention days is sufficient'
- END AS reason,
- sa.resource_group,
- display_name AS subscription
- FROM
- azure_storage_account AS sa,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = sa.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id,
+ sa.platform_resource_id,
+ CASE
+ WHEN blob_soft_delete_retention_days IS NULL THEN 'alarm'
+ WHEN blob_soft_delete_retention_days <> '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN blob_soft_delete_retention_days IS NULL THEN 'Blob soft delete not enabled'
+ WHEN blob_soft_delete_retention_days <> '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int THEN 'Blob soft delete retention days is not sufficient'
+ ELSE 'Blob soft delete retention days is sufficient'
+ END AS reason,
+ sa.resource_group,
+ display_name AS subscription
+ FROM
+ azure_storage_account AS sa,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = sa.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- score_service_name:
- - Azure Storage Accounts
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ score_service_name:
+ - Azure Storage Accounts
diff --git a/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml b/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
index 59ba92eed..e314f12d1 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
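Review bot: Both `blob_soft_delete_retention_days <> '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int` branches test inequality, so an account whose retention exceeds the threshold (30 days against the default of 1, say) is reported 'alarm' with 'Blob soft delete retention days is not sufficient', contradicting the control's title and its own reason text. The comparison should be `blob_soft_delete_retention_days < '{{.azureStorageBlobSoftDeleteSufficientDays}}'::int` in the status and reason CASE alike. Note also that the parameter is substituted textually into the SQL before the `::int` cast runs, so the layer that accepts parameter values must validate it as an integer rather than relying on the cast. The comma join `azure_storage_account AS sa, azure_subscription AS sub WHERE ...` is an implicit inner join; `LEFT JOIN ... ON` would match the other controls in this batch and keep accounts whose subscription row is absent.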
@@ -1,37 +1,38 @@
 id: azure_configure_minimum_tls_version
 title: Configure Minimum TLS Version
+type: control
 description: Ensure that the "Minimum TLS version" setting is set to "Version 1.2" for all Azure Storage accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureLatestTlsVersion
- value: ''
+- key: azureLatestTlsVersion
+ value: ""
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- name AS resource,
- s.platform_resource_id,
- s.platform_integration_id,
- CASE
- WHEN minimum_tls_version = '{{.azureLatestTlsVersion}}' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- name || ' tls version is set to ' || minimum_tls_version || '.' AS reason,
- resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_storage_account AS s
- LEFT JOIN
- azure_subscription AS sub ON s.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ name AS resource,
+ s.platform_resource_id,
+ s.platform_integration_id,
+ CASE
+ WHEN minimum_tls_version = '{{.azureLatestTlsVersion}}' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ name || ' tls version is set to ' || minimum_tls_version || '.' AS reason,
+ resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_storage_account AS s
+ LEFT JOIN
+ azure_subscription AS sub ON s.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- platform_score_use_case:
- - Expiring Certificates
- score_service_name:
- - Azure Storage Accounts
- score_tags:
- - Expiring Certificates
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ platform_score_use_case:
+ - Expiring Certificates
+ score_service_name:
+ - Azure Storage Accounts
+ score_tags:
+ - Expiring Certificates
diff --git a/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
index c3cb47356..4c5ede159 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
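Review bot: The reason `name || ' tls version is set to ' || minimum_tls_version || '.'` evaluates to NULL whenever `minimum_tls_version` is NULL, so precisely the accounts that alarm for having no minimum configured come back with no explanation; write `COALESCE(minimum_tls_version, 'not set')` inside the concatenation. The parameter `azureLatestTlsVersion` defaults to `""`, which means the control alarms on every account until someone sets it, while the description promises a "Version 1.2" check; give the parameter a real default or state in the description that it must be configured. Exact equality against one version also alarms on accounts configured with a newer version than the parameter, which is presumably not intended.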
@@ -1,40 +1,41 @@
 id: azure_disable_anonymous_access_to_blob_containers
 title: Disable Anonymous Access to Blob Containers
+type: control
 description: Ensure that anonymous access to blob containers is disabled within your Azure Storage account.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- a.name AS resource,
- a.platform_resource_id,
- a.platform_integration_id,
- CASE
- WHEN c.public_access IS NULL THEN 'skip'
- WHEN c.public_access = 'container' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN c.public_access IS NULL THEN 'no container found'
- WHEN c.public_access = 'container' THEN a.name || ' anonymous access to blob container is not disabled.'
- ELSE a.name || ' anonymous access to blob container is disabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_storage_account AS a
- LEFT JOIN azure_storage_container AS c ON a.name = c.account_name
- LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ a.name AS resource,
+ a.platform_resource_id,
+ a.platform_integration_id,
+ CASE
+ WHEN c.public_access IS NULL THEN 'skip'
+ WHEN c.public_access = 'container' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN c.public_access IS NULL THEN 'no container found'
+ WHEN c.public_access = 'container' THEN a.name || ' anonymous access to blob container is not disabled.'
+ ELSE a.name || ' anonymous access to blob container is disabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_storage_account AS a
+ LEFT JOIN azure_storage_container AS c ON a.name = c.account_name
+ LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Storage Accounts
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Storage Accounts
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
index 9557fb681..d75ebb9f0 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
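Review bot: `c.public_access = 'container'` compares against a lowercase value while azure_check_for_publicly_accessible_web_containers in this same batch compares the same column against `'None'`; the two spellings cannot both match the collector's casing, so one of the two controls never fires and should be checked against a container known to be public. The check also ignores the blob-level public access setting, which still exposes blob contents anonymously, and because the account is LEFT JOINed to every one of its containers, a single account yields one row per container with possibly conflicting statuses. Evaluating per account with EXISTS keeps one row per resource and covers both public levels (the casing of the values to be confirmed against the collector).
```sql
-- … unchanged: select list (resource, platform ids) …
    CASE
      WHEN NOT EXISTS (SELECT 1 FROM azure_storage_container AS c WHERE c.account_name = a.name) THEN 'skip'
      WHEN EXISTS (SELECT 1 FROM azure_storage_container AS c
                   WHERE c.account_name = a.name AND c.public_access IN ('Container', 'Blob')) THEN 'alarm'
      ELSE 'ok'
    END AS status,
-- … unchanged: reason CASE with the same two predicates, resource_group, subscription …
  FROM
    azure_storage_account AS a
    LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
```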
@@ -1,38 +1,39 @@
 id: azure_disable_public_access_to_storage_accounts_with_blob_containers
 title: Disable public access to storage accounts with blob containers
+type: control
 description: Ensure that public access to blob containers is disabled for your Azure storage accounts to override any ACL configurations allowing access.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- a.name AS resource,
- a.platform_resource_id,
- a.platform_integration_id,
- CASE
- WHEN allow_blob_public_access THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN allow_blob_public_access THEN a.name || ' container and blob data can be read by anonymous users.'
- ELSE a.name || ' container and blob data can not be read by anonymous users.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_storage_account AS a
- LEFT JOIN
- azure_subscription AS sub ON a.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ a.name AS resource,
+ a.platform_resource_id,
+ a.platform_integration_id,
+ CASE
+ WHEN allow_blob_public_access THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN allow_blob_public_access THEN a.name || ' container and blob data can be read by anonymous users.'
+ ELSE a.name || ' container and blob data can not be read by anonymous users.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_storage_account AS a
+ LEFT JOIN
+ azure_subscription AS sub ON a.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- platform_score_use_case:
- - Exposed Endpoints
- score_service_name:
- - Azure Storage Accounts
- score_tags:
- - Exposed Endpoints
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ platform_score_use_case:
+ - Exposed Endpoints
+ score_service_name:
+ - Azure Storage Accounts
+ score_tags:
+ - Exposed Endpoints
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
index 71ab703a2..65422ecfb 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
@@ -1,37 +1,38 @@
 id: azure_enable_blob_storage_lifecycle_management
 title: Enable Blob Storage Lifecycle Management
+type: control
 description: Ensure that Azure Blob Storage service has a lifecycle management policy configured.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- sa.id AS resource,
- sa.platform_integration_id,
- sa.platform_resource_id,
- CASE
- WHEN lifecycle_management_policy = '{}' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN lifecycle_management_policy = '{}' THEN
- 'Lifecycle management is not enabled for the blob data available in the selected Microsoft Azure Storage account.'
- ELSE
- 'Lifecycle management is enabled for the blob data available in the selected Microsoft Azure Storage account.'
- END AS reason,
- sa.resource_group,
- display_name AS subscription
- FROM
- azure_storage_account AS sa,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = sa.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ sa.id AS resource,
+ sa.platform_integration_id,
+ sa.platform_resource_id,
+ CASE
+ WHEN lifecycle_management_policy = '{}' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN lifecycle_management_policy = '{}' THEN
+ 'Lifecycle management is not enabled for the blob data available in the selected Microsoft Azure Storage account.'
+ ELSE
+ 'Lifecycle management is enabled for the blob data available in the selected Microsoft Azure Storage account.'
+ END AS reason,
+ sa.resource_group,
+ display_name AS subscription
+ FROM
+ azure_storage_account AS sa,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = sa.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- score_service_name:
- - Azure Storage Accounts
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ score_service_name:
+ - Azure Storage Accounts
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
index 70e3151c0..0e40e4f46 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
@@ -1,35 +1,36 @@
 id: azure_enable_immutable_blob_storage
 title: Enable Immutable Blob Storage
+type: control
 description: Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_container
- definition: |
- SELECT
- sc.id AS resource,
- sc.platform_integration_id,
- sc.platform_resource_id,
- CASE
- WHEN has_immutability_policy = 'false' AND has_legal_hold = 'false' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN has_immutability_policy = 'false' AND has_legal_hold = 'false' THEN 'Immutable Blob Storage protection feature is not enabled.'
- ELSE 'Immutable Blob Storage protection feature is enabled.'
- END AS reason,
- sc.resource_group,
- display_name AS subscription
- FROM
- azure_storage_container AS sc,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = sc.subscription_id
+ language: sql
+ primary_resource: azure_storage_container
+ definition: |
+ SELECT
+ sc.id AS resource,
+ sc.platform_integration_id,
+ sc.platform_resource_id,
+ CASE
+ WHEN has_immutability_policy = 'false' AND has_legal_hold = 'false' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN has_immutability_policy = 'false' AND has_legal_hold = 'false' THEN 'Immutable Blob Storage protection feature is not enabled.'
+ ELSE 'Immutable Blob Storage protection feature is enabled.'
+ END AS reason,
+ sc.resource_group,
+ display_name AS subscription
+ FROM
+ azure_storage_container AS sc,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = sc.subscription_id
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- score_service_name:
- - Azure Storage Accounts
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ score_service_name:
+ - Azure Storage Accounts
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
index 7fc43e007..1388cfd3b 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
@@ -1,37 +1,38 @@
 id: azure_enable_infrastructure_encryption
 title: Enable Infrastructure Encryption
+type: control
 description: Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_storage_account
- definition: |
- SELECT
- a.name AS resource,
- a.platform_resource_id,
- a.platform_integration_id,
- CASE
- WHEN require_infrastructure_encryption IS NULL OR require_infrastructure_encryption = 'false' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN require_infrastructure_encryption IS NULL OR require_infrastructure_encryption = 'false' THEN a.name || ' Infrastructure Encryption feature is not enabled.'
- ELSE a.name || ' Infrastructure Encryption feature is enabled.'
- END AS reason,
- a.resource_group AS resource_group,
- sub.display_name AS subscription
- FROM
- azure_storage_account AS a
- LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
+ language: sql
+ primary_resource: azure_storage_account
+ definition: |
+ SELECT
+ a.name AS resource,
+ a.platform_resource_id,
+ a.platform_integration_id,
+ CASE
+ WHEN require_infrastructure_encryption IS NULL OR require_infrastructure_encryption = 'false' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN require_infrastructure_encryption IS NULL OR require_infrastructure_encryption = 'false' THEN a.name || ' Infrastructure Encryption feature is not enabled.'
+ ELSE a.name || ' Infrastructure Encryption feature is enabled.'
+ END AS reason,
+ a.resource_group AS resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_storage_account AS a
+ LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Storage Accounts
- platform_score_use_case:
- - Unencrypted Storage
- score_service_name:
- - Azure Storage Accounts
- score_tags:
- - Unencrypted Storage
+ platform_score_cloud_service_name:
+ - Azure Storage Accounts
+ platform_score_use_case:
+ - Unencrypted Storage
+ score_service_name:
+ - Azure Storage Accounts
+ score_tags:
+ - Unencrypted Storage
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
index ee46b03f6..3a31799b1 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
@@ -1,41 +1,42 @@ id: azure_enable_logging_for_azure_storage_blob_service title: Enable Logging for Azure Storage Blob Service +type: control description: Ensure that storage logging is enabled for the Azure Storage Blob service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN (blob_service_logging ->> 'Read' = 'false' AND - blob_service_logging ->> 'Write' = 'false' AND - blob_service_logging ->> 'Delete' = 'false') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (blob_service_logging ->> 'Read' = 'false' AND - blob_service_logging ->> 'Write' = 'false' AND - blob_service_logging ->> 'Delete' = 'false') THEN - 'The storage logging is not enabled for the Azure Storage Blob service in the selected storage account settings.' - ELSE - 'The storage logging is enabled for the Azure Storage Blob service in the selected storage account settings.' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN (blob_service_logging ->> 'Read' = 'false' AND + blob_service_logging ->> 'Write' = 'false' AND + blob_service_logging ->> 'Delete' = 'false') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (blob_service_logging ->> 'Read' = 'false' AND + blob_service_logging ->> 'Write' = 'false' AND + blob_service_logging ->> 'Delete' = 'false') THEN + 'The storage logging is not enabled for the Azure Storage Blob service in the selected storage account settings.' 
+ ELSE + 'The storage logging is enabled for the Azure Storage Blob service in the selected storage account settings.' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml index 9a879248d..1167cdb2e 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml 
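Review bot: The status CASE in the new definition reports 'ok' when `blob_service_logging` is NULL, because `NULL ->> 'Read' = 'false'` evaluates to UNKNOWN and the WHEN branch is skipped, so a storage account with no logging configuration at all passes the control; add the NULL case as the first term of both WHEN conditions, `WHEN (blob_service_logging IS NULL OR (blob_service_logging ->> 'Read' = 'false' AND ...)) THEN 'alarm'`. The same fail-open shape appears in the queue-logging hunk (`queue_logging_read`/`queue_logging_write`/`queue_logging_delete`), the table-logging hunk (`table_logging_*`), the trusted-services hunk (`network_rule_bypass = 'None'`) and the default-network-access hunk (`network_rule_default_action = 'Allow'`), where a NULL column likewise yields 'ok'. What a NULL means for each of those columns depends on the collector and is not visible in the diff, so confirm before changing them; for a logging control, reporting an unknown configuration as 'alarm' is the safer default. The reason strings here also omit the account name that the other controls in this change include, which makes the finding harder to act on.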
@@ -1,37 +1,38 @@ id: azure_enable_logging_for_azure_storage_queue_service title: Enable Logging for Azure Storage Queue Service +type: control description: Ensure that detailed storage logging is enabled for the Azure Storage Queue service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN (queue_logging_read = 'false' AND queue_logging_write = 'false' AND queue_logging_delete = 'false') - THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (queue_logging_read = 'false' AND queue_logging_write = 'false' AND queue_logging_delete = 'false') - THEN 'The detailed storage logging is not enabled for the Azure Storage Queue service within the selected storage account.' - ELSE 'The detailed storage logging is enabled for the Azure Storage Queue service within the selected storage account.' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN (queue_logging_read = 'false' AND queue_logging_write = 'false' AND queue_logging_delete = 'false') + THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (queue_logging_read = 'false' AND queue_logging_write = 'false' AND queue_logging_delete = 'false') + THEN 'The detailed storage logging is not enabled for the Azure Storage Queue service within the selected storage account.' + ELSE 'The detailed storage logging is enabled for the Azure Storage Queue service within the selected storage account.' 
+ END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml index 4d7870586..7d827f9db 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml 
@@ -1,35 +1,36 @@ id: azure_enable_logging_for_azure_storage_table_service title: Enable Logging for Azure Storage Table Service +type: control description: Ensure that storage logging is enabled for the Azure Storage Table service. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN (table_logging_read = 'false' AND table_logging_write = 'false' AND table_logging_delete = 'false') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (table_logging_read = 'false' AND table_logging_write = 'false' AND table_logging_delete = 'false') THEN 'The storage logging is not enabled for the Azure Storage Table service' - ELSE 'The storage logging is enabled for the Azure Storage Table service' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN (table_logging_read = 'false' AND table_logging_write = 'false' AND table_logging_delete = 'false') THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (table_logging_read = 'false' AND table_logging_write = 'false' AND table_logging_delete = 'false') THEN 'The storage logging is not enabled for the Azure Storage Table service' + ELSE 'The storage logging is enabled for the Azure Storage Table service' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + 
platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml index 31b2cd814..adf76e9fe 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml 
@@ -1,36 +1,37 @@ id: azure_enable_secure_transfer_in_azure_storage title: Enable Secure Transfer in Azure Storage +type: control description: Ensure that "Secure transfer required" security feature is enabled within your Azure Storage account configuration. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN enable_https_traffic_only = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN enable_https_traffic_only = 'true' THEN 'The data in transit between clients and the resources available in the selected Azure Storage account (i.e. files, blobs, queues, tables, and disks) is encrypted' - ELSE 'The data in transit between clients and the resources available in the selected Azure Storage account (i.e. files, blobs, queues, tables, and disks) is not encrypted' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa - JOIN - azure_subscription AS sub - ON - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN enable_https_traffic_only = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN enable_https_traffic_only = 'true' THEN 'The data in transit between clients and the resources available in the selected Azure Storage account (i.e. files, blobs, queues, tables, and disks) is encrypted' + ELSE 'The data in transit between clients and the resources available in the selected Azure Storage account (i.e. 
files, blobs, queues, tables, and disks) is not encrypted' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa + JOIN + azure_subscription AS sub + ON + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml index e104ffc98..2ce533ae7 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml 
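Review bot: The FROM clause uses a bare `JOIN azure_subscription`, an inner join, while the sibling controls in this change (infrastructure encryption, private endpoint, customer-managed keys, default network access) use `LEFT JOIN`, so a storage account whose subscription row is missing is silently dropped from the results here instead of being reported with a NULL subscription. The comma joins with an equality in WHERE in the blob/queue/table logging, soft delete, trusted services, BYOK and approved-image hunks have the same effect. Write it as `LEFT JOIN azure_subscription AS sub ON sub.subscription_id = sa.subscription_id` and keep the join condition out of WHERE. Whether the subscription table is always populated before storage accounts is not visible in the diff; if it is, the difference is only stylistic, but the inconsistency across controls still deserves a comment.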
@@ -1,35 +1,36 @@ id: azure_enable_soft_delete_for_azure_blob_storage title: Enable Soft Delete for Azure Blob Storage +type: control description: Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN blob_container_soft_delete_enabled = 'true' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN blob_container_soft_delete_enabled = 'true' THEN 'Soft Delete feature is enabled' - ELSE 'Soft Delete feature is not enabled' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN blob_container_soft_delete_enabled = 'true' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN blob_container_soft_delete_enabled = 'true' THEN 'Soft Delete feature is enabled' + ELSE 'Soft Delete feature is not enabled' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts 
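Review bot: The `description` field still reads "Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts", which is the text of the infrastructure-encryption control and does not match this control's title or its `blob_container_soft_delete_enabled` check. Replace it with wording that describes the check, e.g. `description: Ensure that soft delete is enabled for blob containers in Microsoft Azure Storage accounts.` The BYOK hunk (`azure_use_byok_for_storage_account_encryption`) carries the same copied description and should be corrected alongside. Note also that the column checked is the container-level soft delete flag; if "Blob Storage" in the title is meant to cover blob-level soft delete, that is a separate setting, which cannot be confirmed from the diff.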
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml index f9eccf89a..37e6cde49 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml 
@@ -1,35 +1,36 @@ id: azure_enable_trusted_microsoft_services_for_storage_account_access title: Enable Trusted Microsoft Services for Storage Account Access +type: control description: Allow Trusted Microsoft Services to access your Azure Storage account resources. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN network_rule_bypass = 'None' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_bypass = 'None' THEN 'Trusted Microsoft services are not allowed to access the selected Azure Storage account' - ELSE 'Trusted Microsoft services are allowed to access the selected Azure Storage account' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN network_rule_bypass = 'None' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_bypass = 'None' THEN 'Trusted Microsoft services are not allowed to access the selected Azure Storage account' + ELSE 'Trusted Microsoft services are allowed to access the selected Azure Storage account' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts 
diff --git a/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml b/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml index 39ecf27b6..bc666a33c 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml 
@@ -1,52 +1,53 @@ id: azure_limit_storage_account_access_by_ip_address title: Limit Storage Account Access by IP Address +type: control description: Ensure that Azure Storage account access is limited only to specific IP address(es). integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureStorageAccountAllowedIPAddresses - value: '' +- key: azureStorageAccountAllowedIPAddresses + value: "" policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - name AS resource, - s.platform_resource_id, - s.platform_integration_id, - CASE - WHEN network_ip_rules IS NULL THEN 'skip' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(network_ip_rules) AS r - WHERE (r ->> 'action') = 'Allow' - AND '{{.azureStorageAccountAllowedIPAddresses}}' NOT LIKE '%' || (r ->> 'value') || '%' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_ip_rules IS NULL THEN 'storage account does not have network ip rule' - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(network_ip_rules) AS r - WHERE (r ->> 'action') = 'Allow' - AND '{{.azureStorageAccountAllowedIPAddresses}}' NOT LIKE '%' || (r ->> 'value') || '%' - ) THEN 'is not restricted to trusted IP addresses/IP ranges only.' - ELSE 'is restricted to trusted IP addresses/IP ranges only.' 
- END AS reason, - resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS s - LEFT JOIN azure_subscription AS sub - ON s.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + name AS resource, + s.platform_resource_id, + s.platform_integration_id, + CASE + WHEN network_ip_rules IS NULL THEN 'skip' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(network_ip_rules) AS r + WHERE (r ->> 'action') = 'Allow' + AND '{{.azureStorageAccountAllowedIPAddresses}}' NOT LIKE '%' || (r ->> 'value') || '%' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_ip_rules IS NULL THEN 'storage account does not have network ip rule' + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(network_ip_rules) AS r + WHERE (r ->> 'action') = 'Allow' + AND '{{.azureStorageAccountAllowedIPAddresses}}' NOT LIKE '%' || (r ->> 'value') || '%' + ) THEN 'is not restricted to trusted IP addresses/IP ranges only.' + ELSE 'is restricted to trusted IP addresses/IP ranges only.' + END AS reason, + resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS s + LEFT JOIN azure_subscription AS sub + ON s.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Storage Accounts - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Storage Accounts + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Storage Accounts + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml b/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml index 6a34df566..1556da120 100644 
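Review bot: The allow-list comparison `'{{.azureStorageAccountAllowedIPAddresses}}' NOT LIKE '%' || (r ->> 'value') || '%'` is a substring match, so a rule value that happens to be a substring of an allowed entry (constructed example: rule `10.0.0.1` against an allowed `10.0.0.10`) is accepted as trusted and the account is reported 'ok'. Since the query already relies on Postgres (`jsonb_array_elements`), an exact membership test is available: `AND NOT ((r ->> 'value') = ANY (string_to_array('{{.azureStorageAccountAllowedIPAddresses}}', ',')))` — the comma delimiter is an assumption about how the parameter is entered and should be confirmed against the parameter's documentation. The parameter is also interpolated into a SQL string literal by the template rather than bound, so if the value is not validated upstream, a quote character in it changes the query; restricting the parameter to an IP/CIDR list pattern at the input layer is worth confirming. With the default empty value every Allow rule alarms, which may be intended but should be stated in the description.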
--- a/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml 
@@ -1,37 +1,38 @@ id: azure_private_endpoint_in_use title: Private Endpoint in Use +type: control description: Ensure that private endpoints are used to access Microsoft Azure Storage accounts. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - a.name AS resource, - a.platform_resource_id, - a.platform_integration_id, - CASE - WHEN a.private_endpoint_connections IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN a.private_endpoint_connections IS NULL THEN a.name || ' is not using private endpoints for secure access.' - ELSE a.name || ' is using private endpoints for secure access.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS a - LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + a.name AS resource, + a.platform_resource_id, + a.platform_integration_id, + CASE + WHEN a.private_endpoint_connections IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN a.private_endpoint_connections IS NULL THEN a.name || ' is not using private endpoints for secure access.' + ELSE a.name || ' is using private endpoints for secure access.' + END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS a + LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Storage Accounts - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Storage Accounts + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Storage Accounts + score_tags: + - Exposed Endpoints 
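Review bot: The check `a.private_endpoint_connections IS NULL` reports 'ok' for any non-NULL value, including an empty JSON array if the collector stores one instead of NULL, and it does not look at the state of the connections it finds. If the column is jsonb, `WHEN a.private_endpoint_connections IS NULL OR jsonb_array_length(a.private_endpoint_connections) = 0 THEN 'alarm'` covers the empty-array case; the column type is not visible in the diff, so confirm it before applying.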
diff --git a/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml b/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml index 3a43ae248..44238f6c7 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml 
@@ -1,38 +1,39 @@ id: azure_restrict_default_network_access_for_storage_accounts title: Restrict Default Network Access for Storage Accounts +type: control description: Ensure that the default network access rule is set to "Deny" within your Azure Storage account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - a.name AS resource, - a.platform_resource_id, - a.platform_integration_id, - CASE - WHEN network_rule_default_action = 'Allow' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN network_rule_default_action = 'Allow' THEN a.name || ' can be accessed by all networks, including the Internet.' - ELSE a.name || ' can not be accessed by all networks, including the Internet.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS a - LEFT JOIN - azure_subscription AS sub ON a.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + a.name AS resource, + a.platform_resource_id, + a.platform_integration_id, + CASE + WHEN network_rule_default_action = 'Allow' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN network_rule_default_action = 'Allow' THEN a.name || ' can be accessed by all networks, including the Internet.' + ELSE a.name || ' can not be accessed by all networks, including the Internet.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS a + LEFT JOIN + azure_subscription AS sub ON a.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - platform_score_use_case: - - Exposed Endpoints - score_service_name: - - Azure Storage Accounts - score_tags: - - Exposed Endpoints + platform_score_cloud_service_name: + - Azure Storage Accounts + platform_score_use_case: + - Exposed Endpoints + score_service_name: + - Azure Storage Accounts + score_tags: + - Exposed Endpoints diff --git a/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml b/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml index 236484e50..6ad30a8a0 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml 
@@ -1,37 +1,38 @@ id: azure_storage_account_encryption_using_customer_managed_keys title: Storage Account Encryption using Customer Managed Keys +type: control description: Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - a.name AS resource, - a.platform_resource_id, - a.platform_integration_id, - CASE - WHEN encryption_key_source = 'Microsoft.Keyvault' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_key_source = 'Microsoft.Keyvault' THEN a.name || ' is encrypted using a Customer Managed Key.' - ELSE a.name || ' is not encrypted using a Customer Managed Key.' - END AS reason, - a.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_storage_account AS a - LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + a.name AS resource, + a.platform_resource_id, + a.platform_integration_id, + CASE + WHEN encryption_key_source = 'Microsoft.Keyvault' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_key_source = 'Microsoft.Keyvault' THEN a.name || ' is encrypted using a Customer Managed Key.' + ELSE a.name || ' is not encrypted using a Customer Managed Key.' 
+ END AS reason, + a.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_storage_account AS a + LEFT JOIN azure_subscription AS sub ON a.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure Storage Accounts - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure Storage Accounts + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure Storage Accounts + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml b/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml index 2e8978fc9..d1ce7a4f0 100644 --- a/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml +++ b/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml 
@@ -1,35 +1,36 @@ id: azure_use_byok_for_storage_account_encryption title: Use BYOK for Storage Account Encryption +type: control description: Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_storage_account - definition: | - SELECT - sa.id AS resource, - sa.platform_integration_id, - sa.platform_resource_id, - CASE - WHEN encryption_key_vault_properties_key_name IS NOT NULL THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_key_vault_properties_key_name IS NOT NULL THEN 'Microsoft Azure Storage account is encrypted using a customer-managed key' - ELSE 'Microsoft Azure Storage account is not encrypted using a customer-managed key' - END AS reason, - sa.resource_group, - display_name AS subscription - FROM - azure_storage_account AS sa, - azure_subscription AS sub - WHERE - sub.subscription_id = sa.subscription_id + language: sql + primary_resource: azure_storage_account + definition: | + SELECT + sa.id AS resource, + sa.platform_integration_id, + sa.platform_resource_id, + CASE + WHEN encryption_key_vault_properties_key_name IS NOT NULL THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_key_vault_properties_key_name IS NOT NULL THEN 'Microsoft Azure Storage account is encrypted using a customer-managed key' + ELSE 'Microsoft Azure Storage account is not encrypted using a customer-managed key' + END AS reason, + sa.resource_group, + display_name AS subscription + FROM + azure_storage_account AS sa, + azure_subscription AS sub + WHERE + sub.subscription_id = sa.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Storage Accounts - score_service_name: - - Azure Storage Accounts + platform_score_cloud_service_name: + - Azure Storage Accounts + score_service_name: + - Azure Storage Accounts 
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml index 982a62477..c1c63e3e6 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml 
@@ -1,35 +1,36 @@ id: azure_approved_azure_machine_image_in_use title: Approved Azure Machine Image in Use +type: control description: Ensure that all your Azure virtual machine instances are launched from approved machine images only. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'ImageReference' ->> 'ID' IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'ImageReference' ->> 'ID' IS NULL THEN 'Virtual Machine instance was launched without using an approved Azure machine image' - ELSE 'Virtual Machine instance was launched using an approved Azure machine image' - END AS reason, - vm.resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'ImageReference' ->> 'ID' IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'ImageReference' ->> 'ID' IS NULL THEN 'Virtual Machine instance was launched without using an approved Azure machine image' + ELSE 'Virtual Machine instance was launched using an approved Azure machine image' + END AS reason, + vm.resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS 
sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml index 6a0b04d91..b657d9f4e 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml 
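Review bot: The definition checks only whether `ImageReference ->> 'ID'` is NULL, but the title and both reason strings claim the instance was launched from an approved image; no approved-image list is consulted, and `parameters: []` gives the control nowhere to receive one. As written it appears to distinguish image references that carry an ID from those that do not — inferred from the field names, not visible in the diff — so the reason text overstates what was verified. Either add a parameter holding the approved image IDs and test `ImageReference ->> 'ID'` against it, or reword the reasons to `'Virtual Machine instance does not reference an image by ID'` / `'Virtual Machine instance references an image by ID'`. The trailing `;` in this definition is also inconsistent with the other controls in the change.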
@@ -1,37 +1,38 @@
 id: azure_check_for_accelerated_networking_for_virtual_machines
 title: Check for Accelerated Networking for Virtual Machines
+type: control
 description: Ensure that Microsoft Azure virtual machines are configured to use accelerated networking.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureAllowedVmExtentions
- value: ''
+- key: azureAllowedVmExtentions
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN nic.enable_accelerated_networking = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN nic.enable_accelerated_networking = 'true' THEN 'Accelerated networking is enabled'
- ELSE 'Accelerated networking is not enabled'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm
- LEFT JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id,
- jsonb_array_elements(network_interfaces) AS ni
- LEFT JOIN azure_network_interface AS nic ON nic.id = (ni ->> 'id')
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN nic.enable_accelerated_networking = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN nic.enable_accelerated_networking = 'true' THEN 'Accelerated networking is enabled'
+ ELSE 'Accelerated networking is not enabled'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm
+ LEFT JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id,
+ jsonb_array_elements(network_interfaces) AS ni
+ LEFT JOIN azure_network_interface AS nic ON nic.id = (ni ->> 'id')
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
index 871ae1c67..7a2dbcb35 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
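Review bot: The parameter `azureAllowedVmExtentions` declared in the new side is never referenced by the SQL definition, so it is dead configuration that looks copy-pasted from another control; either drop it or wire it into the query. Separately, the cross join with `jsonb_array_elements(network_interfaces)` emits one result row per NIC under the same `vm.id`, so a VM with one accelerated and one non-accelerated NIC reports both 'ok' and 'alarm', and a VM whose `network_interfaces` array is empty or NULL disappears from the results entirely instead of alarming. Aggregating per VM (for example a grouped subquery over the NICs that yields 'ok' only when every NIC has accelerated networking enabled, with no NIC treated as not enabled) would give one verdict per resource.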
@@ -1,35 +1,36 @@
 id: azure_check_for_associated_load_balancers
 title: Check for Associated Load Balancers
+type: control
 description: Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'VM Scale-set is available in more than one zone'
- ELSE 'VM Scale-set is not available in more than one zone'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'VM Scale-set is available in more than one zone'
+ ELSE 'VM Scale-set is not available in more than one zone'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
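Review bot: The definition does not check what the control's id, title and description promise: it counts entries in `zones` (`(SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1`) and the reason strings speak about zone availability, while nothing in the query inspects a load-balancer association. Either retitle and re-describe the control as a multi-zone check, or replace the predicate with one over the scale set's load-balancer backend-pool references, so that a report reader is not told "Check for Associated Load Balancers" passed on unrelated evidence. Note also that a NULL `zones` column yields zero rows from the set-returning function and therefore 'alarm', which is probably intended but deserves a comment above the CASE.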
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
index bc306739e..9e2595ddd 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
@@ -1,35 +1,36 @@
 id: azure_check_for_automatic_instance_repairs
 title: Check for Automatic Instance Repairs
+type: control
 description: Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'AutomaticRepairsPolicy' ->> 'Enabled' = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'AutomaticRepairsPolicy' ->> 'Enabled' = 'true' THEN 'Automatic repairs feature is enabled'
- ELSE 'Automatic repairs feature is not currently enabled'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'AutomaticRepairsPolicy' ->> 'Enabled' = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'AutomaticRepairsPolicy' ->> 'Enabled' = 'true' THEN 'Automatic repairs feature is enabled'
+ ELSE 'Automatic repairs feature is not currently enabled'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
index 35b1a054a..841d56358 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
@@ -1,35 +1,36 @@
 id: azure_check_for_automatic_os_upgrades
 title: Check for Automatic OS Upgrades
+type: control
 description: Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN upgrade_policy -> 'automaticOSUpgradePolicy' ->> 'enableAutomaticOSUpgrade' = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN upgrade_policy -> 'automaticOSUpgradePolicy' ->> 'enableAutomaticOSUpgrade' = 'true' THEN 'Automatic OS Upgrades feature is enabled'
- ELSE 'Automatic OS Upgrades feature is not currently enabled'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN upgrade_policy -> 'automaticOSUpgradePolicy' ->> 'enableAutomaticOSUpgrade' = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN upgrade_policy -> 'automaticOSUpgradePolicy' ->> 'enableAutomaticOSUpgrade' = 'true' THEN 'Automatic OS Upgrades feature is enabled'
+ ELSE 'Automatic OS Upgrades feature is not currently enabled'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
index 2e5799a92..d6e41e454 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
@@ -1,36 +1,37 @@
 id: azure_check_for_autoscale_notifications
 title: Check for Autoscale Notifications
+type: control
 description: Ensure that autoscale notifications are enabled for Azure virtual machine scale sets.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN s.notifications ->> 'enabled' = 'true' THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN s.notifications ->> 'enabled' = 'true' THEN 'autoscale notifications are enabled'
- ELSE 'autoscale notifications are not enabled'
- END AS reason,
- vm.resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS vm
- LEFT JOIN
- azure_subscription AS sub ON sub.subscription_id = vm.subscription_id
- LEFT JOIN
- azure_autoscale_setting AS s ON vm.id = s.target_resource_uri
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN s.notifications ->> 'enabled' = 'true' THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN s.notifications ->> 'enabled' = 'true' THEN 'autoscale notifications are enabled'
+ ELSE 'autoscale notifications are not enabled'
+ END AS reason,
+ vm.resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS vm
+ LEFT JOIN
+ azure_subscription AS sub ON sub.subscription_id = vm.subscription_id
+ LEFT JOIN
+ azure_autoscale_setting AS s ON vm.id = s.target_resource_uri
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
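Review bot: `s.notifications ->> 'enabled'` assumes `notifications` is stored as a JSON object; in the Azure autoscale-setting schema the notifications property is an array, and if the collector keeps that shape `->> 'enabled'` on a jsonb array returns NULL and every scale set alarms regardless of configuration — please confirm the stored shape and, if it is an array, test it with something like `EXISTS (SELECT 1 FROM jsonb_array_elements(s.notifications) AS n WHERE n ->> 'enabled' = 'true')`. The `LEFT JOIN azure_autoscale_setting` on `target_resource_uri` can also emit several rows for the same `vm.id` when more than one autoscale setting targets a scale set, and an exact-string comparison of ARM resource IDs is case-sensitive in PostgreSQL while ARM IDs are not consistently cased, so a `LOWER()` on both sides (or a verified canonicalisation in the collector) would avoid false alarms.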
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
index c0678b42e..b5048a523 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
@@ -1,36 +1,37 @@
 id: azure_check_for_backups_for_azure_virtual_machines
 title: Check for Backups for Azure Virtual Machines
+type: control
 description: Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN bi.name IS NULL THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN bi.name IS NULL THEN 'Diagnostic extensions installed on the VM'
- ELSE 'Diagnostic extensions not installed on the VM'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm
- LEFT JOIN azure_subscription AS sub
- ON sub.subscription_id = vm.subscription_id
- LEFT JOIN azure_recovery_services_backup_item AS bi
- ON vm.id = (bi.properties ->> 'SourceResourceID')
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN bi.name IS NULL THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN bi.name IS NULL THEN 'Diagnostic extensions installed on the VM'
+ ELSE 'Diagnostic extensions not installed on the VM'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm
+ LEFT JOIN azure_subscription AS sub
+ ON sub.subscription_id = vm.subscription_id
+ LEFT JOIN azure_recovery_services_backup_item AS bi
+ ON vm.id = (bi.properties ->> 'SourceResourceID')
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
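Review bot: The reason strings on the new side are copy-pasted from a diagnostics-extension control and are inverted relative to the status: the `bi.name IS NULL` branch yields 'alarm' yet its reason reads 'Diagnostic extensions installed on the VM', so the report text contradicts the verdict and never mentions backups. Replace the two branches with text that matches the check, e.g. `WHEN bi.name IS NULL THEN 'VM is not protected by an Azure Backup item'` and `ELSE 'VM is protected by Azure Backup item ' || bi.name`. The `LEFT JOIN` on `bi.properties ->> 'SourceResourceID'` can also emit one row per backup item when a VM is protected in more than one vault, and it compares ARM resource IDs case-sensitively; an `EXISTS` subquery (or `DISTINCT ON (vm.id)`) with `LOWER()` on both sides would give one verdict per VM.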
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
index 1e534a005..f4d2bdb44 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
@@ -1,44 +1,45 @@
 id: azure_check_for_configure_health_monitoring
 title: Check for Configure Health Monitoring
+type: control
 description: Ensure that the health of your Microsoft Azure scale set instances is being monitored.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine_scale_set
- definition: |
- SELECT
- vmss.id AS resource,
- vmss.platform_integration_id,
- vmss.platform_resource_id,
- CASE
- WHEN EXISTS(
- SELECT 1
- FROM jsonb_array_elements(vmss.extensions) AS ex
- WHERE ('ApplicationHealthLinux' = (ex ->> 'name'))
- OR ('healthRepairExtension' = (ex ->> 'name'))
- ) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN EXISTS(
- SELECT 1
- FROM jsonb_array_elements(vmss.extensions) AS ex
- WHERE ('ApplicationHealthLinux' = (ex ->> 'name'))
- OR ('healthRepairExtension' = (ex ->> 'name'))
- ) THEN 'Azure virtual machine scaleset has application health monitoring enabled'
- ELSE 'Azure virtual machine scaleset does not have application health monitoring enabled'
- END AS reason,
- vmss.resource_group,
- sub.display_name AS subscription
- FROM
- azure_compute_virtual_machine_scale_set AS vmss
- LEFT JOIN azure_subscription AS sub
- ON sub.subscription_id = vmss.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine_scale_set
+ definition: |
+ SELECT
+ vmss.id AS resource,
+ vmss.platform_integration_id,
+ vmss.platform_resource_id,
+ CASE
+ WHEN EXISTS(
+ SELECT 1
+ FROM jsonb_array_elements(vmss.extensions) AS ex
+ WHERE ('ApplicationHealthLinux' = (ex ->> 'name'))
+ OR ('healthRepairExtension' = (ex ->> 'name'))
+ ) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN EXISTS(
+ SELECT 1
+ FROM jsonb_array_elements(vmss.extensions) AS ex
+ WHERE ('ApplicationHealthLinux' = (ex ->> 'name'))
+ OR ('healthRepairExtension' = (ex ->> 'name'))
+ ) THEN 'Azure virtual machine scaleset has application health monitoring enabled'
+ ELSE 'Azure virtual machine scaleset does not have application health monitoring enabled'
+ END AS reason,
+ vmss.resource_group,
+ sub.display_name AS subscription
+ FROM
+ azure_compute_virtual_machine_scale_set AS vmss
+ LEFT JOIN azure_subscription AS sub
+ ON sub.subscription_id = vmss.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
index 7f6ed237a..73099bd2b 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
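Review bot: The EXISTS predicate matches extensions by their user-assigned `name` ('ApplicationHealthLinux' / 'healthRepairExtension'), so a correctly installed Application Health extension registered under any other name — including the Windows variant, ApplicationHealthWindows — is reported as 'alarm', while an unrelated extension that happens to carry one of those two names passes. Matching on the extension's publisher/type fields would tie the verdict to what is actually installed rather than to a label, if the `extensions` elements expose them (confirm against the collector schema); at minimum add the Windows type name to the OR chain. A one-line comment above the first CASE stating why these two literals were chosen would help the next maintainer.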
@@ -1,41 +1,42 @@
 id: azure_check_for_desired_vm_sku_sizes
 title: Check for Desired VM SKU Size(s)
+type: control
 description: Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureAllowedVmSizes
- value: ''
+- key: azureAllowedVmSizes
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN '{{.azureAllowedVmSizes}}' NOT LIKE '%' || (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'HardwareProfile' ->> 'VMSize') || '%' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN '{{.azureAllowedVmSizes}}' NOT LIKE '%' || (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'HardwareProfile' ->> 'VMSize') || '%' THEN 'the virtual machine vm size is not allowed by your organization'
- ELSE 'the virtual machine vm size is allowed by your organization'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id;
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN '{{.azureAllowedVmSizes}}' NOT LIKE '%' || (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'HardwareProfile' ->> 'VMSize') || '%' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN '{{.azureAllowedVmSizes}}' NOT LIKE '%' || (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'HardwareProfile' ->> 'VMSize') || '%' THEN 'the virtual machine vm size is not allowed by your organization'
+ ELSE 'the virtual machine vm size is allowed by your organization'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id;
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- platform_score_use_case:
- - Unencrypted Traffic
- score_service_name:
- - Azure Virtual Machines
- score_tags:
- - Unencrypted Traffic
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ platform_score_use_case:
+ - Unencrypted Traffic
+ score_service_name:
+ - Azure Virtual Machines
+ score_tags:
+ - Unencrypted Traffic
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
index 43ca004b9..40ab98f60 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
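Review bot: The allowlist test `'{{.azureAllowedVmSizes}}' NOT LIKE '%' || (... ->> 'VMSize') || '%'` is a substring match, so a size that is merely a prefix of an allowed one passes (an allowlist containing `Standard_D2s_v3` accepts a VM sized `Standard_D2`), and the underscores in SKU names act as single-character LIKE wildcards, widening the match further. Split the parameter and compare exactly, e.g. `WHEN (... ->> 'VMSize') = ANY(string_to_array('{{.azureAllowedVmSizes}}', ',')) THEN 'ok' ELSE 'alarm'`, which also makes the empty default `""` alarm on everything by design rather than by accident. Because the value is rendered into the SQL text by template substitution rather than bound, it should be validated as a plain comma-separated token list before rendering. The `Unencrypted Traffic` use-case and score tags look unrelated to a SKU-size control and probably came from a copy-paste.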
@@ -1,41 +1,42 @@
 id: azure_check_for_encryption_for_web_tier_disk_volumes
 title: Check for Encryption for Web-Tier Disk Volumes
+type: control
 description: Ensure that Azure virtual machine disk volumes created for the web tier are encrypted.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters:
- - key: azureAppTierTags
- value: ''
+- key: azureAppTierTags
+ value: ""
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'OSDisk' -> 'EncryptionSettings' ->> 'Enabled')::bool THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'OSDisk' -> 'EncryptionSettings' ->> 'Enabled')::bool THEN 'OS disk encrypted'
- ELSE 'OS disk not encrypted'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
- AND vm.tags::text LIKE '%' || REPLACE(REPLACE((
- SELECT jsonb_object_agg(key, value)::text
- FROM jsonb_each_text('{{.azureWebTierTags}}'::jsonb)
- ), '{', ''), '}', '') || '%'
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'OSDisk' -> 'EncryptionSettings' ->> 'Enabled')::bool THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN (vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'StorageProfile' -> 'OSDisk' -> 'EncryptionSettings' ->> 'Enabled')::bool THEN 'OS disk encrypted'
+ ELSE 'OS disk not encrypted'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
+ AND vm.tags::text LIKE '%' || REPLACE(REPLACE((
+ SELECT jsonb_object_agg(key, value)::text
+ FROM jsonb_each_text('{{.azureWebTierTags}}'::jsonb)
+ ), '{', ''), '}', '') || '%'
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
index 4d563cdbf..0a68980ab 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
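Review bot: The declared parameter is `azureAppTierTags` but the definition substitutes `{{.azureWebTierTags}}`, so the template is fed a key that was never declared; depending on the renderer that becomes `''::jsonb` (a cast error at run time) or an empty filter, and either way the control does not select the web-tier VMs it describes. Align the two names — the control is about the web tier, so `- key: azureWebTierTags` looks like the intended fix. Separately, the status only inspects `OSDisk.EncryptionSettings` although the title promises disk volumes in general (data disks are never examined), and the `vm.tags::text LIKE '%...%'` filter is a substring match over serialized JSON that can match tag values it should not; the jsonb containment operator, `vm.tags @> '{{.azureWebTierTags}}'::jsonb`, expresses "has all these tags" exactly.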
@@ -1,49 +1,50 @@
 id: azure_check_for_guest_level_diagnostics_for_virtual_machines
 title: Check for Guest-Level Diagnostics for Virtual Machines
+type: control
 description: Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM
- jsonb_array_elements(extensions) AS e
- WHERE
- (extensions_settings -> (e ->> 'id') -> 'ladCfg' ->> 'diagnosticMonitorConfiguration') IS NOT NULL OR
- (extensions_settings -> (e ->> 'id') -> 'WadCfg' ->> 'DiagnosticMonitorConfiguration') IS NOT NULL
- ) THEN 'ok'
- ELSE 'alarm'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1
- FROM
- jsonb_array_elements(extensions) AS e
- WHERE
- (extensions_settings -> (e ->> 'id') -> 'ladCfg' ->> 'diagnosticMonitorConfiguration') IS NOT NULL OR
- (extensions_settings -> (e ->> 'id') -> 'WadCfg' ->> 'DiagnosticMonitorConfiguration') IS NOT NULL
- ) THEN 'Guest-Level Diagnostics feature is enabled'
- ELSE 'Guest-Level Diagnostics feature is not enabled'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM
+ jsonb_array_elements(extensions) AS e
+ WHERE
+ (extensions_settings -> (e ->> 'id') -> 'ladCfg' ->> 'diagnosticMonitorConfiguration') IS NOT NULL OR
+ (extensions_settings -> (e ->> 'id') -> 'WadCfg' ->> 'DiagnosticMonitorConfiguration') IS NOT NULL
+ ) THEN 'ok'
+ ELSE 'alarm'
+ END AS status,
+ CASE
+ WHEN EXISTS (
+ SELECT 1
+ FROM
+ jsonb_array_elements(extensions) AS e
+ WHERE
+ (extensions_settings -> (e ->> 'id') -> 'ladCfg' ->> 'diagnosticMonitorConfiguration') IS NOT NULL OR
+ (extensions_settings -> (e ->> 'id') -> 'WadCfg' ->> 'DiagnosticMonitorConfiguration') IS NOT NULL
+ ) THEN 'Guest-Level Diagnostics feature is enabled'
+ ELSE 'Guest-Level Diagnostics feature is not enabled'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
index 6e5282f11..f82c48ae0 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
@@ -1,37 +1,38 @@
 id: azure_check_for_installataion_for_latest_os_patches
 title: Check for installataion for latest OS Patches
+type: control
 description: Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied.
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_virtual_machine
- definition: |
- SELECT
- vm.id AS resource,
- vm.platform_integration_id,
- vm.platform_resource_id,
- CASE
- WHEN COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'CriticalAndSecurityPatchCount')::int) +
- COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'OtherPatchCount')::int) > 0 THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'CriticalAndSecurityPatchCount')::int) +
- COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'OtherPatchCount')::int) > 0 THEN 'There are pending updates in this virtual machine'
- ELSE 'There is no pending updates in this virtual machine'
- END AS reason,
- vm.resource_group,
- display_name AS subscription
- FROM
- azure_compute_virtual_machine AS vm,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = vm.subscription_id
+ language: sql
+ primary_resource: azure_compute_virtual_machine
+ definition: |
+ SELECT
+ vm.id AS resource,
+ vm.platform_integration_id,
+ vm.platform_resource_id,
+ CASE
+ WHEN COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'CriticalAndSecurityPatchCount')::int) +
+ COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'OtherPatchCount')::int) > 0 THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'CriticalAndSecurityPatchCount')::int) +
+ COALESCE((vm.platform_resource_description -> 'VirtualMachineInstanceView' -> 'PatchStatus' -> 'AvailablePatchSummary' ->> 'OtherPatchCount')::int) > 0 THEN 'There are pending updates in this virtual machine'
+ ELSE 'There is no pending updates in this virtual machine'
+ END AS reason,
+ vm.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_virtual_machine AS vm,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = vm.subscription_id
 severity: medium
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- score_service_name:
- - Azure Virtual Machines
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ score_service_name:
+ - Azure Virtual Machines
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
index a8f7bc1af..63d801dea 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
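Review bot: `COALESCE(expr::int)` with a single argument is a no-op, so when `AvailablePatchSummary` is absent (no patch assessment has run for the VM) both operands are NULL, the sum is NULL, `> 0` evaluates to unknown, and the CASE falls through to 'ok' — an unassessed VM is reported as fully patched. Give the missing-data case its own branch ahead of the comparison, e.g. `WHEN (... ->> 'CriticalAndSecurityPatchCount') IS NULL THEN 'info'` with a reason such as 'Patch assessment data not available for this virtual machine', and use `COALESCE(x::int, 0)` for the arithmetic. The same two-line expression is duplicated between the status and reason CASEs; computing the pending count once in a CTE would keep them from drifting apart.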
@@ -1,37 +1,38 @@ id: azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets title: Check for Instance Termination Notifications for Virtual Machine Scale Sets +type: control description: Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine_scale_set - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'VirtualMachineProfile' -> 'ScheduledEventsProfile' -> 'TerminateNotificationProfile' ->> 'Enable' = 'true' - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'VirtualMachineProfile' -> 'ScheduledEventsProfile' -> 'TerminateNotificationProfile' ->> 'Enable' = 'true' - THEN 'Instance Termination Notifications feature is enabled' - ELSE 'Instance Termination Notifications feature is not enabled' - END AS reason, - vm.resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine_scale_set AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine_scale_set + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'VirtualMachineProfile' -> 'ScheduledEventsProfile' -> 'TerminateNotificationProfile' ->> 'Enable' = 'true' + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachineScaleSet' -> 'Properties' -> 'VirtualMachineProfile' -> 'ScheduledEventsProfile' -> 'TerminateNotificationProfile' ->> 'Enable' = 'true' + 
THEN 'Instance Termination Notifications feature is enabled' + ELSE 'Instance Termination Notifications feature is not enabled' + END AS reason, + vm.resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine_scale_set AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml index da4f45453..f9259b94d 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml 
@@ -1,43 +1,44 @@ id: azure_check_for_just_in_time_access_for_virtual_machines title: Check for Just-In-Time Access for Virtual Machines +type: control description: Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT DISTINCT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN NOT EXISTS( - SELECT 1 - FROM azure_security_center_jit_network_access_policy - WHERE virtual_machines::text LIKE '%' || vm.id || '%' - LIMIT 1 - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOT EXISTS( - SELECT 1 - FROM azure_security_center_jit_network_access_policy - WHERE virtual_machines::text LIKE '%' || vm.id || '%' - LIMIT 1 - ) THEN 'Virtual machine is not associated with a Just-in-Time (JIT) network access policy.' - ELSE 'Virtual machine is associated with a Just-in-Time (JIT) network access policy.' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT DISTINCT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN NOT EXISTS( + SELECT 1 + FROM azure_security_center_jit_network_access_policy + WHERE virtual_machines::text LIKE '%' || vm.id || '%' + LIMIT 1 + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOT EXISTS( + SELECT 1 + FROM azure_security_center_jit_network_access_policy + WHERE virtual_machines::text LIKE '%' || vm.id || '%' + LIMIT 1 + ) THEN 'Virtual machine is not associated with a Just-in-Time (JIT) network access policy.' + ELSE 'Virtual machine is associated with a Just-in-Time (JIT) network access policy.' 
+ END AS reason, + vm.resource_group, + display_name AS subscription + FROM azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE sub.subscription_id = vm.subscription_id; severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml index c9638b530..f921e9e84 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml 
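Review bot: The JIT association test `virtual_machines::text LIKE '%' || vm.id || '%'` is a substring match on serialized JSON, so a VM named `vm1` is reported `ok` whenever a policy covers `vm10`, and any `_` in a resource ID acts as a LIKE wildcard; conversely, if the policy stores the resource ID in different casing than `vm.id` (Azure resource IDs are case-insensitive) a covered VM is alarmed. Compare resource IDs exactly and case-insensitively over the array elements instead, e.g. `WHERE EXISTS (SELECT 1 FROM jsonb_array_elements(virtual_machines) AS v WHERE lower(v ->> 'id') = lower(vm.id))` — the `'id'` key is assumed from the Azure JIT policy shape and should be confirmed against the table's actual column contents. The `LIMIT 1` inside `EXISTS` is redundant, and `SELECT DISTINCT` is unnecessary here since the join on `subscription_id` cannot multiply rows.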
@@ -1,42 +1,43 @@ id: azure_check_for_old_virtual_machine_disk_snapshots title: Check for Old Virtual Machine Disk Snapshots +type: control description: Identify and remove old virtual machine disk snapshots in order to optimize cloud costs. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureDiskSnapshotAgeThreshold - value: '' +- key: azureDiskSnapshotAgeThreshold + value: "" policy: - language: sql - primary_resource: azure_compute_snapshot - definition: | - SELECT - s.name AS resource, - s.platform_integration_id, - s.platform_resource_id, - NOW() - s.time_created AS age, - CASE - WHEN NOW() - s.time_created > '{{.azureDiskSnapshotAgeThreshold}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN NOW() - s.time_created > '{{.azureDiskSnapshotAgeThreshold}} days'::interval THEN s.name || ' snapshot is too old and can be removed' - ELSE s.name || ' snapshot is not old' - END AS reason, - s.resource_group, - sub.display_name AS subscription - FROM - azure_compute_snapshot AS s, - azure_subscription AS sub - WHERE - sub.subscription_id = s.subscription_id; + language: sql + primary_resource: azure_compute_snapshot + definition: | + SELECT + s.name AS resource, + s.platform_integration_id, + s.platform_resource_id, + NOW() - s.time_created AS age, + CASE + WHEN NOW() - s.time_created > '{{.azureDiskSnapshotAgeThreshold}} days'::interval THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN NOW() - s.time_created > '{{.azureDiskSnapshotAgeThreshold}} days'::interval THEN s.name || ' snapshot is too old and can be removed' + ELSE s.name || ' snapshot is not old' + END AS reason, + s.resource_group, + sub.display_name AS subscription + FROM + azure_compute_snapshot AS s, + azure_subscription AS sub + WHERE + sub.subscription_id = s.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Optimization - score_service_name: - - Azure 
Virtual Machines - score_tags: - - Optimization + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Optimization + score_service_name: + - Azure Virtual Machines + score_tags: + - Optimization diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml index a442cffcd..978ce5b8f 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml 
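Review bot: With the default `value: ""` the literal in `'{{.azureDiskSnapshotAgeThreshold}} days'::interval` becomes `' days'`, which PostgreSQL rejects as an interval, so the control errors on every run until the parameter is set instead of evaluating to `ok`/`alarm`. Ship a numeric default (or document that the parameter is mandatory) and, because the value is spliced into the SQL text by template substitution rather than bound, cast it explicitly so a non-numeric value fails loudly rather than being read as part of the interval string, e.g. `NOW() - s.time_created > make_interval(days => '{{.azureDiskSnapshotAgeThreshold}}'::int)`.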
@@ -1,44 +1,45 @@ id: azure_check_for_performance_diagnostics_for_azure_virtual_machines title: Check for Performance Diagnostics for Azure Virtual Machines +type: control description: Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex - WHERE ('AzurePerformanceDiagnosticsLinux' = (ex ->> 'name')) - OR ('AzurePerformanceDiagnostics' = (ex ->> 'name')) - ) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex - WHERE ('AzurePerformanceDiagnosticsLinux' = (ex ->> 'name')) - OR ('AzurePerformanceDiagnostics' = (ex ->> 'name')) - ) - THEN 'Performance Diagnostics feature, powered by PerfInsights extension, is enabled' - ELSE 'Performance Diagnostics feature, powered by PerfInsights extension, is not enabled' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN azure_subscription AS sub - ON sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex + WHERE ('AzurePerformanceDiagnosticsLinux' = (ex ->> 'name')) + OR ('AzurePerformanceDiagnostics' = (ex ->> 'name')) + ) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex + WHERE ('AzurePerformanceDiagnosticsLinux' = (ex ->> 'name')) + OR ('AzurePerformanceDiagnostics' = (ex ->> 'name')) + ) + THEN 'Performance 
Diagnostics feature, powered by PerfInsights extension, is enabled' + ELSE 'Performance Diagnostics feature, powered by PerfInsights extension, is not enabled' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN azure_subscription AS sub + ON sub.subscription_id = vm.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml index 26df0a4b4..29be260e8 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml 
@@ -1,35 +1,36 @@ id: azure_check_for_ssh_authentication_type title: Check for SSH Authentication Type +type: control description: Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'OSProfile' -> 'LinuxConfiguration' ->> 'DisablePasswordAuthentication' = 'false' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'OSProfile' -> 'LinuxConfiguration' ->> 'DisablePasswordAuthentication' = 'false' THEN 'SSH authentication type for the selected Microsoft Azure virtual machine is password-based and is not secured' - ELSE 'SSH authentication type for the selected Microsoft Azure virtual machine is secured' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'OSProfile' -> 'LinuxConfiguration' ->> 'DisablePasswordAuthentication' = 'false' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'OSProfile' -> 'LinuxConfiguration' ->> 'DisablePasswordAuthentication' = 'false' THEN 'SSH authentication type for the selected Microsoft Azure virtual machine is password-based and is not secured' + ELSE 'SSH authentication type for the selected Microsoft Azure virtual machine 
is secured' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml index 1f4572077..b4a6e018a 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml 
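Review bot: Only the literal `'false'` value of `DisablePasswordAuthentication` alarms, so a Linux VM whose `LinuxConfiguration` omits the key — where password authentication is, as far as I can tell, the Azure default — is reported `ok` with the reason `... is secured`, and every Windows VM (no `LinuxConfiguration` at all) is reported `ok` with the same SSH wording. Treat a missing key as not disabled and take Windows VMs out of the pass/fail population: `WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Properties' -> 'OSProfile' -> 'LinuxConfiguration' IS NULL THEN 'info'` followed by `WHEN COALESCE(... ->> 'DisablePasswordAuthentication', 'false') = 'false' THEN 'alarm'`, with matching reason branches. Confirm the API default before relying on the `COALESCE` fallback.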
@@ -1,37 +1,38 @@ id: azure_check_for_sufficient_daily_backup_retention_period title: Check for Sufficient Daily Backup Retention Period +type: control description: Ensure there is a sufficient daily backup retention period configured for Azure virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureSufficientDailyBackupRetention - value: '7' +- key: azureSufficientDailyBackupRetention + value: "7" policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN (bp.properties -> 'RetentionPolicy' -> 'dailySchedule' -> 'retentionDuration' ->> 'count')::int < '{{.azureSufficientDailyBackupRetention}}'::int THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (bp.properties -> 'RetentionPolicy' -> 'dailySchedule' -> 'retentionDuration' ->> 'count')::int < '{{.azureSufficientDailyBackupRetention}}'::int THEN 'backup policy does not have a sufficient daily backup retention period configured.' - ELSE 'backup policy has a sufficient daily backup retention period configured.' 
- END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id - LEFT JOIN azure_recovery_services_backup_item AS bi ON vm.id = (bi.properties ->> 'SourceResourceID') - LEFT JOIN azure_recovery_services_backup_policy AS bp ON bi.properties ->> 'PolicyID' = bp.id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN (bp.properties -> 'RetentionPolicy' -> 'dailySchedule' -> 'retentionDuration' ->> 'count')::int < '{{.azureSufficientDailyBackupRetention}}'::int THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (bp.properties -> 'RetentionPolicy' -> 'dailySchedule' -> 'retentionDuration' ->> 'count')::int < '{{.azureSufficientDailyBackupRetention}}'::int THEN 'backup policy does not have a sufficient daily backup retention period configured.' + ELSE 'backup policy has a sufficient daily backup retention period configured.' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN azure_subscription AS sub ON sub.subscription_id = vm.subscription_id + LEFT JOIN azure_recovery_services_backup_item AS bi ON vm.id = (bi.properties ->> 'SourceResourceID') + LEFT JOIN azure_recovery_services_backup_policy AS bp ON bi.properties ->> 'PolicyID' = bp.id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines 
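Review bot: A VM with no backup at all passes this control: both LEFT JOINs yield NULL for `bp.properties`, `NULL < N` is unknown, and the CASE falls to `ELSE 'ok'` with the reason `backup policy has a sufficient daily backup retention period configured.` Add a leading branch before the retention comparison, `WHEN bp.id IS NULL THEN 'alarm'` with a reason such as `'no backup policy is associated with this virtual machine'`, so unprotected VMs are surfaced instead of silently passing; the same NULL path is taken when the policy has no `dailySchedule`. The join `vm.id = (bi.properties ->> 'SourceResourceID')` is case-sensitive while Azure resource IDs are not, so a casing mismatch between the two tables would also route a protected VM into the NULL path — worth checking against real data and wrapping both sides in `lower()` if it occurs.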
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml index 482bb0122..f2c1a2573 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml 
@@ -1,40 +1,41 @@ id: azure_check_for_sufficient_instant_restore_retention_period title: Check for Sufficient Instant Restore Retention Period +type: control description: Ensure there is a sufficient instant restore retention period configured for Azure virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureSufficientInstantRestoreRetention - value: '7' +- key: azureSufficientInstantRestoreRetention + value: "7" policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN (bp.properties ->> 'InstantRpRetentionRangeInDays')::int < '{{.azureSufficientInstantRestoreRetention}}'::int THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (bp.properties ->> 'InstantRpRetentionRangeInDays')::int < '{{.azureSufficientInstantRestoreRetention}}'::int THEN 'backup policy does not have a sufficient daily backup retention period configured.' - ELSE 'backup policy has a sufficient daily backup retention period configured.' 
- END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN azure_subscription AS sub - ON sub.subscription_id = vm.subscription_id - LEFT JOIN azure_recovery_services_backup_item AS bi - ON vm.id = (bi.properties ->> 'SourceResourceID') - LEFT JOIN azure_recovery_services_backup_policy AS bp - ON bi.properties ->> 'PolicyID' = bp.id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN (bp.properties ->> 'InstantRpRetentionRangeInDays')::int < '{{.azureSufficientInstantRestoreRetention}}'::int THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (bp.properties ->> 'InstantRpRetentionRangeInDays')::int < '{{.azureSufficientInstantRestoreRetention}}'::int THEN 'backup policy does not have a sufficient daily backup retention period configured.' + ELSE 'backup policy has a sufficient daily backup retention period configured.' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN azure_subscription AS sub + ON sub.subscription_id = vm.subscription_id + LEFT JOIN azure_recovery_services_backup_item AS bi + ON vm.id = (bi.properties ->> 'SourceResourceID') + LEFT JOIN azure_recovery_services_backup_policy AS bp + ON bi.properties ->> 'PolicyID' = bp.id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml index 854d74047..dd95458f5 100644 
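Review bot: The reason strings are copied from the daily-retention control and report on the `daily backup retention period`, so an `alarm` here describes the wrong finding; they should read e.g. `'backup policy does not have a sufficient instant restore retention period configured.'` and `'backup policy has a sufficient instant restore retention period configured.'`. As in the daily control, a VM with no backup item or policy leaves `bp.properties` NULL, makes the `<` comparison unknown, and lands in `ELSE 'ok'`; a leading `WHEN bp.id IS NULL THEN 'alarm'` branch with its own reason is needed so unprotected VMs do not pass.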
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml 
@@ -1,35 +1,36 @@ id: azure_check_for_system_assigned_managed_identities title: Check for System-Assigned Managed Identities +type: control description: Ensure that Azure virtual machines are configured to use system-assigned managed identities. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN (vm.platform_resource_description -> 'VirtualMachine' ->> 'Identity') IS NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (vm.platform_resource_description -> 'VirtualMachine' ->> 'Identity') IS NULL THEN 'system-assigned managed identity is not enabled' - ELSE 'system-assigned managed identity is enabled' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN (vm.platform_resource_description -> 'VirtualMachine' ->> 'Identity') IS NULL THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (vm.platform_resource_description -> 'VirtualMachine' ->> 'Identity') IS NULL THEN 'system-assigned managed identity is not enabled' + ELSE 'system-assigned managed identity is enabled' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines 
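Review bot: `Identity IS NULL` is not equivalent to "system-assigned managed identity is not enabled": a VM with only a user-assigned identity carries a non-null `Identity` object and is reported `ok`, as would a VM whose identity block is present with type `None`. Check the identity type instead, e.g. `WHEN vm.platform_resource_description -> 'VirtualMachine' -> 'Identity' ->> 'Type' IN ('SystemAssigned', 'SystemAssigned, UserAssigned') THEN 'ok' ELSE 'alarm'` — the `Type` key and the exact enum spellings are inferred from the SDK-style casing used in this file's other JSON paths and should be confirmed against the stored description. Note that `->> 'Identity'` stringifies the object; `->` is the operator to use when the value is inspected further.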
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml index 2aabfb963..3cd6e8be6 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml 
@@ -1,39 +1,40 @@ id: azure_check_for_unattached_virtual_machine_disk_volumes title: Check for Unattached Virtual Machine Disk Volumes +type: control description: Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id, - disk.platform_resource_id, - CASE - WHEN disk.disk_state = 'Unattached' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN disk.disk_state = 'Unattached' THEN disk.title || ' has no attachments.' - ELSE disk.title || ' has attachments.' - END AS reason, - disk.resource_group, - display_name AS subscription - FROM - azure_compute_disk AS disk, - azure_subscription AS sub - WHERE - sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id, + disk.platform_resource_id, + CASE + WHEN disk.disk_state = 'Unattached' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN disk.disk_state = 'Unattached' THEN disk.title || ' has no attachments.' + ELSE disk.title || ' has attachments.' + END AS reason, + disk.resource_group, + display_name AS subscription + FROM + azure_compute_disk AS disk, + azure_subscription AS sub + WHERE + sub.subscription_id = disk.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Orphaned Resources - score_service_name: - - Azure Virtual Machines - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Orphaned Resources + score_service_name: + - Azure Virtual Machines + score_tags: + - Orphaned Resources 
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml index 39187105f..e8fae22ed 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml 
@@ -1,44 +1,45 @@ id: azure_check_for_unused_load_balancers title: Check for Unused Load Balancers +type: control description: Identify and remove unused load balancers from your Microsoft Azure cloud account. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_lb - definition: | - SELECT - lb.name AS resource, - lb.platform_resource_id, - lb.platform_integration_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(backend_address_pools) AS p - WHERE p -> 'properties' ->> 'backendIPConfigurations' IS NOT NULL - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(backend_address_pools) AS p - WHERE p -> 'properties' ->> 'backendIPConfigurations' IS NOT NULL - ) THEN lb.name || ' is used.' - ELSE lb.name || ' is unused.' - END AS reason, - lb.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_lb AS lb - LEFT JOIN azure_subscription AS sub - ON lb.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_lb + definition: | + SELECT + lb.name AS resource, + lb.platform_resource_id, + lb.platform_integration_id, + CASE + WHEN EXISTS ( + SELECT 1 FROM jsonb_array_elements(backend_address_pools) AS p + WHERE p -> 'properties' ->> 'backendIPConfigurations' IS NOT NULL + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 FROM jsonb_array_elements(backend_address_pools) AS p + WHERE p -> 'properties' ->> 'backendIPConfigurations' IS NOT NULL + ) THEN lb.name || ' is used.' + ELSE lb.name || ' is unused.' 
+ END AS reason, + lb.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_lb AS lb + LEFT JOIN azure_subscription AS sub + ON lb.subscription_id = sub.subscription_id severity: low tags: - platform_score_cloud_service_name: - - Azure Network - platform_score_use_case: - - Orphaned Resources - score_service_name: - - Azure Network - score_tags: - - Orphaned Resources + platform_score_cloud_service_name: + - Azure Network + platform_score_use_case: + - Orphaned Resources + score_service_name: + - Azure Network + score_tags: + - Orphaned Resources diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml index d8df0b12e..11543401e 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml 
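Review bot: `p -> 'properties' ->> 'backendIPConfigurations' IS NOT NULL` is true for an empty array, because `->>` renders `[]` as the non-null text `'[]'`, so a load balancer whose backend pools exist but have no members is reported as `is used.`. Test the array length instead, `WHERE jsonb_array_length(COALESCE(p -> 'properties' -> 'backendIPConfigurations', '[]'::jsonb)) > 0`; whether an empty pool is emitted as `[]` or with the key omitted depends on the collector, and the `COALESCE` covers both. `backend_address_pools` is unqualified while every other column is aliased through `lb`; qualify it for consistency.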
@@ -1,44 +1,45 @@ id: azure_check_for_usage_of_approved_extensions_only title: Check for usage of Approved Extensions Only +type: control description: Ensure that only approved extensions are installed on your Microsoft Azure virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: - - key: azureAllowedVmExtentions - value: '' +- key: azureAllowedVmExtentions + value: "" policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex - WHERE '{{.azureAllowedVmExtentions}}' NOT LIKE '%' || (ex ->> 'name') || '%' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex - WHERE '{{.azureAllowedVmExtentions}}' NOT LIKE '%' || (ex ->> 'name') || '%' - ) THEN 'VM is using a not allowed extension' - ELSE 'VM is only using allowed extensions' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN - azure_subscription AS sub - ON - sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex + WHERE '{{.azureAllowedVmExtentions}}' NOT LIKE '%' || (ex ->> 'name') || '%' + ) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 FROM jsonb_array_elements(vm.extensions) AS ex + WHERE '{{.azureAllowedVmExtentions}}' NOT LIKE '%' || (ex ->> 'name') || '%' + ) THEN 'VM is using a not allowed extension' + ELSE 'VM is only using allowed extensions' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN 
+ azure_subscription AS sub + ON + sub.subscription_id = vm.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml index 3c995d7d5..ceab595af 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml 
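Review bot: The allow-list check `'{{.azureAllowedVmExtentions}}' NOT LIKE '%' || (ex ->> 'name') || '%'` is a substring test in the wrong direction, so any extension whose name is a substring of an approved name (e.g. `Agent` against an allow-list containing `AzureMonitorLinuxAgent`) is accepted, and `%`/`_` in an extension name act as wildcards; since the extension instance `name` is chosen by whoever deploys it rather than fixed by the publisher, an unapproved extension can be named to pass this high-severity control. Compare exact tokens, `WHERE NOT ((ex ->> 'name') = ANY (string_to_array('{{.azureAllowedVmExtentions}}', ',')))`, and prefer matching the publisher/type pair if those fields exist in `vm.extensions` (not verifiable from this hunk). With the default `value: ""` every VM carrying any extension alarms, which is a safe default but should be stated in the description; `Extentions` is also misspelled in the parameter key, which is a public name and can only be renamed with a compatibility alias.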
@@ -1,39 +1,40 @@ id: azure_check_for_usage_of_byok_for_disk_volumes_encryption title: Check for usage of BYOK for Disk Volumes Encryption +type: control description: Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id, - disk.platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'Disk is encrypted by CMK.' - ELSE 'Disk is encrypted with Service Managed Key instead of CMK.' - END AS reason, - disk.resource_group, - display_name AS subscription - FROM - azure_compute_disk AS disk, - azure_subscription AS sub - WHERE - sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id, + disk.platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'Disk is encrypted by CMK.' + ELSE 'Disk is encrypted with Service Managed Key instead of CMK.' 
+ END AS reason, + disk.resource_group, + display_name AS subscription + FROM + azure_compute_disk AS disk, + azure_subscription AS sub + WHERE + sub.subscription_id = disk.subscription_id; severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure Virtual Machines - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure Virtual Machines + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml index 94b206690..8fbea1d31 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml 
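Review bot: `WHEN encryption_type = 'EncryptionAtRestWithCustomerKey' THEN 'ok' ELSE 'alarm'` alarms on disks whose type is `EncryptionAtRestWithPlatformAndCustomerKeys`, which also uses a customer-managed key, and the ELSE reason then wrongly states the disk uses a service-managed key; `WHEN encryption_type IN ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys') THEN 'ok'` covers both, and a NULL `encryption_type` deserves its own reason branch rather than the same message. The comma join `azure_compute_disk AS disk, azure_subscription AS sub WHERE sub.subscription_id = disk.subscription_id` silently drops any disk whose subscription row is missing from the report, while the sibling controls use LEFT JOIN; the same comma join appears in azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption, azure_check_for_virtual_machine_boot_diagnostics, azure_check_for_zone_redundant_virtual_machine_scale_sets and azure_disks_should_use_standard_snapshots. `LEFT JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id` keeps every disk in the output.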
@@ -1,39 +1,40 @@ id: azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption title: Check for usage of Customer Managed Keys for Virtual Hard Disk Encryption +type: control description: Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id, - disk.platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.' - ELSE 'Disk is encrypted with Platform Key instead of CMK.' - END AS reason, - disk.resource_group, - display_name AS subscription - FROM - azure_compute_disk AS disk, - azure_subscription AS sub - WHERE - sub.subscription_id = disk.subscription_id; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id, + disk.platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.' + ELSE 'Disk is encrypted with Platform Key instead of CMK.' 
+ END AS reason, + disk.resource_group, + display_name AS subscription + FROM + azure_compute_disk AS disk, + azure_subscription AS sub + WHERE + sub.subscription_id = disk.subscription_id; severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure Virtual Machines - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure Virtual Machines + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml index 92e90baa4..4d13bff88 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml 
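Review bot: The reason strings are inverted relative to the status: the `EncryptionAtRestWithPlatformKey` branch that yields `'alarm'` says `'Disk is encrypted by CMK.'` while the `ok` branch says `'Disk is encrypted with Platform Key instead of CMK.'`; swap them so the WHEN branch reads `THEN 'Disk is encrypted with Platform Key instead of CMK.'` and the ELSE reads `'Disk is encrypted by CMK.'`. The same inverted pair appears in azure_server_side_encryption_for_boot_disk_using_cmk and azure_server_side_encryption_for_non_boot_disk_using_cmk. A NULL `encryption_type` also falls to `ELSE 'ok'` here, whereas azure_check_for_usage_of_byok_for_disk_volumes_encryption treats the same unknown state as alarm; the two controls should agree on whether an unreported encryption type passes.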
@@ -1,48 +1,49 @@ id: azure_check_for_usage_of_endpoint_protection title: Check for usage of Endpoint Protection +type: control description: Ensure that endpoint protection is installed on your Microsoft Azure virtual machines. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(vm.extensions) AS ex - WHERE 'EndpointSecurity,Antimalware,EndpointProtection,SCWPAgent,PortalProtectExtension,FileSecurity' ILIKE '%' || (ex ->> 'name') || '%' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(vm.extensions) AS ex - WHERE 'EndpointSecurity,Antimalware,EndpointProtection,SCWPAgent,PortalProtectExtension,FileSecurity' ILIKE '%' || (ex ->> 'name') || '%' - ) THEN 'Azure virtual machine has anti-malware protection' - ELSE 'Azure virtual machine is missing anti-malware protection' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN - azure_subscription AS sub - ON - sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(vm.extensions) AS ex + WHERE 'EndpointSecurity,Antimalware,EndpointProtection,SCWPAgent,PortalProtectExtension,FileSecurity' ILIKE '%' || (ex ->> 'name') || '%' + ) THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS( + SELECT 1 + FROM jsonb_array_elements(vm.extensions) AS ex + WHERE 'EndpointSecurity,Antimalware,EndpointProtection,SCWPAgent,PortalProtectExtension,FileSecurity' ILIKE '%' || (ex ->> 'name') || '%' + ) THEN 'Azure virtual machine has 
anti-malware protection' + ELSE 'Azure virtual machine is missing anti-malware protection' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN + azure_subscription AS sub + ON + sub.subscription_id = vm.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Unencrypted Traffic - score_service_name: - - Azure Virtual Machines - score_tags: - - Unencrypted Traffic + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Unencrypted Traffic + score_service_name: + - Azure Virtual Machines + score_tags: + - Unencrypted Traffic diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml index dc363fab1..25084e92a 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml 
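Review bot: `'EndpointSecurity,Antimalware,...' ILIKE '%' || (ex ->> 'name') || '%'` tests whether the extension name is a substring of the list, so any extension whose name happens to be a fragment of it (`'Security'`, `'Agent'`, or an empty name) counts as anti-malware and the VM is marked ok. An exact, case-insensitive membership test avoids that: `WHERE (ex ->> 'name') ILIKE ANY (ARRAY['EndpointSecurity', 'Antimalware', 'EndpointProtection', 'SCWPAgent', 'PortalProtectExtension', 'FileSecurity'])`, used in both EXISTS subqueries. The list is duplicated in the status and reason expressions; hoisting the EXISTS into a CTE or LATERAL would keep the two copies from drifting apart.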
@@ -1,44 +1,45 @@ id: azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines title: Check for usage of Managed Disk Volumes for Virtual Machines +type: control description: Ensure that your Microsoft Azure virtual machines are using managed disk volumes. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.name AS resource, - vm.platform_resource_id, - vm.platform_integration_id, - CASE - WHEN (vm.managed_disk_id IS NULL AND NOT EXISTS ( - SELECT 1 FROM jsonb_array_elements(data_disks) AS d WHERE d->>'managedDisk' IS NOT NULL - )) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (vm.managed_disk_id IS NULL AND NOT EXISTS ( - SELECT 1 FROM jsonb_array_elements(data_disks) AS d WHERE d->>'managedDisk' IS NOT NULL - )) THEN vm.name || ' is not using managed disks.' - ELSE vm.name || ' is using managed disks.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN - azure_subscription AS sub - ON - vm.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.name AS resource, + vm.platform_resource_id, + vm.platform_integration_id, + CASE + WHEN (vm.managed_disk_id IS NULL AND NOT EXISTS ( + SELECT 1 FROM jsonb_array_elements(data_disks) AS d WHERE d->>'managedDisk' IS NOT NULL + )) THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN (vm.managed_disk_id IS NULL AND NOT EXISTS ( + SELECT 1 FROM jsonb_array_elements(data_disks) AS d WHERE d->>'managedDisk' IS NOT NULL + )) THEN vm.name || ' is not using managed disks.' + ELSE vm.name || ' is using managed disks.' 
+ END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN + azure_subscription AS sub + ON + vm.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Lacking High Availability - score_service_name: - - Azure Virtual Machines - score_tags: - - Lacking High Availability + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Lacking High Availability + score_service_name: + - Azure Virtual Machines + score_tags: + - Lacking High Availability diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml index 2343e5e63..a8f91262f 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml 
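Review bot: The alarm condition `vm.managed_disk_id IS NULL AND NOT EXISTS (... WHERE d->>'managedDisk' IS NOT NULL)` fires only when no disk at all is managed, so a VM with a managed OS disk and unmanaged data disks, or the reverse, is reported as ok. If the control is meant to require managed volumes throughout, the condition should be `vm.managed_disk_id IS NULL OR EXISTS (SELECT 1 FROM jsonb_array_elements(vm.data_disks) AS d WHERE d ->> 'managedDisk' IS NULL)` in both CASE expressions. Either way, a comment above the definition stating which interpretation is intended would help, since the description says only that VMs should be using managed disk volumes.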
@@ -1,46 +1,47 @@ id: azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication title: Check for Virtual Machine Access using Microsoft Entra ID Authentication +type: control description: Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(vm.extensions) AS ex - WHERE ('AADLoginForWindows' = (ex ->> 'name')) - OR ('AADLoginForLinux' = (ex ->> 'name')) - ) - THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(vm.extensions) AS ex - WHERE ('AADLoginForWindows' = (ex ->> 'name')) - OR ('AADLoginForLinux' = (ex ->> 'name')) - ) - THEN 'Azure virtual machine is configured to use Microsoft Entra ID authentication' - ELSE 'Azure virtual machine is not configured to use Microsoft Entra ID authentication' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN azure_subscription AS sub - ON sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(vm.extensions) AS ex + WHERE ('AADLoginForWindows' = (ex ->> 'name')) + OR ('AADLoginForLinux' = (ex ->> 'name')) + ) + THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN EXISTS ( + SELECT 1 + FROM jsonb_array_elements(vm.extensions) AS ex + WHERE ('AADLoginForWindows' = (ex ->> 'name')) + OR ('AADLoginForLinux' = (ex ->> 'name')) + ) + THEN 'Azure virtual machine is configured to use Microsoft Entra ID 
authentication' + ELSE 'Azure virtual machine is not configured to use Microsoft Entra ID authentication' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN azure_subscription AS sub + ON sub.subscription_id = vm.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml index d0e11a9b8..a40bf3b74 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml 
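Review bot: The match `('AADLoginForWindows' = (ex ->> 'name')) OR ('AADLoginForLinux' = (ex ->> 'name'))` covers only those two extension names; the current Linux extension is published as `AADSSHLoginForLinux`, so Linux VMs running it are reported as not configured for Entra ID. `WHERE (ex ->> 'name') IN ('AADLoginForWindows', 'AADLoginForLinux', 'AADSSHLoginForLinux')` in both EXISTS subqueries would cover it, and the name list is worth confirming against the Azure extension catalogue before merging. Presence of the extension also does not show it provisioned successfully; if the extension objects carry a provisioning state, checking it would make the ok verdict stronger.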
@@ -1,35 +1,36 @@ id: azure_check_for_virtual_machine_boot_diagnostics title: Check for Virtual Machine Boot Diagnostics +type: control description: Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN (boot_diagnostics_enabled)::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (boot_diagnostics_enabled)::bool THEN 'Boot Diagnostics feature is enabled' - ELSE 'Boot Diagnostics feature is not enabled' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN (boot_diagnostics_enabled)::bool THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (boot_diagnostics_enabled)::bool THEN 'Boot Diagnostics feature is enabled' + ELSE 'Boot Diagnostics feature is not enabled' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines 
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml index cb19f2f0d..c1c9ca603 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml 
@@ -1,35 +1,36 @@ id: azure_check_for_zone_redundant_virtual_machine_scale_sets title: Check for Zone-Redundant Virtual Machine Scale Sets +type: control description: Ensure that Azure virtual machine scale sets are configured for zone redundancy. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine_scale_set - definition: | - SELECT - vm.id AS resource, - vm.platform_integration_id, - vm.platform_resource_id, - CASE - WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'VM Scale-set is available in more than one zone' - ELSE 'VM Scale-set is not available in more than one zone' - END AS reason, - vm.resource_group, - display_name AS subscription - FROM - azure_compute_virtual_machine_scale_set AS vm, - azure_subscription AS sub - WHERE - sub.subscription_id = vm.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine_scale_set + definition: | + SELECT + vm.id AS resource, + vm.platform_integration_id, + vm.platform_resource_id, + CASE + WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN (SELECT COUNT(*) FROM jsonb_array_elements_text(zones)) > 1 THEN 'VM Scale-set is available in more than one zone' + ELSE 'VM Scale-set is not available in more than one zone' + END AS reason, + vm.resource_group, + display_name AS subscription + FROM + azure_compute_virtual_machine_scale_set AS vm, + azure_subscription AS sub + WHERE + sub.subscription_id = vm.subscription_id severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - score_service_name: - - Azure Virtual Machines + platform_score_cloud_service_name: + - Azure Virtual Machines + score_service_name: + - Azure Virtual Machines 
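Review bot: The scalar subquery `(SELECT COUNT(*) FROM jsonb_array_elements_text(zones))` is written twice and reads `zones` unqualified in a two-table FROM; `jsonb_array_length(vm.zones) > 1` expresses the same test (a NULL `zones` gives NULL and falls to `ELSE 'alarm'`, exactly as the zero count does today). Qualifying the column also guards against a future `zones` column on azure_subscription making the query ambiguous.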
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml index 9d60eee39..bd3871acf 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml 
@@ -1,40 +1,41 @@ id: azure_disk_encryption_for_boot_disk_volumes title: Azure Disk Encryption for Boot Disk Volumes +type: control description: Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.name AS resource, - vm.platform_resource_id, - vm.platform_integration_id, - CASE - WHEN encryption_settings_collection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN encryption_settings_collection_enabled THEN vm.name || ' disk encryption for os disk is enabled.' - ELSE vm.name || ' disk encryption for os disk is not enabled.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN azure_compute_disk AS d - ON d.name = vm.os_disk_name - LEFT JOIN azure_subscription AS sub - ON vm.subscription_id = sub.subscription_id + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.name AS resource, + vm.platform_resource_id, + vm.platform_integration_id, + CASE + WHEN encryption_settings_collection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN encryption_settings_collection_enabled THEN vm.name || ' disk encryption for os disk is enabled.' + ELSE vm.name || ' disk encryption for os disk is not enabled.' 
+ END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN azure_compute_disk AS d + ON d.name = vm.os_disk_name + LEFT JOIN azure_subscription AS sub + ON vm.subscription_id = sub.subscription_id severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure Virtual Machines - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure Virtual Machines + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml index 778c95494..d0c13472c 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml 
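Review bot: `LEFT JOIN azure_compute_disk AS d ON d.name = vm.os_disk_name` joins on the disk name alone, but disk names are only unique within a resource group, so a VM can pair with same-named disks from other resource groups or subscriptions, producing duplicate rows and a verdict taken from the wrong disk; the unqualified `encryption_settings_collection_enabled` also becomes ambiguous if the VM table ever gains a column of that name. Joining on the attachment, `LEFT JOIN azure_compute_disk AS d ON d.managed_by = vm.id AND d.name = vm.os_disk_name`, as the non-boot control does, and reading `d.encryption_settings_collection_enabled` pins the row to the VM's own OS disk. azure_server_side_encryption_for_boot_disk_using_cmk has the same name-only join `vm.os_disk_name = disk.name`.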
@@ -1,42 +1,43 @@ id: azure_disk_encryption_for_non_boot_disk_volumes title: Azure Disk Encryption for Non Boot Disk Volumes +type: control description: Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_virtual_machine - definition: | - SELECT - vm.name AS resource, - vm.platform_resource_id, - vm.platform_integration_id, - CASE - WHEN d.encryption_settings_collection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.encryption_settings_collection_enabled THEN vm.name || ' disk encryption for non-boot volume ' || d.name || ' is enabled.' - ELSE vm.name || ' disk encryption for non-boot volume ' || d.name || ' is not enabled.' - END AS reason, - vm.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_virtual_machine AS vm - LEFT JOIN - azure_compute_disk AS d ON d.managed_by = vm.id - LEFT JOIN - azure_subscription AS sub ON vm.subscription_id = sub.subscription_id - WHERE - d.name != vm.os_disk_name; + language: sql + primary_resource: azure_compute_virtual_machine + definition: | + SELECT + vm.name AS resource, + vm.platform_resource_id, + vm.platform_integration_id, + CASE + WHEN d.encryption_settings_collection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.encryption_settings_collection_enabled THEN vm.name || ' disk encryption for non-boot volume ' || d.name || ' is enabled.' + ELSE vm.name || ' disk encryption for non-boot volume ' || d.name || ' is not enabled.' 
+ END AS reason, + vm.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_virtual_machine AS vm + LEFT JOIN + azure_compute_disk AS d ON d.managed_by = vm.id + LEFT JOIN + azure_subscription AS sub ON vm.subscription_id = sub.subscription_id + WHERE + d.name != vm.os_disk_name; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure Virtual Machines - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure Virtual Machines + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml index e42edd5cd..ee553ee21 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml 
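Review bot: `WHERE d.name != vm.os_disk_name` is applied to the LEFT JOINed disk, which turns the join into an inner one and also drops every row where either name is NULL, since the comparison is unknown; if VMs without data disks are intentionally excluded, `INNER JOIN azure_compute_disk AS d ON d.managed_by = vm.id AND d.name <> vm.os_disk_name` states that directly and makes the NULL case visible to the next reader. `d.managed_by = vm.id` is an exact string comparison; Azure resource IDs are not consistently case-normalised across APIs, so if the two columns come from different collectors a case-insensitive match may be needed, which is worth verifying against real rows.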
@@ -1,39 +1,40 @@ id: azure_disk_encryption_for_unattached_disk_volumes title: Azure Disk Encryption for Unattached Disk Volumes +type: control description: Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - d.name AS resource, - d.platform_resource_id, - d.platform_integration_id, - CASE - WHEN d.encryption_settings_collection_enabled THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN d.encryption_settings_collection_enabled THEN d.name || ' disk encryption for unattached volume is enabled.' - ELSE d.name || ' disk encryption for unattached volume is not enabled.' - END AS reason, - d.resource_group AS resource_group, - sub.display_name AS subscription - FROM - azure_compute_disk AS d - LEFT JOIN azure_subscription AS sub ON d.subscription_id = sub.subscription_id - WHERE - d.managed_by IS NULL; + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + d.name AS resource, + d.platform_resource_id, + d.platform_integration_id, + CASE + WHEN d.encryption_settings_collection_enabled THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN d.encryption_settings_collection_enabled THEN d.name || ' disk encryption for unattached volume is enabled.' + ELSE d.name || ' disk encryption for unattached volume is not enabled.' 
+ END AS reason, + d.resource_group AS resource_group, + sub.display_name AS subscription + FROM + azure_compute_disk AS d + LEFT JOIN azure_subscription AS sub ON d.subscription_id = sub.subscription_id + WHERE + d.managed_by IS NULL; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Unencrypted Storage - score_service_name: - - Azure Virtual Machines - score_tags: - - Unencrypted Storage + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Unencrypted Storage + score_service_name: + - Azure Virtual Machines + score_tags: + - Unencrypted Storage diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml index 7428852c3..b940b5c04 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml 
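Review bot: The verdict depends only on `d.encryption_settings_collection_enabled` (Azure Disk Encryption), so an unattached disk protected by server-side encryption with a customer-managed key, the property azure_check_for_usage_of_byok_for_disk_volumes_encryption tests through `encryption_type`, is still reported as alarm with the reason `'disk encryption for unattached volume is not enabled.'`. If that is intended, a comment above the definition such as `-- Checks Azure Disk Encryption (encryptionSettingsCollection) only; SSE with CMK is covered by the encryption_type controls` would stop the next reader from treating it as a bug; if not, add `OR d.encryption_type = 'EncryptionAtRestWithCustomerKey'` to both WHEN conditions.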
@@ -1,39 +1,40 @@ id: azure_disks_should_use_standard_snapshots title: Disks should use standard snapshots +type: control description: Use standard storage instead of premium storage for managed disk snapshots to save 60% on costs. integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_snapshot - definition: | - SELECT - ss.id AS resource, - ss.platform_resource_id, - ss.platform_integration_id, - CASE - WHEN ss.sku_tier = 'Standard' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN ss.sku_tier = 'Standard' THEN ss.title || ' has storage type ' || ss.sku_tier || '.' - ELSE ss.title || ' has storage type ' || ss.sku_tier || '.' - END AS reason, - ss.resource_group, - display_name AS subscription - FROM - azure_compute_snapshot AS ss, - azure_subscription AS sub - WHERE - ss.subscription_id = sub.subscription_id; + language: sql + primary_resource: azure_compute_snapshot + definition: | + SELECT + ss.id AS resource, + ss.platform_resource_id, + ss.platform_integration_id, + CASE + WHEN ss.sku_tier = 'Standard' THEN 'ok' + ELSE 'alarm' + END AS status, + CASE + WHEN ss.sku_tier = 'Standard' THEN ss.title || ' has storage type ' || ss.sku_tier || '.' + ELSE ss.title || ' has storage type ' || ss.sku_tier || '.' + END AS reason, + ss.resource_group, + display_name AS subscription + FROM + azure_compute_snapshot AS ss, + azure_subscription AS sub + WHERE + ss.subscription_id = sub.subscription_id; severity: medium tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Over Utilization - score_service_name: - - Azure Virtual Machines - score_tags: - - Over Utilization + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Over Utilization + score_service_name: + - Azure Virtual Machines + score_tags: + - Over Utilization 
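Review bot: Both branches of the reason CASE return the identical `ss.title || ' has storage type ' || ss.sku_tier || '.'`, so the CASE adds nothing and can be collapsed to that single expression as `reason`. If `sku_tier` is NULL the concatenation makes the whole reason NULL while the status still alarms, so `COALESCE(ss.sku_tier, 'unknown')` keeps the message readable in that case.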
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml index 4ece78340..5e8a5092d 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml 
@@ -1,40 +1,41 @@ id: azure_server_side_encryption_for_boot_disk_using_cmk title: Server Side Encryption for Boot Disk using CMK +type: control description: Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs). integration_type: - - azure_subscription +- azure_subscription parameters: [] policy: - language: sql - primary_resource: azure_compute_disk - definition: | - SELECT - disk.id AS resource, - disk.platform_integration_id, - disk.platform_resource_id, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.' - ELSE 'Disk is encrypted with Platform Key instead of CMK.' - END AS reason, - disk.resource_group, - display_name AS subscription - FROM - azure_compute_disk AS disk - LEFT JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id - LEFT JOIN azure_compute_virtual_machine AS vm ON vm.os_disk_name = disk.name - WHERE - vm.id IS NOT NULL + language: sql + primary_resource: azure_compute_disk + definition: | + SELECT + disk.id AS resource, + disk.platform_integration_id, + disk.platform_resource_id, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm' + ELSE 'ok' + END AS status, + CASE + WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.' + ELSE 'Disk is encrypted with Platform Key instead of CMK.' 
+ END AS reason, + disk.resource_group, + display_name AS subscription + FROM + azure_compute_disk AS disk + LEFT JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id + LEFT JOIN azure_compute_virtual_machine AS vm ON vm.os_disk_name = disk.name + WHERE + vm.id IS NOT NULL severity: high tags: - platform_score_cloud_service_name: - - Azure Virtual Machines - platform_score_use_case: - - Insecure Keys - score_service_name: - - Azure Virtual Machines - score_tags: - - Insecure Keys + platform_score_cloud_service_name: + - Azure Virtual Machines + platform_score_use_case: + - Insecure Keys + score_service_name: + - Azure Virtual Machines + score_tags: + - Insecure Keys diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml index 078d357cf..8e60698ff 100644 --- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml +++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml 
@@ -1,40 +1,41 @@
 id: azure_server_side_encryption_for_non_boot_disk_using_cmk
 title: Server Side Encryption for Non-Boot Disk using CMK
+type: control
 description: Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_disk
- definition: |
- SELECT
- disk.id AS resource,
- disk.platform_integration_id,
- disk.platform_resource_id,
- CASE
- WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.'
- ELSE 'Disk is encrypted with Platform Key instead of CMK.'
- END AS reason,
- disk.resource_group,
- display_name AS subscription
- FROM
- azure_compute_disk AS disk
- LEFT JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id
- LEFT JOIN azure_compute_virtual_machine AS vm ON vm.data_disks::text LIKE '%' || disk.id || '%'
- WHERE
- vm.id IS NOT NULL
+ language: sql
+ primary_resource: azure_compute_disk
+ definition: |
+ SELECT
+ disk.id AS resource,
+ disk.platform_integration_id,
+ disk.platform_resource_id,
+ CASE
+ WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.'
+ ELSE 'Disk is encrypted with Platform Key instead of CMK.'
+ END AS reason,
+ disk.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_disk AS disk
+ LEFT JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id
+ LEFT JOIN azure_compute_virtual_machine AS vm ON vm.data_disks::text LIKE '%' || disk.id || '%'
+ WHERE
+ vm.id IS NOT NULL
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- platform_score_use_case:
- - Insecure Keys
- score_service_name:
- - Azure Virtual Machines
- score_tags:
- - Insecure Keys
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ platform_score_use_case:
+ - Insecure Keys
+ score_service_name:
+ - Azure Virtual Machines
+ score_tags:
+ - Insecure Keys
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
index 965d1c6ec..6164e1bed 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
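Review bot: The attachment test `vm.data_disks::text LIKE '%' || disk.id || '%'` is a substring match over serialized JSON, so a disk id that is a prefix of another disk's id (for example `.../disks/data1` against `.../disks/data10`) is treated as attached to that VM, any `_` in the id acts as a single-character wildcard, and because LIKE is case-sensitive a VM reference whose casing differs from the disk's resource id (Azure compares ARM ids case-insensitively) is missed, which together with the `vm.id IS NOT NULL` filter silently drops that disk from the control. A JSON-aware, case-insensitive equality on the managed disk id of each `data_disks` element is the safer join, e.g. `ON EXISTS (SELECT 1 FROM jsonb_array_elements(vm.data_disks) AS d WHERE lower(d -> 'managedDisk' ->> 'id') = lower(disk.id))`, assuming the elements carry the id under `managedDisk.id` as in the Azure storage profile; the exact key path and the column's json type are not visible here and should be confirmed against the table schema.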
@@ -1,40 +1,41 @@
 id: azure_server_side_encryption_for_unattached_disk_using_cmk
 title: Server Side Encryption for Unattached Disk using CMK
+type: control
 description: Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs).
 integration_type:
- - azure_subscription
+- azure_subscription
 parameters: []
 policy:
- language: sql
- primary_resource: azure_compute_disk
- definition: |
- SELECT
- disk.id AS resource,
- disk.platform_integration_id,
- disk.platform_resource_id,
- CASE
- WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.'
- ELSE 'Disk is encrypted with Platform Key instead of CMK.'
- END AS reason,
- disk.resource_group,
- display_name AS subscription
- FROM
- azure_compute_disk AS disk,
- azure_subscription AS sub
- WHERE
- sub.subscription_id = disk.subscription_id
- AND disk_state = 'Unattached'
+ language: sql
+ primary_resource: azure_compute_disk
+ definition: |
+ SELECT
+ disk.id AS resource,
+ disk.platform_integration_id,
+ disk.platform_resource_id,
+ CASE
+ WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN encryption_type = 'EncryptionAtRestWithPlatformKey' THEN 'Disk is encrypted by CMK.'
+ ELSE 'Disk is encrypted with Platform Key instead of CMK.'
+ END AS reason,
+ disk.resource_group,
+ display_name AS subscription
+ FROM
+ azure_compute_disk AS disk,
+ azure_subscription AS sub
+ WHERE
+ sub.subscription_id = disk.subscription_id
+ AND disk_state = 'Unattached'
 severity: high
 tags:
- platform_score_cloud_service_name:
- - Azure Virtual Machines
- platform_score_use_case:
- - Insecure Keys
- score_service_name:
- - Azure Virtual Machines
- score_tags:
- - Insecure Keys
+ platform_score_cloud_service_name:
+ - Azure Virtual Machines
+ platform_score_use_case:
+ - Insecure Keys
+ score_service_name:
+ - Azure Virtual Machines
+ score_tags:
+ - Insecure Keys
diff --git a/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml b/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
index 767a84c11..08ff3f975 100644
--- a/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
+++ b/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
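Review bot: The new definition still joins `azure_compute_disk` and `azure_subscription` with a comma join and carries the join predicate in WHERE, while the sibling boot and non-boot disk controls use explicit `LEFT JOIN ... ON`; writing `FROM azure_compute_disk AS disk INNER JOIN azure_subscription AS sub ON sub.subscription_id = disk.subscription_id WHERE disk.disk_state = 'Unattached'` keeps the join condition next to the table it binds and matches the sibling files. Note that the comma join is an inner join, so a disk whose subscription row is absent disappears from the result rather than appearing with a NULL subscription as it would in the sibling controls; if that difference is intended, a one-line comment above `FROM` saying so would stop it being read as an oversight. `disk_state`, `encryption_type` and `display_name` are unqualified in a two-table query and are clearer with their table alias.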
@@ -1,86 +1,87 @@
 id: platform_connection_mom_cost_growth
 title: MoM growth for a connection that has a cost more than a certain amount cannot grow more than a certain percentage
+type: control
 description: MoM growth for a connection that has a cost more than a certain amount cannot grow more than a certain percentage
 integration_type:
- - aws_cloud_account
- - azure_subscription
+- aws_cloud_account
+- azure_subscription
 parameters:
- - key: platformConnectionMoMCostGrowthMinCost
- value: ''
- - key: platformConnectionMoMCostGrowthAllowedGrowth
- value: ''
+- key: platformConnectionMoMCostGrowthMinCost
+ value: ""
+- key: platformConnectionMoMCostGrowthAllowedGrowth
+ value: ""
 policy:
- language: sql
- primary_resource: ''
- definition: |
- WITH last30 AS (
- SELECT
- connection_id,
- SUM(cost_value) AS cost_value
- FROM platform_cost
- WHERE period_start::timestamp >= NOW() - INTERVAL '31 days'
- AND period_end::timestamp <= NOW()
- GROUP BY connection_id
- ),
- last60to30 AS (
- SELECT
- connection_id,
- SUM(cost_value) AS cost_value
- FROM platform_cost
- WHERE period_start::timestamp >= NOW() - INTERVAL '62 days'
- AND period_end::timestamp <= NOW() - INTERVAL '31 days'
- GROUP BY connection_id
- ),
- last_valid_60 AS (
- SELECT
- l.connection_id AS connection_id,
- l.cost_value AS last30_cost_value,
- s.cost_value AS last60to30_cost_value
- FROM last30 AS l
- JOIN last60to30 AS s ON (l.connection_id = s.connection_id)
- WHERE l.cost_value > {{.platformConnectionMoMCostGrowthMinCost}}
- )
- SELECT
- CASE
- WHEN aw.account_id IS NOT NULL THEN aw.account_id
- WHEN az.subscription_id IS NOT NULL THEN az.subscription_id
- END AS resource,
- CASE
- WHEN aw.platform_integration_id IS NOT NULL THEN aw.platform_integration_id
- WHEN az.platform_integration_id IS NOT NULL THEN az.platform_integration_id
- END AS platform_integration_id,
- CASE
- WHEN aw.platform_resource_id IS NOT NULL THEN aw.platform_resource_id
- WHEN az.platform_resource_id IS NOT NULL THEN az.platform_resource_id
- END AS platform_resource_id,
- CASE
- WHEN aw.account_id IS NOT NULL THEN 'aws_account'
- WHEN az.subscription_id IS NOT NULL THEN 'azure_subscription'
- END AS platform_table_name,
- CASE
- WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN aw.account_id IS NOT NULL
- AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
- THEN aw.account_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
- WHEN az.subscription_id IS NOT NULL
- AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
- THEN az.subscription_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
- ELSE 'Connection did not have more than allowed growth'
- END AS reason
- FROM last_valid_60 AS l
- LEFT JOIN aws_account AS aw ON aw.platform_integration_id = l.connection_id
- LEFT JOIN azure_subscription AS az ON az.platform_integration_id = l.connection_id
+ language: sql
+ primary_resource: ""
+ definition: |
+ WITH last30 AS (
+ SELECT
+ connection_id,
+ SUM(cost_value) AS cost_value
+ FROM platform_cost
+ WHERE period_start::timestamp >= NOW() - INTERVAL '31 days'
+ AND period_end::timestamp <= NOW()
+ GROUP BY connection_id
+ ),
+ last60to30 AS (
+ SELECT
+ connection_id,
+ SUM(cost_value) AS cost_value
+ FROM platform_cost
+ WHERE period_start::timestamp >= NOW() - INTERVAL '62 days'
+ AND period_end::timestamp <= NOW() - INTERVAL '31 days'
+ GROUP BY connection_id
+ ),
+ last_valid_60 AS (
+ SELECT
+ l.connection_id AS connection_id,
+ l.cost_value AS last30_cost_value,
+ s.cost_value AS last60to30_cost_value
+ FROM last30 AS l
+ JOIN last60to30 AS s ON (l.connection_id = s.connection_id)
+ WHERE l.cost_value > {{.platformConnectionMoMCostGrowthMinCost}}
+ )
+ SELECT
+ CASE
+ WHEN aw.account_id IS NOT NULL THEN aw.account_id
+ WHEN az.subscription_id IS NOT NULL THEN az.subscription_id
+ END AS resource,
+ CASE
+ WHEN aw.platform_integration_id IS NOT NULL THEN aw.platform_integration_id
+ WHEN az.platform_integration_id IS NOT NULL THEN az.platform_integration_id
+ END AS platform_integration_id,
+ CASE
+ WHEN aw.platform_resource_id IS NOT NULL THEN aw.platform_resource_id
+ WHEN az.platform_resource_id IS NOT NULL THEN az.platform_resource_id
+ END AS platform_resource_id,
+ CASE
+ WHEN aw.account_id IS NOT NULL THEN 'aws_account'
+ WHEN az.subscription_id IS NOT NULL THEN 'azure_subscription'
+ END AS platform_table_name,
+ CASE
+ WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN aw.account_id IS NOT NULL
+ AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
+ THEN aw.account_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
+ WHEN az.subscription_id IS NOT NULL
+ AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformConnectionMoMCostGrowthAllowedGrowth}}
+ THEN az.subscription_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
+ ELSE 'Connection did not have more than allowed growth'
+ END AS reason
+ FROM last_valid_60 AS l
+ LEFT JOIN aws_account AS aw ON aw.platform_integration_id = l.connection_id
+ LEFT JOIN azure_subscription AS az ON az.platform_integration_id = l.connection_id
 severity: high
 tags:
- platform_score_cloud_service_name:
- - TODO
- platform_score_use_case:
- - TODO
- score_service_name:
- - TODO
- score_tags:
- - TODO
+ platform_score_cloud_service_name:
+ - TODO
+ platform_score_use_case:
+ - TODO
+ score_service_name:
+ - TODO
+ score_tags:
+ - TODO
diff --git a/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml b/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml
index ab24c4dbb..ada96c81c 100644
--- a/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml
+++ b/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml
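Review bot: `{{.platformConnectionMoMCostGrowthMinCost}}` and `{{.platformConnectionMoMCostGrowthAllowedGrowth}}` are spliced into the SQL text as raw template values, and the commit keeps both defaults as `value: ""`, so with the defaults the rendered predicate becomes `WHERE l.cost_value >` and the control fails with a syntax error at run time instead of a clear "threshold not configured" result; a numeric default such as `value: "0"` for the minimum cost, or a check that both values parse as numbers before rendering, would surface the problem earlier. Because the values are substituted unquoted, the rendering layer must restrict them to numeric literals before they reach the query; that guarantee is not visible in this file and deserves a comment above `parameters:`. The growth ratio `(l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value` divides by the current period, which for non-negative costs bounds the result below 1, so an allowed-growth threshold of 1 or more can never alarm; month-over-month growth is normally measured against the prior period, `/ NULLIF(l.last60to30_cost_value, 0)`, and if the current denominator is deliberate a comment should say so. The same template splicing with empty defaults appears in the kaytu_mom_cost_growth_15 hunk that follows.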
@@ -1,81 +1,82 @@
 id: platform_mom_cost_growth_15
 title: MoM growth for a service that is >$100 cannot grow more than 15%
+type: control
 description: MoM growth for a service that is >$100 cannot grow more than 15%
 integration_type:
- - aws_cloud_account
- - azure_subscription
+- aws_cloud_account
+- azure_subscription
 parameters:
- - key: platformMoMCostGrowthMinCost
- value: ''
- - key: platformMoMCostGrowthAllowedGrowth
- value: ''
+- key: platformMoMCostGrowthMinCost
+ value: ""
+- key: platformMoMCostGrowthAllowedGrowth
+ value: ""
 policy:
- language: sql
- primary_resource: ''
- definition: |
- WITH last30 AS (
- SELECT connection_id, metric_id, metric_name, SUM(cost_value) AS cost_value
- FROM platform_cost
- WHERE period_start::timestamp >= NOW() - INTERVAL '31 days'
- AND period_end::timestamp <= NOW()
- GROUP BY connection_id, metric_id, metric_name
- ),
- last60to30 AS (
- SELECT connection_id, metric_id, metric_name, SUM(cost_value) AS cost_value
- FROM platform_cost
- WHERE period_start::timestamp >= NOW() - INTERVAL '62 days'
- AND period_end::timestamp <= NOW() - INTERVAL '31 days'
- GROUP BY connection_id, metric_id, metric_name
- ),
- last_valid_60 AS (
- SELECT
- l.connection_id AS connection_id,
- l.metric_id AS metric_id,
- l.metric_name AS metric_name,
- l.cost_value AS last30_cost_value,
- s.cost_value AS last60to30_cost_value
- FROM last30 AS l
- JOIN last60to30 AS s
- ON (l.connection_id = s.connection_id AND l.metric_id = s.metric_id)
- WHERE l.cost_value > {{.platformMoMCostGrowthMinCost}}
- )
- SELECT
- CASE
- WHEN aw.account_id IS NOT NULL THEN aw.account_id || ' - ' || l.metric_id
- WHEN az.subscription_id IS NOT NULL THEN az.subscription_id || ' - ' || l.metric_id
- END AS resource,
- CASE
- WHEN aw.platform_integration_id IS NOT NULL THEN aw.platform_integration_id
- WHEN az.platform_integration_id IS NOT NULL THEN az.platform_integration_id
- END AS platform_integration_id,
- CASE
- WHEN aw.platform_resource_id IS NOT NULL THEN aw.platform_resource_id
- WHEN az.platform_resource_id IS NOT NULL THEN az.platform_resource_id
- END AS platform_resource_id,
- CASE
- WHEN aw.account_id IS NOT NULL THEN 'aws_account'
- WHEN az.subscription_id IS NOT NULL THEN 'azure_subscription'
- END AS platform_table_name,
- CASE
- WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformMoMCostGrowthAllowedGrowth}}
- THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformMoMCostGrowthAllowedGrowth}}
- THEN l.metric_name || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
- ELSE l.metric_name || ' did not have more than allowed growth'
- END AS reason
- FROM last_valid_60 AS l
- LEFT JOIN aws_account AS aw ON aw.platform_integration_id = l.connection_id
- LEFT JOIN azure_subscription AS az ON az.platform_integration_id = l.connection_id
+ language: sql
+ primary_resource: ""
+ definition: |
+ WITH last30 AS (
+ SELECT connection_id, metric_id, metric_name, SUM(cost_value) AS cost_value
+ FROM platform_cost
+ WHERE period_start::timestamp >= NOW() - INTERVAL '31 days'
+ AND period_end::timestamp <= NOW()
+ GROUP BY connection_id, metric_id, metric_name
+ ),
+ last60to30 AS (
+ SELECT connection_id, metric_id, metric_name, SUM(cost_value) AS cost_value
+ FROM platform_cost
+ WHERE period_start::timestamp >= NOW() - INTERVAL '62 days'
+ AND period_end::timestamp <= NOW() - INTERVAL '31 days'
+ GROUP BY connection_id, metric_id, metric_name
+ ),
+ last_valid_60 AS (
+ SELECT
+ l.connection_id AS connection_id,
+ l.metric_id AS metric_id,
+ l.metric_name AS metric_name,
+ l.cost_value AS last30_cost_value,
+ s.cost_value AS last60to30_cost_value
+ FROM last30 AS l
+ JOIN last60to30 AS s
+ ON (l.connection_id = s.connection_id AND l.metric_id = s.metric_id)
+ WHERE l.cost_value > {{.platformMoMCostGrowthMinCost}}
+ )
+ SELECT
+ CASE
+ WHEN aw.account_id IS NOT NULL THEN aw.account_id || ' - ' || l.metric_id
+ WHEN az.subscription_id IS NOT NULL THEN az.subscription_id || ' - ' || l.metric_id
+ END AS resource,
+ CASE
+ WHEN aw.platform_integration_id IS NOT NULL THEN aw.platform_integration_id
+ WHEN az.platform_integration_id IS NOT NULL THEN az.platform_integration_id
+ END AS platform_integration_id,
+ CASE
+ WHEN aw.platform_resource_id IS NOT NULL THEN aw.platform_resource_id
+ WHEN az.platform_resource_id IS NOT NULL THEN az.platform_resource_id
+ END AS platform_resource_id,
+ CASE
+ WHEN aw.account_id IS NOT NULL THEN 'aws_account'
+ WHEN az.subscription_id IS NOT NULL THEN 'azure_subscription'
+ END AS platform_table_name,
+ CASE
+ WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformMoMCostGrowthAllowedGrowth}}
+ THEN 'alarm'
+ ELSE 'ok'
+ END AS status,
+ CASE
+ WHEN (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.platformMoMCostGrowthAllowedGrowth}}
+ THEN l.metric_name || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'
+ ELSE l.metric_name || ' did not have more than allowed growth'
+ END AS reason
+ FROM last_valid_60 AS l
+ LEFT JOIN aws_account AS aw ON aw.platform_integration_id = l.connection_id
+ LEFT JOIN azure_subscription AS az ON az.platform_integration_id = l.connection_id
 severity: high
 tags:
- platform_score_cloud_service_name:
- - TODO
- platform_score_use_case:
- - TODO
- score_service_name:
- - TODO
- score_tags:
- - TODO
+ platform_score_cloud_service_name:
+ - TODO
+ platform_score_use_case:
+ - TODO
+ score_service_name:
+ - TODO
+ score_tags:
+ - TODO
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight.yaml
index 3a62fbc2f..2d2f39a3f 100644
--- a/compliance/frameworks/aws/aws_acsc_essential_eight.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight.yaml
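Review bot: The title and description promise a fixed rule, `>$100 cannot grow more than 15%`, but the thresholds are the template parameters `platformMoMCostGrowthMinCost` and `platformMoMCostGrowthAllowedGrowth`, whose defaults this commit keeps as `value: ""`, so the shipped control neither enforces the advertised numbers nor renders to valid SQL until someone sets them. Either give the defaults the values the title states, e.g. `value: "100"` and `value: "0.15"` (a ratio, since the predicate compares a fraction rather than a percentage), or reword the title and description to say the limits are configurable. The join key `ON (l.connection_id = s.connection_id AND l.metric_id = s.metric_id)` also means a service first billed within the last 30 days has no prior-period row and is silently excluded from the growth check; a short comment above `last_valid_60` noting that new services are out of scope would keep that from being read as a bug.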
@@ -1,498 +1,498 @@
-framework:
- id: aws_acsc_essential_eight
- title: Australian Cyber Security Center (ACSC) Essential Eight
- description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
- section-code: aws_acsc_essential_eight
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
+id: aws_acsc_essential_eight
+title: Australian Cyber Security Center (ACSC) Essential Eight
+description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
+section-code: aws_acsc_essential_eight
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_acsc_essential_eight_ml_1
+ title: ACSC Essential Eight Maturity Level 1
+ description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
+ section-code: ml_1
 control-group:
- - id: aws_acsc_essential_eight_ml_1
- title: ACSC Essential Eight Maturity Level 1
- description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
- section-code: ml_1
+ - id: aws_acsc_essential_eight_ml_1_2
+ title: "ACSC-EE-ML1-2: Patch applications ML1"
+ description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+ section-code: "2"
 control-group:
- - id: aws_acsc_essential_eight_ml_1_2
- title: "ACSC-EE-ML1-2: Patch applications ML1"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+ - id: aws_acsc_essential_eight_ml_1_2_5
+ title: "ACSC-EE-ML1-2.5: Patch applications ML1"
+ description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+ section-code: "5"
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - id: aws_acsc_essential_eight_ml_1_5
+ title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
+ description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
+ section-code: "5"
+ control-group:
+ - id: aws_acsc_essential_eight_ml_1_5_2
+ title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
+ description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
 section-code: "2"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_2_5
- title: "ACSC-EE-ML1-2.5: Patch applications ML1"
- description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "5"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
- - id: aws_acsc_essential_eight_ml_1_5
- title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
- description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - id: aws_acsc_essential_eight_ml_1_5_3
+ title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
+ description: Privileged users use separate privileged and unprivileged operating environments.
+ section-code: "3"
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - id: aws_acsc_essential_eight_ml_1_5_4
+ title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
+ description: Unprivileged accounts cannot logon to privileged operating environments.
+ section-code: "4"
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - id: aws_acsc_essential_eight_ml_1_5_5
+ title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
+ description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
 section-code: "5"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_5_2
- title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
- description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
- section-code: "2"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - id: aws_acsc_essential_eight_ml_1_5_3
- title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
- description: Privileged users use separate privileged and unprivileged operating environments.
- section-code: "3"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - id: aws_acsc_essential_eight_ml_1_5_4
- title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
- description: Unprivileged accounts cannot logon to privileged operating environments.
- section-code: "4"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - id: aws_acsc_essential_eight_ml_1_5_5
- title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
- description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
- section-code: "5"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - id: aws_acsc_essential_eight_ml_1_8
- title: "ACSC-EE-ML1-8: Regular backups ML1"
- description: Regular backups of important data, software and configuration settings are performed and retained...
- section-code: "8"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_8_1
- title: "ACSC-EE-ML1-8.1: Regular backups ML1"
- description: Backups of important data, software and configuration settings are performed...
- section-code: "1"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - id: aws_acsc_essential_eight_ml_1_8_2
- title: "ACSC-EE-ML1-8.2: Regular backups ML1"
- description: Backups of important data, software and configuration settings are synchronised...
- section-code: "2"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - id: aws_acsc_essential_eight_ml_1_8_3
- title: "ACSC-EE-ML1-8.3: Regular backups ML1"
- description: Backups of important data, software and configuration settings are retained...
- section-code: "3"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - id: aws_acsc_essential_eight_ml_1_8_5
- title: "ACSC-EE-ML1-8.5: Regular backups ML1"
- description: Unprivileged accounts cannot access backups belonging to other accounts.
- section-code: "5"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - id: aws_acsc_essential_eight_ml_1_8_6
- title: "ACSC-EE-ML1-8.6: Regular backups ML1"
- description: Unprivileged accounts are prevented from modifying and deleting backups.
- section-code: "6"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - id: aws_acsc_essential_eight_ml_2
- title: ACSC Essential Eight Maturity Level 2
- description: The Essential Eight Maturity Model is a prioritised list of strategies...
- section-code: ml_2
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - id: aws_acsc_essential_eight_ml_1_8
+ title: "ACSC-EE-ML1-8: Regular backups ML1"
+ description: Regular backups of important data, software and configuration settings are performed and retained...
+ section-code: "8"
 control-group:
- - id: aws_acsc_essential_eight_ml_2_1
- title: "ACSC-EE-ML2-1: Patch applications ML2"
- description: An automated method of asset discovery is used at least weekly...
+ - id: aws_acsc_essential_eight_ml_1_8_1
+ title: "ACSC-EE-ML1-8.1: Regular backups ML1"
+ description: Backups of important data, software and configuration settings are performed...
 section-code: "1"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_1_3
- title: "ACSC-EE-ML2-1.3: Application control ML2"
- description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
- section-code: "3"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
- - id: aws_acsc_essential_eight_ml_2_2
- title: "ACSC-EE-ML2-2: Patch operating systems ML2"
- description: An automated method of asset discovery is used at least weekly...
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - id: aws_acsc_essential_eight_ml_1_8_2
+ title: "ACSC-EE-ML1-8.2: Regular backups ML1"
+ description: Backups of important data, software and configuration settings are synchronised...
 section-code: "2"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_2_5
- title: "ACSC-EE-ML2-2.5: Patch applications ML2"
- description: A vulnerability scanner is used at least fortnightly...
- section-code: "5"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
- - id: aws_acsc_essential_eight_ml_2_5
- title: "ACSC-EE-ML2-5: Restrict administrative privileges ML2"
- description: Requests for privileged access to systems and applications are validated when first requested.
+ controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_min_retention_35_days + - aws_docdb_cluster_backup_retention_period_7_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_neptune_db_cluster_automated_backup_enabled + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - id: aws_acsc_essential_eight_ml_1_8_3 + title: "ACSC-EE-ML1-8.3: Regular backups ML1" + description: Backups of important data, software and configuration settings are retained... 
+ section-code: "3" + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_min_retention_35_days + - aws_docdb_cluster_backup_retention_period_7_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_neptune_db_cluster_automated_backup_enabled + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - id: aws_acsc_essential_eight_ml_1_8_5 + title: "ACSC-EE-ML1-8.5: Regular backups ML1" + description: Unprivileged accounts cannot access backups belonging to other accounts. section-code: "5" - control-group: - - id: aws_acsc_essential_eight_ml_2_5_10 - title: "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2" - description: Credentials for local administrator accounts... 
- section-code: "10" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - id: aws_acsc_essential_eight_ml_2_5_11 - title: "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2" - description: Privileged access events are logged. - section-code: "11" - controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_appsync_graphql_api_field_level_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_dms_replication_task_source_database_logging_enabled - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ecs_task_definition_logging_enabled - - aws_eks_cluster_control_plane_audit_logging_enabled - - aws_elastic_beanstalk_environment_logs_to_cloudwatch - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_gatewayv2_stage_access_logging_enabled - - aws_neptune_db_cluster_audit_logging_enabled - - aws_networkfirewall_firewall_logging_enabled - - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled - - aws_rds_db_cluster_events_subscription - - aws_rds_db_instance_events_subscription - - aws_rds_db_instance_logging_enabled - - aws_rds_db_parameter_group_events_subscription - - aws_rds_db_security_group_events_subscription - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_route53_zone_query_logging_enabled - - 
aws_s3_bucket_logging_enabled - - aws_sfn_state_machine_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_acsc_essential_eight_ml_2_5_12 - title: "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2" - description: Privileged account and group management events are logged. - section-code: "12" - controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_appsync_graphql_api_field_level_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_dms_replication_task_source_database_logging_enabled - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ecs_task_definition_logging_enabled - - aws_eks_cluster_control_plane_audit_logging_enabled - - aws_elastic_beanstalk_environment_logs_to_cloudwatch - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_gatewayv2_stage_access_logging_enabled - - aws_neptune_db_cluster_audit_logging_enabled - - aws_networkfirewall_firewall_logging_enabled - - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled - - aws_rds_db_cluster_events_subscription - - aws_rds_db_instance_events_subscription - - aws_rds_db_instance_logging_enabled - - aws_rds_db_parameter_group_events_subscription - - aws_rds_db_security_group_events_subscription - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_route53_zone_query_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_sfn_state_machine_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_acsc_essential_eight_ml_2_5_2 - title: "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2" 
- description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. - section-code: "2" - controls: - - aws_account_part_of_organizations - - aws_backup_recovery_point_manual_deletion_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_neptune_db_cluster_iam_authentication_enabled - - aws_opensearch_domain_fine_grained_access_enabled - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_sagemaker_notebook_instance_root_access_disabled - - id: aws_acsc_essential_eight_ml_2_5_3 - title: "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2" - description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity. 
- section-code: "3" - controls: - - aws_account_part_of_organizations - - aws_backup_recovery_point_manual_deletion_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_neptune_db_cluster_iam_authentication_enabled - - aws_opensearch_domain_fine_grained_access_enabled - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_sagemaker_notebook_instance_root_access_disabled - - id: aws_acsc_essential_eight_ml_2_5_4 - title: "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2" - description: Privileged accounts (excluding privileged service accounts) are prevented from accessing... 
- section-code: "4" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - id: aws_acsc_essential_eight_ml_2_5_5 - title: "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2" - description: Privileged users use separate privileged and unprivileged operating environments. - section-code: "5" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all - - id: aws_acsc_essential_eight_ml_2_5_6 - title: "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2" - description: Privileged operating environments are not virtualised within unprivileged operating environments. 
- section-code: "6" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all - - id: aws_acsc_essential_eight_ml_2_5_7 - title: "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2" - description: Unprivileged accounts cannot logon to privileged operating environments. - section-code: "7" - controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all - - id: aws_acsc_essential_eight_ml_2_5_8 - title: "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2" - description: Privileged accounts (excluding local administrator accounts) cannot logon... 
- section-code: "8" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all - - id: aws_acsc_essential_eight_ml_2_5_9 - title: "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2" - description: Unprivileged accounts cannot logon to privileged operating environments. - section-code: "9" - controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_user_in_group + - aws_opensearch_domain_fine_grained_access_enabled + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all + - id: aws_acsc_essential_eight_ml_1_8_6 + title: "ACSC-EE-ML1-8.6: Regular backups ML1" + description: Unprivileged accounts are prevented from modifying and deleting backups. 
+ section-code: "6" + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_user_in_group + - aws_opensearch_domain_fine_grained_access_enabled + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all +- id: aws_acsc_essential_eight_ml_2 + title: ACSC Essential Eight Maturity Level 2 + description: The Essential Eight Maturity Model is a prioritised list of strategies... + section-code: ml_2 + control-group: + - id: aws_acsc_essential_eight_ml_2_1 + title: "ACSC-EE-ML2-1: Patch applications ML2" + description: An automated method of asset discovery is used at least weekly... + section-code: "1" + control-group: + - id: aws_acsc_essential_eight_ml_2_1_3 + title: "ACSC-EE-ML2-1.3: Application control ML2" + description: Allowed and blocked execution events on workstations and internet-facing servers are logged. 
+ section-code: "3" + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_acsc_essential_eight_ml_2_2 + title: "ACSC-EE-ML2-2: Patch operating systems ML2" + description: An automated method of asset discovery is used at least weekly... + section-code: "2" + control-group: + - id: aws_acsc_essential_eight_ml_2_2_5 + title: "ACSC-EE-ML2-2.5: Patch applications ML2" + description: A vulnerability scanner is used at least fortnightly... 
+ section-code: "5" + controls: + - aws_ecr_repository_image_scan_on_push_enabled + - id: aws_acsc_essential_eight_ml_2_5 + title: "ACSC-EE-ML2-5: Restrict administrative privileges ML2" + description: Requests for privileged access to systems and applications are validated when first requested. + section-code: "5" + control-group: + - id: aws_acsc_essential_eight_ml_2_5_10 + title: "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2" + description: Credentials for local administrator accounts... + section-code: "10" + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - id: aws_acsc_essential_eight_ml_2_5_11 + title: "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2" + description: Privileged access events are logged. 
+ section-code: "11" + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_acsc_essential_eight_ml_2_5_12 + title: "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2" + description: Privileged account and group management events are logged. 
+ section-code: "12" + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_acsc_essential_eight_ml_2_5_2 + title: "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2" + description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. 
+ section-code: "2" + controls: + - aws_account_part_of_organizations + - aws_backup_recovery_point_manual_deletion_disabled + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_neptune_db_cluster_iam_authentication_enabled + - aws_opensearch_domain_fine_grained_access_enabled + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_acls_should_prohibit_user_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_sagemaker_notebook_instance_root_access_disabled + - id: aws_acsc_essential_eight_ml_2_5_3 + title: "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2" + description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity. 
+ section-code: "3" + controls: + - aws_account_part_of_organizations + - aws_backup_recovery_point_manual_deletion_disabled + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_neptune_db_cluster_iam_authentication_enabled + - aws_opensearch_domain_fine_grained_access_enabled + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_acls_should_prohibit_user_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_sagemaker_notebook_instance_root_access_disabled + - id: aws_acsc_essential_eight_ml_2_5_4 + title: "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2" + description: Privileged accounts (excluding privileged service accounts) are prevented from accessing... 
+ section-code: "4" + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - id: aws_acsc_essential_eight_ml_2_5_5 + title: "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2" + description: Privileged users use separate privileged and unprivileged operating environments. + section-code: "5" + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all + - id: aws_acsc_essential_eight_ml_2_5_6 + title: "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2" + description: Privileged operating environments are not virtualised within unprivileged operating environments. 
+ section-code: "6" + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all + - id: aws_acsc_essential_eight_ml_2_5_7 + title: "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2" + description: Unprivileged accounts cannot logon to privileged operating environments. + section-code: "7" + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all + - id: aws_acsc_essential_eight_ml_2_5_8 + title: "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2" + description: Privileged accounts (excluding local administrator accounts) cannot logon... 
+ section-code: "8" + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all + - id: aws_acsc_essential_eight_ml_2_5_9 + title: "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2" + description: Unprivileged accounts cannot logon to privileged operating environments. + section-code: "9" + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml index cb4afd650..1642686ce 100644 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml 
@@ -1,13 +1,13 @@
-framework:
- id: aws_acsc_essential_eight
- title: Australian Cyber Security Center (ACSC) Essential Eight
- description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
- section-code: aws_acsc_essential_eight
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_acsc_essential_eight_ml_1
- - id: aws_acsc_essential_eight_ml_2
- - id: aws_acsc_essential_eight_ml_3
+id: aws_acsc_essential_eight
+title: Australian Cyber Security Center (ACSC) Essential Eight
+description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
+section-code: aws_acsc_essential_eight
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_acsc_essential_eight_ml_1
+- id: aws_acsc_essential_eight_ml_2
+- id: aws_acsc_essential_eight_ml_3
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml
index 44f366a44..245a42010 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml
@@ -1,11 +1,16 @@
+id: aws_acsc_essential_eight_ml_1
+title: ACSC Essential Eight Maturity Level 1
+description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
+section-code: ml_1
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1
- title: ACSC Essential Eight Maturity Level 1
- description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers.
- section-code: ml_1
- control-group:
- - id: aws_acsc_essential_eight_ml_1_2
- - id: aws_acsc_essential_eight_ml_1_5
- - id: aws_acsc_essential_eight_ml_1_6
- - id: aws_acsc_essential_eight_ml_1_7
- - id: aws_acsc_essential_eight_ml_1_8
+- id: aws_acsc_essential_eight_ml_1_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml
index 859c16bc0..d829f8c7f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml
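Review bot: Every child reference added under `control-group` in this hunk carries `type: ""`, which is neither `control-group` nor omitted, while the framework file in the previous hunk lists its children as bare `- id:` entries with no `type` at all, so the two conventions now disagree. An empty string reads like a zero-value leaked from the serializer rather than an intentional value, and a loader that dispatches on `type` may treat it as unknown. Either drop the key or set it explicitly (`- id: aws_acsc_essential_eight_ml_1_2` / `  type: control-group`). The same pattern recurs in the ml_1_5, ml_1_6, ml_1_7 and ml_1_8 hunks. Separately, the new `description` line ("The availability category refers to …") describes an availability trust category, not Essential Eight Maturity Level 1, and should be replaced with a one-sentence ML1 summary.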
@@ -1,7 +1,8 @@
+id: aws_acsc_essential_eight_ml_1_2
+title: "ACSC-EE-ML1-2: Patch applications ML1"
+description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1_2
- title: "ACSC-EE-ML1-2: Patch applications ML1"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- section-code: "2"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_2_5
+- id: aws_acsc_essential_eight_ml_1_2_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml
index b51b0e3d6..6b73dbe74 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_2_5
- title: "ACSC-EE-ML1-2.5: Patch applications ML1"
- description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "5"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_1_2_5
+title: "ACSC-EE-ML1-2.5: Patch applications ML1"
+description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+section-code: "5"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml
index 3baf9179f..81ae783fa 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml
@@ -1,10 +1,14 @@
+id: aws_acsc_essential_eight_ml_1_5
+title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
+description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1_5
- title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
- description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data.
- section-code: "5"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_5_2
- - id: aws_acsc_essential_eight_ml_1_5_3
- - id: aws_acsc_essential_eight_ml_1_5_4
- - id: aws_acsc_essential_eight_ml_1_5_5
+- id: aws_acsc_essential_eight_ml_1_5_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_5_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_5_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_5_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml
index 0ff238393..a6f923512 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_5_2
- title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
- description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
- section-code: "2"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_1_5_2
+title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
+description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
+section-code: "2"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml
index 0968d4234..1cf8303e2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml
@@ -1,14 +1,14 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_5_3
- title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
- description: Privileged users use separate privileged and unprivileged operating environments.
- section-code: "3"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_acsc_essential_eight_ml_1_5_3
+title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
+description: Privileged users use separate privileged and unprivileged operating environments.
+section-code: "3"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml
index d49415fa4..1ac4a7ec0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_5_4
- title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
- description: Unprivileged accounts cannot logon to privileged operating environments.
- section-code: "4"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_1_5_4
+title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
+description: Unprivileged accounts cannot logon to privileged operating environments.
+section-code: "4"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml
index bf8d7fed7..d51c91624 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_5_5
- title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
- description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
- section-code: "5"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_1_5_5
+title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
+description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml
index ec17cd28d..7f1228247 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml
@@ -1,12 +1,18 @@
+id: aws_acsc_essential_eight_ml_1_6
+title: "ACSC-EE-ML1-6: Patch operating systems ML1"
+description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems.
+section-code: "6"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1_6
- title: "ACSC-EE-ML1-6: Patch operating systems ML1"
- description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems.
- section-code: "6"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_6_2
- - id: aws_acsc_essential_eight_ml_1_6_3
- - id: aws_acsc_essential_eight_ml_1_6_4
- - id: aws_acsc_essential_eight_ml_1_6_5
- - id: aws_acsc_essential_eight_ml_1_6_6
- - id: aws_acsc_essential_eight_ml_1_6_7
+- id: aws_acsc_essential_eight_ml_1_6_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_6_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml
index 10d9a3aff..28fe64b8a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_2
- title: "ACSC-EE-ML1-6.2: Patch operating systems ML1"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- section-code: "2"
- controls:
- - aws_1test
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_1_6_2
+title: "ACSC-EE-ML1-6.2: Patch operating systems ML1"
+description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+section-code: "2"
+type: control-group
+controls:
+- aws_1test
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml
index 909c516c0..57c3ef70d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_3
- title: "ACSC-EE-ML1-6.3: Patch operating systems ML1"
- description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
- section-code: "3"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_1_6_3
+title: "ACSC-EE-ML1-6.3: Patch operating systems ML1"
+description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+section-code: "3"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
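Review bot: The new `controls` list for ml_1_6_2 re-emits `- aws_1test`, which reads like a placeholder id rather than a shipped control and does not follow the `aws_<service>_<check>` naming every other control in these hunks uses. If no control with that id exists, the group silently loses part of its coverage for the vulnerability-scanner requirement its description states, and depending on how the loader treats unresolved ids the whole group may fail to load. Remove the entry or replace it with the intended control id; `aws_ecr_repository_image_scan_on_push_enabled` is the only real check left in this group.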
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml
index 7f1ad3b43..c521faf69 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_4
- title: "ACSC-EE-ML1-6.4: Patch operating systems ML1"
- description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
- section-code: "4"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_1_6_4
+title: "ACSC-EE-ML1-6.4: Patch operating systems ML1"
+description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+section-code: "4"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml
index 1ea8b4b0f..f3fc9043f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_5
- title: "ACSC-EE-ML1-6.5: Patch operating systems ML1"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "5"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_1_6_5
+title: "ACSC-EE-ML1-6.5: Patch operating systems ML1"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+section-code: "5"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml
index c037c008b..84fda49d4 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_6
- title: "ACSC-EE-ML1-6.6: Patch operating systems ML1"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
- section-code: "6"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_1_6_6
+title: "ACSC-EE-ML1-6.6: Patch operating systems ML1"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
+section-code: "6"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml
index 971a37598..a7243c1a2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_6_7
- title: "ACSC-EE-ML1-6.7: Patch operating systems ML1"
- description: Operating systems that are no longer supported by vendors are replaced.
- section-code: "7"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_1_6_7
+title: "ACSC-EE-ML1-6.7: Patch operating systems ML1"
+description: Operating systems that are no longer supported by vendors are replaced.
+section-code: "7"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml
index 0b4743b70..f46f93fb2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml
@@ -1,10 +1,14 @@
+id: aws_acsc_essential_eight_ml_1_7
+title: "ACSC-EE-ML1-7: Application control ML1"
+description: Application control is the practice of restricting the execution of applications to those that have been authorised and are known to be secure.
+section-code: "7"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1_7
- title: "ACSC-EE-ML1-7: Application control ML1"
- description: Application control is the practice of restricting the execution of applications to those that have been authorised and are known to be secure.
- section-code: "7"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_7_1
- - id: aws_acsc_essential_eight_ml_1_7_2
- - id: aws_acsc_essential_eight_ml_1_7_3
- - id: aws_acsc_essential_eight_ml_1_7_4
+- id: aws_acsc_essential_eight_ml_1_7_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_7_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_7_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_7_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml
index 0a00e3958..2ee3a1a32 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_7_1
- title: "ACSC-EE-ML1-7.1: Multi-factor authentication ML1"
- description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
- section-code: "1"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_1_7_1
+title: "ACSC-EE-ML1-7.1: Multi-factor authentication ML1"
+description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+section-code: "1"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml
index 3e4f4f154..647a208b9 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_7_2
- title: "ACSC-EE-ML1-7.2: Multi-factor authentication ML1"
- description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
- section-code: "2"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_1_7_2
+title: "ACSC-EE-ML1-7.2: Multi-factor authentication ML1"
+description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
+section-code: "2"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml
index 89499a48d..299fe4e8b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_7_3
- title: "ACSC-EE-ML1-7.3: Multi-factor authentication ML1"
- description: Multi-factor authentication (where available) is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
- section-code: "3"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_1_7_3
+title: "ACSC-EE-ML1-7.3: Multi-factor authentication ML1"
+description: Multi-factor authentication (where available) is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
+section-code: "3"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
index 96c0e0b3d..c1edda2f7 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_7_4
- title: "ACSC-EE-ML1-7.4: Multi-factor authentication ML1"
- description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
- section-code: "4"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_1_7_4
+title: "ACSC-EE-ML1-7.4: Multi-factor authentication ML1"
+description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+section-code: "4"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
index 32dabe99c..0b14658fb 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
@@ -1,11 +1,16 @@
+id: aws_acsc_essential_eight_ml_1_8
+title: "ACSC-EE-ML1-8: Regular backups ML1"
+description: Regular backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+section-code: "8"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_1_8
- title: "ACSC-EE-ML1-8: Regular backups ML1"
- description: Regular backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
- section-code: "8"
- control-group:
- - id: aws_acsc_essential_eight_ml_1_8_1
- - id: aws_acsc_essential_eight_ml_1_8_2
- - id: aws_acsc_essential_eight_ml_1_8_3
- - id: aws_acsc_essential_eight_ml_1_8_5
- - id: aws_acsc_essential_eight_ml_1_8_6
+- id: aws_acsc_essential_eight_ml_1_8_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_8_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_8_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_8_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_1_8_6
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
index 610579761..b3fcaaff4 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
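Review bot: The child references added under `control-group:` carry `type: ""`, while every file they point to now declares `type: control-group` in this same commit, so a loader that dispatches on `type` sees an empty string for the nested entries and a populated value for the top-level documents. If the field is required on a reference it should match the target, `type: control-group`; if it is optional, an empty placeholder should not be committed at all. The same pattern is repeated in the aws_acsc_essential_eight_ml_2, ml_2_1, ml_2_2 and ml_2_5 hunks later in this diff. A schema check on the reference shape (id plus a non-empty type) would catch this class of drift before the parent groups and their children disagree.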
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_8_1
- title: "ACSC-EE-ML1-8.1: Regular backups ML1"
- description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
- section-code: "1"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_1_8_1
+title: "ACSC-EE-ML1-8.1: Regular backups ML1"
+description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+section-code: "1"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
index 0dd773eab..3385f6d05 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_8_2
- title: "ACSC-EE-ML1-8.2: Regular backups ML1"
- description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
- section-code: "2"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_1_8_2
+title: "ACSC-EE-ML1-8.2: Regular backups ML1"
+description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
+section-code: "2"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
index 1fc4541c5..a6d7866b4 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_8_3
- title: "ACSC-EE-ML1-8.3: Regular backups ML1"
- description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
- section-code: "3"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_1_8_3
+title: "ACSC-EE-ML1-8.3: Regular backups ML1"
+description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
+section-code: "3"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
index 431e0138c..e93f3217a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_8_5
- title: "ACSC-EE-ML1-8.5: Regular backups ML1"
- description: Unprivileged accounts cannot access backups belonging to other accounts.
- section-code: "5"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_1_8_5
+title: "ACSC-EE-ML1-8.5: Regular backups ML1"
+description: Unprivileged accounts cannot access backups belonging to other accounts.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
index 052c446c0..95c42cdc1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
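Review bot: None of the nine entries under `controls:` for ACSC-EE-ML1-8.5 evaluates who can read a backup; the list is an SSH/IAM/ECS/OpenSearch mix (`aws_vpc_security_group_restrict_ingress_ssh_all`, `aws_ecs_task_definition_container_readonly_root_filesystem`, `aws_codebuild_project_source_repo_oauth_configured`), and the only backup-scoped controls on this page, `aws_backup_plan_min_retention_35_days` and `aws_backup_recovery_point_min_retention_35_days` under 8.1, measure retention rather than access. As written, the group reports pass/fail on resources unrelated to "Unprivileged accounts cannot access backups belonging to other accounts", and that verdict is what a report consumer will act on. If this is a deliberate best-available proxy, a comment above the list such as `# proxy mapping: no backup-vault access control in the catalogue yet` would make that visible; otherwise the list should be narrowed or the group left without automated controls. The identical list is reused for ML1-8.6 ("prevented from modifying and deleting backups") in the next hunk, where the same gap applies.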
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_1_8_6
- title: "ACSC-EE-ML1-8.6: Regular backups ML1"
- description: Unprivileged accounts are prevented from modifying and deleting backups.
- section-code: "6"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_1_8_6
+title: "ACSC-EE-ML1-8.6: Regular backups ML1"
+description: Unprivileged accounts are prevented from modifying and deleting backups.
+section-code: "6"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
index 309bf32c7..5ec3210eb 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
@@ -1,12 +1,18 @@
+id: aws_acsc_essential_eight_ml_2
+title: ACSC Essential Eight Maturity Level 2
+description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
+section-code: ml_2
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2
- title: ACSC Essential Eight Maturity Level 2
- description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
- section-code: ml_2
- control-group:
- - id: aws_acsc_essential_eight_ml_2_1
- - id: aws_acsc_essential_eight_ml_2_2
- - id: aws_acsc_essential_eight_ml_2_5
- - id: aws_acsc_essential_eight_ml_2_6
- - id: aws_acsc_essential_eight_ml_2_7
- - id: aws_acsc_essential_eight_ml_2_8
+- id: aws_acsc_essential_eight_ml_2_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
index eabaa0a2e..a9f13b2ef 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
@@ -1,7 +1,8 @@
+id: aws_acsc_essential_eight_ml_2_1
+title: "ACSC-EE-ML2-1: Patch applications ML2"
+description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_1
- title: "ACSC-EE-ML2-1: Patch applications ML2"
- description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
- section-code: "1"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_1_3
+- id: aws_acsc_essential_eight_ml_2_1_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
index bbb38167b..0de468cbe 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_1_3
- title: "ACSC-EE-ML2-1.3: Application control ML2"
- description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
- section-code: "3"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_acsc_essential_eight_ml_2_1_3
+title: "ACSC-EE-ML2-1.3: Application control ML2"
+description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
+section-code: "3"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_appsync_graphql_api_field_level_logging_enabled
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_codebuild_project_logging_enabled
+- aws_dms_replication_task_source_database_logging_enabled
+- aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+- aws_ecs_task_definition_logging_enabled
+- aws_eks_cluster_control_plane_audit_logging_enabled
+- aws_elastic_beanstalk_environment_logs_to_cloudwatch
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_gatewayv2_stage_access_logging_enabled
+- aws_neptune_db_cluster_audit_logging_enabled
+- aws_networkfirewall_firewall_logging_enabled
+- aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+- aws_rds_db_cluster_events_subscription
+- aws_rds_db_instance_events_subscription
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_parameter_group_events_subscription
+- aws_rds_db_security_group_events_subscription
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_route53_zone_query_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_sfn_state_machine_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
index 6911180b4..cde05839e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
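Review bot: The title `ACSC-EE-ML2-1.3: Application control ML2` names the Application control strategy, while the parent group this file hangs off (aws_acsc_essential_eight_ml_2_1, previous hunk) is titled `Patch applications ML2` and the id/section-code place it under strategy 1, so one of the two labels looks wrong and should be reconciled rather than carried through the restructure. Separately, the 32-entry `controls:` list is byte-identical to the ones under ML2-5.11 and ML2-5.12 later in this diff, so three differently-worded requirements (execution-event logging, privileged-access logging, account/group management logging) will always produce the same verdict; a comment above the list such as `# shared logging baseline; no execution-event-specific control available` would at least make that deliberate. This hunk starts on the previous line and is complete here.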
@@ -1,7 +1,8 @@
+id: aws_acsc_essential_eight_ml_2_2
+title: "ACSC-EE-ML2-2: Patch operating systems ML2"
+description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_2
- title: "ACSC-EE-ML2-2: Patch operating systems ML2"
- description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
- section-code: "2"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_2_5
+- id: aws_acsc_essential_eight_ml_2_2_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
index 933d6fbfa..a7afe288d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_2_5
- title: "ACSC-EE-ML2-2.5: Patch applications ML2"
- description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
- section-code: "5"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_2_2_5
+title: "ACSC-EE-ML2-2.5: Patch applications ML2"
+description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
+section-code: "5"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
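Review bot: `aws_acsc_essential_eight_ml_2_2` is titled `Patch operating systems ML2` but carries the same description as ml_2_1 in the previous hunk (`An automated method of asset discovery is used at least weekly ...`), and its only child, ml_2_2_5 in the second hunk on this line, is titled `Patch applications ML2` with a description about scanning "other applications". The group-level text and the child therefore disagree about which Essential Eight strategy this is, and the report heading a reader sees will not match the control underneath it. Either the ml_2_2 description should be the operating-system wording and the child retitled `Patch operating systems ML2`, or the child belongs under ml_2_1. Both hunks are complete on this line.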
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
index ddd0fefc9..cd6a40287 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
@@ -1,17 +1,28 @@
+id: aws_acsc_essential_eight_ml_2_5
+title: "ACSC-EE-ML2-5: Restrict administrative privileges ML2"
+description: Requests for privileged access to systems and applications are validated when first requested.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_5
- title: "ACSC-EE-ML2-5: Restrict administrative privileges ML2"
- description: Requests for privileged access to systems and applications are validated when first requested.
- section-code: "5"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_5_2
- - id: aws_acsc_essential_eight_ml_2_5_3
- - id: aws_acsc_essential_eight_ml_2_5_4
- - id: aws_acsc_essential_eight_ml_2_5_5
- - id: aws_acsc_essential_eight_ml_2_5_6
- - id: aws_acsc_essential_eight_ml_2_5_7
- - id: aws_acsc_essential_eight_ml_2_5_8
- - id: aws_acsc_essential_eight_ml_2_5_9
- - id: aws_acsc_essential_eight_ml_2_5_10
- - id: aws_acsc_essential_eight_ml_2_5_11
- - id: aws_acsc_essential_eight_ml_2_5_12
+- id: aws_acsc_essential_eight_ml_2_5_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_8
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_9
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_10
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_11
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_5_12
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
index 63d0e8b35..c01a649ea 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_10
- title: "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2"
- description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
- section-code: "10"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_2_5_10
+title: "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2"
+description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
+section-code: "10"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
index 4d70e234a..0ed75df11 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_11
- title: "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2"
- description: Privileged access events are logged.
- section-code: "11"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_acsc_essential_eight_ml_2_5_11
+title: "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2"
+description: Privileged access events are logged.
+section-code: "11"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_appsync_graphql_api_field_level_logging_enabled
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_codebuild_project_logging_enabled
+- aws_dms_replication_task_source_database_logging_enabled
+- aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+- aws_ecs_task_definition_logging_enabled
+- aws_eks_cluster_control_plane_audit_logging_enabled
+- aws_elastic_beanstalk_environment_logs_to_cloudwatch
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_gatewayv2_stage_access_logging_enabled
+- aws_neptune_db_cluster_audit_logging_enabled
+- aws_networkfirewall_firewall_logging_enabled
+- aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+- aws_rds_db_cluster_events_subscription
+- aws_rds_db_instance_events_subscription
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_parameter_group_events_subscription
+- aws_rds_db_security_group_events_subscription
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_route53_zone_query_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_sfn_state_machine_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml
index 83380c698..e777dd62b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_12
- title: "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2"
- description: Privileged account and group management events are logged.
- section-code: "12"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_acsc_essential_eight_ml_2_5_12
+title: "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2"
+description: Privileged account and group management events are logged.
+section-code: "12"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_appsync_graphql_api_field_level_logging_enabled
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_codebuild_project_logging_enabled
+- aws_dms_replication_task_source_database_logging_enabled
+- aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+- aws_ecs_task_definition_logging_enabled
+- aws_eks_cluster_control_plane_audit_logging_enabled
+- aws_elastic_beanstalk_environment_logs_to_cloudwatch
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_gatewayv2_stage_access_logging_enabled
+- aws_neptune_db_cluster_audit_logging_enabled
+- aws_networkfirewall_firewall_logging_enabled
+- aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+- aws_rds_db_cluster_events_subscription
+- aws_rds_db_instance_events_subscription
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_parameter_group_events_subscription
+- aws_rds_db_security_group_events_subscription
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_route53_zone_query_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_sfn_state_machine_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml
index 0584d4fb2..76bb45cc3 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_2
- title: "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2"
- description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
- section-code: "2"
- controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_2_5_2
+title: "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2"
+description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
+section-code: "2"
+type: control-group
+controls:
+- aws_account_part_of_organizations
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
+- aws_neptune_db_cluster_iam_authentication_enabled
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_acls_should_prohibit_user_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml
index 6d7795cf7..12458d6ed 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_3
- title: "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2"
- description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
- section-code: "3"
- controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_2_5_3
+title: "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2"
+description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
+section-code: "3"
+type: control-group
+controls:
+- aws_account_part_of_organizations
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
+- aws_neptune_db_cluster_iam_authentication_enabled
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_acls_should_prohibit_user_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml
index 97c5cf9b6..fbb1d7240 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_4
- title: "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2"
- description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
- section-code: "4"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_2_5_4
+title: "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2"
+description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
+section-code: "4"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml
index 01ae1e0f2..807df69c8 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_5
- title: "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2"
- description: Privileged users use separate privileged and unprivileged operating environments.
- section-code: "5"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_5_5
+title: "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2"
+description: Privileged users use separate privileged and unprivileged operating environments.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml
index 1175346cb..8d77fd9e4 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_6
- title: "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2"
- description: Privileged operating environments are not virtualised within unprivileged operating environments.
- section-code: "6"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_5_6
+title: "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2"
+description: Privileged operating environments are not virtualised within unprivileged operating environments.
+section-code: "6"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml
index 35f4d990e..e83b124a8 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_7
- title: "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2"
- description: Unprivileged accounts cannot logon to privileged operating environments.
- section-code: "7"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_5_7
+title: "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2"
+description: Unprivileged accounts cannot logon to privileged operating environments.
+section-code: "7"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml
index 9e50dd97c..c43b4156c 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_8
- title: "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2"
- description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
- section-code: "8"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_5_8
+title: "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2"
+description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
+section-code: "8"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml
index 52452ecfd..e553b32f5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_5_9
- title: "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2"
- description: Unprivileged accounts cannot logon to privileged operating environments.
- section-code: "9"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_5_9
+title: "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2"
+description: Unprivileged accounts cannot logon to privileged operating environments.
+section-code: "9"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml
index b68d1c16e..6f0829e11 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml
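Review bot: The new side of ml_2_5_9 carries `description: Unprivileged accounts cannot logon to privileged operating environments.` under `section-code: "9"`, which is word-for-word the description of ml_2_5_7 (hunk on L4609) and is paired with the same five controls, so one of the two reads like a copy-paste duplicate rather than a distinct ML2 requirement. The restructure preserves it unchanged, so the commit does not introduce the problem, but consumers of `section-code` will now see two groups claiming different section numbers for identical text. I cannot tell from the diff which side is wrong; checking 5.9's wording against the source framework and correcting the `description:` line (and, if needed, its `controls:`) is the fix.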
@@ -1,12 +1,18 @@
+id: aws_acsc_essential_eight_ml_2_6
+title: "ACSC-EE-ML2-6: Multi-factor authentication ML2"
+description: Multi-factor authentication is enabled for all users and administrators.
+section-code: "6"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_6
- title: "ACSC-EE-ML2-6: Multi-factor authentication ML2"
- description: Multi-factor authentication is enabled for all users and administrators.
- section-code: "6"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_6_2
- - id: aws_acsc_essential_eight_ml_2_6_3
- - id: aws_acsc_essential_eight_ml_2_6_4
- - id: aws_acsc_essential_eight_ml_2_6_5
- - id: aws_acsc_essential_eight_ml_2_6_6
- - id: aws_acsc_essential_eight_ml_2_6_7
+- id: aws_acsc_essential_eight_ml_2_6_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_6_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
index 5bf67d89e..7eaeb8d21 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
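Review bot: The child references under `control-group:` are written as `type: ""`, while the top-level document gets `type: control-group`; an empty type looks like a generator default rather than a real value, and the same pattern appears in the ml_2_7 hunk (L4618). If the loader resolves children by `type`, each entry should read `- id: aws_acsc_essential_eight_ml_2_6_2` / `  type: control-group` (likewise for the other five), or the key should be dropped so the loader's default applies rather than silently matching nothing. Separately, `title: "ACSC-EE-ML2-6: Multi-factor authentication ML2"` and its MFA description sit above children whose own hunks (L4613–L4617) are all titled `Patch operating systems ML2`, and ml_2_7 (`Application control ML2`) references children titled `Multi-factor authentication ML2`; this mismatch is pre-existing, but it is worth confirming against the source framework before the new schema is relied on for reporting.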
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_2
- title: "ACSC-EE-ML2-6.2: Patch operating systems ML2"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- section-code: "2"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_2_6_2
+title: "ACSC-EE-ML2-6.2: Patch operating systems ML2"
+description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+section-code: "2"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
index c19b26f63..bf8a804b8 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_3
- title: "ACSC-EE-ML2-6.3: Patch operating systems ML2"
- description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
- section-code: "3"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_2_6_3
+title: "ACSC-EE-ML2-6.3: Patch operating systems ML2"
+description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+section-code: "3"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
index a24a56d59..966451857 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_4
- title: "ACSC-EE-ML2-6.4: Patch operating systems ML2"
- description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
- section-code: "4"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_2_6_4
+title: "ACSC-EE-ML2-6.4: Patch operating systems ML2"
+description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+section-code: "4"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
index 7c16bbb25..339192e8a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_5
- title: "ACSC-EE-ML2-6.5: Patch operating systems ML2"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "5"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_2_6_5
+title: "ACSC-EE-ML2-6.5: Patch operating systems ML2"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+section-code: "5"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml
index 3008f06b2..a2aa24860 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_6
- title: "ACSC-EE-ML2-6.6: Patch operating systems ML2"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
- section-code: "6"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_2_6_6
+title: "ACSC-EE-ML2-6.6: Patch operating systems ML2"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
+section-code: "6"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml
index 8456c3cc9..0a199d53a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_6_7
- title: "ACSC-EE-ML2-6.7: Patch operating systems ML2"
- description: Operating systems that are no longer supported by vendors are replaced.
- section-code: "7"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_2_6_7
+title: "ACSC-EE-ML2-6.7: Patch operating systems ML2"
+description: Operating systems that are no longer supported by vendors are replaced.
+section-code: "7"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml
index 44f295bb0..d48f25ea2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml
@@ -1,11 +1,16 @@
+id: aws_acsc_essential_eight_ml_2_7
+title: "ACSC-EE-ML2-7: Application control ML2"
+description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
+section-code: "7"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_7
- title: "ACSC-EE-ML2-7: Application control ML2"
- description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
- section-code: "7"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_7_1
- - id: aws_acsc_essential_eight_ml_2_7_4
- - id: aws_acsc_essential_eight_ml_2_7_5
- - id: aws_acsc_essential_eight_ml_2_7_6
- - id: aws_acsc_essential_eight_ml_2_7_7
+- id: aws_acsc_essential_eight_ml_2_7_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_7_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_7_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_7_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_7_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml
index 4fe506ce7..75c23fb1e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_7_1
- title: "ACSC-EE-ML2-7.1: Multi-factor authentication ML2"
- description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
- section-code: "1"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_2_7_1
+title: "ACSC-EE-ML2-7.1: Multi-factor authentication ML2"
+description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+section-code: "1"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml
index 992a7575d..68516dd32 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_7_4
- title: "ACSC-EE-ML2-7.4: Multi-factor authentication ML2"
- description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
- section-code: "4"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_2_7_4
+title: "ACSC-EE-ML2-7.4: Multi-factor authentication ML2"
+description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+section-code: "4"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml
index b85a4b55c..158ec1504 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_7_5
- title: "ACSC-EE-ML2-7.5: Multi-factor authentication ML2"
- description: Multi-factor authentication is used to authenticate privileged users of systems.
- section-code: "5"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_2_7_5
+title: "ACSC-EE-ML2-7.5: Multi-factor authentication ML2"
+description: Multi-factor authentication is used to authenticate privileged users of systems.
+section-code: "5"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml
index 5fe739260..dccfe69b5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_7_6
- title: "ACSC-EE-ML2-7.6: Multi-factor authentication ML2"
- description: "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
- section-code: "6"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_2_7_6
+title: "ACSC-EE-ML2-7.6: Multi-factor authentication ML2"
+description: "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
+section-code: "6"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml
index b841a0f42..fc9577a2a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_7_7
- title: "ACSC-EE-ML2-7.7: Multi-factor authentication ML2"
- description: Successful and unsuccessful multi-factor authentication events are logged.
- section-code: "7"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_acsc_essential_eight_ml_2_7_7
+title: "ACSC-EE-ML2-7.7: Multi-factor authentication ML2"
+description: Successful and unsuccessful multi-factor authentication events are logged.
+section-code: "7"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_appsync_graphql_api_field_level_logging_enabled
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_codebuild_project_logging_enabled
+- aws_dms_replication_task_source_database_logging_enabled
+- aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+- aws_ecs_task_definition_logging_enabled
+- aws_eks_cluster_control_plane_audit_logging_enabled
+- aws_elastic_beanstalk_environment_logs_to_cloudwatch
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_gatewayv2_stage_access_logging_enabled
+- aws_neptune_db_cluster_audit_logging_enabled
+- aws_networkfirewall_firewall_logging_enabled
+- aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+- aws_rds_db_cluster_events_subscription
+- aws_rds_db_instance_events_subscription
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_parameter_group_events_subscription
+- aws_rds_db_security_group_events_subscription
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_route53_zone_query_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_sfn_state_machine_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml
index 29f87f6da..5c5f66e31 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml
@@ -1,13 +1,20 @@
+id: aws_acsc_essential_eight_ml_2_8
+title: "ACSC-EE-ML2-8: Daily backups ML2"
+description: Backups are taken daily and retained for at least 7 days.
+section-code: "8"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_2_8
- title: "ACSC-EE-ML2-8: Daily backups ML2"
- description: Backups are taken daily and retained for at least 7 days.
- section-code: "8"
- control-group:
- - id: aws_acsc_essential_eight_ml_2_8_1
- - id: aws_acsc_essential_eight_ml_2_8_2
- - id: aws_acsc_essential_eight_ml_2_8_3
- - id: aws_acsc_essential_eight_ml_2_8_5
- - id: aws_acsc_essential_eight_ml_2_8_6
- - id: aws_acsc_essential_eight_ml_2_8_7
- - id: aws_acsc_essential_eight_ml_2_8_8
+- id: aws_acsc_essential_eight_ml_2_8_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_2_8_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml
index 0bf5d63d9..ecf213c05 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_1
- title: "ACSC-EE-ML2-8.1: Regular backups ML2"
- description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
- section-code: "1"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_2_8_1
+title: "ACSC-EE-ML2-8.1: Regular backups ML2"
+description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+section-code: "1"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml
index 6f63e79fe..457eed927 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_2
- title: "ACSC-EE-ML2-8.2: Regular backups ML2"
- description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
- section-code: "2"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_2_8_2
+title: "ACSC-EE-ML2-8.2: Regular backups ML2"
+description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
+section-code: "2"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml
index af227b53d..36e85a913 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_3
- title: "ACSC-EE-ML2-8.3: Regular backups ML2"
- description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
- section-code: "3"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_2_8_3
+title: "ACSC-EE-ML2-8.3: Regular backups ML2"
+description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
+section-code: "3"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml
index b4f6e5234..b78925a81 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_5
- title: "ACSC-EE-ML2-8.5: Regular backups ML2"
- description: Unprivileged accounts cannot access backups belonging to other accounts.
- section-code: "5"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_8_5
+title: "ACSC-EE-ML2-8.5: Regular backups ML2"
+description: Unprivileged accounts cannot access backups belonging to other accounts.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml
index 617c440b9..e29773085 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_6
- title: "ACSC-EE-ML2-8.6: Regular backups ML2"
- description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
- section-code: "6"
- controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
+id: aws_acsc_essential_eight_ml_2_8_6
+title: "ACSC-EE-ML2-8.6: Regular backups ML2"
+description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
+section-code: "6"
+type: control-group
+controls:
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_cloudtrail_bucket_not_public
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_emr_account_public_access_blocked
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_lambda_function_restrict_public_access
+- aws_neptune_db_cluster_snapshot_prohibit_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_access_point_restrict_public_access
+- aws_s3_bucket_mfa_delete_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
index 085c6c0c8..3705a2f8f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_7
- title: "ACSC-EE-ML2-8.7: Regular backups ML2"
- description: Unprivileged accounts are prevented from modifying and deleting backups.
- section-code: "7"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_2_8_7
+title: "ACSC-EE-ML2-8.7: Regular backups ML2"
+description: Unprivileged accounts are prevented from modifying and deleting backups.
+section-code: "7"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml
index 0af28072a..e5a821a93 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: aws_acsc_essential_eight_ml_2_8_8
- title: "ACSC-EE-ML2-8.8: Regular backups ML2"
- description: Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
- section-code: "8"
- controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
+id: aws_acsc_essential_eight_ml_2_8_8
+title: "ACSC-EE-ML2-8.8: Regular backups ML2"
+description: Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
+section-code: "8"
+type: control-group
+controls:
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_cloudtrail_bucket_not_public
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_emr_account_public_access_blocked
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_lambda_function_restrict_public_access
+- aws_neptune_db_cluster_snapshot_prohibit_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_access_point_restrict_public_access
+- aws_s3_bucket_mfa_delete_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
index 37bff915b..c7c95bcc2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
@@ -1,13 +1,20 @@
+id: aws_acsc_essential_eight_ml_3
+title: ACSC Essential Eight Maturity Level 3
+description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
+section-code: ml_3
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3
- title: ACSC Essential Eight Maturity Level 3
- description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
- section-code: ml_3
- control-group:
- - id: aws_acsc_essential_eight_ml_3_1
- - id: aws_acsc_essential_eight_ml_3_2
- - id: aws_acsc_essential_eight_ml_3_4
- - id: aws_acsc_essential_eight_ml_3_5
- - id: aws_acsc_essential_eight_ml_3_6
- - id: aws_acsc_essential_eight_ml_3_7
- - id: aws_acsc_essential_eight_ml_3_8
+- id: aws_acsc_essential_eight_ml_3_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
index 8eaf176fb..9fac27da7 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
@@ -1,9 +1,12 @@
+id: aws_acsc_essential_eight_ml_3_1
+title: "ACSC-EE-ML3-1: Application control ML3"
+description: Application control is implemented on workstations and servers.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_1
- title: "ACSC-EE-ML3-1: Application control ML3"
- description: Application control is implemented on workstations and servers.
- section-code: "1"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_1_6
- - id: aws_acsc_essential_eight_ml_3_1_7
- - id: aws_acsc_essential_eight_ml_3_1_8
+- id: aws_acsc_essential_eight_ml_3_1_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_1_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_1_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
index 736374a2d..97d49aad5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_1_6
- title: "ACSC-EE-ML3-1.6: Application control ML3"
- description: Allowed and blocked execution events on workstations and servers are centrally logged.
- section-code: "6"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
+id: aws_acsc_essential_eight_ml_3_1_6
+title: "ACSC-EE-ML3-1.6: Application control ML3"
+description: Allowed and blocked execution events on workstations and servers are centrally logged.
+section-code: "6"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_es_domain_audit_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
index 6f6d6116e..8d6b52f51 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_1_7
- title: "ACSC-EE-ML3-1.7: Application control ML3"
- description: Event logs are protected from unauthorised modification and deletion.
- section-code: "7"
- controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
+id: aws_acsc_essential_eight_ml_3_1_7
+title: "ACSC-EE-ML3-1.7: Application control ML3"
+description: Event logs are protected from unauthorised modification and deletion.
+section-code: "7"
+type: control-group
+controls:
+- aws_cloudtrail_bucket_not_public
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
index 55bd2a283..ba3224797 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_1_8
- title: "ACSC-EE-ML3-1.8: Application control ML3"
- description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
- section-code: "8"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
+id: aws_acsc_essential_eight_ml_3_1_8
+title: "ACSC-EE-ML3-1.8: Application control ML3"
+description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+section-code: "8"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
+- aws_securityhub_enabled
+- aws_sns_topic_notification_delivery_status_enabled
+- aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
index a579cd6d8..9dd66ae16 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
@@ -1,8 +1,10 @@
+id: aws_acsc_essential_eight_ml_3_2
+title: "ACSC-EE-ML3-2: Patch applications ML3"
+description: All workstations and servers have the latest security-relevant patches applied.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_2
- title: "ACSC-EE-ML3-2: Patch applications ML3"
- description: All workstations and servers have the latest security-relevant patches applied.
- section-code: "2"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_2_2
- - id: aws_acsc_essential_eight_ml_3_2_9
+- id: aws_acsc_essential_eight_ml_3_2_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_2_9
+ type: ""
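Review bot: The `controls:` list for a group whose description is "Event logs are monitored for signs of compromise" opens with `aws_apigateway_rest_api_stage_xray_tracing_enabled` and `aws_ec2_instance_detailed_monitoring_enabled`, which by their names check tracing and metric granularity rather than detection of compromise, so a reader auditing coverage of this requirement would take the mapping at face value. The identical 20-item list is repeated on the new side of the hunks for aws_acsc_essential_eight_ml_3_4_18 and ml_3_5_17, so any correction has to be made three times. A comment above `controls:` giving the rationale for the telemetry controls (or dropping them if there is none), e.g. `# x-ray/detailed-monitoring included as supporting telemetry, not detection`, would keep the mapping from being misread.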
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
index 8ef3457d6..33d39b9d1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_2_2
- title: "ACSC-EE-ML3-2.2: Patch applications ML3"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- section-code: "2"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_3_2_2
+title: "ACSC-EE-ML3-2.2: Patch applications ML3"
+description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+section-code: "2"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
index c5af21883..270894975 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
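Review bot: `aws_ecr_repository_image_scan_on_push_enabled` is the only control mapped to a requirement that reads "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities", so the group's result is driven solely by container images pushed to ECR and workloads that never pass through ECR are not assessed at all. A consumer of the framework would see a passing group for a requirement that is mostly unevaluated. If the catalogue has a control for instance- or host-level scanning it belongs in this list; otherwise a comment such as `# coverage limited to ECR image scanning; host-level scanning not assessed` should mark the gap.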
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_2_9
- title: "ACSC-EE-ML3-2.9: Patch applications ML3"
- description: Applications that are no longer supported by vendors are removed.
- section-code: "9"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_3_2_9
+title: "ACSC-EE-ML3-2.9: Patch applications ML3"
+description: Applications that are no longer supported by vendors are removed.
+section-code: "9"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
index 9e700400c..c190ebb42 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
@@ -1,7 +1,8 @@
+id: aws_acsc_essential_eight_ml_3_4
+title: "ACSC-EE-ML3-4: User application hardening ML3"
+description: Web browsers do not process Java from the internet.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_4
- title: "ACSC-EE-ML3-4: User application hardening ML3"
- description: Web browsers do not process Java from the internet.
- section-code: "4"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_4_18
+- id: aws_acsc_essential_eight_ml_3_4_18
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
index 2b89b7493..61533e46b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_4_18
- title: "ACSC-EE-ML3-4.18: User application hardening ML3"
- description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
- section-code: "18"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
+id: aws_acsc_essential_eight_ml_3_4_18
+title: "ACSC-EE-ML3-4.18: User application hardening ML3"
+description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+section-code: "18"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
+- aws_securityhub_enabled
+- aws_sns_topic_notification_delivery_status_enabled
+- aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
index 08d6d5f94..f32cd9c9d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
@@ -1,20 +1,34 @@
+id: aws_acsc_essential_eight_ml_3_5
+title: "ACSC-EE-ML3-5: Restrict administrative privileges ML3"
+description: Requests for privileged access to systems and applications are validated when first requested.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_5
- title: "ACSC-EE-ML3-5: Restrict administrative privileges ML3"
- description: Requests for privileged access to systems and applications are validated when first requested.
- section-code: "5"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_5_2
- - id: aws_acsc_essential_eight_ml_3_5_3
- - id: aws_acsc_essential_eight_ml_3_5_4
- - id: aws_acsc_essential_eight_ml_3_5_5
- - id: aws_acsc_essential_eight_ml_3_5_6
- - id: aws_acsc_essential_eight_ml_3_5_7
- - id: aws_acsc_essential_eight_ml_3_5_8
- - id: aws_acsc_essential_eight_ml_3_5_9
- - id: aws_acsc_essential_eight_ml_3_5_11
- - id: aws_acsc_essential_eight_ml_3_5_12
- - id: aws_acsc_essential_eight_ml_3_5_14
- - id: aws_acsc_essential_eight_ml_3_5_15
- - id: aws_acsc_essential_eight_ml_3_5_16
- - id: aws_acsc_essential_eight_ml_3_5_17
+- id: aws_acsc_essential_eight_ml_3_5_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_8
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_9
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_11
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_12
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_14
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_15
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_16
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_5_17
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
index 1658c3015..efa5dddbd 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_11
- title: "ACSC-EE-ML3-5.11: Restrict administrative privileges ML3"
- description: Administrative activities are conducted through jump servers.
- section-code: "11"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_5_11
+title: "ACSC-EE-ML3-5.11: Restrict administrative privileges ML3"
+description: Administrative activities are conducted through jump servers.
+section-code: "11"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
index e84817942..71f2b4db9 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_12
- title: "ACSC-EE-ML3-5.12: Restrict administrative privileges ML3"
- description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
- section-code: "12"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_3_5_12
+title: "ACSC-EE-ML3-5.12: Restrict administrative privileges ML3"
+description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
+section-code: "12"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
index fa7ef47b0..a3a7d5025 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
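Review bot: None of the nine ids under `controls:` evaluates credential length, uniqueness or rotation — by their names they check privileged execution modes, root usage and KMS/wildcard policy grants — yet the group's description is "Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed." A password-policy or access-key-rotation control, if the catalogue provides one, is the direct fit for this requirement. In its absence a comment above `controls:` such as `# indirect mapping: no credential-strength or rotation control in this group` keeps the group from being read as coverage of the stated requirement.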
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_14
- title: "ACSC-EE-ML3-5.14: Restrict administrative privileges ML3"
- description: Privileged access events are centrally logged.
- section-code: "14"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
+id: aws_acsc_essential_eight_ml_3_5_14
+title: "ACSC-EE-ML3-5.14: Restrict administrative privileges ML3"
+description: Privileged access events are centrally logged.
+section-code: "14"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_es_domain_audit_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
index bcaf85735..af5ae587d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_15
- title: "ACSC-EE-ML3-5.15: Restrict administrative privileges ML3"
- description: Privileged account and group management events are centrally logged.
- section-code: "15"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
+id: aws_acsc_essential_eight_ml_3_5_15
+title: "ACSC-EE-ML3-5.15: Restrict administrative privileges ML3"
+description: Privileged account and group management events are centrally logged.
+section-code: "15"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_es_domain_audit_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
index 0fbb4c9b8..700f526a5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_16
- title: "ACSC-EE-ML3-5.16: Restrict administrative privileges ML3"
- description: Event logs are protected from unauthorised modification and deletion.
- section-code: "16"
- controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
+id: aws_acsc_essential_eight_ml_3_5_16
+title: "ACSC-EE-ML3-5.16: Restrict administrative privileges ML3"
+description: Event logs are protected from unauthorised modification and deletion.
+section-code: "16"
+type: control-group
+controls:
+- aws_cloudtrail_bucket_not_public
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
index 9019d387a..1db09becb 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_17
- title: "ACSC-EE-ML3-5.17: Restrict administrative privileges ML3"
- description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
- section-code: "17"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
+id: aws_acsc_essential_eight_ml_3_5_17
+title: "ACSC-EE-ML3-5.17: Restrict administrative privileges ML3"
+description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+section-code: "17"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
+- aws_securityhub_enabled
+- aws_sns_topic_notification_delivery_status_enabled
+- aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
index 94ab02f0f..232c731f0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_2
- title: "ACSC-EE-ML3-5.2: Restrict administrative privileges ML3"
- description: Privileged access is restricted to the minimum number of people required.
- section-code: "2"
- controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_3_5_2
+title: "ACSC-EE-ML3-5.2: Restrict administrative privileges ML3"
+description: Privileged access is restricted to the minimum number of people required.
+section-code: "2"
+type: control-group
+controls:
+- aws_account_part_of_organizations
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
+- aws_neptune_db_cluster_iam_authentication_enabled
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_acls_should_prohibit_user_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
index 145aa54d3..2cad54053 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_3
- title: "ACSC-EE-ML3-5.3: Restrict administrative privileges ML3"
- description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
- section-code: "3"
- controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_3_5_3
+title: "ACSC-EE-ML3-5.3: Restrict administrative privileges ML3"
+description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
+section-code: "3"
+type: control-group
+controls:
+- aws_account_part_of_organizations
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
+- aws_neptune_db_cluster_iam_authentication_enabled
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_acls_should_prohibit_user_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
index 4a80b6fb1..d73bc4b69 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
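Review bot: The control list under `+controls:` for 5.3 is byte-identical to the 5.2 list, yet the description this group re-emits is about privileged access being disabled after 45 days of inactivity, and none of the listed controls evaluates credential or access inactivity (the closest is `aws_iam_policy_unused`, which checks policy attachment, not sign-in age). If the mod has a control that flags unused credentials past a threshold, that is the one this group should carry; otherwise a one-line YAML comment above `controls:` saying the inactivity window is not machine-checked would keep the mapping honest. This appears to be a pre-existing mapping that the restructure carries over rather than something the commit introduces.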
@@ -1,10 +1,10 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_4
- title: "ACSC-EE-ML3-5.4: Restrict administrative privileges ML3"
- description: Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
- section-code: "4"
- controls:
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+id: aws_acsc_essential_eight_ml_3_5_4
+title: "ACSC-EE-ML3-5.4: Restrict administrative privileges ML3"
+description: Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
+section-code: "4"
+type: control-group
+controls:
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
index 14a5a5c5f..4472d25d5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_5
- title: "ACSC-EE-ML3-5.5: Restrict administrative privileges ML3"
- description: Privileged accounts are prevented from accessing the internet, email and web services.
- section-code: "5"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
+id: aws_acsc_essential_eight_ml_3_5_5
+title: "ACSC-EE-ML3-5.5: Restrict administrative privileges ML3"
+description: Privileged accounts are prevented from accessing the internet, email and web services.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
index a53911642..3bbf2494a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_6
- title: "ACSC-EE-ML3-5.6: Restrict administrative privileges ML3"
- description: Privileged users use separate privileged and unprivileged operating environments.
- section-code: "6"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_5_6
+title: "ACSC-EE-ML3-5.6: Restrict administrative privileges ML3"
+description: Privileged users use separate privileged and unprivileged operating environments.
+section-code: "6"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
index 5ef9ed098..4ec9a6e86 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_7
- title: "ACSC-EE-ML3-5.7: Restrict administrative privileges ML3"
- description: Privileged operating environments are not virtualised within unprivileged operating environments.
- section-code: "7"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_5_7
+title: "ACSC-EE-ML3-5.7: Restrict administrative privileges ML3"
+description: Privileged operating environments are not virtualised within unprivileged operating environments.
+section-code: "7"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
index 4933c9ff3..993d2caa3 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_8
- title: "ACSC-EE-ML3-5.8: Restrict administrative privileges ML3"
- description: Unprivileged accounts cannot logon to privileged operating environments.
- section-code: "8"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_5_8
+title: "ACSC-EE-ML3-5.8: Restrict administrative privileges ML3"
+description: Unprivileged accounts cannot logon to privileged operating environments.
+section-code: "8"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
index 7460b2a6e..b874f9bfc 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_5_9
- title: "ACSC-EE-ML3-5.9: Restrict administrative privileges ML3"
- description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
- section-code: "9"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_5_9
+title: "ACSC-EE-ML3-5.9: Restrict administrative privileges ML3"
+description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
+section-code: "9"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_no_root_user
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
index 14a675513..1544afdc5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
@@ -1,13 +1,20 @@
+id: aws_acsc_essential_eight_ml_3_6
+title: "ACSC-EE-ML3-6: Patch operating systems ML3"
+description: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
+section-code: "6"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_6
- title: "ACSC-EE-ML3-6: Patch operating systems ML3"
- description: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
- section-code: "6"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_6_2
- - id: aws_acsc_essential_eight_ml_3_6_3
- - id: aws_acsc_essential_eight_ml_3_6_4
- - id: aws_acsc_essential_eight_ml_3_6_5
- - id: aws_acsc_essential_eight_ml_3_6_6
- - id: aws_acsc_essential_eight_ml_3_6_7
- - id: aws_acsc_essential_eight_ml_3_6_8
+- id: aws_acsc_essential_eight_ml_3_6_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_6_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
index 8e39ec47e..909bd94d7 100755
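Review bot: Every child reference added under `control-group:` carries `type: ""`, while the referenced files themselves now declare `type: control-group` and the only non-empty `type` values in this commit are `control` and `control-group`; an empty string looks like a generator default rather than a deliberate value. If the loader dispatches on `type` to decide whether an `id` names a control or a control-group, an empty value would presumably either fall through to a default or fail validation, and a typo'd child id would not be caught by a schema check. Either set `type: control-group` on each child entry to match the files they point at, or drop the key if the loader infers the kind from the id. The `aws_acsc_essential_eight_ml_3_7.yaml` hunk below has the same `type: ""` entries.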
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_2
- title: "ACSC-EE-ML3-6.2: Patch operating systems ML3"
- description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- section-code: "2"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_3_6_2
+title: "ACSC-EE-ML3-6.2: Patch operating systems ML3"
+description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+section-code: "2"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
index 70414d8de..0401ebe24 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_3
- title: "ACSC-EE-ML3-6.3: Patch operating systems ML3"
- description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
- section-code: "3"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_3_6_3
+title: "ACSC-EE-ML3-6.3: Patch operating systems ML3"
+description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+section-code: "3"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
index 394145ed1..259d3c2e5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_4
- title: "ACSC-EE-ML3-6.4: Patch operating systems ML3"
- description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
- section-code: "4"
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
+id: aws_acsc_essential_eight_ml_3_6_4
+title: "ACSC-EE-ML3-6.4: Patch operating systems ML3"
+description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+section-code: "4"
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
index 16da9077e..7ec50bec0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_5
- title: "ACSC-EE-ML3-6.5: Patch operating systems ML3"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "5"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_3_6_5
+title: "ACSC-EE-ML3-6.5: Patch operating systems ML3"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+section-code: "5"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
index f215db702..e93f0e06d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_6
- title: "ACSC-EE-ML3-6.6: Patch operating systems ML3"
- description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
- section-code: "6"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_3_6_6
+title: "ACSC-EE-ML3-6.6: Patch operating systems ML3"
+description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
+section-code: "6"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
index e1557b2ca..c58eda09c 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_7
- title: "ACSC-EE-ML3-6.7: Patch operating systems ML3"
- description: The latest release, or the previous release, of operating systems are used.
- section-code: "7"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_3_6_7
+title: "ACSC-EE-ML3-6.7: Patch operating systems ML3"
+description: The latest release, or the previous release, of operating systems are used.
+section-code: "7"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
index 04e4a9100..01f6f2378 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_6_8
- title: "ACSC-EE-ML3-6.8: Patch operating systems ML3"
- description: Operating systems that are no longer supported by vendors are replaced.
- section-code: "8"
- controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_acsc_essential_eight_ml_3_6_8
+title: "ACSC-EE-ML3-6.8: Patch operating systems ML3"
+description: Operating systems that are no longer supported by vendors are replaced.
+section-code: "8"
+type: control-group
+controls:
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_elastic_beanstalk_environment_managed_updates_enabled
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_opensearch_domain_updated_with_latest_service_software_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
index 68ad0be98..0405782a2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
@@ -1,16 +1,26 @@
+id: aws_acsc_essential_eight_ml_3_7
+title: "ACSC-EE-ML3-7: Restrict administrative privileges ML3"
+description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+section-code: "7"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_7
- title: "ACSC-EE-ML3-7: Restrict administrative privileges ML3"
- description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
- section-code: "7"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_7_1
- - id: aws_acsc_essential_eight_ml_3_7_2
- - id: aws_acsc_essential_eight_ml_3_7_3
- - id: aws_acsc_essential_eight_ml_3_7_4
- - id: aws_acsc_essential_eight_ml_3_7_5
- - id: aws_acsc_essential_eight_ml_3_7_6
- - id: aws_acsc_essential_eight_ml_3_7_7
- - id: aws_acsc_essential_eight_ml_3_7_8
- - id: aws_acsc_essential_eight_ml_3_7_9
- - id: aws_acsc_essential_eight_ml_3_7_10
+- id: aws_acsc_essential_eight_ml_3_7_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_4
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_8
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_9
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_7_10
+ type: ""
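Review bot: The re-emitted `+title: "ACSC-EE-ML3-7: Restrict administrative privileges ML3"` does not match this group: its own description is the multi-factor authentication requirement, its first child (ml_3_7_1, in the next hunk) is titled "Multi-factor authentication ML3", and "Restrict administrative privileges" is already the title of the ml_3_5 group. Since the commit rewrites the whole header it is a cheap moment to correct the copy-paste, e.g. `title: "ACSC-EE-ML3-7: Multi-factor authentication ML3"`. The title is what framework reports surface, so a wrong one misattributes MFA findings to the privilege-restriction strategy.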
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
index faea6eab9..4e2bae52b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_1
- title: "ACSC-EE-ML3-7.1: Multi-factor authentication ML3"
- description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
- section-code: "1"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_1
+title: "ACSC-EE-ML3-7.1: Multi-factor authentication ML3"
+description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+section-code: "1"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
index d3e555aad..0de24d961 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_10
- title: "ACSC-EE-ML3-7.10: Multi-factor authentication ML3"
- description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
- section-code: "10"
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
+id: aws_acsc_essential_eight_ml_3_7_10
+title: "ACSC-EE-ML3-7.10: Multi-factor authentication ML3"
+description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+section-code: "10"
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
+- aws_securityhub_enabled
+- aws_sns_topic_notification_delivery_status_enabled
+- aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
index e64ab8dc6..f95a3e21f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
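Review bot: `aws_apigateway_rest_api_stage_xray_tracing_enabled` and `aws_ec2_instance_detailed_monitoring_enabled` are performance/observability settings, not monitoring of event logs for signs of compromise, so a stage without X-Ray or an instance on 5-minute metrics will drag this requirement to alarm with no security meaning. The `aws_log_metric_filter_*`, `aws_securityhub_enabled` and `aws_cloudwatch_alarm_action_enabled` entries do speak to the requirement; consider dropping the two (and probably `aws_sns_topic_notification_delivery_status_enabled`) or recording in a comment why they count as evidence. The "actioned" half of the requirement is a process control that no automated check here demonstrates, which a `# 'actioned' is a manual/process control` note beside the list would make explicit.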
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_2
- title: "ACSC-EE-ML3-7.2: Multi-factor authentication ML3"
- description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
- section-code: "2"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_2
+title: "ACSC-EE-ML3-7.2: Multi-factor authentication ML3"
+description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
+section-code: "2"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
index a5ad8c666..7799f10d3 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
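Review bot: This requirement concerns third-party internet-facing services that hold the organisation's sensitive data, which none of the listed IAM/S3 checks can observe — they only evaluate MFA on principals of the scanned AWS account. As written the group reports "ok" for an account whose users log in to third-party SaaS with no MFA at all, so the result overstates coverage. Consider marking the group manual/info, or adding a comment such as `# AWS IAM MFA checks only; MFA on third-party services must be evidenced manually` so auditors do not read the pass as proof.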
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_3
- title: "ACSC-EE-ML3-7.3: Multi-factor authentication ML3"
- description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
- section-code: "3"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_3
+title: "ACSC-EE-ML3-7.3: Multi-factor authentication ML3"
+description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+section-code: "3"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
index e818d2e0e..a1f77af0a 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
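Review bot: The `description:` here is byte-identical to the one in `aws_acsc_essential_eight_ml_3_7_4` in this same change ("Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) …"), so two section codes carry one requirement and one requirement has been lost. As far as I recall the published ML3 list, the item between 7.2 (third-party services, sensitive data) and the non-organisational-users item is the same third-party-services requirement for non-sensitive data with MFA "where available"; confirm against the ACSC text and correct whichever of 7.3/7.4 is the copy. The control list would stay the same, so only the description line needs changing.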
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_4
- title: "ACSC-EE-ML3-7.4: Multi-factor authentication ML3"
- description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
- section-code: "4"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_4
+title: "ACSC-EE-ML3-7.4: Multi-factor authentication ML3"
+description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+section-code: "4"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
index 66dfbcc08..6de9b59a5 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_5
- title: "ACSC-EE-ML3-7.5: Multi-factor authentication ML3"
- description: Multi-factor authentication is used to authenticate privileged users of systems.
- section-code: "5"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_5
+title: "ACSC-EE-ML3-7.5: Multi-factor authentication ML3"
+description: Multi-factor authentication is used to authenticate privileged users of systems.
+section-code: "5"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
index a3fc298bf..638d30211 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_6
- title: "ACSC-EE-ML3-7.6: Multi-factor authentication ML3"
- description: Multi-factor authentication is used to authenticate users accessing important data repositories.
- section-code: "6"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_6
+title: "ACSC-EE-ML3-7.6: Multi-factor authentication ML3"
+description: Multi-factor authentication is used to authenticate users accessing important data repositories.
+section-code: "6"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
index 76e0ed1d8..316eae792 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
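Review bot: The requirement is MFA for users accessing important data repositories, but the listed controls only check whether a device is registered on IAM users; nothing checks that access to the repositories themselves is conditioned on MFA (for example a bucket or role policy requiring `aws:MultiFactorAuthPresent`), so a user who reaches the data through a role assumed without MFA still passes. If no control for MFA-conditioned access exists, a comment stating that the group is only a proxy for the requirement would help auditors. `aws_s3_bucket_mfa_delete_enabled` does not close the gap either, since it governs deletes, not reads.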
@@ -1,11 +1,11 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_7
- title: "ACSC-EE-ML3-7.7: Multi-factor authentication ML3"
- description: "Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
- section-code: "7"
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
+id: aws_acsc_essential_eight_ml_3_7_7
+title: "ACSC-EE-ML3-7.7: Multi-factor authentication ML3"
+description: "Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
+section-code: "7"
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
index 281b01b3c..aeda05cc8 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
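Review bot: This group will report "ok" without establishing phishing resistance: `aws_iam_user_mfa_enabled` and `aws_iam_user_console_access_mfa_enabled` pass for virtual (TOTP) devices, which are not phishing-resistant, and only the root hardware check looks at device type at all — and a hardware OTP token is still a shared-secret code that can be relayed by a proxy phishing page. Phishing-resistant MFA in IAM means FIDO2/WebAuthn security keys or passkeys, so the evidence has to come from a control that inspects the registered device type, or the group should be marked manual/info with a comment saying so. `aws_s3_bucket_mfa_delete_enabled` says nothing about authentication method and should not be listed here.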
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_8
- title: "ACSC-EE-ML3-7.8: Multi-factor authentication ML3"
- description: Successful and unsuccessful multi-factor authentication events are centrally logged.
- section-code: "8"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
+id: aws_acsc_essential_eight_ml_3_7_8
+title: "ACSC-EE-ML3-7.8: Multi-factor authentication ML3"
+description: Successful and unsuccessful multi-factor authentication events are centrally logged.
+section-code: "8"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_es_domain_audit_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
index c7b50bddf..899c48054 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
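Review bot: `aws_es_domain_audit_logging_enabled`, `aws_es_domain_logs_to_cloudwatch` and their OpenSearch twins record queries against a search domain, and `aws_cloudtrail_s3_data_events_enabled` records S3 object operations; none of them log successful or unsuccessful MFA authentication events, so they produce unrelated failures for this requirement. For IAM the MFA outcome is carried in CloudTrail management events (console sign-in events record whether MFA was used), which `aws_cloudtrail_multi_region_trail_enabled` and `aws_cloudtrail_trail_integrated_with_logs` already cover. Consider trimming the list to the CloudTrail controls, or adding a comment explaining why domain-level audit logs are treated as MFA evidence.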
@@ -1,13 +1,13 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_7_9
- title: "ACSC-EE-ML3-7.9: Multi-factor authentication ML3"
- description: Event logs are protected from unauthorised modification and deletion.
- section-code: "9"
- controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
+id: aws_acsc_essential_eight_ml_3_7_9
+title: "ACSC-EE-ML3-7.9: Multi-factor authentication ML3"
+description: Event logs are protected from unauthorised modification and deletion.
+section-code: "9"
+type: control-group
+controls:
+- aws_cloudtrail_bucket_not_public
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
index f58a5fea7..4617f45f3 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
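Review bot: None of the listed controls stops a principal holding `s3:DeleteObject` or `logs:DeleteLogGroup` from deleting the logs; non-public buckets, encryption and log-file validation limit exposure or detect tampering after the fact, but they do not prevent deletion. `aws_s3_bucket_mfa_delete_enabled`, which this change places under the MFA user-authentication groups, is the one control in the set that actually guards deletion of the trail bucket's objects and belongs here; S3 Object Lock on the trail bucket and a CloudWatch log-group retention policy would be stronger evidence if controls for them exist. A one-line comment stating which control covers "modification" (`aws_cloudtrail_trail_validation_enabled`) and which covers "deletion" would make the mapping auditable.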
@@ -1,13 +1,20 @@
+id: aws_acsc_essential_eight_ml_3_8
+title: "ACSC-EE-ML3-8: Regular backups ML3"
+description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+section-code: "8"
+type: control-group
 control-group:
- id: aws_acsc_essential_eight_ml_3_8
- title: "ACSC-EE-ML3-8: Regular backups ML3"
- description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
- section-code: "8"
- control-group:
- - id: aws_acsc_essential_eight_ml_3_8_1
- - id: aws_acsc_essential_eight_ml_3_8_2
- - id: aws_acsc_essential_eight_ml_3_8_3
- - id: aws_acsc_essential_eight_ml_3_8_5
- - id: aws_acsc_essential_eight_ml_3_8_6
- - id: aws_acsc_essential_eight_ml_3_8_7
- - id: aws_acsc_essential_eight_ml_3_8_8
+- id: aws_acsc_essential_eight_ml_3_8_1
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_2
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_3
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_5
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_6
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_7
+ type: ""
+- id: aws_acsc_essential_eight_ml_3_8_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
index 0bf2a96dc..88e609867 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
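Review bot: The `control-group:` list jumps from `aws_acsc_essential_eight_ml_3_8_3` to `aws_acsc_essential_eight_ml_3_8_5`, so section code 4 of this strategy is absent from the tree. If that is deliberate (as far as I recall, the ML3 backup item at that position is the restoration-testing requirement, which has no automated check), a comment such as `# 3_8_4 (restoration testing) is a manual control and intentionally unmapped` keeps it from being read as a dropped file. As in the 3_7 parent, each child carries `type: ""` while the child files declare `type: control-group`; write `type: control-group` here unless the loader documents the empty string.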
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_1
- title: "ACSC-EE-ML3-8.1: Regular backups ML3"
- description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
- section-code: "1"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_3_8_1
+title: "ACSC-EE-ML3-8.1: Regular backups ML3"
+description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+section-code: "1"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
index bef7a017b..150a15e90 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
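Review bot: `aws_rds_db_cluster_aurora_backtracking_enabled` is not a backup: backtrack rewinds the live cluster in place within a short window and disappears with the cluster, so it does not evidence backups being "performed and retained". The retention thresholds are also mixed (35 days for AWS Backup, 15 for ElastiCache, 7 for DocumentDB and Redshift) while the requirement is retention "in accordance with business continuity requirements"; a comment such as `# retention thresholds are placeholders; align with the organisation's RPO/retention policy` would stop auditors from treating 7 days as the bar. Dropping the backtracking control, or annotating why it counts, is the minimal change.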
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_2
- title: "ACSC-EE-ML3-8.2: Regular backups ML3"
- description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
- section-code: "2"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_3_8_2
+title: "ACSC-EE-ML3-8.2: Regular backups ML3"
+description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
+section-code: "2"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
index 00bc99f73..39b2451f7 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
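Review bot: The `controls:` list is identical to the one in `aws_acsc_essential_eight_ml_3_8_1`, but this requirement is about backups being synchronised to a common point in time, which none of these per-resource "in backup plan" and retention checks evaluates. The group will therefore mirror 3_8_1's result exactly and give no independent evidence. Either mark it manual/info with a note, or scope it to the controls that at least share a schedule (the `aws_backup_plan_*` / `aws_backup_recovery_point_*` checks) and say so in a comment.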
@@ -1,26 +1,26 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_3
- title: "ACSC-EE-ML3-8.3: Regular backups ML3"
- description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
- section-code: "3"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
+id: aws_acsc_essential_eight_ml_3_8_3
+title: "ACSC-EE-ML3-8.3: Regular backups ML3"
+description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
+section-code: "3"
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
index fe043c523..60df4c41b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
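Review bot: Same list as 3_8_1 again, yet "retained in a secure and resilient manner" asks about the recovery points themselves — encryption, vault access policy, copies to another region or account — and none of the listed controls looks at that. `aws_backup_recovery_point_manual_deletion_disabled`, which this change uses under 3_8_6 and 3_8_8, is the closest existing control to "secure retention" and is missing here. Consider adding it and a comment stating which aspects (encryption of recovery points, cross-region copy) remain unevidenced by automated checks.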
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_5
- title: "ACSC-EE-ML3-8.5: Regular backups ML3"
- description: Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
- section-code: "5"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_8_5
+title: "ACSC-EE-ML3-8.5: Regular backups ML3"
+description: Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
+section-code: "5"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml
index c3f2de43b..50ed09505 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml
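Review bot: Most of these controls have no relation to backups: `aws_vpc_security_group_restrict_ingress_ssh_all`, `aws_codebuild_project_source_repo_oauth_configured`, `aws_ecs_task_definition_container_readonly_root_filesystem`, `aws_ssm_managed_instance_compliance_association_compliant` and `aws_ec2_instance_iam_profile_attached` will fail this requirement on unrelated resources and pass it in an account where every unprivileged user can read every snapshot. Nothing in the list checks IAM or vault access policies on backup vaults, snapshots or recovery points, which is what "cannot access backups" needs. If no such control exists, keep `aws_iam_user_in_group` and `aws_s3_bucket_policy_restricts_cross_account_permission_changes` as declared proxies and add a comment naming the gap rather than padding the list.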
@@ -1,36 +1,36 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_6
- title: "ACSC-EE-ML3-8.6: Regular backups ML3"
- description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
- section-code: "6"
- controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
+id: aws_acsc_essential_eight_ml_3_8_6
+title: "ACSC-EE-ML3-8.6: Regular backups ML3"
+description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
+section-code: "6"
+type: control-group
+controls:
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_cloudtrail_bucket_not_public
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_emr_account_public_access_blocked
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_lambda_function_restrict_public_access
+- aws_neptune_db_cluster_snapshot_prohibit_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_access_point_restrict_public_access
+- aws_s3_bucket_mfa_delete_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
index 71927c3c2..251f813b7 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
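Review bot: The requirement is that privileged (non-backup-admin) accounts cannot reach backups, but the list is dominated by public-access controls (`aws_s3_public_access_block_*`, the `*_prohibit_public_access` entries, `aws_lambda_function_restrict_public_access`) and container/notebook hardening, none of which says anything about which IAM principals can read a vault or snapshot. `aws_ebs_snapshot_not_publicly_restorable`, `aws_rds_db_snapshot_prohibit_public_access`, `aws_neptune_db_cluster_snapshot_prohibit_public_access` and `aws_backup_recovery_point_manual_deletion_disabled` are the only entries that touch backups at all. Consider trimming to those and stating in a comment that principal-level separation of backup administration from other privileged roles is not evidenced by an automated control.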
@@ -1,15 +1,15 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_7
- title: "ACSC-EE-ML3-8.7: Regular backups ML3"
- description: Unprivileged accounts are prevented from modifying and deleting backups.
- section-code: "7"
- controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_acsc_essential_eight_ml_3_8_7
+title: "ACSC-EE-ML3-8.7: Regular backups ML3"
+description: Unprivileged accounts are prevented from modifying and deleting backups.
+section-code: "7"
+type: control-group
+controls:
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_user_in_group
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml
index 806ddb69e..a66c5943e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml
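Review bot: This `controls:` list is identical to the one in `aws_acsc_essential_eight_ml_3_8_5`, but the requirement here is that unprivileged accounts cannot modify or delete backups, and nothing in the list addresses deletion — `aws_backup_recovery_point_manual_deletion_disabled`, which this change uses under 3_8_6 and 3_8_8, is the one control that does and is missing here. The SSH security-group, CodeBuild OAuth and ECS read-only-root-filesystem entries are unrelated to backups and will only produce unrelated failures. Add the recovery-point control and drop, or annotate, the unrelated ones so the group's result reflects the requirement.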
@@ -1,36 +1,36 @@
-control-group:
- id: aws_acsc_essential_eight_ml_3_8_8
- title: "ACSC-EE-ML3-8.8: Regular backups ML3"
- description: Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.
- section-code: "8"
- controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
+id: aws_acsc_essential_eight_ml_3_8_8
+title: "ACSC-EE-ML3-8.8: Regular backups ML3"
+description: Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention
period.
+section-code: "8"
+type: control-group
+controls:
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_cloudtrail_bucket_not_public
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_no_root_user
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_emr_account_public_access_blocked
+- aws_eventbridge_custom_bus_resource_based_policy_attached
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_lambda_function_restrict_public_access
+- aws_neptune_db_cluster_snapshot_prohibit_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_access_point_restrict_public_access
+- aws_s3_bucket_mfa_delete_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml
index 3f09c96c6..7ec00e58a 100644
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml
@@ -1,75 +1,75 @@
-framework:
- id: aws_all_controls
- title: All Controls
- description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
- section-code: aws_all_controls
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_all_controls_account
- - id: aws_all_controls_acm
- - id: aws_all_controls_apigateway
- - id: aws_all_controls_appstream
- - id: aws_all_controls_appsync
- - id: aws_all_controls_athena
- - id: aws_all_controls_autoscaling
- - id: aws_all_controls_backup
- - id: aws_all_controls_cloudformation
- - id: aws_all_controls_cloudfront
- - id: aws_all_controls_cloudtrail
- - id: aws_all_controls_cloudwatch
- - id: aws_all_controls_codebuild
- - id: aws_all_controls_codedeploy
- - id: aws_all_controls_config
- - id: aws_all_controls_dax
- - id: aws_all_controls_directoryservice
- - id: aws_all_controls_dlm
- - id: aws_all_controls_dms
- - id: aws_all_controls_docdb
- - id: aws_all_controls_drs
- - id: aws_all_controls_dynamodb
- - id: aws_all_controls_ebs
- - id: aws_all_controls_ec2
- - id: aws_all_controls_ecr
- - id: aws_all_controls_ecs
- - id: aws_all_controls_efs
- - id: aws_all_controls_eks
- - id: aws_all_controls_elasticache
- - id: aws_all_controls_elasticbeanstalk
- - id: aws_all_controls_elb
- - id: aws_all_controls_emr
- - id: aws_all_controls_es
- - id: aws_all_controls_eventbridge
- - id: aws_all_controls_fsx
- - id: aws_all_controls_glacier
- - id: aws_all_controls_glue
- - id: aws_all_controls_guardduty
- - id: aws_all_controls_iam
- - id: aws_all_controls_kinesis
- - id: aws_all_controls_kms
- - id: aws_all_controls_lambda
- - id: aws_all_controls_lightsail
- - id: aws_all_controls_mq
- - id: aws_all_controls_msk
- - id: aws_all_controls_neptune
- - id: aws_all_controls_networkfirewall
- - id: aws_all_controls_opensearch
- - id: aws_all_controls_organization
- - id: aws_all_controls_pca
- - id:
aws_all_controls_rds
- - id: aws_all_controls_redshift
- - id: aws_all_controls_route53
- - id: aws_all_controls_s3
- - id: aws_all_controls_sagemaker
- - id: aws_all_controls_secretsmanager
- - id: aws_all_controls_securityhub
- - id: aws_all_controls_sfn
- - id: aws_all_controls_sns
- - id: aws_all_controls_sqs
- - id: aws_all_controls_ssm
- - id: aws_all_controls_vpc
- - id: aws_all_controls_waf
- - id: aws_all_controls_wafv2
- - id: aws_all_controls_workspaces
+id: aws_all_controls
+title: All Controls
+description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
+section-code: aws_all_controls
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_all_controls_account
+- id: aws_all_controls_acm
+- id: aws_all_controls_apigateway
+- id: aws_all_controls_appstream
+- id: aws_all_controls_appsync
+- id: aws_all_controls_athena
+- id: aws_all_controls_autoscaling
+- id: aws_all_controls_backup
+- id: aws_all_controls_cloudformation
+- id: aws_all_controls_cloudfront
+- id: aws_all_controls_cloudtrail
+- id: aws_all_controls_cloudwatch
+- id: aws_all_controls_codebuild
+- id: aws_all_controls_codedeploy
+- id: aws_all_controls_config
+- id: aws_all_controls_dax
+- id: aws_all_controls_directoryservice
+- id: aws_all_controls_dlm
+- id: aws_all_controls_dms
+- id: aws_all_controls_docdb
+- id: aws_all_controls_drs
+- id: aws_all_controls_dynamodb
+- id: aws_all_controls_ebs
+- id: aws_all_controls_ec2
+- id: aws_all_controls_ecr
+- id: aws_all_controls_ecs
+- id: aws_all_controls_efs
+- id: aws_all_controls_eks
+- id: aws_all_controls_elasticache
+- id: aws_all_controls_elasticbeanstalk
+- id: aws_all_controls_elb
+- id: aws_all_controls_emr
+- id: aws_all_controls_es
+- id: aws_all_controls_eventbridge
+- id: aws_all_controls_fsx
+- id: aws_all_controls_glacier
+- id: aws_all_controls_glue
+- id:
aws_all_controls_guardduty
+- id: aws_all_controls_iam
+- id: aws_all_controls_kinesis
+- id: aws_all_controls_kms
+- id: aws_all_controls_lambda
+- id: aws_all_controls_lightsail
+- id: aws_all_controls_mq
+- id: aws_all_controls_msk
+- id: aws_all_controls_neptune
+- id: aws_all_controls_networkfirewall
+- id: aws_all_controls_opensearch
+- id: aws_all_controls_organization
+- id: aws_all_controls_pca
+- id: aws_all_controls_rds
+- id: aws_all_controls_redshift
+- id: aws_all_controls_route53
+- id: aws_all_controls_s3
+- id: aws_all_controls_sagemaker
+- id: aws_all_controls_secretsmanager
+- id: aws_all_controls_securityhub
+- id: aws_all_controls_sfn
+- id: aws_all_controls_sns
+- id: aws_all_controls_sqs
+- id: aws_all_controls_ssm
+- id: aws_all_controls_vpc
+- id: aws_all_controls_waf
+- id: aws_all_controls_wafv2
+- id: aws_all_controls_workspaces
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
index 0e3688bb3..b32cc3723 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_all_controls_account
- title: Account
- description: This section contains recommendations for configuring Account resources.
- section-code: account
- controls:
- - aws_account_alternate_contact_security_registered
- - aws_account_part_of_organizations
+id: aws_all_controls_account
+title: Account
+description: This section contains recommendations for configuring Account resources.
+section-code: account
+type: control-group
+controls:
+- aws_account_alternate_contact_security_registered
+- aws_account_part_of_organizations
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
index 57eca858a..0be7f8389 100755
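Review bot: The group files stay executable (`index 0e3688bb3..b32cc3723 100755` on this one, and `100755` on every sibling group file in this batch) while the framework file `aws_all_controls.yaml` is `100644`; a YAML data file should not carry the execute bit, and the inconsistency suggests it was never intentional. Since this commit already rewrites each of these files in full, normalizing the mode to `100644` in the same change would avoid a second whole-tree diff later.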
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_acm
- title: ACM
- description: This section contains recommendations for configuring ACM resources.
- section-code: acm
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_acm_certificate_no_failed_certificate
- - aws_acm_certificate_no_pending_validation_certificate
- - aws_acm_certificate_no_wildcard_domain_name
- - aws_acm_certificate_not_expired
- - aws_acm_certificate_rsa_key_length_2048_bits_or_greater
- - aws_acm_certificate_transparency_logging_enabled
+id: aws_all_controls_acm
+title: ACM
+description: This section contains recommendations for configuring ACM resources.
+section-code: acm
+type: control-group
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_acm_certificate_no_failed_certificate
+- aws_acm_certificate_no_pending_validation_certificate
+- aws_acm_certificate_no_wildcard_domain_name
+- aws_acm_certificate_not_expired
+- aws_acm_certificate_rsa_key_length_2048_bits_or_greater
+- aws_acm_certificate_transparency_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
index 487a2e894..4a36c2359 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_all_controls_apigateway
- title: API Gateway
- description: This section contains recommendations for configuring API Gateway resources.
- section-code: apigateway
- controls:
- - aws_api_gateway_method_authorization_type_configured
- - aws_api_gateway_method_request_parameter_validated
- - aws_api_gateway_rest_api_public_endpoint_with_authorizer
- - aws_api_gatewayv2_route_authorization_type_configured
- - aws_api_gatewayv2_route_authorizer_configured
- - aws_apigateway_rest_api_authorizers_configured
- - aws_apigateway_rest_api_endpoint_restrict_public_access
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_apigateway_stage_use_waf_web_acl
- - aws_gatewayv2_stage_access_logging_enabled
+id: aws_all_controls_apigateway
+title: API Gateway
+description: This section contains recommendations for configuring API Gateway resources.
+section-code: apigateway
+type: control-group
+controls:
+- aws_api_gateway_method_authorization_type_configured
+- aws_api_gateway_method_request_parameter_validated
+- aws_api_gateway_rest_api_public_endpoint_with_authorizer
+- aws_api_gatewayv2_route_authorization_type_configured
+- aws_api_gatewayv2_route_authorizer_configured
+- aws_apigateway_rest_api_authorizers_configured
+- aws_apigateway_rest_api_endpoint_restrict_public_access
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_apigateway_stage_use_waf_web_acl
+- aws_gatewayv2_stage_access_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
index 46f6867c4..5ce3cf3e5 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: aws_all_controls_appstream
- title: AppStream
- description: This section contains recommendations for configuring AppStream resources.
- section-code: appstream
- controls:
- - aws_appstream_fleet_default_internet_access_disabled
- - aws_appstream_fleet_idle_disconnect_timeout_600_seconds
- - aws_appstream_fleet_max_user_duration_36000_seconds
- - aws_appstream_fleet_session_disconnect_timeout_300_seconds
+id: aws_all_controls_appstream
+title: AppStream
+description: This section contains recommendations for configuring AppStream resources.
+section-code: appstream
+type: control-group
+controls:
+- aws_appstream_fleet_default_internet_access_disabled
+- aws_appstream_fleet_idle_disconnect_timeout_600_seconds
+- aws_appstream_fleet_max_user_duration_36000_seconds
+- aws_appstream_fleet_session_disconnect_timeout_300_seconds
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
index dee85e601..8c692228b 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_appsync
- title: AppSync
- description: This section contains recommendations for configuring AppSync resources.
- section-code: appsync
- controls:
- - aws_appsync_graphql_api_field_level_logging_enabled
+id: aws_all_controls_appsync
+title: AppSync
+description: This section contains recommendations for configuring AppSync resources.
+section-code: appsync
+type: control-group
+controls:
+- aws_appsync_graphql_api_field_level_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
index 710a30087..e734c6194 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_all_controls_athena
- title: Athena
- description: This section contains recommendations for configuring Athena resources.
- section-code: athena
- controls:
- - aws_athena_workgroup_encryption_at_rest_enabled
- - aws_athena_workgroup_enforce_configuration_enabled
+id: aws_all_controls_athena
+title: Athena
+description: This section contains recommendations for configuring Athena resources.
+section-code: athena
+type: control-group
+controls:
+- aws_athena_workgroup_encryption_at_rest_enabled
+- aws_athena_workgroup_enforce_configuration_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
index 02fe47630..066956b46 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: aws_all_controls_autoscaling
- title: Auto Scaling
- description: This section contains recommendations for configuring Auto Scaling resources.
- section-code: autoscaling
- controls:
- - aws_autoscaling_ec2_launch_configuration_no_sensitive_data
- - aws_autoscaling_group_multiple_az_configured
- - aws_autoscaling_group_no_suspended_process
- - aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled
- - aws_autoscaling_group_uses_ec2_launch_template
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_autoscaling_launch_config_hop_limit
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_autoscaling_launch_config_requires_imdsv2
- - aws_autoscaling_use_multiple_instance_types_in_multiple_az
+id: aws_all_controls_autoscaling
+title: Auto Scaling
+description: This section contains recommendations for configuring Auto Scaling resources.
+section-code: autoscaling
+type: control-group
+controls:
+- aws_autoscaling_ec2_launch_configuration_no_sensitive_data
+- aws_autoscaling_group_multiple_az_configured
+- aws_autoscaling_group_no_suspended_process
+- aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled
+- aws_autoscaling_group_uses_ec2_launch_template
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_autoscaling_launch_config_hop_limit
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_autoscaling_launch_config_requires_imdsv2
+- aws_autoscaling_use_multiple_instance_types_in_multiple_az
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
index ba8756821..43d8bbb9a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: aws_all_controls_backup
- title: Backup
- description: This section contains recommendations for configuring Backup resources.
- section-code: backup
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_plan_region_configured
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_backup_vault_region_configured
+id: aws_all_controls_backup
+title: Backup
+description: This section contains recommendations for configuring Backup resources.
+section-code: backup
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_plan_region_configured
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_backup_vault_region_configured
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
index d5305c066..5547e7b28 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_all_controls_cloudformation
- title: CloudFormation
- description: This section contains recommendations for configuring CloudFormation resources.
- section-code: cloudformation
- controls:
- - aws_cloudformation_stack_drift_detection_check
- - aws_cloudformation_stack_notifications_enabled
- - aws_cloudformation_stack_output_no_secrets
- - aws_cloudformation_stack_rollback_enabled
- - aws_cloudformation_stack_termination_protection_enabled
+id: aws_all_controls_cloudformation
+title: CloudFormation
+description: This section contains recommendations for configuring CloudFormation resources.
+section-code: cloudformation
+type: control-group
+controls:
+- aws_cloudformation_stack_drift_detection_check
+- aws_cloudformation_stack_notifications_enabled
+- aws_cloudformation_stack_output_no_secrets
+- aws_cloudformation_stack_rollback_enabled
+- aws_cloudformation_stack_termination_protection_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
index 2e67fac4c..b672de495 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_all_controls_cloudfront
- title: CloudFront
- description: This section contains recommendations for configuring CloudFront resources.
- section-code: cloudfront
- controls:
- - aws_cloudfront_distribution_configured_with_origin_failover
- - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
- - aws_cloudfront_distribution_default_root_object_configured
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudfront_distribution_field_level_encryption_enabled
- - aws_cloudfront_distribution_geo_restrictions_enabled
- - aws_cloudfront_distribution_latest_tls_version
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudfront_distribution_no_deprecated_ssl_protocol
- - aws_cloudfront_distribution_no_non_existent_s3_origin
- - aws_cloudfront_distribution_origin_access_identity_enabled
- - aws_cloudfront_distribution_sni_enabled
- - aws_cloudfront_distribution_use_custom_ssl_certificate
- - aws_cloudfront_distribution_use_secure_cipher
- - aws_cloudfront_distribution_waf_enabled
+id: aws_all_controls_cloudfront
+title: CloudFront
+description: This section contains recommendations for configuring CloudFront resources.
+section-code: cloudfront
+type: control-group
+controls:
+- aws_cloudfront_distribution_configured_with_origin_failover
+- aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+- aws_cloudfront_distribution_default_root_object_configured
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_cloudfront_distribution_field_level_encryption_enabled
+- aws_cloudfront_distribution_geo_restrictions_enabled
+- aws_cloudfront_distribution_latest_tls_version
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_cloudfront_distribution_no_non_existent_s3_origin
+- aws_cloudfront_distribution_origin_access_identity_enabled
+- aws_cloudfront_distribution_sni_enabled
+- aws_cloudfront_distribution_use_custom_ssl_certificate
+- aws_cloudfront_distribution_use_secure_cipher
+- aws_cloudfront_distribution_waf_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
index 4f40022ff..0a374b526 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_all_controls_cloudtrail
- title: CloudTrail
- description: This section contains recommendations for configuring CloudTrail resources.
- section-code: cloudtrail
- controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_multi_region_read_write_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_multi_region_trail_integrated_with_logs
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_s3_logging_enabled
- - aws_cloudtrail_s3_object_read_events_audit_enabled
- - aws_cloudtrail_s3_object_write_events_audit_enabled
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_bucket_mfa_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_enabled_account
- - aws_cloudtrail_trail_insight_selectors_and_logging_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
+id: aws_all_controls_cloudtrail
+title: CloudTrail
+description: This section contains recommendations for configuring CloudTrail resources.
+section-code: cloudtrail
+type: control-group
+controls:
+- aws_cloudtrail_bucket_not_public
+- aws_cloudtrail_multi_region_read_write_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_multi_region_trail_integrated_with_logs
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_s3_logging_enabled
+- aws_cloudtrail_s3_object_read_events_audit_enabled
+- aws_cloudtrail_s3_object_write_events_audit_enabled
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_bucket_mfa_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_enabled_account
+- aws_cloudtrail_trail_insight_selectors_and_logging_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
index 15ce8bafc..bb285a6a8 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_all_controls_cloudwatch
- title: CloudWatch
- description: This section contains recommendations for configuring CloudWatch resources.
- section-code: cloudwatch
- controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_cloudwatch_cross_account_sharing
- - aws_cloudwatch_log_group_retention_period_365
- - aws_log_group_encryption_at_rest_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_organization
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
+id: aws_all_controls_cloudwatch
+title: CloudWatch
+description: This section contains recommendations for configuring CloudWatch resources.
+section-code: cloudwatch
+type: control-group
+controls:
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_alarm_action_enabled_check
+- aws_cloudwatch_cross_account_sharing
+- aws_cloudwatch_log_group_retention_period_365
+- aws_log_group_encryption_at_rest_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_organization
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
index bd9c569df..64e4cea0b 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
@@ -1,14 +1,14 @@
-control-group:
- id: aws_all_controls_codebuild
- title: CodeBuild
- description: This section contains recommendations for configuring CodeBuild resources.
- section-code: codebuild
- controls:
- - aws_codebuild_project_artifact_encryption_enabled
- - aws_codebuild_project_build_greater_then_90_days
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_logging_enabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_s3_logs_encryption_enabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_codebuild_project_with_user_controlled_buildspec
+id: aws_all_controls_codebuild
+title: CodeBuild
+description: This section contains recommendations for configuring CodeBuild resources.
+section-code: codebuild
+type: control-group
+controls:
+- aws_codebuild_project_artifact_encryption_enabled
+- aws_codebuild_project_build_greater_then_90_days
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_logging_enabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_s3_logs_encryption_enabled
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_codebuild_project_with_user_controlled_buildspec
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
index a611df3f4..d387d17cb 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
@@ -1,5 +1,5 @@
-control-group:
- id: aws_all_controls_codedeploy
- title: CodeDeploy
- description: This section contains recommendations for configuring CodeDeploy resources.
- section-code: codedeploy
+id: aws_all_controls_codedeploy
+title: CodeDeploy
+description: This section contains recommendations for configuring CodeDeploy resources.
+section-code: codedeploy
+type: control-group
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
index 7ca5dcaa5..81665aed1 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_all_controls_config
- title: Config
- description: This section contains recommendations for configuring Config resources.
- section-code: config
- controls:
- - aws_config_configuration_recorder_no_failed_deliver_logs
- - aws_config_enabled_all_regions
+id: aws_all_controls_config
+title: Config
+description: This section contains recommendations for configuring Config resources.
+section-code: config
+type: control-group
+controls:
+- aws_config_configuration_recorder_no_failed_deliver_logs
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
index 8db0cf2d8..fa2d499b6 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
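Review bot: `aws_all_controls_codedeploy` ends at `type: control-group` with no `controls:` key, unlike every other group in this batch, so after flattening it is a control group that contains nothing; whether the loader tolerates the missing key or errors on it is not visible here. If the group is intentionally empty while CodeDeploy controls are pending, make that explicit with `controls: []` and a one-line comment saying so; otherwise drop the `- id: aws_all_controls_codedeploy` entry from `aws_all_controls.yaml` until the group has content.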
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_dax
- title: DAX
- description: This section contains recommendations for configuring DAX resources.
- section-code: dax
- controls:
- - aws_dax_cluster_encryption_at_rest_enabled
+id: aws_all_controls_dax
+title: DAX
+description: This section contains recommendations for configuring DAX resources.
+section-code: dax
+type: control-group
+controls:
+- aws_dax_cluster_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
index a4cf36f05..fbc184535 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_all_controls_directoryservice
- title: Directory Service
- description: This section contains recommendations for configuring Directory Service resources.
- section-code: directoryservice
- controls:
- - aws_directory_service_certificate_expires_90_days
- - aws_directory_service_directory_snapshots_limit_2
- - aws_directory_service_directory_sns_notifications_enabled
+id: aws_all_controls_directoryservice
+title: Directory Service
+description: This section contains recommendations for configuring Directory Service resources.
+section-code: directoryservice
+type: control-group
+controls:
+- aws_directory_service_certificate_expires_90_days
+- aws_directory_service_directory_snapshots_limit_2
+- aws_directory_service_directory_sns_notifications_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
index cca2bf68a..cc951b335 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_dlm
- title: DLM
- description: This section contains recommendations for configuring DLM resources.
- section-code: dlm
- controls:
- - aws_dlm_ebs_snapshot_lifecycle_policy_enabled
+id: aws_all_controls_dlm
+title: DLM
+description: This section contains recommendations for configuring DLM resources.
+section-code: dlm
+type: control-group
+controls:
+- aws_dlm_ebs_snapshot_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
index f044e8647..665f45d0d 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_all_controls_dms
- title: DMS
- description: This section contains recommendations for configuring DMS resources.
- section-code: dms
- controls:
- - aws_dms_certificate_not_expired
- - aws_dms_endpoint_ssl_configured
- - aws_dms_replication_instance_automatic_minor_version_upgrade_enabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dms_replication_task_source_database_logging_enabled
+id: aws_all_controls_dms
+title: DMS
+description: This section contains recommendations for configuring DMS resources.
+section-code: dms
+type: control-group
+controls:
+- aws_dms_certificate_not_expired
+- aws_dms_endpoint_ssl_configured
+- aws_dms_replication_instance_automatic_minor_version_upgrade_enabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dms_replication_task_source_database_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
index bc16572ef..969fcf5fa 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_all_controls_docdb
- title: DocumentDB
- description: This section contains recommendations for configuring DocumentDB resources.
- section-code: docdb
- controls:
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_docdb_cluster_deletion_protection_enabled
- - aws_docdb_cluster_encryption_at_rest_enabled
- - aws_docdb_cluster_instance_encryption_at_rest_enabled
- - aws_docdb_cluster_instance_logging_enabled
+id: aws_all_controls_docdb
+title: DocumentDB
+description: This section contains recommendations for configuring DocumentDB resources.
+section-code: docdb
+type: control-group
+controls:
+- aws_docdb_cluster_backup_retention_period_7_days
+- aws_docdb_cluster_deletion_protection_enabled
+- aws_docdb_cluster_encryption_at_rest_enabled
+- aws_docdb_cluster_instance_encryption_at_rest_enabled
+- aws_docdb_cluster_instance_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
index 2671358af..b6e38c99f 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_drs
- title: DRS
- description: This section contains recommendations for configuring DRS resources.
- section-code: drs
- controls:
- - aws_drs_job_enabled
+id: aws_all_controls_drs
+title: DRS
+description: This section contains recommendations for configuring DRS resources.
+section-code: drs
+type: control-group
+controls:
+- aws_drs_job_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
index b68e71c84..7c90b7ece 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_dynamodb
- title: DynamoDB
- description: This section contains recommendations for configuring DynamoDB resources.
- section-code: dynamodb
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_deletion_protection_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
+id: aws_all_controls_dynamodb
+title: DynamoDB
+description: This section contains recommendations for configuring DynamoDB resources.
+section-code: dynamodb
+type: control-group
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_deletion_protection_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
index c57cebf9b..7a59b72f2 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_all_controls_ebs
- title: EBS
- description: This section contains recommendations for configuring EBS resources.
- section-code: ebs
- controls:
- - aws_ebs_attached_volume_delete_on_termination_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ebs_volume_snapshot_exists
- - aws_ebs_volume_unused
+id: aws_all_controls_ebs
+title: EBS
+description: This section contains recommendations for configuring EBS resources.
+section-code: ebs
+type: control-group
+controls:
+- aws_ebs_attached_volume_delete_on_termination_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_snapshot_encryption_enabled
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ebs_volume_encryption_at_rest_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ebs_volume_snapshot_exists
+- aws_ebs_volume_unused
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
index 3721b370c..bfa6fdc89 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
@@ -1,48 +1,48 @@ -control-group: - id: aws_all_controls_ec2 - title: EC2 - description: This section contains recommendations for configuring EC2 resources. - section-code: ec2 - controls: - - aws_ec2_ami_ebs_encryption_enabled - - aws_ec2_ami_not_older_than_90_days - - aws_ec2_ami_restrict_public_access - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_no_amazon_key_pair - - aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access - - aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access - - aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration - - aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access - - aws_ec2_instance_no_iam_role_with_data_destruction_access - - aws_ec2_instance_no_iam_role_with_destruction_kms_access - - aws_ec2_instance_no_iam_role_with_destruction_rds_access - - aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access - - aws_ec2_instance_no_iam_role_with_management_level_access - - aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access - - aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access - - aws_ec2_instance_no_iam_role_with_org_write_access - - aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access - - aws_ec2_instance_no_iam_role_with_security_group_write_access - - aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration - - aws_ec2_instance_no_iam_with_write_level_access - - aws_ec2_instance_no_launch_wizard_security_group - - aws_ec2_instance_not_older_than_180_days - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_not_use_multiple_enis - - 
aws_ec2_instance_protected_by_backup_plan - - aws_ec2_instance_publicly_accessible_iam_profile_attached - - aws_ec2_instance_termination_protection_enabled - - aws_ec2_instance_user_data_no_secrets - - aws_ec2_instance_uses_imdsv2 - - aws_ec2_instance_virtualization_type_no_paravirtual - - aws_ec2_launch_template_not_publicly_accessible - - aws_ec2_network_interface_unused - - aws_ec2_stopped_instance_30_days - - aws_ec2_stopped_instance_90_days - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled +id: aws_all_controls_ec2 +title: EC2 +description: This section contains recommendations for configuring EC2 resources. +section-code: ec2 +type: control-group +controls: +- aws_ec2_ami_ebs_encryption_enabled +- aws_ec2_ami_not_older_than_90_days +- aws_ec2_ami_restrict_public_access +- aws_ec2_client_vpn_endpoint_client_connection_logging_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled +- aws_ec2_instance_detailed_monitoring_enabled +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_in_vpc +- aws_ec2_instance_no_amazon_key_pair +- aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access +- aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access +- aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration +- aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access +- aws_ec2_instance_no_iam_role_with_data_destruction_access +- aws_ec2_instance_no_iam_role_with_destruction_kms_access +- aws_ec2_instance_no_iam_role_with_destruction_rds_access +- aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access +- aws_ec2_instance_no_iam_role_with_management_level_access +- aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access +- aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access +- aws_ec2_instance_no_iam_role_with_org_write_access +- 
aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access +- aws_ec2_instance_no_iam_role_with_security_group_write_access +- aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration +- aws_ec2_instance_no_iam_with_write_level_access +- aws_ec2_instance_no_launch_wizard_security_group +- aws_ec2_instance_not_older_than_180_days +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_not_use_multiple_enis +- aws_ec2_instance_protected_by_backup_plan +- aws_ec2_instance_publicly_accessible_iam_profile_attached +- aws_ec2_instance_termination_protection_enabled +- aws_ec2_instance_user_data_no_secrets +- aws_ec2_instance_uses_imdsv2 +- aws_ec2_instance_virtualization_type_no_paravirtual +- aws_ec2_launch_template_not_publicly_accessible +- aws_ec2_network_interface_unused +- aws_ec2_stopped_instance_30_days +- aws_ec2_stopped_instance_90_days +- aws_ec2_transit_gateway_auto_cross_account_attachment_disabled diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml index 803e6312f..e765d315c 100755 --- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml +++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml 
@@ -1,10 +1,10 @@
-control-group:
- id: aws_all_controls_ecr
- title: ECR
- description: This section contains recommendations for configuring ECR resources.
- section-code: ecr
- controls:
- - aws_ecr_repository_image_scan_on_push_enabled
- - aws_ecr_repository_lifecycle_policy_configured
- - aws_ecr_repository_prohibit_public_access
- - aws_ecr_repository_tag_immutability_enabled
+id: aws_all_controls_ecr
+title: ECR
+description: This section contains recommendations for configuring ECR resources.
+section-code: ecr
+type: control-group
+controls:
+- aws_ecr_repository_image_scan_on_push_enabled
+- aws_ecr_repository_lifecycle_policy_configured
+- aws_ecr_repository_prohibit_public_access
+- aws_ecr_repository_tag_immutability_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
index fd2cca4ff..b288e1286 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_all_controls_ecs
- title: ECS
- description: This section contains recommendations for configuring ECS resources.
- section-code: ecs
- controls:
- - aws_ecs_cluster_container_insights_enabled
- - aws_ecs_cluster_container_instance_agent_connected
- - aws_ecs_cluster_encryption_at_rest_enabled
- - aws_ecs_cluster_no_active_services_count
- - aws_ecs_cluster_no_registered_container_instance
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_ecs_service_load_balancer_attached
- - aws_ecs_service_not_publicly_accessible
- - aws_ecs_task_definition_container_environment_no_secret
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_logging_enabled
- - aws_ecs_task_definition_no_host_pid_mode
- - aws_ecs_task_definition_no_root_user
- - aws_ecs_task_definition_user_for_host_mode_check
+id: aws_all_controls_ecs
+title: ECS
+description: This section contains recommendations for configuring ECS resources.
+section-code: ecs
+type: control-group
+controls:
+- aws_ecs_cluster_container_insights_enabled
+- aws_ecs_cluster_container_instance_agent_connected
+- aws_ecs_cluster_encryption_at_rest_enabled
+- aws_ecs_cluster_no_active_services_count
+- aws_ecs_cluster_no_registered_container_instance
+- aws_ecs_service_fargate_using_latest_platform_version
+- aws_ecs_service_load_balancer_attached
+- aws_ecs_service_not_publicly_accessible
+- aws_ecs_task_definition_container_environment_no_secret
+- aws_ecs_task_definition_container_non_privileged
+- aws_ecs_task_definition_container_readonly_root_filesystem
+- aws_ecs_task_definition_logging_enabled
+- aws_ecs_task_definition_no_host_pid_mode
+- aws_ecs_task_definition_no_root_user
+- aws_ecs_task_definition_user_for_host_mode_check
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
index 45c0dc568..310173e2c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
@@ -1,14 +1,14 @@
-control-group:
- id: aws_all_controls_efs
- title: EFS
- description: This section contains recommendations for configuring EFS resources.
- section-code: efs
- controls:
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_efs_file_system_encrypted_with_cmk
- - aws_efs_file_system_enforces_ssl
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_efs_file_system_restrict_public_access
+id: aws_all_controls_efs
+title: EFS
+description: This section contains recommendations for configuring EFS resources.
+section-code: efs
+type: control-group
+controls:
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_efs_file_system_encrypted_with_cmk
+- aws_efs_file_system_enforces_ssl
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_efs_file_system_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
index 95231afe8..06a8c15e4 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_eks
- title: EKS
- description: This section contains recommendations for configuring EKS resources.
- section-code: eks
- controls:
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_eks_cluster_endpoint_public_access_restricted
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_eks_cluster_no_default_vpc
- - aws_eks_cluster_no_multiple_security_groups
- - aws_eks_cluster_secrets_encrypted
- - aws_eks_cluster_with_latest_kubernetes_version
+id: aws_all_controls_eks
+title: EKS
+description: This section contains recommendations for configuring EKS resources.
+section-code: eks
+type: control-group
+controls:
+- aws_eks_cluster_control_plane_audit_logging_enabled
+- aws_eks_cluster_endpoint_public_access_restricted
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_eks_cluster_no_default_vpc
+- aws_eks_cluster_no_multiple_security_groups
+- aws_eks_cluster_secrets_encrypted
+- aws_eks_cluster_with_latest_kubernetes_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
index 82b0a03a7..dca01620a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
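Review bot: The EKS group carries both `aws_eks_cluster_endpoint_public_access_restricted` and `aws_eks_cluster_endpoint_restrict_public_access`, which by name look like two ids for the same check on the cluster API endpoint; the migration keeps both, so the group would report the same finding twice if they are in fact duplicates. If one is a superseded alias of the other, drop it from this list (or mark it deprecated in its control file) rather than carrying both forward under the new format. If they genuinely differ, a trailing comment on each line stating what distinguishes them (for example `# endpoint flag` vs `# allowed CIDRs`) would save the next reader a lookup; I cannot tell from the ids alone.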
@@ -1,15 +1,15 @@
-control-group:
- id: aws_all_controls_elasticache
- title: ElastiCache
- description: This section contains recommendations for configuring ElastiCache resources.
- section-code: elasticache
- controls:
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_elasticache_cluster_no_default_subnet_group
- - aws_elasticache_cluster_no_public_subnet
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elasticache_replication_group_auto_failover_enabled
- - aws_elasticache_replication_group_encryption_at_rest_enabled
- - aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk
- - aws_elasticache_replication_group_encryption_in_transit_enabled
- - aws_elasticache_replication_group_redis_auth_enabled
+id: aws_all_controls_elasticache
+title: ElastiCache
+description: This section contains recommendations for configuring ElastiCache resources.
+section-code: elasticache
+type: control-group
+controls:
+- aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+- aws_elasticache_cluster_no_default_subnet_group
+- aws_elasticache_cluster_no_public_subnet
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elasticache_replication_group_auto_failover_enabled
+- aws_elasticache_replication_group_encryption_at_rest_enabled
+- aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk
+- aws_elasticache_replication_group_encryption_in_transit_enabled
+- aws_elasticache_replication_group_redis_auth_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
index 4f3dbb6e2..d6594c136 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_all_controls_elasticbeanstalk
- title: Elastic Beanstalk
- description: This section contains recommendations for configuring Elastic Beanstalk resources.
- section-code: elasticbeanstalk
- controls:
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elastic_beanstalk_environment_managed_updates_enabled
+id: aws_all_controls_elasticbeanstalk
+title: Elastic Beanstalk
+description: This section contains recommendations for configuring Elastic Beanstalk resources.
+section-code: elasticbeanstalk
+type: control-group
+controls:
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elastic_beanstalk_environment_logs_to_cloudwatch
+- aws_elastic_beanstalk_environment_managed_updates_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
index 70e7c456e..58f0cd5ca 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_all_controls_elb
- title: ELB
- description: This section contains recommendations for configuring ELB resources.
- section-code: elb
- controls:
- - aws_ec2_classic_lb_connection_draining_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_classic_network_lb_prohibit_public_access
- - aws_elb_application_gateway_network_lb_multiple_az_configured
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_application_lb_desync_mitigation_mode
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_application_lb_with_outbound_rule
- - aws_elb_application_network_lb_use_listeners
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_elb_classic_lb_multiple_az_configured
- - aws_elb_classic_lb_no_registered_instance
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_elb_classic_lb_with_inbound_rule
- - aws_elb_classic_lb_with_outbound_rule
- - aws_elb_listener_use_secure_ssl_cipher
- - aws_elb_network_lb_tls_listener_security_policy_configured
- - aws_elb_tls_listener_protocol_version
+id: aws_all_controls_elb
+title: ELB
+description: This section contains recommendations for configuring ELB resources.
+section-code: elb
+type: control-group
+controls:
+- aws_ec2_classic_lb_connection_draining_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_application_classic_network_lb_prohibit_public_access
+- aws_elb_application_gateway_network_lb_multiple_az_configured
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_application_lb_desync_mitigation_mode
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_application_lb_with_outbound_rule
+- aws_elb_application_network_lb_use_listeners
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_elb_classic_lb_multiple_az_configured
+- aws_elb_classic_lb_no_registered_instance
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_elb_classic_lb_with_inbound_rule
+- aws_elb_classic_lb_with_outbound_rule
+- aws_elb_listener_use_secure_ssl_cipher
+- aws_elb_network_lb_tls_listener_security_policy_configured
+- aws_elb_tls_listener_protocol_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
index 17366fd6a..538440110 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: aws_all_controls_emr
- title: EMR
- description: This section contains recommendations for configuring EMR resources.
- section-code: emr
- controls:
- - aws_emr_account_public_access_blocked
- - aws_emr_cluster_encryption_at_rest_with_sse_kms
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_local_disk_encrypted_with_cmk
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_emr_cluster_security_configuration_enabled
+id: aws_all_controls_emr
+title: EMR
+description: This section contains recommendations for configuring EMR resources.
+section-code: emr
+type: control-group
+controls:
+- aws_emr_account_public_access_blocked
+- aws_emr_cluster_encryption_at_rest_with_sse_kms
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_local_disk_encrypted_with_cmk
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_emr_cluster_security_configuration_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
index aa865cbde..620046bff 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: aws_all_controls_es
- title: Elasticsearch
- description: This section contains recommendations for configuring Elasticsearch resources.
- section-code: es
- controls:
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_cognito_authentication_enabled
- - aws_es_domain_data_nodes_min_3
- - aws_es_domain_dedicated_master_nodes_min_3
- - aws_es_domain_encrypted_using_tls_1_2
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_error_logging_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_internal_user_database_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_es_domain_node_to_node_encryption_enabled
+id: aws_all_controls_es
+title: Elasticsearch
+description: This section contains recommendations for configuring Elasticsearch resources.
+section-code: es
+type: control-group
+controls:
+- aws_es_domain_audit_logging_enabled
+- aws_es_domain_cognito_authentication_enabled
+- aws_es_domain_data_nodes_min_3
+- aws_es_domain_dedicated_master_nodes_min_3
+- aws_es_domain_encrypted_using_tls_1_2
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_error_logging_enabled
+- aws_es_domain_in_vpc
+- aws_es_domain_internal_user_database_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_es_domain_node_to_node_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
index 2e26dd640..9e87ca6e3 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_eventbridge
- title: EventBridge
- description: This section contains recommendations for configuring EventBridge resources.
- section-code: eventbridge
- controls:
- - aws_eventbridge_custom_bus_resource_based_policy_attached
+id: aws_all_controls_eventbridge
+title: EventBridge
+description: This section contains recommendations for configuring EventBridge resources.
+section-code: eventbridge
+type: control-group
+controls:
+- aws_eventbridge_custom_bus_resource_based_policy_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
index bf1750602..ee5f57805 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_all_controls_fsx
- title: FSx
- description: This section contains recommendations for configuring FSx resources.
- section-code: fsx
- controls:
- - aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled
- - aws_fsx_file_system_protected_by_backup_plan
+id: aws_all_controls_fsx
+title: FSx
+description: This section contains recommendations for configuring FSx resources.
+section-code: fsx
+type: control-group
+controls:
+- aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled
+- aws_fsx_file_system_protected_by_backup_plan
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
index b9d89ab1a..f585ef6b2 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_glacier
- title: Glacier
- description: This section contains recommendations for configuring Glacier resources.
- section-code: glacier
- controls:
- - aws_glacier_vault_restrict_public_access
+id: aws_all_controls_glacier
+title: Glacier
+description: This section contains recommendations for configuring Glacier resources.
+section-code: glacier
+type: control-group
+controls:
+- aws_glacier_vault_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
index 3a6f6d598..6a94199f3 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: aws_all_controls_glue
- title: Glue
- description: This section contains recommendations for configuring Glue resources.
- section-code: glue
- controls:
- - aws_glue_connection_ssl_enabled
- - aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled
- - aws_glue_data_catalog_encryption_settings_password_encryption_enabled
- - aws_glue_job_bookmarks_encryption_enabled
+id: aws_all_controls_glue
+title: Glue
+description: This section contains recommendations for configuring Glue resources.
+section-code: glue
+type: control-group
+controls:
+- aws_glue_connection_ssl_enabled
+- aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled
+- aws_glue_data_catalog_encryption_settings_password_encryption_enabled
+- aws_glue_job_bookmarks_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
index ab26b981f..49d100130 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_all_controls_guardduty
- title: GuardDuty
- description: This section contains recommendations for configuring GuardDuty resources.
- section-code: guardduty
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_guardduty_no_high_severity_findings
+id: aws_all_controls_guardduty
+title: GuardDuty
+description: This section contains recommendations for configuring GuardDuty resources.
+section-code: guardduty
+type: control-group
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_guardduty_no_high_severity_findings
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
index d4e804970..e4db8de3c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
@@ -1,54 +1,54 @@
-control-group:
- id: aws_all_controls_iam
- title: IAM
- description: This section contains recommendations for configuring IAM resources.
- section-code: iam
- controls:
- - aws_iam_access_analyzer_enabled
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_account_password_policy_one_lowercase_letter
- - aws_iam_account_password_policy_one_number
- - aws_iam_account_password_policy_one_symbol
- - aws_iam_account_password_policy_one_uppercase_letter
- - aws_iam_account_password_policy_reuse_24
- - aws_iam_account_password_policy_strong_min_length_8
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_custom_policy_unattached_no_star_star
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_inline_policy_no_administrative_privileges
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_all_attached_no_star_star
- - aws_iam_policy_custom_attached_no_star_star
- - aws_iam_policy_custom_no_assume_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_custom_no_permissive_role_assumption
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_full_access_to_cloudtrail
- - aws_iam_policy_no_full_access_to_kms
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_role_no_administrator_access_policy_attached
- - aws_iam_role_unused_60
- - aws_iam_root_last_used
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_security_audit_role
- - aws_iam_server_certificate_not_expired
- - aws_iam_support_role
- - aws_iam_user_access_key_age_90
- - aws_iam_user_access_key_unused_45
- - aws_iam_user_access_keys_and_password_at_setup
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_console_access_unused_45
- - aws_iam_user_group_role_cloudshell_fullaccess_restricted
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_no_policies
- - aws_iam_user_one_active_key
- - aws_iam_user_unused_credentials_45
- - aws_iam_user_unused_credentials_90
- - aws_iam_user_with_administrator_access_mfa_enabled
+id: aws_all_controls_iam
+title: IAM
+description: This section contains recommendations for configuring IAM resources.
+section-code: iam
+type: control-group
+controls:
+- aws_iam_access_analyzer_enabled
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_account_password_policy_one_lowercase_letter
+- aws_iam_account_password_policy_one_number
+- aws_iam_account_password_policy_one_symbol
+- aws_iam_account_password_policy_one_uppercase_letter
+- aws_iam_account_password_policy_reuse_24
+- aws_iam_account_password_policy_strong_min_length_8
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_custom_policy_unattached_no_star_star
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_inline_policy_no_administrative_privileges
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_all_attached_no_star_star
+- aws_iam_policy_custom_attached_no_star_star
+- aws_iam_policy_custom_no_assume_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_custom_no_permissive_role_assumption
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_full_access_to_cloudtrail
+- aws_iam_policy_no_full_access_to_kms
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_role_no_administrator_access_policy_attached
+- aws_iam_role_unused_60
+- aws_iam_root_last_used
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_security_audit_role
+- aws_iam_server_certificate_not_expired
+- aws_iam_support_role
+- aws_iam_user_access_key_age_90
+- aws_iam_user_access_key_unused_45
+- aws_iam_user_access_keys_and_password_at_setup
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_console_access_unused_45
+- aws_iam_user_group_role_cloudshell_fullaccess_restricted
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_no_policies
+- aws_iam_user_one_active_key
+- aws_iam_user_unused_credentials_45
+- aws_iam_user_unused_credentials_90
+- aws_iam_user_with_administrator_access_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
index c317a2509..e7c4c74ec 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_all_controls_kinesis
- title: Kinesis
- description: This section contains recommendations for configuring Kinesis resources.
- section-code: kinesis
- controls:
- - aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled
- - aws_kinesis_stream_encrypted_with_kms_cmk
- - aws_kinesis_stream_server_side_encryption_enabled
+id: aws_all_controls_kinesis
+title: Kinesis
+description: This section contains recommendations for configuring Kinesis resources.
+section-code: kinesis
+type: control-group
+controls:
+- aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled
+- aws_kinesis_stream_encrypted_with_kms_cmk
+- aws_kinesis_stream_server_side_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
index cb7dcefba..f30fcc2f2 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
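Review bot: The `controls:` list in this hunk carries overlapping pairs that check the same resource against different thresholds — `aws_iam_account_password_policy_min_length_14` next to `aws_iam_account_password_policy_strong_min_length_8`, `aws_iam_account_password_policy_reuse_24` next to `aws_iam_account_password_policy_strong_min_reuse_24`, and `aws_iam_user_unused_credentials_45` next to `aws_iam_user_unused_credentials_90`. If this group is ever run as a framework rather than browsed as a catalogue, a single account can pass one member of each pair and fail the other, which makes the group's pass rate hard to read. Presumably an "all controls" listing does this on purpose; if so, a one-line comment above the list such as `# intentionally lists every IAM control, including variants that differ only by threshold` would save the next reviewer the question, and if not, keeping only the stricter variant of each pair would make the group self-consistent.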
@@ -1,12 +1,12 @@
-control-group:
- id: aws_all_controls_kms
- title: KMS
- description: This section contains recommendations for configuring KMS resources.
- section-code: kms
- controls:
- - aws_kms_cmk_policy_prohibit_public_access
- - aws_kms_cmk_rotation_enabled
- - aws_kms_cmk_unused
- - aws_kms_key_decryption_restricted_in_iam_customer_managed_policy
- - aws_kms_key_decryption_restricted_in_iam_inline_policy
- - aws_kms_key_not_pending_deletion
+id: aws_all_controls_kms
+title: KMS
+description: This section contains recommendations for configuring KMS resources.
+section-code: kms
+type: control-group
+controls:
+- aws_kms_cmk_policy_prohibit_public_access
+- aws_kms_cmk_rotation_enabled
+- aws_kms_cmk_unused
+- aws_kms_key_decryption_restricted_in_iam_customer_managed_policy
+- aws_kms_key_decryption_restricted_in_iam_inline_policy
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
index ca95718c2..fdab92435 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_all_controls_lambda
- title: Lambda
- description: This section contains recommendations for configuring Lambda resources.
- section-code: lambda
- controls:
- - aws_lambda_function_cloudtrail_logging_enabled
- - aws_lambda_function_cloudwatch_insights_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_cors_configuration
- - aws_lambda_function_dead_letter_queue_configured
- - aws_lambda_function_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_multiple_az_configured
- - aws_lambda_function_restrict_public_access
- - aws_lambda_function_restrict_public_url
- - aws_lambda_function_tracing_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_lambda_function_variables_no_sensitive_data
+id: aws_all_controls_lambda
+title: Lambda
+description: This section contains recommendations for configuring Lambda resources.
+section-code: lambda
+type: control-group
+controls:
+- aws_lambda_function_cloudtrail_logging_enabled
+- aws_lambda_function_cloudwatch_insights_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_cors_configuration
+- aws_lambda_function_dead_letter_queue_configured
+- aws_lambda_function_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_multiple_az_configured
+- aws_lambda_function_restrict_public_access
+- aws_lambda_function_restrict_public_url
+- aws_lambda_function_tracing_enabled
+- aws_lambda_function_use_latest_runtime
+- aws_lambda_function_variables_no_sensitive_data
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
index febf72d1d..b16c7ee79 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_lightsail
- title: Lightsail
- description: This section contains recommendations for configuring Lightsail resources.
- section-code: lightsail
- controls:
- - aws_lightsail_instance_ipv6_networking_disabled
+id: aws_all_controls_lightsail
+title: Lightsail
+description: This section contains recommendations for configuring Lightsail resources.
+section-code: lightsail
+type: control-group
+controls:
+- aws_lightsail_instance_ipv6_networking_disabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
index ef0fe3305..e7e19646d 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_mq
- title: MQ
- description: This section contains recommendations for configuring MQ resources.
- section-code: mq
- controls:
- - aws_mq_broker_restrict_public_access
+id: aws_all_controls_mq
+title: MQ
+description: This section contains recommendations for configuring MQ resources.
+section-code: mq
+type: control-group
+controls:
+- aws_mq_broker_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
index cc2409448..eb4892ab1 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_msk
- title: MSK
- description: This section contains recommendations for configuring MSK resources.
- section-code: msk
- controls:
- - aws_msk_cluster_encryption_in_transit_with_tls_enabled
+id: aws_all_controls_msk
+title: MSK
+description: This section contains recommendations for configuring MSK resources.
+section-code: msk
+type: control-group
+controls:
+- aws_msk_cluster_encryption_in_transit_with_tls_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
index f81ddfe6f..9ecfa5850 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: aws_all_controls_neptune
- title: Neptune
- description: This section contains recommendations for configuring Neptune resources.
- section-code: neptune
- controls:
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_neptune_db_cluster_copy_tags_to_snapshot_enabled
- - aws_neptune_db_cluster_deletion_protection_enabled
- - aws_neptune_db_cluster_encryption_at_rest_enabled
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_neptune_db_cluster_no_public_subnet
- - aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
+id: aws_all_controls_neptune
+title: Neptune
+description: This section contains recommendations for configuring Neptune resources.
+section-code: neptune
+type: control-group
+controls:
+- aws_neptune_db_cluster_audit_logging_enabled
+- aws_neptune_db_cluster_automated_backup_enabled
+- aws_neptune_db_cluster_copy_tags_to_snapshot_enabled
+- aws_neptune_db_cluster_deletion_protection_enabled
+- aws_neptune_db_cluster_encryption_at_rest_enabled
+- aws_neptune_db_cluster_iam_authentication_enabled
+- aws_neptune_db_cluster_no_public_subnet
+- aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled
+- aws_neptune_db_cluster_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
index 71f00c337..4496b84fc 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_networkfirewall
- title: Network Firewall
- description: This section contains recommendations for configuring Network Firewall resources.
- section-code: networkfirewall
- controls:
- - aws_networkfirewall_firewall_deletion_protection_enabled
- - aws_networkfirewall_firewall_in_vpc
- - aws_networkfirewall_firewall_logging_enabled
- - aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets
- - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
- - aws_networkfirewall_firewall_policy_rule_group_not_empty
- - aws_networkfirewall_stateless_rule_group_not_empty
+id: aws_all_controls_networkfirewall
+title: Network Firewall
+description: This section contains recommendations for configuring Network Firewall resources.
+section-code: networkfirewall
+type: control-group
+controls:
+- aws_networkfirewall_firewall_deletion_protection_enabled
+- aws_networkfirewall_firewall_in_vpc
+- aws_networkfirewall_firewall_logging_enabled
+- aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets
+- aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
+- aws_networkfirewall_firewall_policy_rule_group_not_empty
+- aws_networkfirewall_stateless_rule_group_not_empty
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
index 695f20275..ac004e16c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: aws_all_controls_opensearch
- title: OpenSearch
- description: This section contains recommendations for configuring OpenSearch resources.
- section-code: opensearch
- controls:
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_cognito_authentication_enabled_for_kibana
- - aws_opensearch_domain_data_node_fault_tolerance
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_in_vpc
- - aws_opensearch_domain_internal_user_database_disabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_updated_with_latest_service_software_version
+id: aws_all_controls_opensearch
+title: OpenSearch
+description: This section contains recommendations for configuring OpenSearch resources.
+section-code: opensearch
+type: control-group
+controls:
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_cognito_authentication_enabled_for_kibana
+- aws_opensearch_domain_data_node_fault_tolerance
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_fine_grained_access_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_in_vpc
+- aws_opensearch_domain_internal_user_database_disabled
+- aws_opensearch_domain_logs_to_cloudwatch
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_updated_with_latest_service_software_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
index 3e180bbac..f37ece089 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_organization
- title: Organization
- description: This section contains recommendations for configuring Organization resources.
- section-code: organization
- controls:
- - aws_organizational_tag_policies_enabled
+id: aws_all_controls_organization
+title: Organization
+description: This section contains recommendations for configuring Organization resources.
+section-code: organization
+type: control-group
+controls:
+- aws_organizational_tag_policies_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
index 5d84ab37e..01fad95ed 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_pca
- title: Private Certificate Authority
- description: This section contains recommendations for configuring Private Certificate Authority resources.
- section-code: pca
- controls:
- - aws_acmpca_root_certificate_authority_disabled
+id: aws_all_controls_pca
+title: Private Certificate Authority
+description: This section contains recommendations for configuring Private Certificate Authority resources.
+section-code: pca
+type: control-group
+controls:
+- aws_acmpca_root_certificate_authority_disabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml
index fc202e036..b50f819d1 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml
@@ -1,43 +1,43 @@
-control-group:
- id: aws_all_controls_rds
- title: RDS
- description: This section contains recommendations for configuring RDS resources.
- section-code: rds
- controls:
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_cluster_automatic_minor_version_upgrade_enabled
- - aws_rds_db_cluster_copy_tags_to_snapshot_enabled
- - aws_rds_db_cluster_deletion_protection_enabled
- - aws_rds_db_cluster_encryption_at_rest_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_cluster_multiple_az_enabled
- - aws_rds_db_cluster_no_default_admin_name
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_and_cluster_no_default_port
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_backup_retention_period_less_than_7
- - aws_rds_db_instance_ca_certificate_expires_7_days
- - aws_rds_db_instance_cloudwatch_logs_enabled
- - aws_rds_db_instance_connections_encryption_enabled
- - aws_rds_db_instance_copy_tags_to_snapshot_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_in_vpc
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_no_default_admin_name
- - aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
+id: aws_all_controls_rds
+title: RDS
+description: This section contains recommendations for configuring RDS resources.
+section-code: rds
+type: control-group
+controls:
+- aws_rds_db_cluster_aurora_backtracking_enabled
+- aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+- aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_cluster_automatic_minor_version_upgrade_enabled
+- aws_rds_db_cluster_copy_tags_to_snapshot_enabled
+- aws_rds_db_cluster_deletion_protection_enabled
+- aws_rds_db_cluster_encryption_at_rest_enabled
+- aws_rds_db_cluster_events_subscription
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_cluster_multiple_az_enabled
+- aws_rds_db_cluster_no_default_admin_name
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_and_cluster_no_default_port
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_backup_retention_period_less_than_7
+- aws_rds_db_instance_ca_certificate_expires_7_days
+- aws_rds_db_instance_cloudwatch_logs_enabled
+- aws_rds_db_instance_connections_encryption_enabled
+- aws_rds_db_instance_copy_tags_to_snapshot_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_events_subscription
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_in_vpc
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_no_default_admin_name
+- aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_rds_db_parameter_group_events_subscription
+- aws_rds_db_security_group_events_subscription
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_rds_db_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
index 2d5fae270..037605fee 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: aws_all_controls_redshift
- title: Redshift
- description: This section contains recommendations for configuring Redshift resources.
- section-code: redshift
- controls:
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_automatic_upgrade_major_versions_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_redshift_cluster_no_default_admin_name
- - aws_redshift_cluster_no_default_database_name
- - aws_redshift_cluster_prohibit_public_access
+id: aws_all_controls_redshift
+title: Redshift
+description: This section contains recommendations for configuring Redshift resources.
+section-code: redshift
+type: control-group
+controls:
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_automatic_upgrade_major_versions_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_redshift_cluster_no_default_admin_name
+- aws_redshift_cluster_no_default_database_name
+- aws_redshift_cluster_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
index 9a4c556da..ca22a2330 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_route53
- title: Route 53
- description: This section contains recommendations for configuring Route 53 resources.
- section-code: route53
- controls:
- - aws_route53_domain_auto_renew_enabled
- - aws_route53_domain_expires_30_days
- - aws_route53_domain_expires_7_days
- - aws_route53_domain_not_expired
- - aws_route53_domain_privacy_protection_enabled
- - aws_route53_domain_transfer_lock_enabled
- - aws_route53_zone_query_logging_enabled
+id: aws_all_controls_route53
+title: Route 53
+description: This section contains recommendations for configuring Route 53 resources.
+section-code: route53
+type: control-group
+controls:
+- aws_route53_domain_auto_renew_enabled
+- aws_route53_domain_expires_30_days
+- aws_route53_domain_expires_7_days
+- aws_route53_domain_not_expired
+- aws_route53_domain_privacy_protection_enabled
+- aws_route53_domain_transfer_lock_enabled
+- aws_route53_zone_query_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
index 766f0a5ed..18c806036 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_all_controls_s3
- title: S3
- description: This section contains recommendations for configuring S3 resources.
- section-code: s3
- controls:
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_event_notifications_enabled
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_not_accessible_to_all_authenticated_user
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_s3_bucket_protected_by_macie
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_static_website_hosting_disabled
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_s3_public_access_block_bucket_account
+id: aws_all_controls_s3
+title: S3
+description: This section contains recommendations for configuring S3 resources.
+section-code: s3
+type: control-group
+controls:
+- aws_s3_access_point_restrict_public_access
+- aws_s3_bucket_acls_should_prohibit_user_access
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_event_notifications_enabled
+- aws_s3_bucket_lifecycle_policy_enabled
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_mfa_delete_enabled
+- aws_s3_bucket_not_accessible_to_all_authenticated_user
+- aws_s3_bucket_object_lock_enabled
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_policy_restricts_cross_account_permission_changes
+- aws_s3_bucket_protected_by_macie
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_bucket_static_website_hosting_disabled
+- aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_s3_public_access_block_bucket_account
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
index 72b5f7da0..f152ebe16 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_all_controls_sagemaker
- title: SageMaker
- description: This section contains recommendations for configuring SageMaker resources.
- section-code: sagemaker
- controls:
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_model_in_vpc
- - aws_sagemaker_model_network_isolation_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encrypted_with_kms_cmk
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_in_vpc
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_sagemaker_training_job_in_vpc
- - aws_sagemaker_training_job_inter_container_traffic_encryption_enabled
- - aws_sagemaker_training_job_network_isolation_enabled
- - aws_sagemaker_training_job_volume_and_data_encryption_enabled
+id: aws_all_controls_sagemaker
+title: SageMaker
+description: This section contains recommendations for configuring SageMaker resources.
+section-code: sagemaker
+type: control-group
+controls:
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_model_in_vpc
+- aws_sagemaker_model_network_isolation_enabled
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_encrypted_with_kms_cmk
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_in_vpc
+- aws_sagemaker_notebook_instance_root_access_disabled
+- aws_sagemaker_training_job_in_vpc
+- aws_sagemaker_training_job_inter_container_traffic_encryption_enabled
+- aws_sagemaker_training_job_network_isolation_enabled
+- aws_sagemaker_training_job_volume_and_data_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
index ef510089d..f0bca9421 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_all_controls_secretsmanager
- title: Secrets Manager
- description: This section contains recommendations for configuring Secrets Manager resources.
- section-code: secretsmanager
- controls:
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_automatic_rotation_lambda_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_last_used_1_day
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_all_controls_secretsmanager
+title: Secrets Manager
+description: This section contains recommendations for configuring Secrets Manager resources.
+section-code: secretsmanager
+type: control-group
+controls:
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_automatic_rotation_lambda_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_secretsmanager_secret_last_changed_90_day
+- aws_secretsmanager_secret_last_used_1_day
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
index d31884714..19eb53a1c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_securityhub
- title: Security Hub
- description: This section contains recommendations for configuring Security Hub resources.
- section-code: securityhub
- controls:
- - aws_securityhub_enabled
+id: aws_all_controls_securityhub
+title: Security Hub
+description: This section contains recommendations for configuring Security Hub resources.
+section-code: securityhub
+type: control-group
+controls:
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
index f59ff20ea..ad7a390c7 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_sfn
- title: Step Functions
- description: This section contains recommendations for configuring Step Functions resources.
- section-code: sfn
- controls:
- - aws_sfn_state_machine_logging_enabled
+id: aws_all_controls_sfn
+title: Step Functions
+description: This section contains recommendations for configuring Step Functions resources.
+section-code: sfn
+type: control-group
+controls:
+- aws_sfn_state_machine_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
index 955136ecd..4bf97302a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: aws_all_controls_sns
- title: SNS
- description: This section contains recommendations for configuring SNS resources.
- section-code: sns
- controls:
- - aws_sns_topic_encrypted_at_rest
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_sns_topic_policy_prohibit_cross_account_access
- - aws_sns_topic_policy_prohibit_public_access
- - aws_sns_topic_policy_prohibit_publishing_access
- - aws_sns_topic_policy_prohibit_subscription_access
+id: aws_all_controls_sns
+title: SNS
+description: This section contains recommendations for configuring SNS resources.
+section-code: sns
+type: control-group
+controls:
+- aws_sns_topic_encrypted_at_rest
+- aws_sns_topic_notification_delivery_status_enabled
+- aws_sns_topic_policy_prohibit_cross_account_access
+- aws_sns_topic_policy_prohibit_public_access
+- aws_sns_topic_policy_prohibit_publishing_access
+- aws_sns_topic_policy_prohibit_subscription_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
index ab380608d..73bb10560 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: aws_all_controls_sqs
- title: SQS
- description: This section contains recommendations for configuring SQS resources.
- section-code: sqs
- controls:
- - aws_sqs_queue_dead_letter_queue_configured
- - aws_sqs_queue_encrypted_at_rest
- - aws_sqs_queue_encrypted_with_kms_cmk
- - aws_sqs_queue_policy_prohibit_public_access
+id: aws_all_controls_sqs
+title: SQS
+description: This section contains recommendations for configuring SQS resources.
+section-code: sqs
+type: control-group
+controls:
+- aws_sqs_queue_dead_letter_queue_configured
+- aws_sqs_queue_encrypted_at_rest
+- aws_sqs_queue_encrypted_with_kms_cmk
+- aws_sqs_queue_policy_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
index 31102cf2b..1a4b24402 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_all_controls_ssm
- title: SSM
- description: This section contains recommendations for configuring SSM resources.
- section-code: ssm
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_document_prohibit_public_access
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_ssm_parameter_encryption_enabled
+id: aws_all_controls_ssm
+title: SSM
+description: This section contains recommendations for configuring SSM resources.
+section-code: ssm
+type: control-group
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_document_prohibit_public_access
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
+- aws_ssm_parameter_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
index eb6e66be4..d128f3f8d 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: aws_all_controls_vpc
- title: VPC
- description: This section contains recommendations for configuring VPC resources.
- section-code: vpc
- controls:
- - aws_vpc_configured_to_use_vpc_endpoints
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_eip_associated
- - aws_vpc_endpoint_service_acceptance_required_enabled
- - aws_vpc_flow_logs_enabled
- - aws_vpc_gateway_endpoint_restrict_public_access
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_in_more_than_one_region
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_network_acl_unused
- - aws_vpc_not_in_use
- - aws_vpc_peering_connection_no_cross_account_access
- - aws_vpc_peering_connection_route_table_least_privilege
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_allows_ingress_authorized_ports
- - aws_vpc_security_group_allows_ingress_to_cassandra_ports
- - aws_vpc_security_group_allows_ingress_to_memcached_port
- - aws_vpc_security_group_allows_ingress_to_mongodb_ports
- - aws_vpc_security_group_allows_ingress_to_oracle_ports
- - aws_vpc_security_group_associated_to_eni
- - aws_vpc_security_group_not_uses_launch_wizard_sg
- - aws_vpc_security_group_remote_administration_ipv4
- - aws_vpc_security_group_remote_administration_ipv6
- - aws_vpc_security_group_remote_administration
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_kafka_port
- - aws_vpc_security_group_restrict_ingress_kibana_port
- - aws_vpc_security_group_restrict_ingress_rdp_all
- - aws_vpc_security_group_restrict_ingress_redis_port
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_security_group_restricted_common_ports
- - aws_vpc_security_group_unused
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_vpn_tunnel_up
+id: aws_all_controls_vpc
+title: VPC
+description: This section contains recommendations for configuring VPC resources.
+section-code: vpc
+type: control-group
+controls:
+- aws_vpc_configured_to_use_vpc_endpoints
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_eip_associated
+- aws_vpc_endpoint_service_acceptance_required_enabled
+- aws_vpc_flow_logs_enabled
+- aws_vpc_gateway_endpoint_restrict_public_access
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_in_more_than_one_region
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_network_acl_unused
+- aws_vpc_not_in_use
+- aws_vpc_peering_connection_no_cross_account_access
+- aws_vpc_peering_connection_route_table_least_privilege
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_allows_ingress_authorized_ports
+- aws_vpc_security_group_allows_ingress_to_cassandra_ports
+- aws_vpc_security_group_allows_ingress_to_memcached_port
+- aws_vpc_security_group_allows_ingress_to_mongodb_ports
+- aws_vpc_security_group_allows_ingress_to_oracle_ports
+- aws_vpc_security_group_associated_to_eni
+- aws_vpc_security_group_not_uses_launch_wizard_sg
+- aws_vpc_security_group_remote_administration_ipv4
+- aws_vpc_security_group_remote_administration_ipv6
+- aws_vpc_security_group_remote_administration
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_kafka_port
+- aws_vpc_security_group_restrict_ingress_kibana_port
+- aws_vpc_security_group_restrict_ingress_rdp_all
+- aws_vpc_security_group_restrict_ingress_redis_port
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_security_group_restricted_common_ports
+- aws_vpc_security_group_unused
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
index a3934232b..a558ccef2 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
@@ -1,14 +1,14 @@
-control-group:
- id: aws_all_controls_waf
- title: WAF
- description: This section contains recommendations for configuring WAF resources.
- section-code: waf
- controls:
- - aws_waf_regional_rule_condition_attached
- - aws_waf_regional_rule_group_rule_attached
- - aws_waf_regional_web_acl_rule_attached
- - aws_waf_rule_condition_attached
- - aws_waf_rule_group_rule_attached
- - aws_waf_web_acl_logging_enabled
- - aws_waf_web_acl_resource_associated
- - aws_waf_web_acl_rule_attached
+id: aws_all_controls_waf
+title: WAF
+description: This section contains recommendations for configuring WAF resources.
+section-code: waf
+type: control-group
+controls:
+- aws_waf_regional_rule_condition_attached
+- aws_waf_regional_rule_group_rule_attached
+- aws_waf_regional_web_acl_rule_attached
+- aws_waf_rule_condition_attached
+- aws_waf_rule_group_rule_attached
+- aws_waf_web_acl_logging_enabled
+- aws_waf_web_acl_resource_associated
+- aws_waf_web_acl_rule_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
index b7e2f3904..3071a9d5d 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_all_controls_wafv2
- title: WAFv2
- description: This section contains recommendations for configuring WAFv2 resources.
- section-code: wafv2
- controls:
- - aws_wafv2_rule_group_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
- - aws_wafv2_web_acl_rule_attached
+id: aws_all_controls_wafv2
+title: WAFv2
+description: This section contains recommendations for configuring WAFv2 resources.
+section-code: wafv2
+type: control-group
+controls:
+- aws_wafv2_rule_group_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
+- aws_wafv2_web_acl_rule_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
index ce1ffb66d..c115ff304 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_all_controls_workspaces
- title: WorkSpaces
- description: This section contains recommendations for configuring WorkSpaces resources.
- section-code: workspaces
- controls:
- - aws_workspaces_workspace_volume_encryption_enabled
+id: aws_all_controls_workspaces
+title: WorkSpaces
+description: This section contains recommendations for configuring WorkSpaces resources.
+section-code: workspaces
+type: control-group
+controls:
+- aws_workspaces_workspace_volume_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml
index 94acfbd43..51450f483 100644
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml
@@ -1,30 +1,30 @@
-framework:
- id: aws_audit_manager_control_tower
- title: AWS Audit Manager Control Tower Guardrails
- description: AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
- section-code: aws_audit_manager_control_tower
- tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_audit_manager_control_tower_ebs_checks
- - id: aws_audit_manager_control_tower_disallow_internet_connection
- - id: aws_audit_manager_control_tower_multi_factor_authentication
- - id: aws_audit_manager_control_tower_disallow_public_access
- - id: aws_audit_manager_control_tower_disallow_instances
+id: aws_audit_manager_control_tower
+title: AWS Audit Manager Control Tower Guardrails
+description: AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
+section-code: aws_audit_manager_control_tower
+type: framework
+tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_audit_manager_control_tower_ebs_checks
+- id: aws_audit_manager_control_tower_disallow_internet_connection
+- id: aws_audit_manager_control_tower_multi_factor_authentication
+- id: aws_audit_manager_control_tower_disallow_public_access
+- id: aws_audit_manager_control_tower_disallow_instances
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
index 8757cdd71..907a7de2b 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
@@ -1,21 +1,23 @@
+id: aws_audit_manager_control_tower_disallow_instances
+title: Disallow Instances
+description: This benchmark checks if RDS storage is encrypted and S3 bucket's versioning is enabled.
+section-code: disallow_instances
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_audit_manager_control_tower_disallow_instances
- title: Disallow Instances
- description: This benchmark checks if RDS storage is encrypted and S3 bucket's versioning is enabled.
- section-code: disallow_instances
- tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_audit_manager_control_tower_disallow_instances_5_0_1
- - id: aws_audit_manager_control_tower_disallow_instances_5_1_1
+- id: aws_audit_manager_control_tower_disallow_instances_5_0_1
+ type: ""
+- id: aws_audit_manager_control_tower_disallow_instances_5_1_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
index dd5738581..4f8eb46de 100755
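Review bot: The child references added under `control-group:` at the end of this hunk carry `type: ""`, an empty string, while the document itself now declares `type: control-group` and the parent framework file earlier in this diff lists its `control-group:` children with no `type` key at all. If the loader dispatches on `type` to decide whether a reference is a control or a control group, an empty value will presumably either fail validation or resolve to nothing, and the inconsistency with the framework file makes it unclear which form is canonical; each child should likely read `- id: aws_audit_manager_control_tower_disallow_instances_5_0_1` followed by `  type: control-group`, or the key should be dropped to match the framework file. The same `type: ""` references appear in the disallow_internet_connection, disallow_public_access and ebs_checks group files in this diff.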
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_instances_5_0_1
- title: 0.1 - Disallow RDS database instances that are not storage encrypted
- description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
- section-code: "5_0_1"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 5.0.1
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_rds_db_instance_encryption_at_rest_enabled
+id: aws_audit_manager_control_tower_disallow_instances_5_0_1
+title: 0.1 - Disallow RDS database instances that are not storage encrypted
+description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
+section-code: "5_0_1"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 5.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_rds_db_instance_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
index 9be5190e8..4d8c90953 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_instances_5_1_1
- title: 1.1 - Disallow S3 buckets that are not versioning enabled
- description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
- section-code: "5_1_1"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 5.1.1
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_s3_bucket_versioning_enabled
+id: aws_audit_manager_control_tower_disallow_instances_5_1_1
+title: 1.1 - Disallow S3 buckets that are not versioning enabled
+description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
+section-code: "5_1_1"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 5.1.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
index cf17f534a..c28f73a26 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
@@ -1,21 +1,23 @@
+id: aws_audit_manager_control_tower_disallow_internet_connection
+title: Disallow Internet Connection
+description: This benchmark checks if the VPC security group restricts ingress from RDP and SSH.
+section-code: disallow_internet_connection
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
 control-group:
- id: aws_audit_manager_control_tower_disallow_internet_connection
- title: Disallow Internet Connection
- description: This benchmark checks if the VPC security group restricts ingress from RDP and SSH.
- section-code: disallow_internet_connection
- tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- control-group:
- - id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
- - id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
+- id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
+ type: ""
+- id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
index 4456c334c..dd23f4bcf 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
- title: 0.1 - Disallow internet connection through RDP
- description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified
- section-code: "2_0_1"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 2.0.1
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_vpc_security_group_restrict_ingress_common_ports_all
+id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
+title: 0.1 - Disallow internet connection through RDP
+description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified
+section-code: "2_0_1"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 2.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
index 827b46e97..3333e9cfc 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
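Review bot: The `description:` line on the new side of this hunk is truncated mid-sentence — it ends with `disallow unrestricted incoming TCP traffic to the specified` — and the rewrite carries the cut-off text over unchanged rather than completing it; since this string is what an assessor reads when a finding is raised, it should end with what is being restricted, e.g. `... unrestricted incoming TCP traffic to the specified port.`, or be shortened to the first clause. Separately, the guardrail titled "Disallow internet connection through RDP" is mapped to `aws_vpc_security_group_restrict_ingress_common_ports_all`, while the VPC control list earlier in this diff also defines `aws_vpc_security_group_restrict_ingress_rdp_all`; if that narrower control evaluates the same security groups, it matches this guardrail's scope and would avoid findings attributed to ports the guardrail does not cover. The control definitions themselves are outside this diff, so this is worth confirming before changing the mapping.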
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
- title: 0.2 - Disallow internet connection through SSH
- description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
- section-code: "2_0_2"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 2.0.2
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
+title: 0.2 - Disallow internet connection through SSH
+description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
+section-code: "2_0_2"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 2.0.2
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
index 07a9240b3..f1cc5f5af 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
@@ -1,23 +1,27 @@
+id: aws_audit_manager_control_tower_disallow_public_access
+title: Disallow Public Access
+description: This benchmark checks if RDS instances, snapshots and S3 buckets are not publicly accessible.
+section-code: disallow_public_access
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_audit_manager_control_tower_disallow_public_access
- title: Disallow Public Access
- description: This benchmark checks if RDS instances, snapshots and S3 buckets are not publicly accessible.
- section-code: disallow_public_access
- tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
- - id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
- - id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
- - id: aws_audit_manager_control_tower_disallow_public_access_4_1_2
+- id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
+ type: ""
+- id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
+ type: ""
+- id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
+ type: ""
+- id: aws_audit_manager_control_tower_disallow_public_access_4_1_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
index 4ca36f4f3..0c7a32231 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
- title: 0.1 - Disallow public access to RDS database instances
- description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
- section-code: "4_0_1"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.0.1
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_rds_db_instance_prohibit_public_access
+id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
+title: 0.1 - Disallow public access to RDS database instances
+description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
+section-code: "4_0_1"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_rds_db_instance_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
index 309bd9766..e4d903962 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
- title: 0.2 - Disallow public access to RDS database snapshots
- description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
- section-code: "4_0_2"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.0.2
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_rds_db_snapshot_prohibit_public_access
+id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
+title: 0.2 - Disallow public access to RDS database snapshots
+description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
+section-code: "4_0_2"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.0.2
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_rds_db_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
index 1e093379d..24f6c6135 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
- title: 1.1 - Disallow public read access to S3 buckets
- description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access.
- section-code: "4_1_1"
- tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.1.1
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_s3_bucket_restrict_public_read_access
+id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
+title: 1.1 - Disallow public read access to S3 buckets
+description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access.
+section-code: "4_1_1"
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.1.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_s3_bucket_restrict_public_read_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
index 0c10b5071..77b0d06f2 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_disallow_public_access_4_1_2 - title: 1.2 - Disallow public write access to S3 buckets - description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. - section-code: "4_1_2" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 4.1.2 - category: - - Compliance - control_set: - - disallow_public_access - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark - controls: - - aws_s3_bucket_restrict_public_write_access +id: aws_audit_manager_control_tower_disallow_public_access_4_1_2 +title: 1.2 - Disallow public write access to S3 buckets +description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access. +section-code: "4_1_2" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 4.1.2 + category: + - Compliance + control_set: + - disallow_public_access + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark +controls: +- aws_s3_bucket_restrict_public_write_access diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml index 156d8c5cc..d4b3d909c 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml 
@@ -1,22 +1,25 @@
+id: aws_audit_manager_control_tower_ebs_checks
+title: EBS checks
+description: This benchmark checks if EBS volumes are in use, encrypted etc.
+section-code: ebs_checks
+type: control-group
+tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - ebs_checks
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
 control-group:
- id: aws_audit_manager_control_tower_ebs_checks
- title: EBS checks
- description: This benchmark checks if EBS volumes are in use, encrypted etc.
- section-code: ebs_checks
- tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - ebs_checks
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- control-group:
- - id: aws_audit_manager_control_tower_ebs_checks_1_0_1
- - id: aws_audit_manager_control_tower_ebs_checks_1_0_2
- - id: aws_audit_manager_control_tower_ebs_checks_1_0_3
+- id: aws_audit_manager_control_tower_ebs_checks_1_0_1
+ type: ""
+- id: aws_audit_manager_control_tower_ebs_checks_1_0_2
+ type: ""
+- id: aws_audit_manager_control_tower_ebs_checks_1_0_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
index b0a8a3fc0..69f8068e1 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
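Review bot: The three child references added under `control-group:` carry `type: ""`, while the files they point to in this same commit (e.g. aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml) declare `type: control-group`, so the empty string is either an unfilled placeholder or a discriminator the loader has to special-case. If the loader dispatches on `type`, an empty value could drop the unattached-volume and EBS-encryption groups (1.0.2, 1.0.3) from the benchmark without any error, which is worth confirming rather than assuming. The framework file aws_cis_controls_v8_ig1.yaml in this commit lists its child groups with no `type` key at all, so there are already two shapes for the same reference. Either write `type: control-group` on each entry here or omit the key, and apply one shape consistently.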
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_ebs_checks_1_0_1 - title: 0.1 - Disallow launch of EC2 instance types that are not EBS-optimized - description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. - section-code: "1_0_1" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 1.0.1 - category: - - Compliance - control_set: - - ebs_checks - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark - controls: - - aws_ec2_instance_ebs_optimized +id: aws_audit_manager_control_tower_ebs_checks_1_0_1 +title: 0.1 - Disallow launch of EC2 instance types that are not EBS-optimized +description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. +section-code: "1_0_1" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 1.0.1 + category: + - Compliance + control_set: + - ebs_checks + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark +controls: +- aws_ec2_instance_ebs_optimized diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml index 489d3be95..afcf245ac 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_ebs_checks_1_0_2 - title: 0.2 - Disallow EBS volumes that are unattached to an EC2 instance - description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances. - section-code: "1_0_2" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 1.0.2 - category: - - Compliance - control_set: - - ebs_checks - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark - controls: - - aws_ebs_volume_unused +id: aws_audit_manager_control_tower_ebs_checks_1_0_2 +title: 0.2 - Disallow EBS volumes that are unattached to an EC2 instance +description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances. +section-code: "1_0_2" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 1.0.2 + category: + - Compliance + control_set: + - ebs_checks + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark +controls: +- aws_ebs_volume_unused diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml index e289369f8..ca864ed8e 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_ebs_checks_1_0_3 - title: 0.3 - Enable encryption for EBS volumes attached to EC2 instances - description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted. - section-code: "1_0_3" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 1.0.3 - category: - - Compliance - control_set: - - ebs_checks - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark - controls: - - aws_ebs_attached_volume_encryption_enabled +id: aws_audit_manager_control_tower_ebs_checks_1_0_3 +title: 0.3 - Enable encryption for EBS volumes attached to EC2 instances +description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted. +section-code: "1_0_3" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 1.0.3 + category: + - Compliance + control_set: + - ebs_checks + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark +controls: +- aws_ebs_attached_volume_encryption_enabled diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml index ac9b7a662..d0fdcfd49 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml 
@@ -1,22 +1,25 @@ +id: aws_audit_manager_control_tower_multi_factor_authentication +title: Multi-Factor Authentication +description: This benchmark checks if MFA is enabled for all the IAM users. +section-code: multi_factor_authentication +type: control-group +tags: + audit_manager_control_tower: + - "true" + category: + - Compliance + control_set: + - multi_factor_authentication + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_audit_manager_control_tower_multi_factor_authentication - title: Multi-Factor Authentication - description: This benchmark checks if MFA is enabled for all the IAM users. - section-code: multi_factor_authentication - tags: - audit_manager_control_tower: - - "true" - category: - - Compliance - control_set: - - multi_factor_authentication - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1 - - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2 - - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3 +- id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1 + type: "" +- id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2 + type: "" +- id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3 + type: "" diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml index dd039cdf4..071a7003e 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml 
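Review bot: The child group references `aws_audit_manager_control_tower_multi_factor_authentication_3_0_1` through `_3_0_3` are added with `type: ""`, even though those groups' own files in this commit set `type: control-group`. These three groups are what carry the IAM-user, console-password and root MFA controls, so a loader that ignores or rejects an empty type would silently remove the benchmark's entire MFA coverage; I would want either a loader error on an empty/unknown `type` or a test that the three controls still resolve. Suggest `type: control-group` on each entry, or dropping the key to match how aws_cis_controls_v8_ig1.yaml lists its groups.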
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1 - title: 0.1 - Disallow access to IAM users without MFA - description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. - section-code: "3_0_1" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 3.0.1 - category: - - Compliance - control_set: - - multi_factor_authentication - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_user_mfa_enabled +id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1 +title: 0.1 - Disallow access to IAM users without MFA +description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. +section-code: "3_0_1" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 3.0.1 + category: + - Compliance + control_set: + - multi_factor_authentication + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml index a0fe61571..161410b5e 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2 - title: 0.2 - Disallow console access to IAM users without MFA - description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. - section-code: "3_0_2" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 3.0.2 - category: - - Compliance - control_set: - - multi_factor_authentication - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_user_console_access_mfa_enabled +id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2 +title: 0.2 - Disallow console access to IAM users without MFA +description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. +section-code: "3_0_2" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 3.0.2 + category: + - Compliance + control_set: + - multi_factor_authentication + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_user_console_access_mfa_enabled diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml index 7bdea9e2b..58c95418e 100755 --- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml +++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3 - title: 0.3 - Enable MFA for the root user - description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. - section-code: "3_0_3" - tags: - audit_manager_control_tower: - - "true" - audit_manager_control_tower_item_id: - - 3.0.3 - category: - - Compliance - control_set: - - multi_factor_authentication - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_mfa_enabled +id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3 +title: 0.3 - Enable MFA for the root user +description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. +section-code: "3_0_3" +type: control-group +tags: + audit_manager_control_tower: + - "true" + audit_manager_control_tower_item_id: + - 3.0.3 + category: + - Compliance + control_set: + - multi_factor_authentication + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100.yaml b/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100.yaml index a81fcfa78..160d004fb 100644 --- a/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100.yaml +++ b/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100.yaml 
@@ -1,132 +1,132 @@ -framework: - id: aws_cis_compute_service_v100 - title: CIS AWS Compute Services Benchmark v1.0.0 +id: aws_cis_compute_service_v100 +title: CIS AWS Compute Services Benchmark v1.0.0 +description: | + This CIS AWS Compute Services Benchmark provides prescriptive guidance for configuring security options for the services within the Compute category in AWS. This Benchmark is intended to be used in conjunction with the CIS Amazon Web Services Foundations Benchmark. +section-code: aws_cis_compute_service_v100 +type: framework +tags: + category: + - CIS + compliance: + - CIS + environment: + - production + framework: + - CIS AWS Compute Services Benchmark + owner: + - Security Team + platform: + - AWS + priority: + - high + service: + - compute + type: + - benchmark + version: + - v1.0.0 +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_cis_compute_service_v100_2 + title: Elastic Cloud Compute (EC2) description: | - This CIS AWS Compute Services Benchmark provides prescriptive guidance for configuring security options for the services within the Compute category in AWS. This Benchmark is intended to be used in conjunction with the CIS Amazon Web Services Foundations Benchmark. - section-code: aws_cis_compute_service_v100 - tags: - category: - - CIS - compliance: - - CIS - environment: - - production - framework: - - CIS AWS Compute Services Benchmark - owner: - - Security Team - platform: - - AWS - priority: - - high - service: - - compute - type: - - benchmark - version: - - v1.0.0 - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false + Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. This section will contain recommendations for configuring your compute resources within EC2. 
+ section-code: "2" control-group: - - id: aws_cis_compute_service_v100_2 - title: Elastic Cloud Compute (EC2) + - id: aws_cis_compute_service_v100_2_1 + title: Amazon Machine Images (AMI) description: | - Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. This section will contain recommendations for configuring your compute resources within EC2. - section-code: "2" - control-group: - - id: aws_cis_compute_service_v100_2_1 - title: Amazon Machine Images (AMI) - description: | - This section contains recommendations for the security of Amazon Machine Images (AMI's) that you could utilize within the AWS EC2 Service. - section-code: "1" - controls: - - aws_cis_compute_service_v100_2_1_1 - - aws_cis_compute_service_v100_2_1_2 - - aws_cis_compute_service_v100_2_1_3 - - aws_cis_compute_service_v100_2_1_4 - - aws_cis_compute_service_v100_2_1_5 - - id: aws_cis_compute_service_v100_2_2 - title: Elastic Block Storage (EBS) - description: | - This section contains guidance for Amazon Elastic Block Store (EBS) which is a high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2). 
- section-code: "2" - controls: - - aws_cis_compute_service_v100_2_2_1 - - aws_cis_compute_service_v100_2_2_2 - - aws_cis_compute_service_v100_2_2_3 - - aws_cis_compute_service_v100_2_2_4 - controls: - - aws_cis_compute_service_v100_2_3 - - aws_cis_compute_service_v100_2_4 - - aws_cis_compute_service_v100_2_5 - - aws_cis_compute_service_v100_2_6 - - aws_cis_compute_service_v100_2_8 - - aws_cis_compute_service_v100_2_9 - - aws_cis_compute_service_v100_2_10 - - aws_cis_compute_service_v100_2_11 - - aws_cis_compute_service_v100_2_12 - - aws_cis_compute_service_v100_2_13 - - aws_cis_compute_service_v100_2_14 - - id: aws_cis_compute_service_v100_3 - title: Lightsail - description: | - Amazon Lightsail offers easy-to-use virtual private server (VPS) instances, containers, storage, databases, to create a website or application in just a few clicks. - section-code: "3" - controls: - - aws_cis_compute_service_v100_3_1 - - aws_cis_compute_service_v100_3_2 - - aws_cis_compute_service_v100_3_3 - - aws_cis_compute_service_v100_3_5 - - aws_cis_compute_service_v100_3_6 - - aws_cis_compute_service_v100_3_7 - - aws_cis_compute_service_v100_3_8 - - aws_cis_compute_service_v100_3_9 - - aws_cis_compute_service_v100_3_10 - - aws_cis_compute_service_v100_3_11 - - aws_cis_compute_service_v100_3_12 - - id: aws_cis_compute_service_v100_4 - title: Lambda - description: | - Serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. Serverless addresses some of today's biggest security concerns as it removes infrastructure management tasks, such as operating system patching, updating binaries, etc. 
- section-code: "4" - controls: - - aws_cis_compute_service_v100_4_1 - - aws_cis_compute_service_v100_4_2 - - aws_cis_compute_service_v100_4_3 - - aws_cis_compute_service_v100_4_4 - - aws_cis_compute_service_v100_4_5 - - aws_cis_compute_service_v100_4_6 - - aws_cis_compute_service_v100_4_7 - - aws_cis_compute_service_v100_4_8 - - aws_cis_compute_service_v100_4_9 - - aws_cis_compute_service_v100_4_10 - - aws_cis_compute_service_v100_4_11 - - aws_cis_compute_service_v100_4_12 - - id: aws_cis_compute_service_v100_5 - title: Batch - description: | - AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. - section-code: "5" + This section contains recommendations for the security of Amazon Machine Images (AMI's) that you could utilize within the AWS EC2 Service. + section-code: "1" controls: - - aws_cis_compute_service_v100_5_1 - - aws_cis_compute_service_v100_5_2 - - id: aws_cis_compute_service_v100_6 - title: Elastic Beanstalk + - aws_cis_compute_service_v100_2_1_1 + - aws_cis_compute_service_v100_2_1_2 + - aws_cis_compute_service_v100_2_1_3 + - aws_cis_compute_service_v100_2_1_4 + - aws_cis_compute_service_v100_2_1_5 + - id: aws_cis_compute_service_v100_2_2 + title: Elastic Block Storage (EBS) description: | - Amazon Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. 
You simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, and automatic scaling to web application health monitoring, with ongoing fully managed patch and security updates. - section-code: "6" - controls: - - aws_cis_compute_service_v100_6_1 - - aws_cis_compute_service_v100_6_2 - - aws_cis_compute_service_v100_6_3 - - aws_cis_compute_service_v100_6_4 - - id: aws_cis_compute_service_v100_10 - title: AWS App Runner - description: | - AWS App Runner is a fully managed service that makes it easy for developers to deploy from source code or container image directly to a scalable and secure web application. - section-code: "10" + This section contains guidance for Amazon Elastic Block Store (EBS) which is a high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2). + section-code: "2" controls: - - aws_cis_compute_service_v100_10_1 - - id: aws_cis_compute_service_v100_11 + - aws_cis_compute_service_v100_2_2_1 + - aws_cis_compute_service_v100_2_2_2 + - aws_cis_compute_service_v100_2_2_3 + - aws_cis_compute_service_v100_2_2_4 + controls: + - aws_cis_compute_service_v100_2_3 + - aws_cis_compute_service_v100_2_4 + - aws_cis_compute_service_v100_2_5 + - aws_cis_compute_service_v100_2_6 + - aws_cis_compute_service_v100_2_8 + - aws_cis_compute_service_v100_2_9 + - aws_cis_compute_service_v100_2_10 + - aws_cis_compute_service_v100_2_11 + - aws_cis_compute_service_v100_2_12 + - aws_cis_compute_service_v100_2_13 + - aws_cis_compute_service_v100_2_14 +- id: aws_cis_compute_service_v100_3 + title: Lightsail + description: | + Amazon Lightsail offers easy-to-use virtual private server (VPS) instances, containers, storage, databases, to create a website or application in just a few clicks. 
+ section-code: "3" + controls: + - aws_cis_compute_service_v100_3_1 + - aws_cis_compute_service_v100_3_2 + - aws_cis_compute_service_v100_3_3 + - aws_cis_compute_service_v100_3_5 + - aws_cis_compute_service_v100_3_6 + - aws_cis_compute_service_v100_3_7 + - aws_cis_compute_service_v100_3_8 + - aws_cis_compute_service_v100_3_9 + - aws_cis_compute_service_v100_3_10 + - aws_cis_compute_service_v100_3_11 + - aws_cis_compute_service_v100_3_12 +- id: aws_cis_compute_service_v100_4 + title: Lambda + description: | + Serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. Serverless addresses some of today's biggest security concerns as it removes infrastructure management tasks, such as operating system patching, updating binaries, etc. + section-code: "4" + controls: + - aws_cis_compute_service_v100_4_1 + - aws_cis_compute_service_v100_4_2 + - aws_cis_compute_service_v100_4_3 + - aws_cis_compute_service_v100_4_4 + - aws_cis_compute_service_v100_4_5 + - aws_cis_compute_service_v100_4_6 + - aws_cis_compute_service_v100_4_7 + - aws_cis_compute_service_v100_4_8 + - aws_cis_compute_service_v100_4_9 + - aws_cis_compute_service_v100_4_10 + - aws_cis_compute_service_v100_4_11 + - aws_cis_compute_service_v100_4_12 +- id: aws_cis_compute_service_v100_5 + title: Batch + description: | + AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. 
+ section-code: "5" + controls: + - aws_cis_compute_service_v100_5_1 + - aws_cis_compute_service_v100_5_2 +- id: aws_cis_compute_service_v100_6 + title: Elastic Beanstalk + description: | + Amazon Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, and automatic scaling to web application health monitoring, with ongoing fully managed patch and security updates. + section-code: "6" + controls: + - aws_cis_compute_service_v100_6_1 + - aws_cis_compute_service_v100_6_2 + - aws_cis_compute_service_v100_6_3 + - aws_cis_compute_service_v100_6_4 +- id: aws_cis_compute_service_v100_10 + title: AWS App Runner + description: | + AWS App Runner is a fully managed service that makes it easy for developers to deploy from source code or container image directly to a scalable and secure web application. + section-code: "10" + controls: + - aws_cis_compute_service_v100_10_1 +- id: aws_cis_compute_service_v100_11 diff --git a/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100_11.yaml b/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100_11.yaml index 76ab2e02c..ac91d1f89 100644 --- a/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100_11.yaml +++ b/compliance/frameworks/aws/aws_cis_compute_service_v100/aws_cis_compute_service_v100_11.yaml 
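Review bot: The new-side `controls:` list for the EC2 section jumps from `aws_cis_compute_service_v100_2_6` to `_2_8`, and the Lightsail section from `_3_3` to `_3_5`, with nothing in the file saying whether recommendations 2.7 and 3.4 are intentionally unmapped or simply missing. Since the restructure rewrites every line anyway, a YAML comment above each list stating the actual reason (for example `# 2.7 has no automated control in this pack`, if that is the case) would keep the gap from being read as an omission. The nested `section-code` values are also ambiguous for reporting: the EBS subgroup inside section 2 uses `section-code: "2"`, the same value as its parent, while the AMI subgroup uses `"1"`; if section codes are meant to identify a node on their own, `"2_1"`/`"2_2"` would be unambiguous. The `defaults: enabled: false` block presumably means the framework is opt-in; a one-line comment saying so would help anyone expecting it to run out of the box.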
@@ -1,7 +1,7 @@
-control-group:
- id: aws_cis_compute_service_v100_11
- title: AWS SimSpace Weaver
- description: AWS SimSpace Weaver is a service used to build and run dynamic, large-scale spatial simulations, such as city-scale digital twins and crowd simulations with millions of people and objects.
- section-code: "11"
- controls:
- - aws_cis_compute_service_v100_11_1
+id: aws_cis_compute_service_v100_11
+title: AWS SimSpace Weaver
+description: AWS SimSpace Weaver is a service used to build and run dynamic, large-scale spatial simulations, such as city-scale digital twins and crowd simulations with millions of people and objects.
+section-code: "11"
+type: control-group
+controls:
+- aws_cis_compute_service_v100_11_1
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml
index ba11f3406..d560064f5 100644
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml
@@ -1,35 +1,35 @@ -framework: - id: aws_cis_controls_v8_ig1 - title: CIS Controls v8 IG1 - description: The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. - section-code: aws_cis_controls_v8_ig1 - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_cis_controls_v8_ig1_1 - - id: aws_cis_controls_v8_ig1_3 - - id: aws_cis_controls_v8_ig1_4 - - id: aws_cis_controls_v8_ig1_5 - - id: aws_cis_controls_v8_ig1_6 - - id: aws_cis_controls_v8_ig1_7 - - id: aws_cis_controls_v8_ig1_8 - - id: aws_cis_controls_v8_ig1_10 - - id: aws_cis_controls_v8_ig1_11 - - id: aws_cis_controls_v8_ig1_12 +id: aws_cis_controls_v8_ig1 +title: CIS Controls v8 IG1 +description: The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. 
+section-code: aws_cis_controls_v8_ig1 +type: framework +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_cis_controls_v8_ig1_1 +- id: aws_cis_controls_v8_ig1_3 +- id: aws_cis_controls_v8_ig1_4 +- id: aws_cis_controls_v8_ig1_5 +- id: aws_cis_controls_v8_ig1_6 +- id: aws_cis_controls_v8_ig1_7 +- id: aws_cis_controls_v8_ig1_8 +- id: aws_cis_controls_v8_ig1_10 +- id: aws_cis_controls_v8_ig1_11 +- id: aws_cis_controls_v8_ig1_12 diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml index bee495b32..524bbe294 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml 
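Review bot: The `control-group:` children on the new side (`- id: aws_cis_controls_v8_ig1_1` and the rest) are listed with only an `id`, while the sibling group files in this commit (aws_cis_controls_v8_ig1_1.yaml, aws_cis_controls_v8_ig1_10.yaml) list their own children as `- id: …` plus `type: ""`. Two shapes for the same kind of reference make it unclear which one the loader expects, and an empty string is the value most likely to pass a presence check and then fail a lookup; pick one form and use it in both the framework and the group files. The list also skips ig1_2 and ig1_9 without explanation; if those CIS Controls have no AWS-mapped safeguards in this pack, a YAML comment saying so above `control-group:` would stop the gap being read as a mistake.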
@@ -1,19 +1,21 @@ +id: aws_cis_controls_v8_ig1_1 +title: Inventory and Control of Enterprise Assets +description: Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_1 - title: Inventory and Control of Enterprise Assets - description: Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. - section-code: "1" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_1_1 - - id: aws_cis_controls_v8_ig1_1_2 +- id: aws_cis_controls_v8_ig1_1_1 + type: "" +- id: aws_cis_controls_v8_ig1_1_2 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml index d12f581ff..2ef178bc3 100755 
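Review bot: Each child reference in the new `control-group` list carries `type: ""`, an empty string that reads like a serializer writing a zero-value struct field rather than a chosen value; the same shape appears in the hunks for `aws_cis_controls_v8_ig1_10.yaml`, `_11.yaml`, `_12.yaml`, `_3.yaml` and `_4.yaml`, while the framework file's child list in the preceding hunk has no `type` key at all. If the loader uses this key to decide whether a child is a control-group or a control, an empty value gives it nothing to dispatch on, and the two list shapes will be resolved by different code paths. Either drop the key so all child lists match the framework's plain `- id:` form, or set it to what the child documents declare about themselves, e.g. `- id: aws_cis_controls_v8_ig1_1_1` / `  type: control-group`. I cannot tell from the hunk which form the loader expects, so this is worth confirming against it rather than leaving the empty string in every file.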
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml @@ -1,19 +1,21 @@ +id: aws_cis_controls_v8_ig1_10 +title: Malware Defenses +description: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. +section-code: "10" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_10 - title: Malware Defenses - description: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. - section-code: "10" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_10_1 - - id: aws_cis_controls_v8_ig1_10_2 +- id: aws_cis_controls_v8_ig1_10_1 + type: "" +- id: aws_cis_controls_v8_ig1_10_2 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml index c985f807a..15143776c 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_cis_controls_v8_ig1_10_1 - title: Deploy and Maintain Anti-Malware Software - description: Deploy and maintain anti-malware software on all enterprise assets. - section-code: "1" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_cis_controls_v8_ig1_10_1 +title: Deploy and Maintain Anti-Malware Software +description: Deploy and maintain anti-malware software on all enterprise assets. +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml index 523d23fb4..4004d5901 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_cis_controls_v8_ig1_10_2 - title: Configure Automatic Anti-Malware Signature Updates - description: Configure automatic updates for anti-malware signature files on all enterprise assets. - section-code: "2" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_cis_controls_v8_ig1_10_2 +title: Configure Automatic Anti-Malware Signature Updates +description: Configure automatic updates for anti-malware signature files on all enterprise assets. +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled 
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml index 58716b5ee..2e2dfec2d 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml @@ -1,20 +1,23 @@ +id: aws_cis_controls_v8_ig1_11 +title: Data Recovery +description: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. +section-code: "11" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_11 - title: Data Recovery - description: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. - section-code: "11" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_11_2 - - id: aws_cis_controls_v8_ig1_11_3 - - id: aws_cis_controls_v8_ig1_11_4 +- id: aws_cis_controls_v8_ig1_11_2 + type: "" +- id: aws_cis_controls_v8_ig1_11_3 + type: "" +- id: aws_cis_controls_v8_ig1_11_4 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml index 230384103..b0fc534e4 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml 
@@ -1,29 +1,29 @@ -control-group: - id: aws_cis_controls_v8_ig1_11_2 - title: Perform Automated Backups - description: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. - section-code: "2" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_cis_controls_v8_ig1_11_2 +title: Perform Automated Backups +description: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_maintenance_settings_check +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled 
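Review bot: The `controls` list this hunk carries over for safeguard 11.2 (Perform Automated Backups) includes `aws_ec2_instance_ebs_optimized`, which checks an instance throughput setting and says nothing about whether a backup exists or runs; a passing result for 11.2 therefore counts evidence unrelated to backups. Since the file is being rewritten anyway, this is the moment to drop that entry. The hunk for `aws_cis_controls_v8_ig1_11_4.yaml` (Establish and Maintain an Isolated Instance of Recovery Data) repeats exactly the same twelve controls, so the two safeguards produce identical results and cannot be told apart in a report; of the list only `aws_s3_bucket_cross_region_replication_enabled` speaks to isolation, and trimming 11.4 to the controls that do would make the distinction meaningful — a mapping judgement the commit does not revisit, so treat this as a suggestion to confirm with whoever owns the mapping.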
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml index 3f688d0eb..7f3e32b63 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml @@ -1,20 +1,20 @@ -control-group: - id: aws_cis_controls_v8_ig1_11_3 - title: Protect Recovery Data - description: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. - section-code: "3" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled +id: aws_cis_controls_v8_ig1_11_3 +title: Protect Recovery Data +description: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml index 63ed1f788..1cdff7b23 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml 
@@ -1,29 +1,29 @@ -control-group: - id: aws_cis_controls_v8_ig1_11_4 - title: Establish and Maintain an Isolated Instance of Recovery Data - description: Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services. - section-code: "4" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_cis_controls_v8_ig1_11_4 +title: Establish and Maintain an Isolated Instance of Recovery Data +description: Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services. 
+section-code: "4" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_maintenance_settings_check +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml index c46661343..33ce64e69 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml 
@@ -1,18 +1,19 @@ +id: aws_cis_controls_v8_ig1_12 +title: Network Infrastructure Management +description: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. +section-code: "12" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_12 - title: Network Infrastructure Management - description: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. - section-code: "12" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_12_1 +- id: aws_cis_controls_v8_ig1_12_1 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml index 2c5dd1550..74be980ae 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_cis_controls_v8_ig1_12_1 - title: Ensure Network Infrastructure is Up-to-Date - description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. - section-code: "1" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_cis_controls_v8_ig1_12_1 +title: Ensure Network Infrastructure is Up-to-Date +description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml index 2df64d615..0adde3ba6 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_cis_controls_v8_ig1_1_1 - title: Establish and Maintain Detailed Enterprise Asset Inventory - description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently." - section-code: "1" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_stopped_instance_30_days - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated - - aws_vpc_network_acl_unused - - aws_vpc_security_group_associated_to_eni +id: aws_cis_controls_v8_ig1_1_1 +title: Establish and Maintain Detailed Enterprise Asset Inventory +description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. 
Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently." +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_stopped_instance_30_days +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_eip_associated +- aws_vpc_network_acl_unused +- aws_vpc_security_group_associated_to_eni diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml index 98c544439..f22d5efaf 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_cis_controls_v8_ig1_1_2 - title: Address Unauthorized Assets - description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. - section-code: "2" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_cis_controls_v8_ig1_1_2 +title: Address Unauthorized Assets +description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml index 0b4a9c83d..328de1c7d 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml 
@@ -1,19 +1,21 @@ +id: aws_cis_controls_v8_ig1_3 +title: Data Protection +description: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_3 - title: Data Protection - description: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. - section-code: "3" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_3_3 - - id: aws_cis_controls_v8_ig1_3_4 +- id: aws_cis_controls_v8_ig1_3_3 + type: "" +- id: aws_cis_controls_v8_ig1_3_4 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml index 2fcc845cd..afd0169a4 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml 
@@ -1,52 +1,52 @@ -control-group: - id: aws_cis_controls_v8_ig1_3_3 - title: Configure Data Access Control Lists - description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. - section-code: "3" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: 
aws_cis_controls_v8_ig1_3_3 +title: Configure Data Access Control Lists +description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_eks_cluster_endpoint_restrict_public_access +- aws_emr_cluster_kerberos_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_managed_policy_attached_to_role +- aws_iam_policy_no_star_star +- aws_iam_policy_unused +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_ssm_document_prohibit_public_access +- aws_vpc_subnet_auto_assign_public_ip_disabled 
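Review bot: The carried-over `controls` list for safeguard 3.3 (Configure Data Access Control Lists) includes `aws_cloudwatch_log_group_retention_period_365`, a retention check that does not assess any access-control list; the same control already appears, correctly, under 3.4 (Enforce Data Retention) in the following hunk. Removing it here would keep a 3.3 pass from being satisfied by retention evidence. The hunk starts on the previous line with the `id:` key split across the line break, which looks like a rendering artifact rather than a change in the file.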
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml index 88f5a7185..73c4a9c37 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_cis_controls_v8_ig1_3_4 - title: Enforce Data Retention - description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. - section-code: "4" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudwatch_log_group_retention_period_365 +id: aws_cis_controls_v8_ig1_3_4 +title: Enforce Data Retention +description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml index 1614b6d96..0bc745c16 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml 
@@ -1,20 +1,23 @@ +id: aws_cis_controls_v8_ig1_4 +title: Secure Configuration of Enterprise Assets and Software +description: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_cis_controls_v8_ig1_4 - title: Secure Configuration of Enterprise Assets and Software - description: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). - section-code: "4" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_cis_controls_v8_ig1_4_1 - - id: aws_cis_controls_v8_ig1_4_6 - - id: aws_cis_controls_v8_ig1_4_7 +- id: aws_cis_controls_v8_ig1_4_1 + type: "" +- id: aws_cis_controls_v8_ig1_4_6 + type: "" +- id: aws_cis_controls_v8_ig1_4_7 + type: "" diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml index 09528c8fd..c7b7f73bb 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml 
@@ -1,23 +1,23 @@ -control-group: - id: aws_cis_controls_v8_ig1_4_1 - title: Establish and Maintain a Secure Configuration Process - description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. - section-code: "1" - tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_account_part_of_organizations - - aws_cloudtrail_security_trail_enabled - - aws_ebs_volume_unused - - aws_ec2_stopped_instance_30_days - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_cis_controls_v8_ig1_4_1 +title: Establish and Maintain a Secure Configuration Process +description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_account_part_of_organizations +- aws_cloudtrail_security_trail_enabled +- aws_ebs_volume_unused +- aws_ec2_stopped_instance_30_days +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml index d49add8e6..01f3ae774 100755 
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml 
@@ -1,47 +1,47 @@
-control-group:
- id: aws_cis_controls_v8_ig1_4_6
- title: Securely Manage Enterprise Assets and Software
- description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
- section-code: "6"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_kms_cmk_rotation_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_cis_controls_v8_ig1_4_6
+title: Securely Manage Enterprise Assets and Software
+description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_ec2_instance_iam_profile_attached
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_kms_cmk_rotation_enabled
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_flow_logs_enabled
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
index 170234bd8..ffe6cf57b 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cis_controls_v8_ig1_4_7
- title: Manage Default Accounts on Enterprise Assets and Software
- description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable."
- section-code: "7"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_mfa_enabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_cis_controls_v8_ig1_4_7
+title: Manage Default Accounts on Enterprise Assets and Software
+description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable."
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_mfa_enabled
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
index e034fe631..d6bdb7c6d 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
@@ -1,20 +1,23 @@
+id: aws_cis_controls_v8_ig1_5
+title: Account Management
+description: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_controls_v8_ig1_5
- title: Account Management
- description: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
- section-code: "5"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_controls_v8_ig1_5_2
- - id: aws_cis_controls_v8_ig1_5_3
- - id: aws_cis_controls_v8_ig1_5_4
+- id: aws_cis_controls_v8_ig1_5_2
+ type: ""
+- id: aws_cis_controls_v8_ig1_5_3
+ type: ""
+- id: aws_cis_controls_v8_ig1_5_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
index b42481b68..9719066de 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
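Review bot: The child entries added under `control-group:` carry `type: ""`, an empty string, while the top-level node of the same document gets `type: control-group`; the same pattern recurs in the hunks for aws_cis_controls_v8_ig1_6, aws_cis_controls_v8_ig1_7, aws_cis_controls_v8_ig1_8 and aws_cis_v130_2. This looks like a serialization artifact rather than an intended value, and a loader that distinguishes an empty string from an absent key may handle these references differently from the framework documents in this commit, whose `control-group:` children have no `type` key at all. Either drop the key from the child references or give it a real value consistently, e.g. `- id: aws_cis_controls_v8_ig1_5_2` followed by `  type: control-group`, so both file kinds agree on the shape of a child reference.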
@@ -1,21 +1,21 @@
-control-group:
- id: aws_cis_controls_v8_ig1_5_2
- title: Use Unique Passwords
- description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
- section-code: "2"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_cis_controls_v8_ig1_5_2
+title: Use Unique Passwords
+description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
index 528a7fb6f..33f8149a1 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_cis_controls_v8_ig1_5_3
- title: Disable Dormant Accounts
- description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
- section-code: "3"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_user_unused_credentials_90
+id: aws_cis_controls_v8_ig1_5_3
+title: Disable Dormant Accounts
+description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
index 42a20c9e5..e45f3abf4 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cis_controls_v8_ig1_5_4
- title: Restrict Administrator Privileges to Dedicated Administrator Accounts
- description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
- section-code: "4"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
+id: aws_cis_controls_v8_ig1_5_4
+title: Restrict Administrator Privileges to Dedicated Administrator Accounts
+description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
index 5e5370e30..699a53cda 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
@@ -1,18 +1,19 @@
+id: aws_cis_controls_v8_ig1_6
+title: Access Control Management
+description: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_controls_v8_ig1_6
- title: Access Control Management
- description: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
- section-code: "6"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_controls_v8_ig1_6_5
+- id: aws_cis_controls_v8_ig1_6_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
index 3a55ab9a6..c58498e38 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cis_controls_v8_ig1_6_5
- title: Require MFA for Administrative Access
- description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
- section-code: "5"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
+id: aws_cis_controls_v8_ig1_6_5
+title: Require MFA for Administrative Access
+description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
index be728a930..6e6a686ad 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
@@ -1,19 +1,21 @@
+id: aws_cis_controls_v8_ig1_7
+title: Continuous Vulnerability Management
+description: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_controls_v8_ig1_7
- title: Continuous Vulnerability Management
- description: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
- section-code: "7"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_controls_v8_ig1_7_1
- - id: aws_cis_controls_v8_ig1_7_3
+- id: aws_cis_controls_v8_ig1_7_1
+ type: ""
+- id: aws_cis_controls_v8_ig1_7_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
index 87312ecf5..ab8eb5f34 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_cis_controls_v8_ig1_7_1
- title: Establish and Maintain a Vulnerability Management Process
- description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- section-code: "1"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_cis_controls_v8_ig1_7_1
+title: Establish and Maintain a Vulnerability Management Process
+description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
index 5a20517d1..fe1ce5543 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cis_controls_v8_ig1_7_3
- title: Perform Automated Operating System Patch Management
- description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- section-code: "3"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_cis_controls_v8_ig1_7_3
+title: Perform Automated Operating System Patch Management
+description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
index 27e9aa0de..fbee71975 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
@@ -1,19 +1,21 @@
+id: aws_cis_controls_v8_ig1_8
+title: Audit Log Management
+description: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_controls_v8_ig1_8
- title: Audit Log Management
- description: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
- section-code: "8"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_controls_v8_ig1_8_1
- - id: aws_cis_controls_v8_ig1_8_2
+- id: aws_cis_controls_v8_ig1_8_1
+ type: ""
+- id: aws_cis_controls_v8_ig1_8_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
index de85ff612..9a1dbe6ee 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_cis_controls_v8_ig1_8_1
- title: Establish and Maintain an Audit Log Management Process
- description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- section-code: "1"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_cis_controls_v8_ig1_8_1
+title: Establish and Maintain an Audit Log Management Process
+description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml
index 4649337e6..d0d31c848 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_cis_controls_v8_ig1_8_2
- title: Collect Audit Logs
- description: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
- section-code: "2"
- tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_cis_controls_v8_ig1_8_2
+title: Collect Audit Logs
+description: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudfront_distribution_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml
index 669613089..97c6d2d0b 100644
--- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml
+++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml
@@ -1,31 +1,31 @@
-framework:
- id: aws_cis_v120
- title: CIS v1.2.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v120
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.2.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v120_1
- - id: aws_cis_v120_2
- - id: aws_cis_v120_3
- - id: aws_cis_v120_4
+id: aws_cis_v120
+title: CIS v1.2.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v120
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.2.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v120_1
+- id: aws_cis_v120_2
+- id: aws_cis_v120_3
+- id: aws_cis_v120_4
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml
index c4707aeab..31026cbb5 100755
--- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml
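Review bot: The new top-level `type: framework` key now sits in the same document as the pre-existing `tags: type: - Benchmark`, so two keys named `type` carry different meanings (the document's kind versus a classification tag) and are easy to conflate when scanning the file; the same applies to every control-group document in this commit, which gets `type: control-group` next to `tags.type`. If the loader's schema permits it, a distinct name for the document-level discriminator, e.g. `kind: framework`, would remove the ambiguity. If the key name is fixed by the schema, a one-line comment above it such as `# document kind consumed by the framework loader; unrelated to tags.type` would at least make the distinction explicit for readers.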
+++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_cis_v120_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.2.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v120_1_1
- - aws_cis_v120_1_2
- - aws_cis_v120_1_3
- - aws_cis_v120_1_4
- - aws_cis_v120_1_8
- - aws_cis_v120_1_11
- - aws_cis_v120_1_12
- - aws_cis_v120_1_13
- - aws_cis_v120_1_15
- - aws_cis_v120_1_16
- - aws_cis_v120_1_17
- - aws_cis_v120_1_18
- - aws_cis_v120_1_19
- - aws_cis_v120_1_20
- - aws_cis_v120_1_21
- - aws_cis_v120_1_22
+id: aws_cis_v120_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.2.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v120_1_1
+- aws_cis_v120_1_2
+- aws_cis_v120_1_3
+- aws_cis_v120_1_4
+- aws_cis_v120_1_8
+- aws_cis_v120_1_11
+- aws_cis_v120_1_12
+- aws_cis_v120_1_13
+- aws_cis_v120_1_15
+- aws_cis_v120_1_16
+- aws_cis_v120_1_17
+- aws_cis_v120_1_18
+- aws_cis_v120_1_19
+- aws_cis_v120_1_20
+- aws_cis_v120_1_21
+- aws_cis_v120_1_22
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml
index fc13fb8fb..c02216bf6 100755
--- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_cis_v120_2
- title: Logging
- description: Logging
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.2.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v120_2_2
- - aws_cis_v120_2_3
- - aws_cis_v120_2_4
- - aws_cis_v120_2_5
- - aws_cis_v120_2_6
- - aws_cis_v120_2_7
- - aws_cis_v120_2_8
- - aws_cis_v120_2_9
+id: aws_cis_v120_2
+title: Logging
+description: Logging
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.2.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v120_2_2
+- aws_cis_v120_2_3
+- aws_cis_v120_2_4
+- aws_cis_v120_2_5
+- aws_cis_v120_2_6
+- aws_cis_v120_2_7
+- aws_cis_v120_2_8
+- aws_cis_v120_2_9
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml
index 46db71139..2f981814c 100755
--- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v120_3
- title: Monitoring
- description: Monitoring
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.2.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cis_v120_3_5
+id: aws_cis_v120_3
+title: Monitoring
+description: Monitoring
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.2.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cis_v120_3_5
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml
index a86688a57..61e80b245 100755
--- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v120_4
- title: Networking
- description: Networking
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.2.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v120_4_1
- - aws_cis_v120_4_2
- - aws_cis_v120_4_4
+id: aws_cis_v120_4
+title: Networking
+description: Networking
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.2.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v120_4_1
+- aws_cis_v120_4_2
+- aws_cis_v120_4_4
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml
index b8281a646..385e28736 100644
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml
@@ -1,32 +1,32 @@
-framework:
- id: aws_cis_v130
- title: CIS v1.3.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v130
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.3.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v130_1
- - id: aws_cis_v130_2
- - id: aws_cis_v130_3
- - id: aws_cis_v130_4
- - id: aws_cis_v130_5
+id: aws_cis_v130
+title: CIS v1.3.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v130
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.3.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v130_1
+- id: aws_cis_v130_2
+- id: aws_cis_v130_3
+- id: aws_cis_v130_4
+- id: aws_cis_v130_5
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml
index 4bea2487f..1a3119eee 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: aws_cis_v130_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v130_1_1
- - aws_cis_v130_1_2
- - aws_cis_v130_1_3
- - aws_cis_v130_1_4
- - aws_cis_v130_1_5
- - aws_cis_v130_1_7
- - aws_cis_v130_1_8
- - aws_cis_v130_1_10
- - aws_cis_v130_1_11
- - aws_cis_v130_1_12
- - aws_cis_v130_1_13
- - aws_cis_v130_1_14
- - aws_cis_v130_1_15
- - aws_cis_v130_1_16
- - aws_cis_v130_1_17
- - aws_cis_v130_1_18
- - aws_cis_v130_1_19
- - aws_cis_v130_1_20
- - aws_cis_v130_1_21
- - aws_cis_v130_1_22
+id: aws_cis_v130_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_1_1
+- aws_cis_v130_1_2
+- aws_cis_v130_1_3
+- aws_cis_v130_1_4
+- aws_cis_v130_1_5
+- aws_cis_v130_1_7
+- aws_cis_v130_1_8
+- aws_cis_v130_1_10
+- aws_cis_v130_1_11
+- aws_cis_v130_1_12
+- aws_cis_v130_1_13
+- aws_cis_v130_1_14
+- aws_cis_v130_1_15
+- aws_cis_v130_1_16
+- aws_cis_v130_1_17
+- aws_cis_v130_1_18
+- aws_cis_v130_1_19
+- aws_cis_v130_1_20
+- aws_cis_v130_1_21
+- aws_cis_v130_1_22
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml
index a3ed23781..7319c23fe 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml
@@ -1,23 +1,25 @@
+id: aws_cis_v130_2
+title: Storage
+description: Storage
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_v130_2
- title: Storage
- description: Storage
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_v130_2_1
- - id: aws_cis_v130_2_2
+- id: aws_cis_v130_2_1
+ type: ""
+- id: aws_cis_v130_2_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml
index b291ea19e..6e8329447 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_cis_v130_2_1
- title: Simple Storage Service (S3)
- description: Simple Storage Service (S3)
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_cis_v130_2_1_1
- - aws_cis_v130_2_1_2
+id: aws_cis_v130_2_1
+title: Simple Storage Service (S3)
+description: Simple Storage Service (S3)
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_2_1_1
+- aws_cis_v130_2_1_2
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml
index 32563e4d5..bc02da31f 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml
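Review bot: The child entries under the new top-level `control-group:` list get `type: ""` (`+- id: aws_cis_v130_2_1` / `+ type: ""`), while the framework file in the previous hunk lists its children as bare `- id: aws_cis_v130_1` entries with no `type` at all, so the same kind of reference is written two different ways in one commit. An empty string is not a real type value; if the loader keys behavior off `type`, an empty value may be handled differently from a missing one, and the child file already declares itself as `type: control-group`. Either drop the `type: ""` lines or write `type: control-group` to match the child's own declaration. The same pattern appears in the aws_cis_v140_2, aws_cis_v150_2 and aws_cis_v200_2 hunks.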
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v130_2_2
- title: Elastic Compute Cloud (EC2)
- description: Elastic Compute Cloud (EC2)
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.2"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_cis_v130_2_2_1
+id: aws_cis_v130_2_2
+title: Elastic Compute Cloud (EC2)
+description: Elastic Compute Cloud (EC2)
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.2"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml
index 80bd40dfa..6089f7059 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_cis_v130_3
- title: Logging
- description: Logging
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v130_3_2
- - aws_cis_v130_3_3
- - aws_cis_v130_3_4
- - aws_cis_v130_3_5
- - aws_cis_v130_3_6
- - aws_cis_v130_3_7
- - aws_cis_v130_3_8
+id: aws_cis_v130_3
+title: Logging
+description: Logging
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_3_2
+- aws_cis_v130_3_3
+- aws_cis_v130_3_4
+- aws_cis_v130_3_5
+- aws_cis_v130_3_6
+- aws_cis_v130_3_7
+- aws_cis_v130_3_8
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml
index 1457ce3f7..e4f58b073 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_cis_v130_4
- title: Monitoring
- description: Monitoring
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cis_v130_4_3
- - aws_cis_v130_4_8
+id: aws_cis_v130_4
+title: Monitoring
+description: Monitoring
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_4_3
+- aws_cis_v130_4_8
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml
index fa0b83a8d..d39cc41f3 100755
--- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_cis_v130_5
- title: Networking
- description: Networking
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.3.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v130_5_2
- - aws_cis_v130_5_4
+id: aws_cis_v130_5
+title: Networking
+description: Networking
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v130_5_2
+- aws_cis_v130_5_4
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml
index b30ce781c..1e57988a1 100644
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml
@@ -1,32 +1,32 @@
-framework:
- id: aws_cis_v140
- title: CIS v1.4.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v140
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.4.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v140_1
- - id: aws_cis_v140_2
- - id: aws_cis_v140_3
- - id: aws_cis_v140_4
- - id: aws_cis_v140_5
+id: aws_cis_v140
+title: CIS v1.4.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v140
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.4.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v140_1
+- id: aws_cis_v140_2
+- id: aws_cis_v140_3
+- id: aws_cis_v140_4
+- id: aws_cis_v140_5
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml
index 75757239c..82e4479c7 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml
@@ -1,39 +1,39 @@
-control-group:
- id: aws_cis_v140_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v140_1_1
- - aws_cis_v140_1_2
- - aws_cis_v140_1_3
- - aws_cis_v140_1_4
- - aws_cis_v140_1_5
- - aws_cis_v140_1_7
- - aws_cis_v140_1_10
- - aws_cis_v140_1_11
- - aws_cis_v140_1_12
- - aws_cis_v140_1_13
- - aws_cis_v140_1_14
- - aws_cis_v140_1_15
- - aws_cis_v140_1_16
- - aws_cis_v140_1_17
- - aws_cis_v140_1_18
- - aws_cis_v140_1_19
- - aws_cis_v140_1_20
- - aws_cis_v140_1_21
+id: aws_cis_v140_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_1_1
+- aws_cis_v140_1_2
+- aws_cis_v140_1_3
+- aws_cis_v140_1_4
+- aws_cis_v140_1_5
+- aws_cis_v140_1_7
+- aws_cis_v140_1_10
+- aws_cis_v140_1_11
+- aws_cis_v140_1_12
+- aws_cis_v140_1_13
+- aws_cis_v140_1_14
+- aws_cis_v140_1_15
+- aws_cis_v140_1_16
+- aws_cis_v140_1_17
+- aws_cis_v140_1_18
+- aws_cis_v140_1_19
+- aws_cis_v140_1_20
+- aws_cis_v140_1_21
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml
index 46df60f10..6f0452f37 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml
@@ -1,24 +1,27 @@
+id: aws_cis_v140_2
+title: Storage
+description: Storage
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_v140_2
- title: Storage
- description: Storage
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_v140_2_1
- - id: aws_cis_v140_2_2
- - id: aws_cis_v140_2_3
+- id: aws_cis_v140_2_1
+ type: ""
+- id: aws_cis_v140_2_2
+ type: ""
+- id: aws_cis_v140_2_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml
index e7908240e..446c28e5a 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v140_2_1
- title: Simple Storage Service (S3)
- description: Simple Storage Service (S3)
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_cis_v140_2_1_1
- - aws_cis_v140_2_1_2
- - aws_cis_v140_2_1_3
- - aws_cis_v140_2_1_4
+id: aws_cis_v140_2_1
+title: Simple Storage Service (S3)
+description: Simple Storage Service (S3)
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_2_1_1
+- aws_cis_v140_2_1_2
+- aws_cis_v140_2_1_3
+- aws_cis_v140_2_1_4
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml
index 0ae80dec5..7c7336878 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v140_2_2
- title: Elastic Compute Cloud (EC2)
- description: Elastic Compute Cloud (EC2)
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_cis_v140_2_2_1
+id: aws_cis_v140_2_2
+title: Elastic Compute Cloud (EC2)
+description: Elastic Compute Cloud (EC2)
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml
index 7476d8209..8b208bd4e 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml
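Review bot: The new side of aws_cis_v140_2_2.yaml keeps `cis_section_id: - "2.1"` for the EC2 group even though its `section-code` is "2" and its id is `aws_cis_v140_2_2`; the sibling aws_cis_v130_2_2 and aws_cis_v150_2_2 groups in this same diff tag the EC2 group as "2.2", so "2.1" here looks like a carried-over copy of the S3 group's value. The following aws_cis_v140_2_3 hunk (RDS, section-code "3") has the same `"2.1"`, where the v150 counterpart uses "2.3". Since this tag is what consumers will use to map findings back to the benchmark section, I would correct both while the files are being rewritten: `cis_section_id: - "2.2"` in aws_cis_v140_2_2.yaml and `cis_section_id: - "2.3"` in aws_cis_v140_2_3.yaml — unless the tag is deliberately pointing at the parent subsection, in which case a short comment saying so would stop the next reader from "fixing" it.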
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v140_2_3
- title: Relational Database Service (RDS)
- description: Relational Database Service (RDS)
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_cis_v140_2_3_1
+id: aws_cis_v140_2_3
+title: Relational Database Service (RDS)
+description: Relational Database Service (RDS)
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_2_3_1
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml
index cbec155d5..4e67b153c 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_cis_v140_3
- title: Logging
- description: Logging
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v140_3_2
- - aws_cis_v140_3_3
- - aws_cis_v140_3_4
- - aws_cis_v140_3_5
- - aws_cis_v140_3_6
- - aws_cis_v140_3_7
- - aws_cis_v140_3_8
- - aws_cis_v140_3_9
+id: aws_cis_v140_3
+title: Logging
+description: Logging
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_3_2
+- aws_cis_v140_3_3
+- aws_cis_v140_3_4
+- aws_cis_v140_3_5
+- aws_cis_v140_3_6
+- aws_cis_v140_3_7
+- aws_cis_v140_3_8
+- aws_cis_v140_3_9
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml
index 42d8fc803..113e47033 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v140_4
- title: Monitoring
- description: Monitoring
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cis_v140_4_5
- - aws_cis_v140_4_7
- - aws_cis_v140_4_8
+id: aws_cis_v140_4
+title: Monitoring
+description: Monitoring
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_4_5
+- aws_cis_v140_4_7
+- aws_cis_v140_4_8
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml
index 99a7c2dce..02af031d7 100755
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v140_5
- title: Networking
- description: Networking
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.4.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v140_5_1
- - aws_cis_v140_5_2
- - aws_cis_v140_5_4
+id: aws_cis_v140_5
+title: Networking
+description: Networking
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v140_5_1
+- aws_cis_v140_5_2
+- aws_cis_v140_5_4
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml
index 10cf83d08..01a20514f 100644
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml
@@ -1,32 +1,32 @@
-framework:
- id: aws_cis_v150
- title: CIS v1.5.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v150
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.5.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v150_1
- - id: aws_cis_v150_2
- - id: aws_cis_v150_3
- - id: aws_cis_v150_4
- - id: aws_cis_v150_5
+id: aws_cis_v150
+title: CIS v1.5.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v150
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.5.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v150_1
+- id: aws_cis_v150_2
+- id: aws_cis_v150_3
+- id: aws_cis_v150_4
+- id: aws_cis_v150_5
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml
index de06a1dda..5186a2e81 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml
@@ -1,40 +1,40 @@
-control-group:
- id: aws_cis_v150_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v150_1_1
- - aws_cis_v150_1_2
- - aws_cis_v150_1_3
- - aws_cis_v150_1_4
- - aws_cis_v150_1_5
- - aws_cis_v150_1_7
- - aws_cis_v150_1_8
- - aws_cis_v150_1_9
- - aws_cis_v150_1_10
- - aws_cis_v150_1_11
- - aws_cis_v150_1_12
- - aws_cis_v150_1_13
- - aws_cis_v150_1_14
- - aws_cis_v150_1_15
- - aws_cis_v150_1_16
- - aws_cis_v150_1_17
- - aws_cis_v150_1_18
- - aws_cis_v150_1_19
- - aws_cis_v150_1_21
+id: aws_cis_v150_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_1_1
+- aws_cis_v150_1_2
+- aws_cis_v150_1_3
+- aws_cis_v150_1_4
+- aws_cis_v150_1_5
+- aws_cis_v150_1_7
+- aws_cis_v150_1_8
+- aws_cis_v150_1_9
+- aws_cis_v150_1_10
+- aws_cis_v150_1_11
+- aws_cis_v150_1_12
+- aws_cis_v150_1_13
+- aws_cis_v150_1_14
+- aws_cis_v150_1_15
+- aws_cis_v150_1_16
+- aws_cis_v150_1_17
+- aws_cis_v150_1_18
+- aws_cis_v150_1_19
+- aws_cis_v150_1_21
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml
index ecaeac815..d70c0292e 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml
@@ -1,25 +1,29 @@
+id: aws_cis_v150_2
+title: Storage
+description: Storage
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_v150_2
- title: Storage
- description: Storage
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_v150_2_1
- - id: aws_cis_v150_2_2
- - id: aws_cis_v150_2_3
- - id: aws_cis_v150_2_4
+- id: aws_cis_v150_2_1
+ type: ""
+- id: aws_cis_v150_2_2
+ type: ""
+- id: aws_cis_v150_2_3
+ type: ""
+- id: aws_cis_v150_2_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml
index c6a830c6d..a67f79ef7 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v150_2_1
- title: Simple Storage Service (S3)
- description: Simple Storage Service (S3)
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_cis_v150_2_1_1
- - aws_cis_v150_2_1_2
- - aws_cis_v150_2_1_3
- - aws_cis_v150_2_1_4
+id: aws_cis_v150_2_1
+title: Simple Storage Service (S3)
+description: Simple Storage Service (S3)
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_2_1_1
+- aws_cis_v150_2_1_2
+- aws_cis_v150_2_1_3
+- aws_cis_v150_2_1_4
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml
index b16925f12..24cf61fd0 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v150_2_2
- title: Elastic Compute Cloud (EC2)
- description: Elastic Compute Cloud (EC2)
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.2"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_cis_v150_2_2_1
+id: aws_cis_v150_2_2
+title: Elastic Compute Cloud (EC2)
+description: Elastic Compute Cloud (EC2)
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.2"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml
index 742315645..554b83f49 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v150_2_3
- title: Relational Database Service (RDS)
- description: Relational Database Service (RDS)
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.3"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_cis_v150_2_3_1
- - aws_cis_v150_2_3_2
- - aws_cis_v150_2_3_3
+id: aws_cis_v150_2_3
+title: Relational Database Service (RDS)
+description: Relational Database Service (RDS)
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.3"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_2_3_1
+- aws_cis_v150_2_3_2
+- aws_cis_v150_2_3_3
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml
index 5ec4149a2..cad1c18d3 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v150_2_4
- title: Elastic File System (EFS)
- description: Elastic File System (EFS)
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.4"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/EFS
- type:
- - Benchmark
- controls:
- - aws_cis_v150_2_4_1
+id: aws_cis_v150_2_4
+title: Elastic File System (EFS)
+description: Elastic File System (EFS)
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.4"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/EFS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_2_4_1
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml
index d693f07a2..add735e58 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_cis_v150_3
- title: Logging
- description: Logging
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v150_3_2
- - aws_cis_v150_3_3
- - aws_cis_v150_3_4
- - aws_cis_v150_3_5
- - aws_cis_v150_3_6
- - aws_cis_v150_3_7
- - aws_cis_v150_3_8
- - aws_cis_v150_3_9
+id: aws_cis_v150_3
+title: Logging
+description: Logging
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_3_2
+- aws_cis_v150_3_3
+- aws_cis_v150_3_4
+- aws_cis_v150_3_5
+- aws_cis_v150_3_6
+- aws_cis_v150_3_7
+- aws_cis_v150_3_8
+- aws_cis_v150_3_9
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml
index ac16d11bb..05269dc33 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v150_4
- title: Monitoring
- description: Monitoring
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cis_v150_4_3
- - aws_cis_v150_4_5
- - aws_cis_v150_4_7
- - aws_cis_v150_4_8
+id: aws_cis_v150_4
+title: Monitoring
+description: Monitoring
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_4_3
+- aws_cis_v150_4_5
+- aws_cis_v150_4_7
+- aws_cis_v150_4_8
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml
index 2ab1d081d..6b58b61cc 100755
--- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v150_5
- title: Networking
- description: Networking
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.5.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v150_5_2
- - aws_cis_v150_5_3
- - aws_cis_v150_5_4
- - aws_cis_v150_5_5
+id: aws_cis_v150_5
+title: Networking
+description: Networking
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.5.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v150_5_2
+- aws_cis_v150_5_3
+- aws_cis_v150_5_4
+- aws_cis_v150_5_5
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml
index c8e4bcd96..d02d54b52 100644
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml
@@ -1,32 +1,32 @@
-framework:
- id: aws_cis_v200
- title: CIS v2.0.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v200
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v2.0.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v200_1
- - id: aws_cis_v200_2
- - id: aws_cis_v200_3
- - id: aws_cis_v200_4
- - id: aws_cis_v200_5
+id: aws_cis_v200
+title: CIS v2.0.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v200
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v2.0.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v200_1
+- id: aws_cis_v200_2
+- id: aws_cis_v200_3
+- id: aws_cis_v200_4
+- id: aws_cis_v200_5
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml
index fbb7446f1..df3b45bdb 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml
@@ -1,40 +1,40 @@
-control-group:
- id: aws_cis_v200_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v200_1_1
- - aws_cis_v200_1_2
- - aws_cis_v200_1_3
- - aws_cis_v200_1_4
- - aws_cis_v200_1_5
- - aws_cis_v200_1_7
- - aws_cis_v200_1_8
- - aws_cis_v200_1_10
- - aws_cis_v200_1_11
- - aws_cis_v200_1_12
- - aws_cis_v200_1_13
- - aws_cis_v200_1_14
- - aws_cis_v200_1_15
- - aws_cis_v200_1_16
- - aws_cis_v200_1_17
- - aws_cis_v200_1_18
- - aws_cis_v200_1_19
- - aws_cis_v200_1_20
- - aws_cis_v200_1_21
+id: aws_cis_v200_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_1_1
+- aws_cis_v200_1_2
+- aws_cis_v200_1_3
+- aws_cis_v200_1_4
+- aws_cis_v200_1_5
+- aws_cis_v200_1_7
+- aws_cis_v200_1_8
+- aws_cis_v200_1_10
+- aws_cis_v200_1_11
+- aws_cis_v200_1_12
+- aws_cis_v200_1_13
+- aws_cis_v200_1_14
+- aws_cis_v200_1_15
+- aws_cis_v200_1_16
+- aws_cis_v200_1_17
+- aws_cis_v200_1_18
+- aws_cis_v200_1_19
+- aws_cis_v200_1_20
+- aws_cis_v200_1_21
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml
index 940c00327..5fc3e3f97 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml
@@ -1,25 +1,29 @@
+id: aws_cis_v200_2
+title: Storage
+description: Storage
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_v200_2
- title: Storage
- description: Storage
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_v200_2_1
- - id: aws_cis_v200_2_2
- - id: aws_cis_v200_2_3
- - id: aws_cis_v200_2_4
+- id: aws_cis_v200_2_1
+ type: ""
+- id: aws_cis_v200_2_2
+ type: ""
+- id: aws_cis_v200_2_3
+ type: ""
+- id: aws_cis_v200_2_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml
index a48eb2448..67a8a087a 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v200_2_1
- title: Simple Storage Service (S3)
- description: Simple Storage Service (S3)
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_cis_v200_2_1_1
- - aws_cis_v200_2_1_2
- - aws_cis_v200_2_1_3
- - aws_cis_v200_2_1_4
+id: aws_cis_v200_2_1
+title: Simple Storage Service (S3)
+description: Simple Storage Service (S3)
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_2_1_1
+- aws_cis_v200_2_1_2
+- aws_cis_v200_2_1_3
+- aws_cis_v200_2_1_4
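Review bot: The nested `control-group` entries added at the end of the aws_cis_v200_2.yaml hunk carry `type: ""`, while the framework-level `control-group` lists in aws_cis_v200.yaml, aws_cis_v300.yaml and aws_cisa_cyber_essentials.yaml reference their children by `id` alone, and the child files now declare `type: control-group` on themselves. An empty string is the one value that tells a loader nothing: if `type` is meant to disambiguate what an `id` points to, each entry should read `type: control-group`; if it is not, the key should be dropped so both reference shapes agree. The same placeholder appears in aws_cis_v300_2.yaml, aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml and aws_cisa_cyber_essentials_your_crisis_response.yaml. Depending on how the loader dispatches on `type` (not visible here), an empty value could silently skip a subgroup rather than fail, which is worth confirming with a load of the full framework tree.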
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml
index d0a27b88a..2245c53dc 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v200_2_2
- title: Elastic Compute Cloud (EC2)
- description: Elastic Compute Cloud (EC2)
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.2"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_cis_v200_2_2_1
+id: aws_cis_v200_2_2
+title: Elastic Compute Cloud (EC2)
+description: Elastic Compute Cloud (EC2)
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.2"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml
index 0dbc47578..37874c3dd 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v200_2_3
- title: Relational Database Service (RDS)
- description: Relational Database Service (RDS)
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.3"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_cis_v200_2_3_1
- - aws_cis_v200_2_3_2
- - aws_cis_v200_2_3_3
+id: aws_cis_v200_2_3
+title: Relational Database Service (RDS)
+description: Relational Database Service (RDS)
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.3"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_2_3_1
+- aws_cis_v200_2_3_2
+- aws_cis_v200_2_3_3
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml
index 00d8881e0..9803797a9 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v200_2_4
- title: Elastic File System (EFS)
- description: Elastic File System (EFS)
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.4"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/EFS
- type:
- - Benchmark
- controls:
- - aws_cis_v200_2_4_1
+id: aws_cis_v200_2_4
+title: Elastic File System (EFS)
+description: Elastic File System (EFS)
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.4"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EFS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_2_4_1
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml
index 38b96daea..719bd190c 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_cis_v200_3
- title: Logging
- description: Logging
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v200_3_2
- - aws_cis_v200_3_3
- - aws_cis_v200_3_4
- - aws_cis_v200_3_5
- - aws_cis_v200_3_6
- - aws_cis_v200_3_7
- - aws_cis_v200_3_8
- - aws_cis_v200_3_9
+id: aws_cis_v200_3
+title: Logging
+description: Logging
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_3_2
+- aws_cis_v200_3_3
+- aws_cis_v200_3_4
+- aws_cis_v200_3_5
+- aws_cis_v200_3_6
+- aws_cis_v200_3_7
+- aws_cis_v200_3_8
+- aws_cis_v200_3_9
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml
index d4f072ced..db9795eb9 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_cis_v200_4
- title: Monitoring
- description: Monitoring
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cis_v200_4_3
- - aws_cis_v200_4_6
+id: aws_cis_v200_4
+title: Monitoring
+description: Monitoring
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_4_3
+- aws_cis_v200_4_6
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml
index c8d9a3c66..790cf3f44 100755
--- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_cis_v200_5
- title: Networking
- description: Networking
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v2.0.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v200_5_2
- - aws_cis_v200_5_3
- - aws_cis_v200_5_4
- - aws_cis_v200_5_5
- - aws_cis_v200_5_6
+id: aws_cis_v200_5
+title: Networking
+description: Networking
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v200_5_2
+- aws_cis_v200_5_3
+- aws_cis_v200_5_4
+- aws_cis_v200_5_5
+- aws_cis_v200_5_6
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml
index fbc84f1b6..0fa5ba6d3 100644
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml
@@ -1,32 +1,32 @@
-framework:
- id: aws_cis_v300
- title: CIS v3.0.0
- description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
- section-code: aws_cis_v300
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v3.0.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: true
- enabled: true
- tracks-drift-events: false
- control-group:
- - id: aws_cis_v300_1
- - id: aws_cis_v300_2
- - id: aws_cis_v300_3
- - id: aws_cis_v300_4
- - id: aws_cis_v300_5
+id: aws_cis_v300
+title: CIS v3.0.0
+description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
+section-code: aws_cis_v300
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v3.0.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: true
+ enabled: true
+ tracks-drift-events: false
+control-group:
+- id: aws_cis_v300_1
+- id: aws_cis_v300_2
+- id: aws_cis_v300_3
+- id: aws_cis_v300_4
+- id: aws_cis_v300_5
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml
index c0f3c49f7..b713e4609 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml
@@ -1,40 +1,40 @@
-control-group:
- id: aws_cis_v300_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v300_1_1
- - aws_cis_v300_1_2
- - aws_cis_v300_1_3
- - aws_cis_v300_1_4
- - aws_cis_v300_1_5
- - aws_cis_v300_1_6
- - aws_cis_v300_1_7
- - aws_cis_v300_1_8
- - aws_cis_v300_1_10
- - aws_cis_v300_1_11
- - aws_cis_v300_1_12
- - aws_cis_v300_1_14
- - aws_cis_v300_1_15
- - aws_cis_v300_1_16
- - aws_cis_v300_1_17
- - aws_cis_v300_1_18
- - aws_cis_v300_1_19
- - aws_cis_v300_1_20
- - aws_cis_v300_1_21
+id: aws_cis_v300_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_1_1
+- aws_cis_v300_1_2
+- aws_cis_v300_1_3
+- aws_cis_v300_1_4
+- aws_cis_v300_1_5
+- aws_cis_v300_1_6
+- aws_cis_v300_1_7
+- aws_cis_v300_1_8
+- aws_cis_v300_1_10
+- aws_cis_v300_1_11
+- aws_cis_v300_1_12
+- aws_cis_v300_1_14
+- aws_cis_v300_1_15
+- aws_cis_v300_1_16
+- aws_cis_v300_1_17
+- aws_cis_v300_1_18
+- aws_cis_v300_1_19
+- aws_cis_v300_1_20
+- aws_cis_v300_1_21
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml
index ed140c9d5..0796b2ae5 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml
@@ -1,25 +1,29 @@
+id: aws_cis_v300_2
+title: Storage
+description: Storage
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cis_v300_2
- title: Storage
- description: Storage
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cis_v300_2_1
- - id: aws_cis_v300_2_2
- - id: aws_cis_v300_2_3
- - id: aws_cis_v300_2_4
+- id: aws_cis_v300_2_1
+ type: ""
+- id: aws_cis_v300_2_2
+ type: ""
+- id: aws_cis_v300_2_3
+ type: ""
+- id: aws_cis_v300_2_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
index d4eda6d22..cafe7b5c7 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v300_2_1
- title: Simple Storage Service (S3)
- description: Simple Storage Service (S3)
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_cis_v300_2_1_1
- - aws_cis_v300_2_1_2
- - aws_cis_v300_2_1_3
+id: aws_cis_v300_2_1
+title: Simple Storage Service (S3)
+description: Simple Storage Service (S3)
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_2_1_1
+- aws_cis_v300_2_1_2
+- aws_cis_v300_2_1_3
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
index 7f6207915..dfa05e196 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v300_2_2
- title: Elastic Compute Cloud (EC2)
- description: Elastic Compute Cloud (EC2)
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.2"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_cis_v300_2_2_1
+id: aws_cis_v300_2_2
+title: Elastic Compute Cloud (EC2)
+description: Elastic Compute Cloud (EC2)
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.2"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
index 684b70712..67f29ae02 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cis_v300_2_3
- title: Relational Database Service (RDS)
- description: Relational Database Service (RDS)
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.3"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
- controls:
- - aws_cis_v300_2_3_1
- - aws_cis_v300_2_3_2
- - aws_cis_v300_2_3_3
+id: aws_cis_v300_2_3
+title: Relational Database Service (RDS)
+description: Relational Database Service (RDS)
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.3"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_2_3_1
+- aws_cis_v300_2_3_2
+- aws_cis_v300_2_3_3
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
index 1607da9c3..c4359ee30 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_cis_v300_2_4
- title: Elastic File System (EFS)
- description: Elastic File System (EFS)
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.4"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/EFS
- type:
- - Benchmark
- controls:
- - aws_cis_v300_2_4_1
+id: aws_cis_v300_2_4
+title: Elastic File System (EFS)
+description: Elastic File System (EFS)
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.4"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EFS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_2_4_1
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
index 796b2eedc..9f72ed216 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_cis_v300_3
- title: Logging
- description: Logging
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cis_v300_3_2
- - aws_cis_v300_3_3
- - aws_cis_v300_3_4
- - aws_cis_v300_3_5
- - aws_cis_v300_3_6
- - aws_cis_v300_3_8
- - aws_cis_v300_3_9
+id: aws_cis_v300_3
+title: Logging
+description: Logging
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_3_2
+- aws_cis_v300_3_3
+- aws_cis_v300_3_4
+- aws_cis_v300_3_5
+- aws_cis_v300_3_6
+- aws_cis_v300_3_8
+- aws_cis_v300_3_9
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
index 7afda3082..3f5c443e1 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_cis_v300_4
- title: Monitoring
- description: Monitoring
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+id: aws_cis_v300_4
+title: Monitoring
+description: Monitoring
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
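Review bot: aws_cis_v300_4.yaml, the second hunk on this line, comes out of the rewrite with no `controls:` key at all, unlike every sibling section converted the same way, so the CIS v3.0.0 Monitoring group evaluates nothing. The gap predates this commit, but since the file is being rewritten anyway and the v2.0.0 counterpart lists `aws_cis_v200_4_3` and `aws_cis_v200_4_6`, either the intended list should be added or a comment such as `# controls: none implemented yet for CIS v3.0.0 section 4` placed after the `tags` block, so an empty group is not mistaken for a populated one. Whether the loader reports an empty group as compliant or as not evaluated is not visible here and is worth confirming.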
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
index cacb10aa1..f7d7eda0a 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_cis_v300_5
- title: Networking
- description: Networking
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_cis_v300_5_2
- - aws_cis_v300_5_3
- - aws_cis_v300_5_5
- - aws_cis_v300_5_6
+id: aws_cis_v300_5
+title: Networking
+description: Networking
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_cis_v300_5_2
+- aws_cis_v300_5_3
+- aws_cis_v300_5_5
+- aws_cis_v300_5_6
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml
index 895336431..58a996bcb 100644
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml
@@ -1,30 +1,30 @@
-framework:
- id: aws_cisa_cyber_essentials
- title: CISA Cyber Essentials
- description: CISA's Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
- section-code: aws_cisa_cyber_essentials
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_cisa_cyber_essentials_your_systems
- - id: aws_cisa_cyber_essentials_your_surroundings
- - id: aws_cisa_cyber_essentials_your_data
- - id: aws_cisa_cyber_essentials_your_crisis_response
- - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
+id: aws_cisa_cyber_essentials
+title: CISA Cyber Essentials
+description: CISA's Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
+section-code: aws_cisa_cyber_essentials
+type: framework
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_cisa_cyber_essentials_your_systems
+- id: aws_cisa_cyber_essentials_your_surroundings
+- id: aws_cisa_cyber_essentials_your_data
+- id: aws_cisa_cyber_essentials_your_crisis_response
+- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
index c4ecdb717..cb177a650 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
@@ -1,20 +1,23 @@
+id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
+title: "Booting Up: Things to Do First"
+description: Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.
+section-code: booting_up_things_to_do_first
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
- title: "Booting Up: Things to Do First"
- description: Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.
- section-code: booting_up_things_to_do_first
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
- - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
- - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
+- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
+ type: ""
+- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
+ type: ""
+- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml
index b07de21e8..1a8ed9a20 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml
@@ -1,34 +1,34 @@
-control-group:
- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
- title: "Booting Up: Things to Do First-1"
- description: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
- section-code: "1"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
+title: "Booting Up: Things to Do First-1"
+description: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
index 29a46bed0..8854e6750 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
- title: "Booting Up: Things to Do First-2"
- description: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
- section-code: "2"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
+title: "Booting Up: Things to Do First-2"
+description: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
index 7b1aa1a2a..ad6995fb6 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
- title: "Booting Up: Things to Do First-3"
- description: Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
- section-code: "3"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
+title: "Booting Up: Things to Do First-3"
+description: Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
index 3eb628224..d8d886964 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
@@ -1,18 +1,19 @@
+id: aws_cisa_cyber_essentials_your_crisis_response
+title: Your Crisis Response
+description: As your strategy for responding to and recovering from compromise, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.
+section-code: your_crisis_response
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cisa_cyber_essentials_your_crisis_response
- title: Your Crisis Response
- description: As your strategy for responding to and recovering from compromise, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.
- section-code: your_crisis_response
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cisa_cyber_essentials_your_crisis_response_2
+- id: aws_cisa_cyber_essentials_your_crisis_response_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
index d2b37fd45..827428871 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
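Review bot: The child entry added under `control-group:` at the end of this hunk carries `type: ""`, while every child file in this series (your_crisis_response_2 in the next hunk) declares `type: control-group` at top level, so a loader that dispatches on `type` would presumably see an empty string for the reference and a real value for the same id — this looks like a struct field serialised without omitempty rather than a deliberate choice. Either drop the field from the reference or give it the same value, `type: control-group`, so the two sides agree. The same empty value appears in the your_data, your_surroundings and your_systems parent hunks below. If the empty value is intentional, a comment on the first entry, `# type is taken from the referenced file's own definition`, would spare the next reader the same question.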
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_crisis_response_2
- title: Your Crisis Response-2
- description: Lead development of an internal reporting structure to detect, communicate and contain attacks.
- section-code: "2"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_cisa_cyber_essentials_your_crisis_response_2
+title: Your Crisis Response-2
+description: Lead development of an internal reporting structure to detect, communicate and contain attacks.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
index 7f09514cc..2ce867bd8 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
@@ -1,22 +1,27 @@
+id: aws_cisa_cyber_essentials_your_data
+title: Your Data
+description: Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.
+section-code: your_data
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cisa_cyber_essentials_your_data
- title: Your Data
- description: Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.
- section-code: your_data
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cisa_cyber_essentials_your_data_1
- - id: aws_cisa_cyber_essentials_your_data_2
- - id: aws_cisa_cyber_essentials_your_data_3
- - id: aws_cisa_cyber_essentials_your_data_4
- - id: aws_cisa_cyber_essentials_your_data_5
+- id: aws_cisa_cyber_essentials_your_data_1
+ type: ""
+- id: aws_cisa_cyber_essentials_your_data_2
+ type: ""
+- id: aws_cisa_cyber_essentials_your_data_3
+ type: ""
+- id: aws_cisa_cyber_essentials_your_data_4
+ type: ""
+- id: aws_cisa_cyber_essentials_your_data_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml
index 6a6ab686c..f0c4e0b53 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml 
@@ -1,35 +1,35 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_data_1
- title: Your Data-1
- description: Learn how your data is protected.
- section-code: "1"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypted_with_cmk
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_cisa_cyber_essentials_your_data_1
+title: Your Data-1
+description: Learn how your data is protected.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_backup_recovery_point_encryption_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypted_with_cmk
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
index 881fda507..c4ee1dbe3 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
@@ -1,78 +1,78 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_data_2
- title: Your Data-2
- description: Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
- section-code: "2"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_efs_file_system_encrypted_with_cmk
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_logs_to_cloudwatch
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - 
aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_cisa_cyber_essentials_your_data_2
+title: Your Data-2
+description: Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_backup_recovery_point_encryption_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_ebs_default_encryption_enabled
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_efs_file_system_encrypted_with_cmk
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_in_vpc
+- aws_es_domain_logs_to_cloudwatch
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- 
aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_flow_logs_enabled
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
index 47203f94d..c3a0204c5 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_data_3
- title: Your Data-3
- description: Domain name system protection.
- section-code: "3"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_waf_enabled
+id: aws_cisa_cyber_essentials_your_data_3
+title: Your Data-3
+description: Domain name system protection.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_waf_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
index 4a2df81c5..9fc70600d 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_data_4
- title: Your Data-4
- description: Establish regular automated backups and redundancies of key systems.
- section-code: "4"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_cisa_cyber_essentials_your_data_4
+title: Your Data-4
+description: Establish regular automated backups and redundancies of key systems.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
index f73886be3..8a16a2ba3 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_data_5
- title: Your Data-5
- description: Leverage protections for backups, including physical security, encryption and offline copies.
- section-code: "5"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
+id: aws_cisa_cyber_essentials_your_data_5
+title: Your Data-5
+description: Leverage protections for backups, including physical security, encryption and offline copies.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
index c15f9f31c..6962f3bb6 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
@@ -1,21 +1,25 @@
+id: aws_cisa_cyber_essentials_your_surroundings
+title: Your Surroundings
+description: As your organization's digital workplace, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.
+section-code: your_surroundings
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cisa_cyber_essentials_your_surroundings
- title: Your Surroundings
- description: As your organization's digital workplace, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.
- section-code: your_surroundings
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cisa_cyber_essentials_your_surroundings_1
- - id: aws_cisa_cyber_essentials_your_surroundings_2
- - id: aws_cisa_cyber_essentials_your_surroundings_3
- - id: aws_cisa_cyber_essentials_your_surroundings_4
+- id: aws_cisa_cyber_essentials_your_surroundings_1
+ type: ""
+- id: aws_cisa_cyber_essentials_your_surroundings_2
+ type: ""
+- id: aws_cisa_cyber_essentials_your_surroundings_3
+ type: ""
+- id: aws_cisa_cyber_essentials_your_surroundings_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
index 398032baf..c2247c11a 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_surroundings_1
- title: Your Surroundings-1
- description: Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
- section-code: "1"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_vpc_eip_associated
- - aws_vpc_flow_logs_enabled
- - aws_vpc_network_acl_unused
+id: aws_cisa_cyber_essentials_your_surroundings_1
+title: Your Surroundings-1
+description: Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_vpc_eip_associated
+- aws_vpc_flow_logs_enabled
+- aws_vpc_network_acl_unused
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
index a65399c3f..16ed201ff 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_surroundings_2
- title: Your Surroundings-2
- description: Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
- section-code: "2"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_cisa_cyber_essentials_your_surroundings_2
+title: Your Surroundings-2
+description: Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
index d5852f433..3a777eb12 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_surroundings_3
- title: Your Surroundings-3
- description: Grant access and admin permissions based on need-to-know and least privilege.
- section-code: "3"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
+id: aws_cisa_cyber_essentials_your_surroundings_3
+title: Your Surroundings-3
+description: Grant access and admin permissions based on need-to-know and least privilege.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
index cb06f24ff..634c71286 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_surroundings_4
- title: Your Surroundings-4
- description: Leverage unique passwords for all user accounts.
- section-code: "4"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_cisa_cyber_essentials_your_surroundings_4
+title: Your Surroundings-4
+description: Leverage unique passwords for all user accounts.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
index 19aa6a385..b6a1f04a9 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
@@ -1,20 +1,23 @@
+id: aws_cisa_cyber_essentials_your_systems
+title: Your Systems
+description: As the infrastructure that makes your organization operational, your systems are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.
+section-code: your_systems
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_cisa_cyber_essentials_your_systems
- title: Your Systems
- description: As the infrastructure that makes your organization operational, your systems are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.
- section-code: your_systems
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_cisa_cyber_essentials_your_systems_1
- - id: aws_cisa_cyber_essentials_your_systems_2
- - id: aws_cisa_cyber_essentials_your_systems_3
+- id: aws_cisa_cyber_essentials_your_systems_1
+ type: ""
+- id: aws_cisa_cyber_essentials_your_systems_2
+ type: ""
+- id: aws_cisa_cyber_essentials_your_systems_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
index f77859c6f..8ebf4cf9a 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_systems_1
- title: Your Systems-1
- description: Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.
- section-code: "1"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_vpc_eip_associated
- - aws_vpc_network_acl_unused
+id: aws_cisa_cyber_essentials_your_systems_1
+title: Your Systems-1
+description: Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
+- aws_vpc_eip_associated
+- aws_vpc_network_acl_unused
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
index 74f189910..d85513794 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_cisa_cyber_essentials_your_systems_2
- title: Your Systems-2
- description: Leverage automatic updates for all operating systems and third-party software.
- section-code: "2"
- tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_cisa_cyber_essentials_your_systems_2
+title: Your Systems-2
+description: Leverage automatic updates for all operating systems and third-party software.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
index 538209fa2..c5ce71136 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
@@ -1,121 +1,121 @@ -control-group: - id: aws_cisa_cyber_essentials_your_systems_3 - title: Your Systems-3 - description: Implement security configurations for all hardware and software assets. - section-code: "3" - tags: - category: - - Compliance - cisa_cyber_essentials: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_apigateway_stage_logging_enabled - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_attached_volume_encryption_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_in_backup_plan - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_protected_by_backup_plan - - aws_ecs_task_definition_user_for_host_mode_check - - aws_efs_file_system_encrypted_with_cmk - - aws_efs_file_system_protected_by_backup_plan - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - 
aws_elb_application_lb_waf_enabled - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_in_vpc - - aws_es_domain_logs_to_cloudwatch - - aws_es_domain_node_to_node_encryption_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_guardduty_enabled - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_kms_cmk_rotation_enabled - - aws_kms_key_not_pending_deletion - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_logging_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_encrypted_at_rest - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - 
aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_last_changed_90_day - - aws_secretsmanager_secret_unused_90_day - - aws_securityhub_enabled - - aws_sns_topic_encrypted_at_rest - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled - - aws_wafv2_web_acl_logging_enabled +id: aws_cisa_cyber_essentials_your_systems_3 +title: Your Systems-3 +description: Implement security configurations for all hardware and software assets. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + cisa_cyber_essentials: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_apigateway_stage_logging_enabled +- aws_apigateway_stage_use_waf_web_acl +- aws_autoscaling_launch_config_public_ip_disabled +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_dms_replication_instance_not_publicly_accessible +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_attached_volume_encryption_enabled +- aws_ebs_snapshot_not_publicly_restorable +- aws_ebs_volume_in_backup_plan +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_protected_by_backup_plan +- aws_ecs_task_definition_user_for_host_mode_check +- aws_efs_file_system_encrypted_with_cmk +- aws_efs_file_system_protected_by_backup_plan +- aws_elb_application_classic_lb_logging_enabled +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_application_lb_waf_enabled +- aws_elb_application_network_lb_use_ssl_certificate +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- 
aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_in_vpc +- aws_es_domain_logs_to_cloudwatch +- aws_es_domain_node_to_node_encryption_enabled +- aws_fsx_file_system_protected_by_backup_plan +- aws_guardduty_enabled +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_inline_no_blocked_kms_actions +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_kms_cmk_rotation_enabled +- aws_kms_key_not_pending_deletion +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_log_group_encryption_at_rest_enabled +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_deletion_protection_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_logging_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_encrypted_at_rest +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_logging_enabled +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- 
aws_s3_bucket_versioning_enabled +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_last_changed_90_day +- aws_secretsmanager_secret_unused_90_day +- aws_securityhub_enabled +- aws_sns_topic_encrypted_at_rest +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml index 29f5ecf24..93908cc6e 100644 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml 
@@ -1,34 +1,34 @@ -framework: - id: aws_fedramp_low_rev_4 - title: FedRAMP Low Revision 4 - description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. - section-code: aws_fedramp_low_rev_4 - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Certifications and Attestations - plugin: - - aws - service: - - AWS - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_fedramp_low_rev_4_ac - - id: aws_fedramp_low_rev_4_au - - id: aws_fedramp_low_rev_4_ca - - id: aws_fedramp_low_rev_4_cm - - id: aws_fedramp_low_rev_4_cp - - id: aws_fedramp_low_rev_4_ia - - id: aws_fedramp_low_rev_4_ir - - id: aws_fedramp_low_rev_4_sa - - id: aws_fedramp_low_rev_4_sc +id: aws_fedramp_low_rev_4 +title: FedRAMP Low Revision 4 +description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. +section-code: aws_fedramp_low_rev_4 +type: framework +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Certifications and Attestations + plugin: + - aws + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_fedramp_low_rev_4_ac +- id: aws_fedramp_low_rev_4_au +- id: aws_fedramp_low_rev_4_ca +- id: aws_fedramp_low_rev_4_cm +- id: aws_fedramp_low_rev_4_cp +- id: aws_fedramp_low_rev_4_ia +- id: aws_fedramp_low_rev_4_ir +- id: aws_fedramp_low_rev_4_sa +- id: aws_fedramp_low_rev_4_sc 
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml index a32da32e6..cd70e7c87 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml @@ -1,20 +1,23 @@ +id: aws_fedramp_low_rev_4_ac +title: benchmark.nist_800_53_rev_4_ac.title +description: benchmark.nist_800_53_rev_4_ac.description +section-code: ac +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_low_rev_4_ac - title: benchmark.nist_800_53_rev_4_ac.title - description: benchmark.nist_800_53_rev_4_ac.description - section-code: ac - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_low_rev_4_ac_2 - - id: aws_fedramp_low_rev_4_ac_3 - - id: aws_fedramp_low_rev_4_ac_17 +- id: aws_fedramp_low_rev_4_ac_2 + type: "" +- id: aws_fedramp_low_rev_4_ac_3 + type: "" +- id: aws_fedramp_low_rev_4_ac_17 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml index 80916bc11..683e4e284 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml 
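Review bot: Every child reference in the new `control-group:` list is given `type: ""`, while the framework file's own child list in the preceding aws_fedramp_low_rev_4.yaml hunk (`- id: aws_fedramp_low_rev_4_ac` and siblings) carries no `type` key at all, so the same kind of reference is now written two different ways in one framework. An empty string is unlikely to be a meaningful type value; depending on how the loader validates it, it may be treated as unset or rejected by a schema check, which cannot be told from the diff. Either drop the key on these references or give it the real value, e.g. `- id: aws_fedramp_low_rev_4_ac_2` followed by `  type: control-group`. The same pattern recurs in the au, ca and cm control-group hunks further down.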
@@ -1,47 +1,47 @@ -control-group: - id: aws_fedramp_low_rev_4_ac_17 - title: benchmark.nist_800_53_rev_4_ac_17.title - description: benchmark.nist_800_53_rev_4_ac_17.description - section-code: "17" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_guardduty_enabled - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_securityhub_enabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_fedramp_low_rev_4_ac_17 +title: benchmark.nist_800_53_rev_4_ac_17.title +description: benchmark.nist_800_53_rev_4_ac_17.description +section-code: "17" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark 
+controls: +- aws_acm_certificate_expires_30_days +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_guardduty_enabled +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_securityhub_enabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml index 53a95703f..16556cbeb 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml 
@@ -1,46 +1,46 @@ -control-group: - id: aws_fedramp_low_rev_4_ac_2 - title: benchmark.nist_800_53_rev_4_ac_2.title - description: benchmark.nist_800_53_rev_4_ac_2.description - section-code: "2" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ecs_task_definition_user_for_host_mode_check - - aws_es_domain_logs_to_cloudwatch - - aws_guardduty_enabled - - aws_iam_account_password_policy_min_length_14 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_low_rev_4_ac_2 +title: benchmark.nist_800_53_rev_4_ac_2.title +description: benchmark.nist_800_53_rev_4_ac_2.description +section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- 
aws_cloudwatch_alarm_action_enabled +- aws_ecs_task_definition_user_for_host_mode_check +- aws_es_domain_logs_to_cloudwatch +- aws_guardduty_enabled +- aws_iam_account_password_policy_min_length_14 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_custom_no_blocked_kms_actions +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml index 190ac2d60..fdc313d70 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml 
@@ -1,44 +1,44 @@ -control-group: - id: aws_fedramp_low_rev_4_ac_3 - title: Access Enforcement (AC-3) - description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - section-code: "3" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_fedramp_low_rev_4_ac_3 +title: Access Enforcement (AC-3) +description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml index 49612352f..a88e3717d 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml 
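Review bot: `title` and `description` in this group are literal strings ("Access Enforcement (AC-3)" and the full control text), whereas the sibling groups ac_2 and ac_17 in the same framework use lookup keys of the form `benchmark.nist_800_53_rev_4_ac_2.title`. Mixing resolved text and lookup keys means some group headings are rendered through the lookup and others are not, and the literal copy will drift from the source when the lookup text is updated. If the key form is the convention for this framework, use the same `benchmark.nist_800_53_rev_4_<section>.title` / `.description` pattern here, assuming matching entries exist in the lookup source; otherwise document why this group is an exception.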
@@ -1,20 +1,23 @@ +id: aws_fedramp_low_rev_4_au +title: benchmark.nist_800_53_rev_4_au.title +description: benchmark.nist_800_53_rev_4_au.description +section-code: au +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_low_rev_4_au - title: benchmark.nist_800_53_rev_4_au.title - description: benchmark.nist_800_53_rev_4_au.description - section-code: au - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_low_rev_4_au_2 - - id: aws_fedramp_low_rev_4_au_9 - - id: aws_fedramp_low_rev_4_au_11 +- id: aws_fedramp_low_rev_4_au_2 + type: "" +- id: aws_fedramp_low_rev_4_au_9 + type: "" +- id: aws_fedramp_low_rev_4_au_11 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml index 5ee7f205f..03bf02432 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_fedramp_low_rev_4_au_11 - title: Audit Record Retention (AU-11) - description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. - section-code: "11" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark - controls: - - aws_cloudwatch_log_group_retention_period_365 +id: aws_fedramp_low_rev_4_au_11 +title: Audit Record Retention (AU-11) +description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. +section-code: "11" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark +controls: +- aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml index 2f1bf329c..bffb64b59 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml 
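Review bot: The description states audit records are retained for at least 90 days, but the only mapped control is `aws_cloudwatch_log_group_retention_period_365`, so the group enforces a 365-day threshold that the text does not mention and a reader comparing the two will assume one is wrong. If the stricter value is deliberate, record it with a comment above the control, e.g. `# 365-day retention control used as the enforced floor; the AU-11 text states 90 days`, otherwise map a control matching the stated period if one exists. Separately, `service: - AWS/CloudWatch` differs from the `- AWS` tag used by every sibling group in this framework; it looks like an inconsistency rather than intent, but that is inferred from the surrounding files only.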
@@ -1,28 +1,28 @@ -control-group: - id: aws_fedramp_low_rev_4_au_2 - title: Audit Events (AU-2) - description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." - section-code: "2" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_low_rev_4_au_2 +title: Audit Events (AU-2) +description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." 
+section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml index 38b1edadb..85aa96ae0 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml 
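Review bot: The `description` value carries hyphenation artifacts from the copied control text: `audit- related` and `after- the-fact` should read `audit-related` and `after-the-fact`. The string is moved verbatim to the top level by this change, so the stray spaces survive the migration; fixing them here avoids a second touch of the file. The wording of the rest of the quoted text is left as-is.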
@@ -1,22 +1,22 @@ -control-group: - id: aws_fedramp_low_rev_4_au_9 - title: benchmark.nist_800_53_rev_4_au_9.title - description: benchmark.nist_800_53_rev_4_au_9.description - section-code: "9" - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_fedramp_low_rev_4_au_9 +title: benchmark.nist_800_53_rev_4_au_9.title +description: benchmark.nist_800_53_rev_4_au_9.description +section-code: "9" +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml index 07f444a7f..2043339c4 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_low_rev_4_ca +title: benchmark.nist_800_53_rev_4_ca.title +description: benchmark.nist_800_53_rev_4_ca.description +section-code: ca +type: control-group +tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_low_rev_4_ca - title: benchmark.nist_800_53_rev_4_ca.title - description: benchmark.nist_800_53_rev_4_ca.description - section-code: ca - tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_low_rev_4_ca_7 +- id: aws_fedramp_low_rev_4_ca_7 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml index 1d272c8cc..a08f8a015 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml 
@@ -1,31 +1,31 @@
-control-group:
- id: aws_fedramp_low_rev_4_ca_7
- title: benchmark.nist_800_53_rev_4_ca_7.title
- description: benchmark.nist_800_53_rev_4_ca_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_low_rev_4_ca_7
+title: benchmark.nist_800_53_rev_4_ca_7.title
+description: benchmark.nist_800_53_rev_4_ca_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml
index aa9d6c3c6..89db3dc01 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml
@@ -1,19 +1,21 @@
+id: aws_fedramp_low_rev_4_cm
+title: benchmark.nist_800_53_rev_4_cm.title
+description: benchmark.nist_800_53_rev_4_cm.description
+section-code: cm
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_cm
- title: benchmark.nist_800_53_rev_4_cm.title
- description: benchmark.nist_800_53_rev_4_cm.description
- section-code: cm
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_cm_2
- - id: aws_fedramp_low_rev_4_cm_8
+- id: aws_fedramp_low_rev_4_cm_2
+ type: ""
+- id: aws_fedramp_low_rev_4_cm_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml
index 1f090047a..544195c48 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml
@@ -1,46 +1,46 @@
-control-group:
- id: aws_fedramp_low_rev_4_cm_2
- title: benchmark.nist_800_53_rev_4_cm_2.title
- description: benchmark.nist_800_53_rev_4_cm_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_unused
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_fedramp_low_rev_4_cm_2
+title: benchmark.nist_800_53_rev_4_cm_2.title
+description: benchmark.nist_800_53_rev_4_cm_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_use_waf_web_acl
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ebs_volume_unused
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml
index 07870d975..ca1f4f9c5 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_fedramp_low_rev_4_cm_8
- title: benchmark.nist_800_53_rev_4_cm_8.title
- description: benchmark.nist_800_53_rev_4_cm_8.description
- section-code: "8"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_fedramp_low_rev_4_cm_8
+title: benchmark.nist_800_53_rev_4_cm_8.title
+description: benchmark.nist_800_53_rev_4_cm_8.description
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_guardduty_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml
index 47a8bf8f0..430893ffb 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml
@@ -1,19 +1,21 @@
+id: aws_fedramp_low_rev_4_cp
+title: benchmark.nist_800_53_rev_4_cp.title
+description: benchmark.nist_800_53_rev_4_cp.description
+section-code: cp
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_cp
- title: benchmark.nist_800_53_rev_4_cp.title
- description: benchmark.nist_800_53_rev_4_cp.description
- section-code: cp
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_cp_9
- - id: aws_fedramp_low_rev_4_cp_10
+- id: aws_fedramp_low_rev_4_cp_9
+ type: ""
+- id: aws_fedramp_low_rev_4_cp_10
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml
index bba207ea9..935572431 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_fedramp_low_rev_4_cp_10
- title: benchmark.nist_800_53_rev_4_cp_10.title
- description: benchmark.nist_800_53_rev_4_cp_10.description
- section-code: "10"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_fedramp_low_rev_4_cp_10
+title: benchmark.nist_800_53_rev_4_cp_10.title
+description: benchmark.nist_800_53_rev_4_cp_10.description
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
index 41957cd60..c63a25c27 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_fedramp_low_rev_4_cp_9
- title: benchmark.nist_800_53_rev_4_cp_9.title
- description: benchmark.nist_800_53_rev_4_cp_9.description
- section-code: "9"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_fedramp_low_rev_4_cp_9
+title: benchmark.nist_800_53_rev_4_cp_9.title
+description: benchmark.nist_800_53_rev_4_cp_9.description
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
index 5a24788aa..7224e4107 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_low_rev_4_ia
+title: benchmark.nist_800_53_rev_4_ia.title
+description: benchmark.nist_800_53_rev_4_ia.description
+section-code: ia
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_ia
- title: benchmark.nist_800_53_rev_4_ia.title
- description: benchmark.nist_800_53_rev_4_ia.description
- section-code: ia
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_ia_2
+- id: aws_fedramp_low_rev_4_ia_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
index 0822f760f..0e8cba4dc 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_fedramp_low_rev_4_ia_2
- title: benchmark.nist_800_53_rev_4_ia_2.title
- description: benchmark.nist_800_53_rev_4_ia_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_fedramp_low_rev_4_ia_2
+title: benchmark.nist_800_53_rev_4_ia_2.title
+description: benchmark.nist_800_53_rev_4_ia_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
index f1adf7588..7d1008c39 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_low_rev_4_ir
+title: benchmark.nist_800_53_rev_4_ir.title
+description: benchmark.nist_800_53_rev_4_ir.description
+section-code: ir
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_ir
- title: benchmark.nist_800_53_rev_4_ir.title
- description: benchmark.nist_800_53_rev_4_ir.description
- section-code: ir
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_ir_4
+- id: aws_fedramp_low_rev_4_ir_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
index 9a834704b..3fb0a78a5 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_fedramp_low_rev_4_ir_4
- title: benchmark.nist_800_53_rev_4_ir_4.title
- description: benchmark.nist_800_53_rev_4_ir_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_fedramp_low_rev_4_ir_4
+title: benchmark.nist_800_53_rev_4_ir_4.title
+description: benchmark.nist_800_53_rev_4_ir_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
index 0f3adfa27..cc4bc48f3 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_low_rev_4_sa
+title: benchmark.nist_800_53_rev_4_sa.title
+description: benchmark.nist_800_53_rev_4_sa.description
+section-code: sa
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_sa
- title: benchmark.nist_800_53_rev_4_sa.title
- description: benchmark.nist_800_53_rev_4_sa.description
- section-code: sa
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_sa_3
+- id: aws_fedramp_low_rev_4_sa_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
index 8e08598d0..a79eb03b8 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_low_rev_4_sa_3
- title: benchmark.nist_800_53_rev_4_sa_3.title
- description: benchmark.nist_800_53_rev_4_sa_3.description
- section-code: "3"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
+id: aws_fedramp_low_rev_4_sa_3
+title: benchmark.nist_800_53_rev_4_sa_3.title
+description: benchmark.nist_800_53_rev_4_sa_3.description
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
index 00acbccc6..ce7c75c3c 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
@@ -1,21 +1,25 @@
+id: aws_fedramp_low_rev_4_sc
+title: benchmark.nist_800_53_rev_4_sc.title
+description: benchmark.nist_800_53_rev_4_sc.description
+section-code: sc
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_low_rev_4_sc
- title: benchmark.nist_800_53_rev_4_sc.title
- description: benchmark.nist_800_53_rev_4_sc.description
- section-code: sc
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_low_rev_4_sc_5
- - id: aws_fedramp_low_rev_4_sc_7
- - id: aws_fedramp_low_rev_4_sc_12
- - id: aws_fedramp_low_rev_4_sc_13
+- id: aws_fedramp_low_rev_4_sc_5
+ type: ""
+- id: aws_fedramp_low_rev_4_sc_7
+ type: ""
+- id: aws_fedramp_low_rev_4_sc_12
+ type: ""
+- id: aws_fedramp_low_rev_4_sc_13
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
index d147ec3cd..d50c8b1bf 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_low_rev_4_sc_12
- title: benchmark.nist_800_53_rev_4_sc_12.title
- description: benchmark.nist_800_53_rev_4_sc_12.description
- section-code: "12"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_fedramp_low_rev_4_sc_12
+title: benchmark.nist_800_53_rev_4_sc_12.title
+description: benchmark.nist_800_53_rev_4_sc_12.description
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
index ce7b5d193..29c4538f1 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_fedramp_low_rev_4_sc_13
- title: Use of Cryptography (SC-13)
- description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- section-code: "13"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_kms_key_not_pending_deletion
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_fedramp_low_rev_4_sc_13
+title: Use of Cryptography (SC-13)
+description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_kms_key_not_pending_deletion
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
index 484809a7a..19482ecb2 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
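Review bot: `title: Use of Cryptography (SC-13)` and the literal `description:` on the new side of this hunk are the only group in the fedramp_low_rev_4 set that carry inline text instead of the `benchmark.nist_800_53_rev_4_<id>.title` / `.description` lookup keys every sibling in this diff uses (au_9, ca_7, cm_2, sc_12 and the rest), so this group will not follow the shared benchmark strings and will drift if those are edited. Switching to `title: benchmark.nist_800_53_rev_4_sc_13.title` and `description: benchmark.nist_800_53_rev_4_sc_13.description` would bring it in line, assuming those keys exist in the benchmark string table, which this diff does not show.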
@@ -1,32 +1,32 @@
-control-group:
- id: aws_fedramp_low_rev_4_sc_5
- title: benchmark.nist_800_53_rev_4_sc_5.title
- description: benchmark.nist_800_53_rev_4_sc_5.description
- section-code: "5"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_fedramp_low_rev_4_sc_5
+title: benchmark.nist_800_53_rev_4_sc_5.title
+description: benchmark.nist_800_53_rev_4_sc_5.description
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ec2_instance_ebs_optimized
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
index d27dc373b..f2c08c979 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
@@ -1,46 +1,46 @@
-control-group:
- id: aws_fedramp_low_rev_4_sc_7
- title: benchmark.nist_800_53_rev_4_sc_7.title
- description: benchmark.nist_800_53_rev_4_sc_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_fedramp_low_rev_4_sc_7
+title: benchmark.nist_800_53_rev_4_sc_7.title
+description: benchmark.nist_800_53_rev_4_sc_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml
index 67baeeaa2..ae481458e 100644
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml
@@ -1,36 +1,36 @@
-framework:
- id: aws_fedramp_moderate_rev_4
- title: FedRAMP Moderate Revision 4
- description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
- section-code: aws_fedramp_moderate_rev_4
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac
- - id: aws_fedramp_moderate_rev_4_au
- - id: aws_fedramp_moderate_rev_4_ca
- - id: aws_fedramp_moderate_rev_4_cm
- - id: aws_fedramp_moderate_rev_4_cp
- - id: aws_fedramp_moderate_rev_4_ia
- - id: aws_fedramp_moderate_rev_4_ir
- - id: aws_fedramp_moderate_rev_4_ra
- - id: aws_fedramp_moderate_rev_4_sa
- - id: aws_fedramp_moderate_rev_4_sc
- - id: aws_fedramp_moderate_rev_4_si
+id: aws_fedramp_moderate_rev_4
+title: FedRAMP Moderate Revision 4
+description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
+section-code: aws_fedramp_moderate_rev_4
+type: framework
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_fedramp_moderate_rev_4_ac
+- id: aws_fedramp_moderate_rev_4_au
+- id: aws_fedramp_moderate_rev_4_ca
+- id: aws_fedramp_moderate_rev_4_cm
+- id: aws_fedramp_moderate_rev_4_cp
+- id: aws_fedramp_moderate_rev_4_ia
+- id: aws_fedramp_moderate_rev_4_ir
+- id: aws_fedramp_moderate_rev_4_ra
+- id: aws_fedramp_moderate_rev_4_sa
+- id: aws_fedramp_moderate_rev_4_sc
+- id: aws_fedramp_moderate_rev_4_si
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
index 4ac0e1858..0e1e6ad8c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
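Review bot: The new top-level `defaults:` block ships this FedRAMP Moderate framework with `enabled: false` and `tracks-drift-events: false`, and nothing in the file records why, so a reader cannot tell whether the framework is meant to be opted in per integration or whether drift tracking was deliberately left off. If those flags mean what their names suggest (not verifiable from this hunk), an operator who assumes FedRAMP Moderate is evaluated out of the box gets no findings and no drift events until someone flips them. I would add a comment above `defaults:` such as `# Opt-in: disabled and non-drift-tracking by default; enable per integration once the control-group ids below are loaded.`, and confirm the loader's semantics for `tracks-drift-events` before relying on it.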
@@ -1,24 +1,31 @@
+id: aws_fedramp_moderate_rev_4_ac
+title: benchmark.nist_800_53_rev_4_ac.title
+description: benchmark.nist_800_53_rev_4_ac.description
+section-code: ac
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ac
- title: benchmark.nist_800_53_rev_4_ac.title
- description: benchmark.nist_800_53_rev_4_ac.description
- section-code: ac
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac_2
- - id: aws_fedramp_moderate_rev_4_ac_3
- - id: aws_fedramp_moderate_rev_4_ac_4
- - id: aws_fedramp_moderate_rev_4_ac_5
- - id: aws_fedramp_moderate_rev_4_ac_6
- - id: aws_fedramp_moderate_rev_4_ac_17
- - id: aws_fedramp_moderate_rev_4_ac_21
+- id: aws_fedramp_moderate_rev_4_ac_2
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_3
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_5
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_6
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_17
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_21
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
index 167d7a71c..253d6110a 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
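Review bot: Every child reference in the new `control-group:` list is written with `type: ""` (for example `- id: aws_fedramp_moderate_rev_4_ac_2` followed by `  type: ""`), while each file this commit rewrites declares a non-empty `type` (`control-group`, `framework`, `control`) at its top level. If the loader uses `type` to decide how an `id` is resolved, an empty string either falls back to an undocumented default or silently drops the reference, and a dropped reference here would remove all of AC-2, AC-3, AC-4, AC-5, AC-6, AC-17 and AC-21 from FedRAMP Moderate without any control failing. I would either write `type: control-group` on each child entry or omit the key entirely so the loader's default applies, and have the loader reject an empty `type` rather than tolerate it. How the loader treats `""` is not visible in this diff and should be confirmed before merging.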
@@ -1,19 +1,21 @@
+id: aws_fedramp_moderate_rev_4_ac_17
+title: benchmark.nist_800_53_rev_4_ac_17.title
+description: benchmark.nist_800_53_rev_4_ac_17.description
+section-code: "17"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ac_17
- title: benchmark.nist_800_53_rev_4_ac_17.title
- description: benchmark.nist_800_53_rev_4_ac_17.description
- section-code: "17"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac_17_1
- - id: aws_fedramp_moderate_rev_4_ac_17_2
+- id: aws_fedramp_moderate_rev_4_ac_17_1
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_17_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
index 070b4f4af..532c3b718 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
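Review bot: The two child entries `aws_fedramp_moderate_rev_4_ac_17_1` and `aws_fedramp_moderate_rev_4_ac_17_2` are given `type: ""` while the file itself declares `type: control-group`; if the loader dispatches on `type`, an empty value may cause both AC-17 sub-groups, which carry the remote-access public-exposure and encryption-in-transit controls, to be skipped without error. I would write `type: control-group` on both entries (or drop the key if the loader defaults it) and have the loader fail on an empty `type`. Whether `""` is currently tolerated is not visible here and should be checked.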
@@ -1,40 +1,40 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_17_1
- title: benchmark.nist_800_53_rev_4_ac_17_1.title
- description: benchmark.nist_800_53_rev_4_ac_17_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_guardduty_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_securityhub_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_fedramp_moderate_rev_4_ac_17_1
+title: benchmark.nist_800_53_rev_4_ac_17_1.title
+description: benchmark.nist_800_53_rev_4_ac_17_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_guardduty_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_securityhub_enabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
index 52789e915..414407cb9 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_17_2
- title: benchmark.nist_800_53_rev_4_ac_17_2.title
- description: benchmark.nist_800_53_rev_4_ac_17_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_fedramp_moderate_rev_4_ac_17_2
+title: benchmark.nist_800_53_rev_4_ac_17_2.title
+description: benchmark.nist_800_53_rev_4_ac_17_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
index c9f1b311f..90f304676 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
@@ -1,24 +1,31 @@
+id: aws_fedramp_moderate_rev_4_ac_2
+title: benchmark.nist_800_53_rev_4_ac_2.title
+description: benchmark.nist_800_53_rev_4_ac_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ac_2
- title: benchmark.nist_800_53_rev_4_ac_2.title
- description: benchmark.nist_800_53_rev_4_ac_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac_2_1
- - id: aws_fedramp_moderate_rev_4_ac_2_4
- - id: aws_fedramp_moderate_rev_4_ac_2_12
- - id: aws_fedramp_moderate_rev_4_ac_2_f
- - id: aws_fedramp_moderate_rev_4_ac_2_g
- - id: aws_fedramp_moderate_rev_4_ac_2_j
- - id: aws_fedramp_moderate_rev_4_ac_2_3
+- id: aws_fedramp_moderate_rev_4_ac_2_1
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_12
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_f
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_g
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_j
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ac_2_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
index 4a1955d2a..1ca974c82 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
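Review bot: All seven AC-2 child references (`ac_2_1`, `ac_2_4`, `ac_2_12`, `ac_2_f`, `ac_2_g`, `ac_2_j`, `ac_2_3`) are emitted with `type: ""`, whereas the enclosing file and every other rewritten file declare a concrete `type`. These children hold the account-management controls that matter most for an authorization boundary (root MFA, unused-credential and access-key age limits, CloudTrail coverage), so if the loader treats an empty `type` as "unknown" and skips the entry, the gap would be invisible in results. I would write `type: control-group` on each entry or remove the key so the default applies, and make the loader reject `""`; the loader's behavior on an empty string is not shown in this diff and needs confirming.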
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ac_21
+title: benchmark.nist_800_53_rev_4_ac_21.title
+description: benchmark.nist_800_53_rev_4_ac_21.description
+section-code: "21"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ac_21
- title: benchmark.nist_800_53_rev_4_ac_21.title
- description: benchmark.nist_800_53_rev_4_ac_21.description
- section-code: "21"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac_21_b
+- id: aws_fedramp_moderate_rev_4_ac_21_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
index 9fa3f464c..5551a7d32 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
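Review bot: The single child entry `- id: aws_fedramp_moderate_rev_4_ac_21_b` is followed by `type: ""`, so AC-21 hangs entirely on how the loader interprets an empty `type`; if it skips the entry, the whole AC-21 information-sharing group evaluates to nothing while still appearing in the framework tree. I would write `type: control-group` here (or omit the key if the loader defaults it) and have the loader error on an empty value rather than pass silently. The loader's handling of `""` is not visible in this diff.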
@@ -1,36 +1,36 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_21_b
- title: AC-21(b)
- description: "The organization: b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions."
- section-code: b
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_fedramp_moderate_rev_4_ac_21_b
+title: AC-21(b)
+description: "The organization: b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
index 93e2a7f81..4473c2885 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_1
- title: benchmark.nist_800_53_rev_4_ac_2_1.title
- description: benchmark.nist_800_53_rev_4_ac_2_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ac_2_1
+title: benchmark.nist_800_53_rev_4_ac_2_1.title
+description: benchmark.nist_800_53_rev_4_ac_2_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
index 145b134b8..1ca6a653c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ac_2_12
+title: benchmark.nist_800_53_rev_4_ac_2_12.title
+description: benchmark.nist_800_53_rev_4_ac_2_12.description
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_12
- title: benchmark.nist_800_53_rev_4_ac_2_12.title
- description: benchmark.nist_800_53_rev_4_ac_2_12.description
- section-code: "12"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ac_2_12_a
+- id: aws_fedramp_moderate_rev_4_ac_2_12_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
index 5ee52d00f..f6786272f 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
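Review bot: The only child of AC-2(12), `- id: aws_fedramp_moderate_rev_4_ac_2_12_a`, is emitted with `type: ""`, so the account-monitoring sub-group (which maps `aws_guardduty_enabled` and `aws_securityhub_enabled`) depends on the loader tolerating an empty `type`. I would write `type: control-group` on the entry or drop the key so the loader default applies, and have the loader reject `""` outright so a mis-typed reference fails at load time instead of silently thinning the framework. This diff does not show how the loader treats an empty string.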
@@ -1,19 +1,19 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_12_a
- title: AC-2(12)(a)
- description: "The organization: a. Monitors information system accounts for [Assignment: organization-defined atypical use]."
- section-code: a
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ac_2_12_a
+title: AC-2(12)(a)
+description: "The organization: a. Monitors information system accounts for [Assignment: organization-defined atypical use]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
index e04c9cd2e..0a319a34c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_3
- title: benchmark.nist_800_53_rev_4_ac_2_3.title
- description: benchmark.nist_800_53_rev_4_ac_2_3.description
- section-code: "3"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+id: aws_fedramp_moderate_rev_4_ac_2_3
+title: benchmark.nist_800_53_rev_4_ac_2_3.title
+description: benchmark.nist_800_53_rev_4_ac_2_3.description
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
index 000eaa1e5..c673a3d35 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
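Review bot: The `service` tag on this group is `AWS/IAM` while sibling AC-2 groups rewritten in the same commit that also hold only IAM controls (`ac_2_1`, `ac_2_4`, `ac_2_j`) carry `AWS`; if reports or filters key on `service`, AC-2(3) and AC-2(f) (which also uses `AWS/IAM`) will be bucketed apart from the rest of AC-2. Either normalize to `- AWS` here or apply `AWS/IAM` consistently across the IAM-only groups. Separately, `aws_iam_account_password_policy_min_length_14` is a loose fit for AC-2(3) (disabling inactive accounts in NIST 800-53 rev. 4) next to `aws_iam_user_unused_credentials_90`, which does speak to inactivity; if the mapping is intentional, a comment such as `# password-length check kept here as a compensating control; inactivity is covered by unused_credentials_90` would save an assessor the question.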
@@ -1,27 +1,27 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_4
- title: benchmark.nist_800_53_rev_4_ac_2_4.title
- description: benchmark.nist_800_53_rev_4_ac_2_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ac_2_4
+title: benchmark.nist_800_53_rev_4_ac_2_4.title
+description: benchmark.nist_800_53_rev_4_ac_2_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
index 6897c764f..e835e3c15 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_f
- title: AC-2(f)
- description: "The organization: f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]."
- section-code: f
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
+id: aws_fedramp_moderate_rev_4_ac_2_f
+title: AC-2(f)
+description: "The organization: f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]."
+section-code: f
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
index 031bd4df9..7edc3a1c3 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_g
- title: AC-2(g)
- description: "The organization: g. Monitors the use of information system accounts."
- section-code: g
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_fedramp_moderate_rev_4_ac_2_g
+title: AC-2(g)
+description: "The organization: g. Monitors the use of information system accounts."
+section-code: g
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_es_domain_logs_to_cloudwatch
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml
index 304970a68..10aa9885e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml 
@@ -1,32 +1,32 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_2_j
- title: AC-2(j)
- description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
- section-code: j
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
+id: aws_fedramp_moderate_rev_4_ac_2_j
+title: AC-2(j)
+description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
+section-code: j
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
index 1716878c7..bc9966312 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
@@ -1,44 +1,44 @@ -control-group: - id: aws_fedramp_moderate_rev_4_ac_3 - title: Access Enforcement (AC-3) - description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - section-code: "3" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_fedramp_moderate_rev_4_ac_3 +title: Access Enforcement (AC-3) +description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml index c6e738b7d..d8f6e48f6 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml 
@@ -1,36 +1,36 @@ -control-group: - id: aws_fedramp_moderate_rev_4_ac_4 - title: benchmark.nist_800_53_rev_4_ac_4.title - description: benchmark.nist_800_53_rev_4_ac_4.description - section-code: "4" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all +id: aws_fedramp_moderate_rev_4_ac_4 +title: benchmark.nist_800_53_rev_4_ac_4.title +description: benchmark.nist_800_53_rev_4_ac_4.description +section-code: "4" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- 
aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml index 95d97f0db..e23c396b8 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml @@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_ac_5 +title: benchmark.nist_800_53_rev_4_ac_5.title +description: benchmark.nist_800_53_rev_4_ac_5.description +section-code: "5" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ac_5 - title: benchmark.nist_800_53_rev_4_ac_5.title - description: benchmark.nist_800_53_rev_4_ac_5.description - section-code: "5" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ac_5_c +- id: aws_fedramp_moderate_rev_4_ac_5_c + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml index 45549ec40..b97747e68 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml 
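Review bot: The new side keeps `title: benchmark.nist_800_53_rev_4_ac_4.title` and `description: benchmark.nist_800_53_rev_4_ac_4.description` as the group's title and description, while sibling groups in this same diff (AC-2(j), AC-3, AU-11) carry literal control text. Nothing in the diff shows a loader resolving dotted `benchmark.*` keys, so if they are not resolved these strings will appear verbatim in reports, pointing assessors at a different framework's key instead of the FedRAMP control wording. Suggest replacing them with the control's own text, e.g. `title: Information Flow Enforcement (AC-4)` plus a one-sentence description of the control, as the AC-3 file does. The same placeholder keys recur in ac_5, ac_6, ac_6_10, au, au_3, au_6, au_7, au_7_1, au_9 and au_12 in this diff.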
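Review bot: The child reference added under `control-group:` carries an empty kind (`- id: aws_fedramp_moderate_rev_4_ac_5_c` / `type: ""`), whereas the group itself is tagged `type: control-group` on the new side. If the loader dispatches or validates on `type`, an empty string is neither a control nor a control-group and will either be rejected or silently fall into a default branch; either way the child's kind is left unstated in the data. Suggest `type: control-group` on the reference, matching the top-level field, or dropping the key entirely if references are resolved by `id` alone. The same `type: ""` appears on every child reference in this diff (ac_6, au, au_2, au_6, au_7, au_9, au_12).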
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml @@ -1,28 +1,28 @@ -control-group: - id: aws_fedramp_moderate_rev_4_ac_5_c - title: AC-5(c) - description: "The organization: c. Defines information system access authorizations to support separation of duties." - section-code: c - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ecs_task_definition_user_for_host_mode_check - - aws_iam_account_password_policy_min_length_14 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 +id: aws_fedramp_moderate_rev_4_ac_5_c +title: AC-5(c) +description: "The organization: c. Defines information system access authorizations to support separation of duties." +section-code: c +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ecs_task_definition_user_for_host_mode_check +- aws_iam_account_password_policy_min_length_14 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_custom_no_blocked_kms_actions +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml index dda1b76ce..3c00c75ad 100755 
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml 
@@ -1,44 +1,45 @@ +id: aws_fedramp_moderate_rev_4_ac_6 +title: benchmark.nist_800_53_rev_4_ac_6.title +description: benchmark.nist_800_53_rev_4_ac_6.description +section-code: "6" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ac_6 - title: benchmark.nist_800_53_rev_4_ac_6.title - description: benchmark.nist_800_53_rev_4_ac_6.description - section-code: "6" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ac_6_10 - controls: - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +- id: aws_fedramp_moderate_rev_4_ac_6_10 + type: "" +controls: +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_dms_replication_instance_not_publicly_accessible +- 
aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_not_empty +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml index e3843b562..27b0fafad 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml 
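Review bot: The parent group now lists `controls` directly while also referencing the child group `aws_fedramp_moderate_rev_4_ac_6_10`, and two of those controls (`aws_iam_policy_no_star_star`, `aws_iam_root_user_no_access_keys`) are also in the child's list in the next file. If the reporting layer rolls child results up into the parent, each failing resource under those controls will be counted twice for AC-6; if it does not, the overlap is harmless but still confusing to an assessor. Suggest either removing the two duplicated entries from the parent list or adding a comment above `controls:` stating that the parent list is intentionally a superset of AC-6(10), e.g. `# Parent list intentionally overlaps with ac_6_10; results are de-duplicated by control id.` if that is actually the case.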
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ac_6_10
- title: benchmark.nist_800_53_rev_4_ac_6_10.title
- description: benchmark.nist_800_53_rev_4_ac_6_10.description
- section-code: "10"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
+id: aws_fedramp_moderate_rev_4_ac_6_10
+title: benchmark.nist_800_53_rev_4_ac_6_10.title
+description: benchmark.nist_800_53_rev_4_ac_6_10.description
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml
index fe2f435d3..ccdea9745 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml
@@ -1,24 +1,31 @@ +id: aws_fedramp_moderate_rev_4_au +title: benchmark.nist_800_53_rev_4_au.title +description: benchmark.nist_800_53_rev_4_au.description +section-code: au +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au - title: benchmark.nist_800_53_rev_4_au.title - description: benchmark.nist_800_53_rev_4_au.description - section-code: au - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_2 - - id: aws_fedramp_moderate_rev_4_au_3 - - id: aws_fedramp_moderate_rev_4_au_6 - - id: aws_fedramp_moderate_rev_4_au_7 - - id: aws_fedramp_moderate_rev_4_au_9 - - id: aws_fedramp_moderate_rev_4_au_11 - - id: aws_fedramp_moderate_rev_4_au_12 +- id: aws_fedramp_moderate_rev_4_au_2 + type: "" +- id: aws_fedramp_moderate_rev_4_au_3 + type: "" +- id: aws_fedramp_moderate_rev_4_au_6 + type: "" +- id: aws_fedramp_moderate_rev_4_au_7 + type: "" +- id: aws_fedramp_moderate_rev_4_au_9 + type: "" +- id: aws_fedramp_moderate_rev_4_au_11 + type: "" +- id: aws_fedramp_moderate_rev_4_au_12 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml index 9353a9a8b..63b92710e 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml 
@@ -1,18 +1,18 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_au_11
- title: Audit Record Retention (AU-11)
- description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
- section-code: "11"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_fedramp_moderate_rev_4_au_11
+title: Audit Record Retention (AU-11)
+description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml
index 72f3267d1..577c9ca5b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml
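Review bot: The description on the new side states retention `for at least 90 days`, but the only control mapped is `aws_cloudwatch_log_group_retention_period_365`, so a log group configured with 90- or 180-day retention will fail this group even though it meets the requirement as written. The threshold the group actually enforces should be visible in the text rather than only in the control id: either append to the description `Log groups are evaluated against a 365-day retention period; shorter retention fails this control.` or map a control whose threshold matches the 90 days quoted. Separately, only CloudWatch log groups are evaluated here; if CloudTrail or other audit records are delivered to S3 in this environment, nothing in this group checks their retention, which is worth stating so the gap is not mistaken for coverage.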
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_au_12 +title: benchmark.nist_800_53_rev_4_au_12.title +description: benchmark.nist_800_53_rev_4_au_12.description +section-code: "12" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au_12 - title: benchmark.nist_800_53_rev_4_au_12.title - description: benchmark.nist_800_53_rev_4_au_12.description - section-code: "12" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_12_a_c +- id: aws_fedramp_moderate_rev_4_au_12_a_c + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml index 1b4b4d6f0..125995a97 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_12_a_c - title: AU-12(a)(c) - description: "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3." - section-code: a_c - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_moderate_rev_4_au_12_a_c +title: AU-12(a)(c) +description: "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3." 
+section-code: a_c +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml index 88473d3d1..ebae9f28b 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_au_2 +title: Audit Events (AU-2) +description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." +section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au_2 - title: Audit Events (AU-2) - description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." - section-code: "2" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_2_a_d +- id: aws_fedramp_moderate_rev_4_au_2_a_d + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml index bfb148496..b939098cc 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml 
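Review bot: The new `description:` line for AU-2 carries line-wrap artifacts from the source document: `audit- related` in clause b. and `after- the-fact` in clause c., which are user-visible in generated reports. Suggest `audit-related` and `after-the-fact`. Clause c. also reads `deemed to be adequate support after-the-fact investigations`, which drops a word; the NIST wording is `deemed to be adequate to support after-the-fact investigations of security incidents`.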
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_2_a_d - title: AU-2(a)(d) - description: "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]." - section-code: a_d - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_moderate_rev_4_au_2_a_d +title: AU-2(a)(d) +description: "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. 
Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]." +section-code: a_d +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml index 7eea0195c..249d8d4b1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_3 - title: benchmark.nist_800_53_rev_4_au_3.title - description: benchmark.nist_800_53_rev_4_au_3.description - section-code: "3" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_moderate_rev_4_au_3 +title: benchmark.nist_800_53_rev_4_au_3.title +description: benchmark.nist_800_53_rev_4_au_3.description +section-code: "3" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml index acfd56bb9..8ebc0d432 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_au_6 +title: benchmark.nist_800_53_rev_4_au_6.title +description: benchmark.nist_800_53_rev_4_au_6.description +section-code: "6" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au_6 - title: benchmark.nist_800_53_rev_4_au_6.title - description: benchmark.nist_800_53_rev_4_au_6.description - section-code: "6" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_6_1_3 +- id: aws_fedramp_moderate_rev_4_au_6_1_3 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml index 71852143e..307465bc9 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml 
@@ -1,32 +1,32 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_6_1_3 - title: AU-6(1)(3) - description: (1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. - section-code: "1_3" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_fedramp_moderate_rev_4_au_6_1_3 +title: AU-6(1)(3) +description: (1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. 
+section-code: "1_3" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml index bfcf9fcde..c07b1ae58 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml @@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_au_7 +title: benchmark.nist_800_53_rev_4_au_7.title +description: benchmark.nist_800_53_rev_4_au_7.description +section-code: "7" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au_7 - title: benchmark.nist_800_53_rev_4_au_7.title - description: benchmark.nist_800_53_rev_4_au_7.description - section-code: "7" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_7_1 +- id: aws_fedramp_moderate_rev_4_au_7_1 + type: "" 
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml index 286121140..5bf1e0c3c 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_7_1 - title: benchmark.nist_800_53_rev_4_au_7_1.title - description: benchmark.nist_800_53_rev_4_au_7_1.description - section-code: "1" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled +id: aws_fedramp_moderate_rev_4_au_7_1 +title: benchmark.nist_800_53_rev_4_au_7_1.title +description: benchmark.nist_800_53_rev_4_au_7_1.description +section-code: "1" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml index 54aa3ba40..daad6199b 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml 
@@ -1,22 +1,23 @@ +id: aws_fedramp_moderate_rev_4_au_9 +title: benchmark.nist_800_53_rev_4_au_9.title +description: benchmark.nist_800_53_rev_4_au_9.description +section-code: "9" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_au_9 - title: benchmark.nist_800_53_rev_4_au_9.title - description: benchmark.nist_800_53_rev_4_au_9.description - section-code: "9" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_au_9_2 - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled +- id: aws_fedramp_moderate_rev_4_au_9_2 + type: "" +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_log_group_encryption_at_rest_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml index 4a17764a8..b81029717 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_fedramp_moderate_rev_4_au_9_2 - title: AU-9(2) Audit Backup On Separate Physical Systems / Components - description: The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. - section-code: "2" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark - controls: - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_fedramp_moderate_rev_4_au_9_2 +title: AU-9(2) Audit Backup On Separate Physical Systems / Components +description: The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. +section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark +controls: +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml index 833e36a32..9ef4e5aa6 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_ca +title: benchmark.nist_800_53_rev_4_ca.title +description: benchmark.nist_800_53_rev_4_ca.description +section-code: ca +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ca - title: benchmark.nist_800_53_rev_4_ca.title - description: benchmark.nist_800_53_rev_4_ca.description - section-code: ca - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ca_7 +- id: aws_fedramp_moderate_rev_4_ca_7 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml index 6bdaa6550..53ce9e942 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml @@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_ca_7 +title: benchmark.nist_800_53_rev_4_ca_7.title +description: benchmark.nist_800_53_rev_4_ca_7.description +section-code: "7" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ca_7 - title: benchmark.nist_800_53_rev_4_ca_7.title - description: benchmark.nist_800_53_rev_4_ca_7.description - section-code: "7" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ca_7_a_b +- id: aws_fedramp_moderate_rev_4_ca_7_a_b + type: "" 
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml index a37ed87f1..1cd9aa610 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml 
@@ -1,30 +1,30 @@ -control-group: - id: aws_fedramp_moderate_rev_4_ca_7_a_b - title: CA-7(a)(b) - description: "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring." - section-code: a_b - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled +id: aws_fedramp_moderate_rev_4_ca_7_a_b +title: CA-7(a)(b) +description: "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring." 
+section-code: a_b +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudwatch_alarm_action_enabled +- aws_ec2_instance_detailed_monitoring_enabled +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml index 209a0640b..318bf4695 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml 
@@ -1,20 +1,23 @@ +id: aws_fedramp_moderate_rev_4_cm +title: benchmark.nist_800_53_rev_4_cm.title +description: benchmark.nist_800_53_rev_4_cm.description +section-code: cm +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cm - title: benchmark.nist_800_53_rev_4_cm.title - description: benchmark.nist_800_53_rev_4_cm.description - section-code: cm - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cm_2 - - id: aws_fedramp_moderate_rev_4_cm_7 - - id: aws_fedramp_moderate_rev_4_cm_8 +- id: aws_fedramp_moderate_rev_4_cm_2 + type: "" +- id: aws_fedramp_moderate_rev_4_cm_7 + type: "" +- id: aws_fedramp_moderate_rev_4_cm_8 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml index 4bf5b3022..22853dcc1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml 
@@ -1,47 +1,47 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cm_2 - title: benchmark.nist_800_53_rev_4_cm_2.title - description: benchmark.nist_800_53_rev_4_cm_2.description - section-code: "2" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_attached_volume_delete_on_termination_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_unused - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_waf_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_fedramp_moderate_rev_4_cm_2 +title: benchmark.nist_800_53_rev_4_cm_2.title +description: benchmark.nist_800_53_rev_4_cm_2.description +section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + 
- aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_use_waf_web_acl +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_attached_volume_delete_on_termination_enabled +- aws_ebs_snapshot_not_publicly_restorable +- aws_ebs_volume_unused +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_elb_application_lb_waf_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml index 8ff6f43a6..086346f0d 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_cm_7 +title: benchmark.nist_800_53_rev_4_cm_7.title +description: benchmark.nist_800_53_rev_4_cm_7.description +section-code: "7" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cm_7 - title: benchmark.nist_800_53_rev_4_cm_7.title - description: benchmark.nist_800_53_rev_4_cm_7.description - section-code: "7" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cm_7_a +- id: aws_fedramp_moderate_rev_4_cm_7_a + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml index dfb6255cd..ccdb7fc3e 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cm_7_a - title: CM-7(a) - description: "The organization: a. Configures the information system to provide only essential capabilities." - section-code: a - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_fedramp_moderate_rev_4_cm_7_a +title: CM-7(a) +description: "The organization: a. Configures the information system to provide only essential capabilities." +section-code: a +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml index 539e70290..93aeed64a 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml 
@@ -1,19 +1,21 @@ +id: aws_fedramp_moderate_rev_4_cm_8 +title: benchmark.nist_800_53_rev_4_cm_8.title +description: benchmark.nist_800_53_rev_4_cm_8.description +section-code: "8" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cm_8 - title: benchmark.nist_800_53_rev_4_cm_8.title - description: benchmark.nist_800_53_rev_4_cm_8.description - section-code: "8" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cm_8_1 - - id: aws_fedramp_moderate_rev_4_cm_8_3 +- id: aws_fedramp_moderate_rev_4_cm_8_1 + type: "" +- id: aws_fedramp_moderate_rev_4_cm_8_3 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml index a31b76a29..712e7567d 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cm_8_1 - title: CM-8(1) - description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. - section-code: "1" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_fedramp_moderate_rev_4_cm_8_1 +title: CM-8(1) +description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. +section-code: "1" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml index fc56ea85c..4120c416e 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml 
@@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_cm_8_3 +title: benchmark.nist_800_53_rev_4_cm_8_3.title +description: benchmark.nist_800_53_rev_4_cm_8_3.description +section-code: "3" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cm_8_3 - title: benchmark.nist_800_53_rev_4_cm_8_3.title - description: benchmark.nist_800_53_rev_4_cm_8_3.description - section-code: "3" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cm_8_3_a +- id: aws_fedramp_moderate_rev_4_cm_8_3_a + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml index 256562607..f2e21774a 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cm_8_3_a - title: CM-8(3)(a) - description: "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system" - section-code: a - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_fedramp_moderate_rev_4_cm_8_3_a +title: CM-8(3)(a) +description: "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system" +section-code: a +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_guardduty_enabled +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml index 532a32e9b..e75c021d6 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml 
@@ -1,19 +1,21 @@ +id: aws_fedramp_moderate_rev_4_cp +title: benchmark.nist_800_53_rev_4_cp.title +description: benchmark.nist_800_53_rev_4_cp.description +section-code: cp +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cp - title: benchmark.nist_800_53_rev_4_cp.title - description: benchmark.nist_800_53_rev_4_cp.description - section-code: cp - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cp_9 - - id: aws_fedramp_moderate_rev_4_cp_10 +- id: aws_fedramp_moderate_rev_4_cp_9 + type: "" +- id: aws_fedramp_moderate_rev_4_cp_10 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml index 9a02cabac..4cfff0002 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml 
@@ -1,37 +1,37 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cp_10 - title: benchmark.nist_800_53_rev_4_cp_10.title - description: benchmark.nist_800_53_rev_4_cp_10.description - section-code: "10" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +id: aws_fedramp_moderate_rev_4_cp_10 +title: benchmark.nist_800_53_rev_4_cp_10.title +description: benchmark.nist_800_53_rev_4_cp_10.description +section-code: "10" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- 
aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml index 7dcc46c7d..9e22c8ab6 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml @@ -1,18 +1,19 @@ +id: aws_fedramp_moderate_rev_4_cp_9 +title: benchmark.nist_800_53_rev_4_cp_9.title +description: benchmark.nist_800_53_rev_4_cp_9.description +section-code: "9" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_cp_9 - title: benchmark.nist_800_53_rev_4_cp_9.title - description: benchmark.nist_800_53_rev_4_cp_9.description - section-code: "9" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_cp_9_b +- id: aws_fedramp_moderate_rev_4_cp_9_b + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml index 45992ebc6..81c2f9f9f 100755 
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: aws_fedramp_moderate_rev_4_cp_9_b - title: CP-9(b) - description: "The organization: b. Conducts backups of system-level information contained in the information system (daily incremental; weekly full)." - section-code: b - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_fedramp_moderate_rev_4_cp_9_b +title: CP-9(b) +description: "The organization: b. Conducts backups of system-level information contained in the information system (daily incremental; weekly full)." 
+section-code: b +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml index fb223e355..8f02caa1f 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml 
@@ -1,19 +1,21 @@ +id: aws_fedramp_moderate_rev_4_ia +title: benchmark.nist_800_53_rev_4_ia.title +description: benchmark.nist_800_53_rev_4_ia.description +section-code: ia +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ia - title: benchmark.nist_800_53_rev_4_ia.title - description: benchmark.nist_800_53_rev_4_ia.description - section-code: ia - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ia_2 - - id: aws_fedramp_moderate_rev_4_ia_5 +- id: aws_fedramp_moderate_rev_4_ia_2 + type: "" +- id: aws_fedramp_moderate_rev_4_ia_5 + type: "" diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml index 94815078b..17e9afc75 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml 
@@ -1,21 +1,22 @@ +id: aws_fedramp_moderate_rev_4_ia_2 +title: benchmark.nist_800_53_rev_4_ia_2.title +description: benchmark.nist_800_53_rev_4_ia_2.description +section-code: "2" +type: control-group +tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_fedramp_moderate_rev_4_ia_2 - title: benchmark.nist_800_53_rev_4_ia_2.title - description: benchmark.nist_800_53_rev_4_ia_2.description - section-code: "2" - tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_fedramp_moderate_rev_4_ia_2_1 - controls: - - aws_iam_account_password_policy_min_length_14 - - aws_iam_root_user_no_access_keys +- id: aws_fedramp_moderate_rev_4_ia_2_1 + type: "" +controls: +- aws_iam_account_password_policy_min_length_14 +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml index 1935775fa..ccc02c4cb 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml 
@@ -1,23 +1,24 @@
+id: aws_fedramp_moderate_rev_4_ia_2_1
+title: benchmark.nist_800_53_rev_4_ia_2_1.title
+description: benchmark.nist_800_53_rev_4_ia_2_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ia_2_1
- title: benchmark.nist_800_53_rev_4_ia_2_1.title
- description: benchmark.nist_800_53_rev_4_ia_2_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ia_2_1_2
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+- id: aws_fedramp_moderate_rev_4_ia_2_1_2
+ type: ""
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
index 26359b41a..9cab95a6e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ia_2_1_2
- title: IA-2(1)(2)
- description: (1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_root_user_hardware_mfa_enabled
+id: aws_fedramp_moderate_rev_4_ia_2_1_2
+title: IA-2(1)(2)
+description: (1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_root_user_hardware_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
index 52ff5af7e..26a2586af 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
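Review bot: The rewritten `description:` line still carries the line-wrap artifact `non- privileged` from the source text, which reads as a typo in every report that renders this group. Since the commit already rewrites the line, it is the natural place to change it to `non-privileged`. The same artifact appears as `organization- defined` in the description of the ia_5_1_a_d_e hunk.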
@@ -1,20 +1,23 @@
+id: aws_fedramp_moderate_rev_4_ia_5
+title: benchmark.nist_800_53_rev_4_ia_5.title
+description: benchmark.nist_800_53_rev_4_ia_5.description
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ia_5
- title: benchmark.nist_800_53_rev_4_ia_5.title
- description: benchmark.nist_800_53_rev_4_ia_5.description
- section-code: "5"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ia_5_1
- - id: aws_fedramp_moderate_rev_4_ia_5_4
- - id: aws_fedramp_moderate_rev_4_ia_5_7
+- id: aws_fedramp_moderate_rev_4_ia_5_1
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ia_5_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ia_5_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
index 764eca09c..aae28af03 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ia_5_1
+title: benchmark.nist_800_53_rev_4_ia_5_1.title
+description: benchmark.nist_800_53_rev_4_ia_5_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ia_5_1
- title: benchmark.nist_800_53_rev_4_ia_5_1.title
- description: benchmark.nist_800_53_rev_4_ia_5_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
+- id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
index ddcb0f640..6f99d28f4 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
- title: IA-5(1)(a)(d)(e)
- description: "The information system, for password-based authentication: a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations"
- section-code: a_d_e
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
+id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
+title: IA-5(1)(a)(d)(e)
+description: "The information system, for password-based authentication: a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations"
+section-code: a_d_e
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
index e6617afc3..51320cc96 100755
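Review bot: The `controls:` list on the new side maps IA-5(1)(a)(d)(e) to `aws_iam_account_password_policy_min_length_14` alone, so only the minimum-complexity requirement in (a) is assessed; nothing here checks the password lifetime restriction in (d) or the 24-generation reuse prohibition in (e), and a passing result for this group overstates coverage. If the control library has password-policy controls for expiration and reuse prevention they belong in this list. Otherwise a comment such as `# partial coverage: only part (a) is assessed by an automated control` above `controls:` would keep the gap visible to assessors.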
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ia_5_4
- title: benchmark.nist_800_53_rev_4_ia_5_4.title
- description: benchmark.nist_800_53_rev_4_ia_5_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
+id: aws_fedramp_moderate_rev_4_ia_5_4
+title: benchmark.nist_800_53_rev_4_ia_5_4.title
+description: benchmark.nist_800_53_rev_4_ia_5_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
index 10e9751e2..f13661eba 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ia_5_7
- title: benchmark.nist_800_53_rev_4_ia_5_7.title
- description: benchmark.nist_800_53_rev_4_ia_5_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CodeBuild
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+id: aws_fedramp_moderate_rev_4_ia_5_7
+title: benchmark.nist_800_53_rev_4_ia_5_7.title
+description: benchmark.nist_800_53_rev_4_ia_5_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CodeBuild
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
index 434086a82..9709e1bcd 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
@@ -1,20 +1,23 @@
+id: aws_fedramp_moderate_rev_4_ir
+title: benchmark.nist_800_53_rev_4_ir.title
+description: benchmark.nist_800_53_rev_4_ir.description
+section-code: ir
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ir
- title: benchmark.nist_800_53_rev_4_ir.title
- description: benchmark.nist_800_53_rev_4_ir.description
- section-code: ir
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ir_4
- - id: aws_fedramp_moderate_rev_4_ir_6
- - id: aws_fedramp_moderate_rev_4_ir_7
+- id: aws_fedramp_moderate_rev_4_ir_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ir_6
+ type: ""
+- id: aws_fedramp_moderate_rev_4_ir_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
index 491584763..60e9706d4 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ir_4
+title: benchmark.nist_800_53_rev_4_ir_4.title
+description: benchmark.nist_800_53_rev_4_ir_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ir_4
- title: benchmark.nist_800_53_rev_4_ir_4.title
- description: benchmark.nist_800_53_rev_4_ir_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ir_4_1
+- id: aws_fedramp_moderate_rev_4_ir_4_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
index 8959f2379..72fdc0ded 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ir_4_1
- title: benchmark.nist_800_53_rev_4_ir_4_1.title
- description: benchmark.nist_800_53_rev_4_ir_4_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ir_4_1
+title: benchmark.nist_800_53_rev_4_ir_4_1.title
+description: benchmark.nist_800_53_rev_4_ir_4_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
index 68c468e9b..ad4b21f4f 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ir_6
+title: benchmark.nist_800_53_rev_4_ir_6.title
+description: benchmark.nist_800_53_rev_4_ir_6.description
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ir_6
- title: benchmark.nist_800_53_rev_4_ir_6.title
- description: benchmark.nist_800_53_rev_4_ir_6.description
- section-code: "6"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ir_6_1
+- id: aws_fedramp_moderate_rev_4_ir_6_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
index f233cdd57..ea2d1aa44 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ir_6_1
- title: benchmark.nist_800_53_rev_4_ir_6_1.title
- description: benchmark.nist_800_53_rev_4_ir_6_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ir_6_1
+title: benchmark.nist_800_53_rev_4_ir_6_1.title
+description: benchmark.nist_800_53_rev_4_ir_6_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
index dd4554663..431af5553 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ir_7
+title: benchmark.nist_800_53_rev_4_ir_7.title
+description: benchmark.nist_800_53_rev_4_ir_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ir_7
- title: benchmark.nist_800_53_rev_4_ir_7.title
- description: benchmark.nist_800_53_rev_4_ir_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ir_7_1
+- id: aws_fedramp_moderate_rev_4_ir_7_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
index ec0c9d687..0d548c96d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ir_7_1
- title: benchmark.nist_800_53_rev_4_ir_7_1.title
- description: benchmark.nist_800_53_rev_4_ir_7_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_ir_7_1
+title: benchmark.nist_800_53_rev_4_ir_7_1.title
+description: benchmark.nist_800_53_rev_4_ir_7_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
index fee2f8ee9..4f8f9902d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_ra
+title: benchmark.nist_800_53_rev_4_ra.title
+description: benchmark.nist_800_53_rev_4_ra.description
+section-code: ra
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_ra
- title: benchmark.nist_800_53_rev_4_ra.title
- description: benchmark.nist_800_53_rev_4_ra.description
- section-code: ra
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_ra_5
+- id: aws_fedramp_moderate_rev_4_ra_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
index e761098f4..e6a98edbb 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_ra_5
- title: benchmark.nist_800_53_rev_4_ra_5.title
- description: benchmark.nist_800_53_rev_4_ra_5.description
- section-code: "5"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
+id: aws_fedramp_moderate_rev_4_ra_5
+title: benchmark.nist_800_53_rev_4_ra_5.title
+description: benchmark.nist_800_53_rev_4_ra_5.description
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
index fad9adbdb..656327a6f 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
@@ -1,19 +1,21 @@
+id: aws_fedramp_moderate_rev_4_sa
+title: benchmark.nist_800_53_rev_4_sa.title
+description: benchmark.nist_800_53_rev_4_sa.description
+section-code: sa
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_sa
- title: benchmark.nist_800_53_rev_4_sa.title
- description: benchmark.nist_800_53_rev_4_sa.description
- section-code: sa
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_sa_3
- - id: aws_fedramp_moderate_rev_4_sa_10
+- id: aws_fedramp_moderate_rev_4_sa_3
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sa_10
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
index 99f6b1985..e016ac0a2 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sa_10
- title: benchmark.nist_800_53_rev_4_sa_10.title
- description: benchmark.nist_800_53_rev_4_sa_10.description
- section-code: "10"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_sa_10
+title: benchmark.nist_800_53_rev_4_sa_10.title
+description: benchmark.nist_800_53_rev_4_sa_10.description
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
index eb521dfd6..715c6b7ea 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_sa_3
+title: benchmark.nist_800_53_rev_4_sa_3.title
+description: benchmark.nist_800_53_rev_4_sa_3.description
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_sa_3
- title: benchmark.nist_800_53_rev_4_sa_3.title
- description: benchmark.nist_800_53_rev_4_sa_3.description
- section-code: "3"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_sa_3_a
+- id: aws_fedramp_moderate_rev_4_sa_3_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
index 40421f7da..ef6ed3ac5 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sa_3_a
- title: SA-3(a)
- description: "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations."
- section-code: a
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
+id: aws_fedramp_moderate_rev_4_sa_3_a
+title: SA-3(a)
+description: "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
index b78ac8f77..91d9ef1b1 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
@@ -1,26 +1,35 @@
+id: aws_fedramp_moderate_rev_4_sc
+title: benchmark.nist_800_53_rev_4_sc.title
+description: benchmark.nist_800_53_rev_4_sc.description
+section-code: sc
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_sc
- title: benchmark.nist_800_53_rev_4_sc.title
- description: benchmark.nist_800_53_rev_4_sc.description
- section-code: sc
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_sc_2
- - id: aws_fedramp_moderate_rev_4_sc_4
- - id: aws_fedramp_moderate_rev_4_sc_5
- - id: aws_fedramp_moderate_rev_4_sc_7
- - id: aws_fedramp_moderate_rev_4_sc_8
- - id: aws_fedramp_moderate_rev_4_sc_12
- - id: aws_fedramp_moderate_rev_4_sc_13
- - id: aws_fedramp_moderate_rev_4_sc_23
- - id: aws_fedramp_moderate_rev_4_sc_28
+- id: aws_fedramp_moderate_rev_4_sc_2
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_5
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_7
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_8
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_12
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_13
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_23
+ type: ""
+- id: aws_fedramp_moderate_rev_4_sc_28
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
index 00ba014bf..de3a7b36e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_12
- title: benchmark.nist_800_53_rev_4_sc_12.title
- description: benchmark.nist_800_53_rev_4_sc_12.description
- section-code: "12"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_fedramp_moderate_rev_4_sc_12
+title: benchmark.nist_800_53_rev_4_sc_12.title
+description: benchmark.nist_800_53_rev_4_sc_12.description
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
index b69866673..39dcfc182 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_13
- title: Use of Cryptography (SC-13)
- description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- section-code: "13"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_kms_key_not_pending_deletion
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_fedramp_moderate_rev_4_sc_13
+title: Use of Cryptography (SC-13)
+description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_kms_key_not_pending_deletion
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
index bca5974e8..dfcca677b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
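Review bot: The `title:` and `description:` on the new side promise FIPS-validated or NSA-approved cryptography, but the listed controls only establish that KMS-backed encryption at rest is enabled on the respective resources; none of them verifies that the cryptographic modules or endpoints in use are FIPS-validated. Someone reading an `ok` result for this group could take it as FIPS compliance evidence, which the automated checks do not provide. A comment above `controls:` such as `# these controls verify KMS encryption at rest, not FIPS validation of the modules in use; that part needs manual evidence` would make the limit of the automated result explicit.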
@@ -1,22 +1,22 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_2
- title: benchmark.nist_800_53_rev_4_sc_2.title
- description: benchmark.nist_800_53_rev_4_sc_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
+id: aws_fedramp_moderate_rev_4_sc_2
+title: benchmark.nist_800_53_rev_4_sc_2.title
+description: benchmark.nist_800_53_rev_4_sc_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
index 6cc205331..4ee897b02 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_23
- title: benchmark.nist_800_53_rev_4_sc_23.title
- description: benchmark.nist_800_53_rev_4_sc_23.description
- section-code: "23"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_fedramp_moderate_rev_4_sc_23
+title: benchmark.nist_800_53_rev_4_sc_23.title
+description: benchmark.nist_800_53_rev_4_sc_23.description
+section-code: "23"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
index 8059080c4..a7c81fb6c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_28
- title: Protection of Information at Rest (SC-28)
- description: "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest]."
- section-code: "28"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_fedramp_moderate_rev_4_sc_28
+title: Protection of Information at Rest (SC-28)
+description: "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest]."
+section-code: "28"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_volume_encryption_at_rest_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_es_domain_encryption_at_rest_enabled
+- aws_kms_key_not_pending_deletion
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_object_lock_enabled
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
index f8cbb19d5..c2283fa30 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
@@ -1,34 +1,34 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_4
- title: benchmark.nist_800_53_rev_4_sc_4.title
- description: benchmark.nist_800_53_rev_4_sc_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_unused
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_fedramp_moderate_rev_4_sc_4
+title: benchmark.nist_800_53_rev_4_sc_4.title
+description: benchmark.nist_800_53_rev_4_sc_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ebs_volume_unused
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
index 2bdc77113..a735be389 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_5
- title: benchmark.nist_800_53_rev_4_sc_5.title
- description: benchmark.nist_800_53_rev_4_sc_5.description
- section-code: "5"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_fedramp_moderate_rev_4_sc_5
+title: benchmark.nist_800_53_rev_4_sc_5.title
+description: benchmark.nist_800_53_rev_4_sc_5.description
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ec2_instance_ebs_optimized
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
index 6fbe159a3..433888d1b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
@@ -1,48 +1,49 @@
+id: aws_fedramp_moderate_rev_4_sc_7
+title: benchmark.nist_800_53_rev_4_sc_7.title
+description: benchmark.nist_800_53_rev_4_sc_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_sc_7
- title: benchmark.nist_800_53_rev_4_sc_7.title
- description: benchmark.nist_800_53_rev_4_sc_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_sc_7_3
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
+- id: aws_fedramp_moderate_rev_4_sc_7_3
+ type: ""
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
index 04cb4fb78..c772ef5d4 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
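Review bot: The child-group reference added on the new side, `- id: aws_fedramp_moderate_rev_4_sc_7_3` followed by `type: ""`, carries an empty discriminator while the referenced group's own file declares `type: control-group`, so a loader that keys on `type` sees two different values for the same object. If the empty string is a serializer artefact (a struct field written without omitempty), the cleanest fix is to omit `type` on references altogether or emit `type: control-group` to match the target file; if the empty value is meaningful, the schema that governs these framework files should say so. The same `type: ""` pattern appears in the sc_8, si, si_2 and si_4 hunks further down and should be handled the same way.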
@@ -1,39 +1,39 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_7_3
- title: benchmark.nist_800_53_rev_4_sc_7_3.title
- description: benchmark.nist_800_53_rev_4_sc_7_3.description
- section-code: "3"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_fedramp_moderate_rev_4_sc_7_3
+title: benchmark.nist_800_53_rev_4_sc_7_3.title
+description: benchmark.nist_800_53_rev_4_sc_7_3.description
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
index 2f1e9ebca..3973976f2 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
@@ -1,27 +1,28 @@
+id: aws_fedramp_moderate_rev_4_sc_8
+title: Transmission Integrity (SC-8)
+description: The information system protects the confidentiality AND integrity of transmitted information.
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_sc_8
- title: Transmission Integrity (SC-8)
- description: The information system protects the confidentiality AND integrity of transmitted information.
- section-code: "8"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_sc_8_1
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+- id: aws_fedramp_moderate_rev_4_sc_8_1
+ type: ""
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
index 5313ac474..4d9e184d0 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_sc_8_1
- title: benchmark.nist_800_53_rev_4_sc_8_1.title
- description: benchmark.nist_800_53_rev_4_sc_8_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_fedramp_moderate_rev_4_sc_8_1
+title: benchmark.nist_800_53_rev_4_sc_8_1.title
+description: benchmark.nist_800_53_rev_4_sc_8_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
index 6d0cb080d..59940426c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
@@ -1,21 +1,25 @@
+id: aws_fedramp_moderate_rev_4_si
+title: benchmark.nist_800_53_rev_4_si.title
+description: benchmark.nist_800_53_rev_4_si.description
+section-code: si
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_si
- title: benchmark.nist_800_53_rev_4_si.title
- description: benchmark.nist_800_53_rev_4_si.description
- section-code: si
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_si_2
- - id: aws_fedramp_moderate_rev_4_si_4
- - id: aws_fedramp_moderate_rev_4_si_7
- - id: aws_fedramp_moderate_rev_4_si_12
+- id: aws_fedramp_moderate_rev_4_si_2
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_7
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_12
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
index aed481f08..fdb59b3ef 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_12
- title: benchmark.nist_800_53_rev_4_si_12.title
- description: benchmark.nist_800_53_rev_4_si_12.description
- section-code: "12"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_versioning_enabled
+id: aws_fedramp_moderate_rev_4_si_12
+title: benchmark.nist_800_53_rev_4_si_12.title
+description: benchmark.nist_800_53_rev_4_si_12.description
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_cloudwatch_log_group_retention_period_365
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
index cf854ccc9..dd7013c25 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
@@ -1,18 +1,19 @@
+id: aws_fedramp_moderate_rev_4_si_2
+title: benchmark.nist_800_53_rev_4_si_2.title
+description: benchmark.nist_800_53_rev_4_si_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_si_2
- title: benchmark.nist_800_53_rev_4_si_2.title
- description: benchmark.nist_800_53_rev_4_si_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_si_2_2
+- id: aws_fedramp_moderate_rev_4_si_2_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
index 1ebed3a97..2ce1c3b77 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_2_2
- title: Automated Flaw Remediation Status (SI-2(2))
- description: The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_fedramp_moderate_rev_4_si_2_2
+title: Automated Flaw Remediation Status (SI-2(2))
+description: The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
index 7acdefd1d..410ecf7e1 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
@@ -1,23 +1,29 @@
+id: aws_fedramp_moderate_rev_4_si_4
+title: benchmark.nist_800_53_rev_4_si_4.title
+description: benchmark.nist_800_53_rev_4_si_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_si_4
- title: benchmark.nist_800_53_rev_4_si_4.title
- description: benchmark.nist_800_53_rev_4_si_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_si_4_1
- - id: aws_fedramp_moderate_rev_4_si_4_16
- - id: aws_fedramp_moderate_rev_4_si_4_2
- - id: aws_fedramp_moderate_rev_4_si_4_4
- - id: aws_fedramp_moderate_rev_4_si_4_5
- - id: aws_fedramp_moderate_rev_4_si_4_a_b_c
+- id: aws_fedramp_moderate_rev_4_si_4_1
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4_16
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4_2
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4_4
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4_5
+ type: ""
+- id: aws_fedramp_moderate_rev_4_si_4_a_b_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml
index b3a5d1806..36559a30a 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_1
- title: benchmark.nist_800_53_rev_4_si_4_1.title
- description: benchmark.nist_800_53_rev_4_si_4_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_fedramp_moderate_rev_4_si_4_1
+title: benchmark.nist_800_53_rev_4_si_4_1.title
+description: benchmark.nist_800_53_rev_4_si_4_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml
index 9eb64e455..7395808dc 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_16
- title: benchmark.nist_800_53_rev_4_si_4_16.title
- description: benchmark.nist_800_53_rev_4_si_4_16.description
- section-code: "16"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_guardduty_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_si_4_16
+title: benchmark.nist_800_53_rev_4_si_4_16.title
+description: benchmark.nist_800_53_rev_4_si_4_16.description
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_guardduty_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml
index 29fc3a9a2..a2e4e6e82 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_2
- title: benchmark.nist_800_53_rev_4_si_4_2.title
- description: benchmark.nist_800_53_rev_4_si_4_2.description
- section-code: "2"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_guardduty_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_si_4_2
+title: benchmark.nist_800_53_rev_4_si_4_2.title
+description: benchmark.nist_800_53_rev_4_si_4_2.description
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_guardduty_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml
index c51ae14fd..53b8f4a70 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_4
- title: benchmark.nist_800_53_rev_4_si_4_4.title
- description: benchmark.nist_800_53_rev_4_si_4_4.description
- section-code: "4"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_si_4_4
+title: benchmark.nist_800_53_rev_4_si_4_4.title
+description: benchmark.nist_800_53_rev_4_si_4_4.description
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml
index 0f635d8b5..4c2906ef3 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_5
- title: benchmark.nist_800_53_rev_4_si_4_5.title
- description: benchmark.nist_800_53_rev_4_si_4_5.description
- section-code: "5"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_fedramp_moderate_rev_4_si_4_5
+title: benchmark.nist_800_53_rev_4_si_4_5.title
+description: benchmark.nist_800_53_rev_4_si_4_5.description
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml
index 87e0fb443..970015fc8 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_4_a_b_c
- title: SI-4(a)(b)(c)
- description: "The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization."
- section-code: a_b_c
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_fedramp_moderate_rev_4_si_4_a_b_c
+title: SI-4(a)(b)(c)
+description: "The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization."
+section-code: a_b_c
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_use_waf_web_acl
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml
index 87e68753c..69575d87b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml
@@ -1,20 +1,21 @@
+id: aws_fedramp_moderate_rev_4_si_7
+title: benchmark.nist_800_53_rev_4_si_7.title
+description: benchmark.nist_800_53_rev_4_si_7.description
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_fedramp_moderate_rev_4_si_7
- title: benchmark.nist_800_53_rev_4_si_7.title
- description: benchmark.nist_800_53_rev_4_si_7.description
- section-code: "7"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_fedramp_moderate_rev_4_si_7_1
- controls:
- - aws_cloudtrail_trail_validation_enabled
+- id: aws_fedramp_moderate_rev_4_si_7_1
+ type: ""
+controls:
+- aws_cloudtrail_trail_validation_enabled
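Review bot: The child references added in the si_7 hunk carry an empty type (`- id: aws_fedramp_moderate_rev_4_si_7_1` followed by `type: ""`) while every standalone definition in this commit is typed `type: control-group`, so a loader that dispatches on `type` must special-case the empty string; either drop the key from references or give them the real type. The same empty value is emitted for the child lists of aws_ffiec_d_1, aws_ffiec_d_1_g, aws_ffiec_d_1_rm, aws_ffiec_d_2, aws_ffiec_d_2_is, aws_ffiec_d_2_ma, aws_ffiec_d_2_ti and aws_ffiec_d_3, whereas aws_ffiec.yaml leaves its `control-group` references bare, so three different reference shapes now coexist — this looks like serializer output rather than hand editing, which is worth confirming before merging. Separately, the new top-level `controls:` of si_7 names `aws_cloudtrail_trail_validation_enabled`, which the child group si_7_1 also lists; whether the old layout already had it at the parent level cannot be recovered from the collapsed indentation here, but a control scored under both parent and child would distort the group's pass/fail tally.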
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml
index 9bbb676b5..603324613 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_fedramp_moderate_rev_4_si_7_1
- title: benchmark.nist_800_53_rev_4_si_7_1.title
- description: benchmark.nist_800_53_rev_4_si_7_1.description
- section-code: "1"
- tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_fedramp_moderate_rev_4_si_7_1
+title: benchmark.nist_800_53_rev_4_si_7_1.title
+description: benchmark.nist_800_53_rev_4_si_7_1.description
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml
index ce342f35e..c466da6f4 100644
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml
@@ -1,30 +1,30 @@
-framework:
- id: aws_ffiec
- title: Federal Financial Institutions Examination Council (FFIEC)
- description: Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness.
- section-code: aws_ffiec
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_ffiec_d_1
- - id: aws_ffiec_d_2
- - id: aws_ffiec_d_3
- - id: aws_ffiec_d_4
- - id: aws_ffiec_d_5
+id: aws_ffiec
+title: Federal Financial Institutions Examination Council (FFIEC)
+description: Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness.
+section-code: aws_ffiec
+type: framework
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_ffiec_d_1
+- id: aws_ffiec_d_2
+- id: aws_ffiec_d_3
+- id: aws_ffiec_d_4
+- id: aws_ffiec_d_5
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml
index 3e18e48a6..3657ad6ef 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml
@@ -1,19 +1,21 @@
+id: aws_ffiec_d_1
+title: Cyber Risk Management and Oversight (Domain 1)
+description: Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
+section-code: d_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_1
- title: Cyber Risk Management and Oversight (Domain 1)
- description: Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight.
- section-code: d_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_1_g
- - id: aws_ffiec_d_1_rm
+- id: aws_ffiec_d_1_g
+ type: ""
+- id: aws_ffiec_d_1_rm
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml
index 880ee0833..fe320ff6b 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml
@@ -1,18 +1,19 @@
+id: aws_ffiec_d_1_g
+title: Governance (G)
+description: Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program.
+section-code: g
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_1_g
- title: Governance (G)
- description: Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program.
- section-code: g
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_1_g_it_b_1
+- id: aws_ffiec_d_1_g_it_b_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml
index db01f5cd0..34861bfe8 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_ffiec_d_1_g_it_b_1
- title: D1.G.IT.B.1
- description: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
- section-code: it_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ebs_attached_volume_delete_on_termination_enabled
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_vpc_eip_associated
+id: aws_ffiec_d_1_g_it_b_1
+title: D1.G.IT.B.1
+description: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
+section-code: it_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_attached_volume_delete_on_termination_enabled
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_vpc_eip_associated
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml
index 93e4e1236..0d175932b 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml
@@ -1,19 +1,21 @@
+id: aws_ffiec_d_1_rm
+title: Risk Management (RM)
+description: Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.
+section-code: rm
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_1_rm
- title: Risk Management (RM)
- description: Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls.
- section-code: rm
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_1_rm_ra_b_2
- - id: aws_ffiec_d_1_rm_rm_b_1
+- id: aws_ffiec_d_1_rm_ra_b_2
+ type: ""
+- id: aws_ffiec_d_1_rm_rm_b_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml
index 6fce2fff1..3317e528a 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_ffiec_d_1_rm_ra_b_2
- title: D1.RM.RA.B.2
- description: The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls.
- section-code: ra_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_ffiec_d_1_rm_ra_b_2
+title: D1.RM.RA.B.2
+description: The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls.
+section-code: ra_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml
index 2bbfc7346..06c95677a 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml
@@ -1,32 +1,32 @@
-control-group:
- id: aws_ffiec_d_1_rm_rm_b_1
- title: D1.RM.Rm.B.1
- description: An information security and business continuity risk management function(s) exists within the institution.
- section-code: rm_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
+id: aws_ffiec_d_1_rm_rm_b_1
+title: D1.RM.Rm.B.1
+description: An information security and business continuity risk management function(s) exists within the institution.
+section-code: rm_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml
index 3ba4fbe1e..a3c932aa5 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml
@@ -1,20 +1,23 @@
+id: aws_ffiec_d_2
+title: Threat Intelligence and Collaboration (Domain 2)
+description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
+section-code: d_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_2
- title: Threat Intelligence and Collaboration (Domain 2)
- description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- section-code: d_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_2_is
- - id: aws_ffiec_d_2_ma
- - id: aws_ffiec_d_2_ti
+- id: aws_ffiec_d_2_is
+ type: ""
+- id: aws_ffiec_d_2_ma
+ type: ""
+- id: aws_ffiec_d_2_ti
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml
index 816ce17cb..0cf16b9c2 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml
@@ -1,18 +1,19 @@
+id: aws_ffiec_d_2_is
+title: Information Sharing (IS)
+description: Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders.
+section-code: is
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_2_is
- title: Information Sharing (IS)
- description: Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders.
- section-code: is
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_2_is_is_b_1
+- id: aws_ffiec_d_2_is_is_b_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml
index 69d2d8db5..df501bcc0 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_ffiec_d_2_is_is_b_1
- title: D2.IS.Is.B.1
- description: Information security threats are gathered and shared with applicable internal employees.
- section-code: is_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_ffiec_d_2_is_is_b_1
+title: D2.IS.Is.B.1
+description: Information security threats are gathered and shared with applicable internal employees.
+section-code: is_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml
index 8ec57c1b8..34a171667 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml
@@ -1,19 +1,21 @@
+id: aws_ffiec_d_2_ma
+title: Monitoring and Analyzing (MA)
+description: Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.
+section-code: ma
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_2_ma
- title: Monitoring and Analyzing (MA)
- description: Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams.
- section-code: ma
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_2_ma_ma_b_1
- - id: aws_ffiec_d_2_ma_ma_b_2
+- id: aws_ffiec_d_2_ma_ma_b_1
+ type: ""
+- id: aws_ffiec_d_2_ma_ma_b_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml
index 89718d037..6a73a021e 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml
@@ -1,32 +1,32 @@
-control-group:
- id: aws_ffiec_d_2_ma_ma_b_1
- title: D2.MA.Ma.B.1
- description: Audit log records and other security event logs are reviewed and retained in a secure manner.
- section-code: ma_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_ffiec_d_2_ma_ma_b_1
+title: D2.MA.Ma.B.1
+description: Audit log records and other security event logs are reviewed and retained in a secure manner.
+section-code: ma_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_object_lock_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
index 3db7e769e..84cfc2de1 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_ffiec_d_2_ma_ma_b_2
- title: D2.MA.Ma.B.2
- description: Computer event logs are used for investigations once an event has occurred.
- section-code: ma_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
+id: aws_ffiec_d_2_ma_ma_b_2
+title: D2.MA.Ma.B.2
+description: Computer event logs are used for investigations once an event has occurred.
+section-code: ma_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
index ab9d94206..aa097cc36 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
@@ -1,20 +1,23 @@
+id: aws_ffiec_d_2_ti
+title: Threat Intelligence (TI)
+description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
+section-code: ti
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_2_ti
- title: Threat Intelligence (TI)
- description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
- section-code: ti
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_2_ti_ti_b_1
- - id: aws_ffiec_d_2_ti_ti_b_2
- - id: aws_ffiec_d_2_ti_ti_b_3
+- id: aws_ffiec_d_2_ti_ti_b_1
+ type: ""
+- id: aws_ffiec_d_2_ti_ti_b_2
+ type: ""
+- id: aws_ffiec_d_2_ti_ti_b_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
index 51e7316bd..eba465ab0 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_ffiec_d_2_ti_ti_b_1
- title: D2.TI.Ti.B.1
- description: The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).
- section-code: ti_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_ffiec_d_2_ti_ti_b_1
+title: D2.TI.Ti.B.1
+description: The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).
+section-code: ti_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
index fd907501f..5f2771ee4 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
@@ -1,20 +1,20 @@ -control-group: - id: aws_ffiec_d_2_ti_ti_b_2 - title: D2.TI.Ti.B.2 - description: Threat information is used to monitor threats and vulnerabilities. - section-code: ti_b_2 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_ffiec_d_2_ti_ti_b_2 +title: D2.TI.Ti.B.2 +description: Threat information is used to monitor threats and vulnerabilities. +section-code: ti_b_2 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml index 2c5de884c..8c926def4 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_ffiec_d_2_ti_ti_b_3 - title: D2.TI.Ti.B.3 - description: Threat information is used to enhance internal risk management and controls. - section-code: ti_b_3 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_ffiec_d_2_ti_ti_b_3 +title: D2.TI.Ti.B.3 +description: Threat information is used to enhance internal risk management and controls. +section-code: ti_b_3 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled 
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml index 3facf35aa..4827953f9 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml @@ -1,20 +1,23 @@ +id: aws_ffiec_d_3 +title: Cybersecurity Controls (Domain 3) +description: Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring. +section-code: d_3 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_3 - title: Cybersecurity Controls (Domain 3) - description: Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring. - section-code: d_3 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_3_cc - - id: aws_ffiec_d_3_dc - - id: aws_ffiec_d_3_pc +- id: aws_ffiec_d_3_cc + type: "" +- id: aws_ffiec_d_3_dc + type: "" +- id: aws_ffiec_d_3_pc + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml index acc73292f..6f1d1ebca 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml 
@@ -1,19 +1,21 @@ +id: aws_ffiec_d_3_cc +title: Corrective Controls (CC) +description: Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing. +section-code: cc +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_3_cc - title: Corrective Controls (CC) - description: Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing. - section-code: cc - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_3_cc_pm_b_1 - - id: aws_ffiec_d_3_cc_pm_b_3 +- id: aws_ffiec_d_3_cc_pm_b_1 + type: "" +- id: aws_ffiec_d_3_cc_pm_b_3 + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml index bd810290a..6ec2fb8ac 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_ffiec_d_3_cc_pm_b_1 - title: D3.CC.PM.B.1 - description: A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. - section-code: pm_b_1 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_ffiec_d_3_cc_pm_b_1 +title: D3.CC.PM.B.1 +description: A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner. +section-code: pm_b_1 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_rds_db_instance_automatic_minor_version_upgrade_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml index 18125429c..58e3522ce 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_ffiec_d_3_cc_pm_b_3 - title: D3.CC.PM.B.3 - description: Patch management reports are reviewed and reflect missing security patches. - section-code: pm_b_3 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_ffiec_d_3_cc_pm_b_3 +title: D3.CC.PM.B.3 +description: Patch management reports are reviewed and reflect missing security patches. +section-code: pm_b_3 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_rds_db_instance_automatic_minor_version_upgrade_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml index b3dfec608..d97b5cc21 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml 
@@ -1,26 +1,35 @@ +id: aws_ffiec_d_3_dc +title: Detective Controls (DC) +description: Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has or may occur. +section-code: dc +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_3_dc - title: Detective Controls (DC) - description: Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has or may occur. - section-code: dc - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_3_dc_an_b_1 - - id: aws_ffiec_d_3_dc_an_b_2 - - id: aws_ffiec_d_3_dc_an_b_3 - - id: aws_ffiec_d_3_dc_an_b_4 - - id: aws_ffiec_d_3_dc_an_b_5 - - id: aws_ffiec_d_3_dc_ev_b_1 - - id: aws_ffiec_d_3_dc_ev_b_2 - - id: aws_ffiec_d_3_dc_ev_b_3 - - id: aws_ffiec_d_3_dc_th_b_1 +- id: aws_ffiec_d_3_dc_an_b_1 + type: "" +- id: aws_ffiec_d_3_dc_an_b_2 + type: "" +- id: aws_ffiec_d_3_dc_an_b_3 + type: "" +- id: aws_ffiec_d_3_dc_an_b_4 + type: "" +- id: aws_ffiec_d_3_dc_an_b_5 + type: "" +- id: aws_ffiec_d_3_dc_ev_b_1 + type: "" +- id: aws_ffiec_d_3_dc_ev_b_2 + type: "" +- id: aws_ffiec_d_3_dc_ev_b_3 + type: "" +- id: aws_ffiec_d_3_dc_th_b_1 + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml index 1628a2019..f394e2a57 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_ffiec_d_3_dc_an_b_1 - title: D3.DC.An.B.1 - description: The institution is able to detect anomalous activities through monitoring across the environment. - section-code: an_b_1 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled +id: aws_ffiec_d_3_dc_an_b_1 +title: D3.DC.An.B.1 +description: The institution is able to detect anomalous activities through monitoring across the environment. +section-code: an_b_1 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_guardduty_finding_archived +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml index b20dc137a..708803de0 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_ffiec_d_3_dc_an_b_2 - title: D3.DC.An.B.2 - description: Customer transactions generating anomalous activity alerts are monitored and reviewed. - section-code: an_b_2 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_ffiec_d_3_dc_an_b_2 +title: D3.DC.An.B.2 +description: Customer transactions generating anomalous activity alerts are monitored and reviewed. +section-code: an_b_2 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled 
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml index bbfa423cb..53b67d3fd 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml @@ -1,28 +1,28 @@ -control-group: - id: aws_ffiec_d_3_dc_an_b_3 - title: D3.DC.An.B.3 - description: Logs of physical and/or logical access are reviewed following events. - section-code: an_b_3 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_ffiec_d_3_dc_an_b_3 +title: D3.DC.An.B.3 +description: Logs of physical and/or logical access are reviewed following events. +section-code: an_b_3 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_es_domain_logs_to_cloudwatch +- aws_rds_db_instance_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml index 3d8bbd076..7135426b5 100755 
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml @@ -1,30 +1,30 @@ -control-group: - id: aws_ffiec_d_3_dc_an_b_4 - title: D3.DC.An.B.4 - description: Access to critical systems by third parties is monitored for unauthorized or unusual activity. - section-code: an_b_4 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_ffiec_d_3_dc_an_b_4 +title: D3.DC.An.B.4 +description: Access to critical systems by third parties is monitored for unauthorized or unusual activity. +section-code: an_b_4 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_es_domain_logs_to_cloudwatch +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled 
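Review bot: `aws_redshift_cluster_kms_enabled` in the new `controls:` list is, by its name, an encryption-at-rest check, which does not evidence that third-party access is monitored, the statement this section maps; the same identifier reappears in D3.DC.Ev.B.1 for the network-baseline statement. Unless it was deliberately inherited from an upstream mapping, it belongs with an encryption statement such as D3.PC.Am.B.12, or should carry a `# kept for parity with upstream mapping; not a monitoring control` comment explaining why a detective-control section lists it. None of the listed controls distinguishes third-party (cross-account) access from internal access either; CloudTrail records it, but nothing here checks that it is reviewed, which is worth stating in a comment so an auditor does not read `ok` as "third-party access monitored".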
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml index 1dd73e1b3..cec675b15 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_ffiec_d_3_dc_an_b_5 - title: D3.DC.An.B.5 - description: Elevated privileges are monitored. - section-code: an_b_5 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs +id: aws_ffiec_d_3_dc_an_b_5 +title: D3.DC.An.B.5 +description: Elevated privileges are monitored. +section-code: an_b_5 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml index 011df66bd..655cfcd2c 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml 
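Review bot: D3.DC.An.B.5, "Elevated privileges are monitored", is satisfied on the new side by only `aws_cloudtrail_trail_enabled` and `aws_cloudtrail_trail_integrated_with_logs`, which establish that API activity is recorded, not that privileged activity is detected or alerted on. This framework already uses `aws_guardduty_enabled` and `aws_securityhub_enabled` for anomaly detection in D3.DC.An.B.1; adding them here, or a root-usage check if the benchmark has one, would bring the evidence closer to the statement. At minimum a `# CloudTrail only proves privileged actions are logged; alerting on them is out of scope for these checks` comment should make the gap explicit.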
@@ -1,27 +1,27 @@ -control-group: - id: aws_ffiec_d_3_dc_ev_b_1 - title: D3.DC.Ev.B.1 - description: A normal network activity baseline is established. - section-code: ev_b_1 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_vpc_flow_logs_enabled +id: aws_ffiec_d_3_dc_ev_b_1 +title: D3.DC.Ev.B.1 +description: A normal network activity baseline is established. +section-code: ev_b_1 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml index 32282c63b..57375b935 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml 
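Review bot: `aws_lambda_function_concurrent_execution_limit_configured` and `aws_redshift_cluster_kms_enabled` in this list appear to be a throttling setting and an at-rest encryption setting; neither produces the network telemetry a "normal network activity baseline" would be built from, so a pass on them inflates this section's score without evidence. The rest of the list (CloudTrail, VPC flow logs, ALB and API Gateway logging) is defensible as the data sources for such a baseline. Either drop the two, or annotate them with `# not baseline telemetry; inherited from upstream mapping` so the intent is reviewable.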
@@ -1,18 +1,18 @@ -control-group: - id: aws_ffiec_d_3_dc_ev_b_2 - title: D3.DC.Ev.B.2 - description: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. - section-code: ev_b_2 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_ffiec_d_3_dc_ev_b_2 +title: D3.DC.Ev.B.2 +description: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. +section-code: ev_b_2 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml index f72a473c3..17c0d4cd6 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_ffiec_d_3_dc_ev_b_3 - title: D3.DC.Ev.B.3 - description: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. - section-code: ev_b_3 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_ffiec_d_3_dc_ev_b_3 +title: D3.DC.Ev.B.3 +description: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. +section-code: ev_b_3 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_enabled +- aws_guardduty_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml index 0c99763b5..4df72eb20 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_ffiec_d_3_dc_th_b_1 - title: D3.DC.Th.B.1 - description: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. - section-code: th_b_1 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_ffiec_d_3_dc_th_b_1 +title: D3.DC.Th.B.1 +description: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. +section-code: th_b_1 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml index 1f9105077..d8eb26c65 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml 
@@ -1,35 +1,53 @@ +id: aws_ffiec_d_3_pc +title: Preventative Controls (PC) +description: Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding. +section-code: pc +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_3_pc - title: Preventative Controls (PC) - description: Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding. - section-code: pc - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_3_pc_am_b_1 - - id: aws_ffiec_d_3_pc_am_b_10 - - id: aws_ffiec_d_3_pc_am_b_12 - - id: aws_ffiec_d_3_pc_am_b_13 - - id: aws_ffiec_d_3_pc_am_b_15 - - id: aws_ffiec_d_3_pc_am_b_16 - - id: aws_ffiec_d_3_pc_am_b_2 - - id: aws_ffiec_d_3_pc_am_b_3 - - id: aws_ffiec_d_3_pc_am_b_6 - - id: aws_ffiec_d_3_pc_am_b_7 - - id: aws_ffiec_d_3_pc_am_b_8 - - id: aws_ffiec_d_3_pc_im_b_1 - - id: aws_ffiec_d_3_pc_im_b_2 - - id: aws_ffiec_d_3_pc_im_b_3 - - id: aws_ffiec_d_3_pc_im_b_5 - - id: aws_ffiec_d_3_pc_im_b_6 - - id: aws_ffiec_d_3_pc_im_b_7 - - id: aws_ffiec_d_3_pc_se_b_1 +- id: aws_ffiec_d_3_pc_am_b_1 + type: "" +- id: aws_ffiec_d_3_pc_am_b_10 + type: "" +- id: aws_ffiec_d_3_pc_am_b_12 + type: "" +- id: aws_ffiec_d_3_pc_am_b_13 + type: "" +- id: aws_ffiec_d_3_pc_am_b_15 + type: "" +- id: aws_ffiec_d_3_pc_am_b_16 + type: "" +- id: aws_ffiec_d_3_pc_am_b_2 + type: "" +- id: aws_ffiec_d_3_pc_am_b_3 + type: "" +- id: aws_ffiec_d_3_pc_am_b_6 + type: "" +- id: aws_ffiec_d_3_pc_am_b_7 + type: "" +- id: aws_ffiec_d_3_pc_am_b_8 + type: "" +- id: aws_ffiec_d_3_pc_im_b_1 + type: "" +- id: aws_ffiec_d_3_pc_im_b_2 + type: "" +- id: aws_ffiec_d_3_pc_im_b_3 + type: "" +- id: 
aws_ffiec_d_3_pc_im_b_5 + type: "" +- id: aws_ffiec_d_3_pc_im_b_6 + type: "" +- id: aws_ffiec_d_3_pc_im_b_7 + type: "" +- id: aws_ffiec_d_3_pc_se_b_1 + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml index ce6f79619..c43fe4082 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: aws_ffiec_d_3_pc_am_b_1 - title: D3.PC.Am.B.1 - description: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. - section-code: am_b_1 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_user_for_host_mode_check - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies +id: aws_ffiec_d_3_pc_am_b_1 +title: D3.PC.Am.B.1 +description: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. +section-code: am_b_1 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_iam_profile_attached +- aws_ecs_task_definition_user_for_host_mode_check +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_custom_no_blocked_kms_actions +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml index 4b579fbaa..7b2fae6d1 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_ffiec_d_3_pc_am_b_10 - title: D3.PC.Am.B.10 - description: Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.) - section-code: am_b_10 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_in_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all +id: aws_ffiec_d_3_pc_am_b_10 +title: D3.PC.Am.B.10 +description: Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.) +section-code: am_b_10 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_in_vpc +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml index bc1614a56..d21d3eb70 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml 
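Review bot: The four controls mapped to D3.PC.Am.B.10 (`aws_ec2_instance_in_vpc` and three security-group ingress restrictions) test internet exposure of individual instances, not whether production and non-production environments are segregated from each other, so a green result here does not evidence the statement. Nothing in the listed checks looks at account or VPC separation between environments; if the benchmark has an account-structure or VPC-peering control it belongs here. Otherwise a `# proxy controls only: environment segregation (separate accounts/VPCs) is not machine-checked here` comment would keep auditors from over-reading the result.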
@@ -1,33 +1,33 @@ -control-group: - id: aws_ffiec_d_3_pc_am_b_12 - title: D3.PC.Am.B.12 - description: All passwords are encrypted in storage and in transit. - section-code: am_b_12 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_backup_recovery_point_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_tls_https_listeners - - aws_emr_cluster_kerberos_enabled - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl +id: aws_ffiec_d_3_pc_am_b_12 +title: D3.PC.Am.B.12 +description: All passwords are encrypted in storage and in transit. 
+section-code: am_b_12 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_backup_recovery_point_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_tls_https_listeners +- aws_emr_cluster_kerberos_enabled +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml index 205d5fbdc..783952d9c 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml 
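Review bot: D3.PC.Am.B.12 is about passwords, but every control on the new side checks encryption of bulk data (EBS, EFS, S3, RDS, backups) or TLS on endpoints; none addresses how credentials themselves are stored or transmitted. `aws_emr_cluster_kerberos_enabled` is the only item that touches authentication at all, and `aws_redshift_cluster_encryption_logging_enabled` looks like a logging check rather than a password protection. A comment under `controls:` such as `# proxy: data-at-rest/in-transit encryption; no control here inspects credential storage itself` would state the limitation, and if the benchmark has a secrets-storage control it should be added here.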
@@ -1,24 +1,24 @@ -control-group: - id: aws_ffiec_d_3_pc_am_b_13 - title: D3.PC.Am.B.13 - description: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet). - section-code: am_b_13 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_ffiec_d_3_pc_am_b_13 +title: D3.PC.Am.B.13 +description: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet). +section-code: am_b_13 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_application_network_lb_use_ssl_certificate +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml index 1552cc043..5d43c41a4 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml 
@@ -1,24 +1,24 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_15
- title: D3.PC.Am.B.15
- description: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
- section-code: am_b_15
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_ffiec_d_3_pc_am_b_15
+title: D3.PC.Am.B.15
+description: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
+section-code: am_b_15
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
index d12bbfab1..ac2f67576 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_16
- title: D3.PC.Am.B.16
- description: Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
- section-code: am_b_16
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
+id: aws_ffiec_d_3_pc_am_b_16
+title: D3.PC.Am.B.16
+description: Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
+section-code: am_b_16
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
index 3764d2208..41b556eb4 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_2
- title: D3.PC.Am.B.2
- description: Employee access to systems and confidential data provides for separation of duties.
- section-code: am_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
+id: aws_ffiec_d_3_pc_am_b_2
+title: D3.PC.Am.B.2
+description: Employee access to systems and confidential data provides for separation of duties.
+section-code: am_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
index 36d0f8021..eb9477162 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_3
- title: D3.PC.Am.B.3
- description: Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls)
- section-code: am_b_3
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
+id: aws_ffiec_d_3_pc_am_b_3
+title: D3.PC.Am.B.3
+description: Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls)
+section-code: am_b_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
index 4caf8b529..3dc5a5287 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_6
- title: D3.PC.Am.B.6
- description: Identification and authentication are required and managed for access to systems, applications, and hardware.
- section-code: am_b_6
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
+id: aws_ffiec_d_3_pc_am_b_6
+title: D3.PC.Am.B.6
+description: Identification and authentication are required and managed for access to systems, applications, and hardware.
+section-code: am_b_6
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
index 51a0261f6..82807ca48 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_7
- title: D3.PC.Am.B.7
- description: Access controls include password complexity and limits to password attempts and reuse.
- section-code: am_b_7
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_ffiec_d_3_pc_am_b_7
+title: D3.PC.Am.B.7
+description: Access controls include password complexity and limits to password attempts and reuse.
+section-code: am_b_7
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
index e8f89c4bc..ad54eec33 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_ffiec_d_3_pc_am_b_8
- title: D3.PC.Am.B.8
- description: All default passwords and unnecessary default accounts are changed before system implementation.
- section-code: am_b_8
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_no_access_keys
+id: aws_ffiec_d_3_pc_am_b_8
+title: D3.PC.Am.B.8
+description: All default passwords and unnecessary default accounts are changed before system implementation.
+section-code: am_b_8
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
index 4b33fa084..dd3c334cc 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
@@ -1,44 +1,44 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_1
- title: D3.PC.Im.B.1
- description: Network perimeter defense tools (e.g., border router and firewall) are used.
- section-code: im_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_use_waf_web_acl
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_waf_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_ffiec_d_3_pc_im_b_1
+title: D3.PC.Im.B.1
+description: Network perimeter defense tools (e.g., border router and firewall) are used.
+section-code: im_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_stage_use_waf_web_acl
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_waf_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
index c6cfbf41f..783a59b54 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_2
- title: D3.PC.IM.B.2
- description: Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
- section-code: im_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_elb_application_lb_waf_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_ffiec_d_3_pc_im_b_2
+title: D3.PC.IM.B.2
+description: Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
+section-code: im_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_use_waf_web_acl
+- aws_elb_application_lb_waf_enabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
index b503c2c40..1859e3d47 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_3
- title: D3.PC.IM.B.3
- description: All ports are monitored.
- section-code: im_b_3
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_ffiec_d_3_pc_im_b_3
+title: D3.PC.IM.B.3
+description: All ports are monitored.
+section-code: im_b_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
index 5963ec6af..3e2398d93 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_5
- title: D3.PC.Im.B.5
- description: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced
- section-code: im_b_5
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_ffiec_d_3_pc_im_b_5
+title: D3.PC.Im.B.5
+description: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced
+section-code: im_b_5
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
index ac66bff52..f773cd50d 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_6
- title: D3.PC.Im.B.6
- description: Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
- section-code: im_b_6
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_ffiec_d_3_pc_im_b_6
+title: D3.PC.Im.B.6
+description: Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
+section-code: im_b_6
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
index 72e221b58..8567f0140 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_ffiec_d_3_pc_im_b_7
- title: D3.PC.Im.B.7
- description: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
- section-code: im_b_7
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
+id: aws_ffiec_d_3_pc_im_b_7
+title: D3.PC.Im.B.7
+description: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
+section-code: im_b_7
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
index 8a4dd36e9..296378a51 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_ffiec_d_3_pc_se_b_1
- title: D3.PC.Se.B.1
- description: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.
- section-code: se_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
+id: aws_ffiec_d_3_pc_se_b_1
+title: D3.PC.Se.B.1
+description: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.
+section-code: se_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
index 339562824..2115bae5d 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
@@ -1,18 +1,19 @@
+id: aws_ffiec_d_4
+title: External Dependency Management (Domain 4)
+description: External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
+section-code: d_4
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_4
- title: External Dependency Management (Domain 4)
- description: External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
- section-code: d_4
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_4_c
+- id: aws_ffiec_d_4_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
index b5523b6eb..cbdf96d90 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
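Review bot: The child reference added at the end of this hunk (`+- id: aws_ffiec_d_4_c` followed by `+ type: ""`) carries an empty `type`, while the file it points to (aws_ffiec_d_4_c.yaml, patched in the next hunk of this commit) and this file itself both declare `type: control-group` at top level. If the loader dispatches on `type`, an empty string will either be special-cased somewhere or silently fail to resolve, and a reader of this file cannot tell which; I am inferring the dispatch from the new `type: control` / `type: control-group` fields this commit introduces, so please confirm. Unless `""` is a deliberate sentinel meaning "take the type from the referenced file", I would write `- id: aws_ffiec_d_4_c` / `  type: control-group` so the reference agrees with the referenced definition. The same empty `type` pattern appears in the aws_ffiec_d_4_c, aws_ffiec_d_5, aws_ffiec_d_5_dr, aws_ffiec_d_5_er and aws_ffiec_d_5_ir hunks of this commit.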
@@ -1,18 +1,19 @@
+id: aws_ffiec_d_4_c
+title: Connections (C)
+description: Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_4_c
- title: Connections (C)
- description: Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
- section-code: c
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_4_c_co_b_2
+- id: aws_ffiec_d_4_c_co_b_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
index 5b2cfa492..a885050f0 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_ffiec_d_4_c_co_b_2
- title: D4.C.Co.B.2
- description: The institution ensures that third-party connections are authorized.
- section-code: co_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_ffiec_d_4_c_co_b_2
+title: D4.C.Co.B.2
+description: The institution ensures that third-party connections are authorized.
+section-code: co_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
index aa7e0b751..84300ea9f 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
@@ -1,20 +1,23 @@
+id: aws_ffiec_d_5
+title: Cyber Incident Management and Resilience (Domain 5)
+description: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
+section-code: d_5
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_5
- title: Cyber Incident Management and Resilience (Domain 5)
- description: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
- section-code: d_5
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_5_dr
- - id: aws_ffiec_d_5_er
- - id: aws_ffiec_d_5_ir
+- id: aws_ffiec_d_5_dr
+ type: ""
+- id: aws_ffiec_d_5_er
+ type: ""
+- id: aws_ffiec_d_5_ir
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
index 35f8a1a16..d30a1573c 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
@@ -1,20 +1,23 @@
+id: aws_ffiec_d_5_dr
+title: Detection, Response, & Mitigation (DR)
+description: Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.
+section-code: dr
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_ffiec_d_5_dr
- title: Detection, Response, & Mitigation (DR)
- description: Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.
- section-code: dr
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_ffiec_d_5_dr_de_b_1
- - id: aws_ffiec_d_5_dr_de_b_2
- - id: aws_ffiec_d_5_dr_de_b_3
+- id: aws_ffiec_d_5_dr_de_b_1
+ type: ""
+- id: aws_ffiec_d_5_dr_de_b_2
+ type: ""
+- id: aws_ffiec_d_5_dr_de_b_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
index 489fb11f7..124cb7081 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_ffiec_d_5_dr_de_b_1
- title: D5.DR.De.B.1
- description: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
- section-code: de_b_1
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_ffiec_d_5_dr_de_b_1
+title: D5.DR.De.B.1
+description: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
+section-code: de_b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
index 330ecdc27..0016a57b5 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_ffiec_d_5_dr_de_b_2
- title: D5.DR.De.B.2
- description: System performance reports contain information that can be used as a risk indicator to detect information security incidents.
- section-code: de_b_2
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_lambda_function_dead_letter_queue_configured
+id: aws_ffiec_d_5_dr_de_b_2
+title: D5.DR.De.B.2
+description: System performance reports contain information that can be used as a risk indicator to detect information security incidents.
+section-code: de_b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_lambda_function_dead_letter_queue_configured
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
index fb352eef4..6c41bf3af 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: aws_ffiec_d_5_dr_de_b_3
- title: D5.DR.De.B.3
- description: Tools and processes are in place to detect, alert, and trigger the incident response program.
- section-code: de_b_3
- tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_ffiec_d_5_dr_de_b_3
+title: D5.DR.De.B.3
+description: Tools and processes are in place to detect, alert, and trigger the incident response program.
+section-code: de_b_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
index 66bfb9f8e..b8c42e6e7 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
@@ -1,18 +1,19 @@ +id: aws_ffiec_d_5_er +title: Escalation and Reporting (ER) +description: Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required. +section-code: er +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_5_er - title: Escalation and Reporting (ER) - description: Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required. - section-code: er - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_5_er_es_b_4 +- id: aws_ffiec_d_5_er_es_b_4 + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml index cc303b1fd..df5ffe74b 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_ffiec_d_5_er_es_b_4 - title: D5.ER.Es.B.4 - description: Incidents are classified, logged and tracked. - section-code: es_b_4 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_finding_archived +id: aws_ffiec_d_5_er_es_b_4 +title: D5.ER.Es.B.4 +description: Incidents are classified, logged and tracked. +section-code: es_b_4 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_finding_archived 
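Review bot: The child reference added at the end of the first hunk on this line, `- id: aws_ffiec_d_5_er_es_b_4` followed by `type: ""`, carries an empty type string, while the referenced file (the second hunk on this line) declares itself `type: control-group`. An empty value looks like a generator placeholder rather than a deliberate choice; if the loader dispatches on this field it will either fail to resolve the child or fall through to a default silently, and if it does not use the field the key is noise. Either set it to match the child, `type: control-group`, or drop the key and let resolution go by `id` alone — I cannot see the loader from here, so confirm which contract it expects. Note the same pattern appears in the sibling aws_ffiec_d_5_ir.yaml hunk, so whichever form is chosen should be applied to both.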
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml index 062f9ac58..b0b5aeb3e 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml @@ -1,18 +1,19 @@ +id: aws_ffiec_d_5_ir +title: Incident Resilience Planning & Strategy (IR) +description: Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data. +section-code: ir +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_ffiec_d_5_ir - title: Incident Resilience Planning & Strategy (IR) - description: Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data. - section-code: ir - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_ffiec_d_5_ir_pi_b_6 +- id: aws_ffiec_d_5_ir_pi_b_6 + type: "" diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml index 8fc93799e..693aecb7c 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml 
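Review bot: The new child entry `- id: aws_ffiec_d_5_ir_pi_b_6` is given `type: ""` in the aws_ffiec_d_5_ir.yaml hunk, but the referenced group (the pi_b_6 hunk that starts on this line and continues past it) declares `type: control-group` for itself. An empty type is ambiguous for any consumer that branches on it — it is neither `control` nor `control-group` — so the safer forms are `type: control-group` to match the child, or omitting the key if the loader resolves children by `id`. This is inferred from the visible files only; please verify against the schema/loader that reads these framework files.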
@@ -1,39 +1,39 @@ -control-group: - id: aws_ffiec_d_5_ir_pi_b_6 - title: D5.IR.Pl.B.6 - description: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. - section-code: pi_b_6 - tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +id: aws_ffiec_d_5_ir_pi_b_6 +title: D5.IR.Pl.B.6 +description: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident. 
+section-code: pi_b_6 +type: control-group +tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_deletion_protection_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml index c4f07b90a..2d2791c96 100644 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml 
@@ -1,73 +1,73 @@ -framework: - id: aws_foundational_security - title: AWS Foundational Security Best Practices - description: The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices. - section-code: aws_foundational_security - tags: - aws_foundational_security: - - "true" - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_foundational_security_account - - id: aws_foundational_security_acm - - id: aws_foundational_security_apigateway - - id: aws_foundational_security_appsync - - id: aws_foundational_security_athena - - id: aws_foundational_security_autoscaling - - id: aws_foundational_security_backup - - id: aws_foundational_security_cloudformation - - id: aws_foundational_security_cloudfront - - id: aws_foundational_security_cloudtrail - - id: aws_foundational_security_codebuild - - id: aws_foundational_security_config - - id: aws_foundational_security_dms - - id: aws_foundational_security_docdb - - id: aws_foundational_security_dynamodb - - id: aws_foundational_security_ec2 - - id: aws_foundational_security_ecr - - id: aws_foundational_security_ecs - - id: aws_foundational_security_efs - - id: aws_foundational_security_eks - - id: aws_foundational_security_elasticache - - id: aws_foundational_security_elasticbeanstalk - - id: aws_foundational_security_elb - - id: aws_foundational_security_emr - - id: aws_foundational_security_es - - id: aws_foundational_security_eventbridge - - id: aws_foundational_security_fsx - - id: aws_foundational_security_guardduty - - id: aws_foundational_security_iam - - id: aws_foundational_security_kinesis - - id: aws_foundational_security_kms - - id: aws_foundational_security_lambda - - id: 
aws_foundational_security_msk - - id: aws_foundational_security_neptune - - id: aws_foundational_security_networkfirewall - - id: aws_foundational_security_opensearch - - id: aws_foundational_security_pca - - id: aws_foundational_security_rds - - id: aws_foundational_security_redshift - - id: aws_foundational_security_route53 - - id: aws_foundational_security_s3 - - id: aws_foundational_security_sagemaker - - id: aws_foundational_security_secretsmanager - - id: aws_foundational_security_sfn - - id: aws_foundational_security_sns - - id: aws_foundational_security_sqs - - id: aws_foundational_security_ssm - - id: aws_foundational_security_waf +id: aws_foundational_security +title: AWS Foundational Security Best Practices +description: The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices. +section-code: aws_foundational_security +type: framework +tags: + aws_foundational_security: + - "true" + category: + - Compliance + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_foundational_security_account +- id: aws_foundational_security_acm +- id: aws_foundational_security_apigateway +- id: aws_foundational_security_appsync +- id: aws_foundational_security_athena +- id: aws_foundational_security_autoscaling +- id: aws_foundational_security_backup +- id: aws_foundational_security_cloudformation +- id: aws_foundational_security_cloudfront +- id: aws_foundational_security_cloudtrail +- id: aws_foundational_security_codebuild +- id: aws_foundational_security_config +- id: aws_foundational_security_dms +- id: aws_foundational_security_docdb +- id: aws_foundational_security_dynamodb +- id: aws_foundational_security_ec2 +- id: aws_foundational_security_ecr +- id: 
aws_foundational_security_ecs +- id: aws_foundational_security_efs +- id: aws_foundational_security_eks +- id: aws_foundational_security_elasticache +- id: aws_foundational_security_elasticbeanstalk +- id: aws_foundational_security_elb +- id: aws_foundational_security_emr +- id: aws_foundational_security_es +- id: aws_foundational_security_eventbridge +- id: aws_foundational_security_fsx +- id: aws_foundational_security_guardduty +- id: aws_foundational_security_iam +- id: aws_foundational_security_kinesis +- id: aws_foundational_security_kms +- id: aws_foundational_security_lambda +- id: aws_foundational_security_msk +- id: aws_foundational_security_neptune +- id: aws_foundational_security_networkfirewall +- id: aws_foundational_security_opensearch +- id: aws_foundational_security_pca +- id: aws_foundational_security_rds +- id: aws_foundational_security_redshift +- id: aws_foundational_security_route53 +- id: aws_foundational_security_s3 +- id: aws_foundational_security_sagemaker +- id: aws_foundational_security_secretsmanager +- id: aws_foundational_security_sfn +- id: aws_foundational_security_sns +- id: aws_foundational_security_sqs +- id: aws_foundational_security_ssm +- id: aws_foundational_security_waf diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml index 331db2033..cfba9be16 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml 
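Review bot: The `control-group:` child list on the new side of this hunk (`- id: aws_foundational_security_account` through `- id: aws_foundational_security_waf`) lists bare ids with no `type` key, whereas the same commit adds `type: ""` to the equivalent child entries in the aws_ffiec_d_5_er.yaml and aws_ffiec_d_5_ir.yaml hunks. The two conventions cannot both be what the loader expects: if child references need a `type`, these forty-odd entries are missing it; if they do not, the `type: ""` elsewhere is leftover placeholder output. Pick one form and apply it across the framework files so a strict schema validator does not accept one and reject the other — which form is correct depends on the loader, which is not visible here.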
@@ -1,18 +1,18 @@ -control-group: - id: aws_foundational_security_account - title: Account - description: Account - section-code: account - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Account - type: - - Benchmark - controls: - - aws_foundational_security_account_1 +id: aws_foundational_security_account +title: Account +description: Account +section-code: account +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Account + type: + - Benchmark +controls: +- aws_foundational_security_account_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml index df838763d..b4bdf1f30 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_foundational_security_acm - title: ACM - description: ACM - section-code: acm - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ACM - type: - - Benchmark - controls: - - aws_foundational_security_acm_1 - - aws_foundational_security_acm_2 +id: aws_foundational_security_acm +title: ACM +description: ACM +section-code: acm +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ACM + type: + - Benchmark +controls: +- aws_foundational_security_acm_1 +- aws_foundational_security_acm_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml index 960bff005..2db15e5f7 100755 
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml @@ -1,24 +1,24 @@ -control-group: - id: aws_foundational_security_apigateway - title: API Gateway - description: API Gateway - section-code: apigateway - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/APIGateway - type: - - Benchmark - controls: - - aws_foundational_security_apigateway_1 - - aws_foundational_security_apigateway_2 - - aws_foundational_security_apigateway_3 - - aws_foundational_security_apigateway_4 - - aws_foundational_security_apigateway_5 - - aws_foundational_security_apigateway_8 - - aws_foundational_security_apigateway_9 +id: aws_foundational_security_apigateway +title: API Gateway +description: API Gateway +section-code: apigateway +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/APIGateway + type: + - Benchmark +controls: +- aws_foundational_security_apigateway_1 +- aws_foundational_security_apigateway_2 +- aws_foundational_security_apigateway_3 +- aws_foundational_security_apigateway_4 +- aws_foundational_security_apigateway_5 +- aws_foundational_security_apigateway_8 +- aws_foundational_security_apigateway_9 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml index 6ef611b15..01538e758 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml 
@@ -1,7 +1,7 @@ -control-group: - id: aws_foundational_security_appsync - title: AppSync - description: AppSync - section-code: appsync - controls: - - aws_foundational_security_appsync_2 +id: aws_foundational_security_appsync +title: AppSync +description: AppSync +section-code: appsync +type: control-group +controls: +- aws_foundational_security_appsync_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml index 94ac27234..c335f7d9b 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml @@ -1,7 +1,7 @@ -control-group: - id: aws_foundational_security_athena - title: Athena - description: Athena - section-code: athena - controls: - - aws_foundational_security_athena_1 +id: aws_foundational_security_athena +title: Athena +description: Athena +section-code: athena +type: control-group +controls: +- aws_foundational_security_athena_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml index c13e7612a..00e598e67 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_foundational_security_autoscaling - title: Auto Scaling - description: Auto Scaling - section-code: autoscaling - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/AutoScaling - type: - - Benchmark - controls: - - aws_foundational_security_autoscaling_1 - - aws_foundational_security_autoscaling_2 - - aws_foundational_security_autoscaling_3 - - aws_foundational_security_autoscaling_4 - - aws_foundational_security_autoscaling_5 - - aws_foundational_security_autoscaling_6 - - aws_foundational_security_autoscaling_9 +id: aws_foundational_security_autoscaling +title: Auto Scaling +description: Auto Scaling +section-code: autoscaling +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/AutoScaling + type: + - Benchmark +controls: +- aws_foundational_security_autoscaling_1 +- aws_foundational_security_autoscaling_2 +- aws_foundational_security_autoscaling_3 +- aws_foundational_security_autoscaling_4 +- aws_foundational_security_autoscaling_5 +- aws_foundational_security_autoscaling_6 +- aws_foundational_security_autoscaling_9 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml index 1f4c6b3c0..18790d2de 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml @@ -1,7 +1,7 @@ -control-group: - id: aws_foundational_security_backup - title: Backup - description: Backup - section-code: backup - controls: - - aws_foundational_security_backup_1 +id: aws_foundational_security_backup +title: Backup +description: Backup +section-code: backup +type: control-group +controls: +- aws_foundational_security_backup_1 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml index 05c3eaa02..521a0bdef 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_foundational_security_cloudformation - title: CloudFormation - description: CloudFormation - section-code: cloudformation - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/CloudFormation - type: - - Benchmark - controls: - - aws_foundational_security_cloudformation_1 +id: aws_foundational_security_cloudformation +title: CloudFormation +description: CloudFormation +section-code: cloudformation +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/CloudFormation + type: + - Benchmark +controls: +- aws_foundational_security_cloudformation_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml index 53a4eaa98..57ef980a1 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_foundational_security_cloudfront - title: CloudFront - description: CloudFront - section-code: cloudfront - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/CloudFront - type: - - Benchmark - controls: - - aws_foundational_security_cloudfront_1 - - aws_foundational_security_cloudfront_3 - - aws_foundational_security_cloudfront_4 - - aws_foundational_security_cloudfront_5 - - aws_foundational_security_cloudfront_6 - - aws_foundational_security_cloudfront_7 - - aws_foundational_security_cloudfront_8 - - aws_foundational_security_cloudfront_10 - - aws_foundational_security_cloudfront_12 +id: aws_foundational_security_cloudfront +title: CloudFront +description: CloudFront +section-code: cloudfront +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/CloudFront + type: + - Benchmark +controls: +- aws_foundational_security_cloudfront_1 +- aws_foundational_security_cloudfront_3 +- aws_foundational_security_cloudfront_4 +- aws_foundational_security_cloudfront_5 +- aws_foundational_security_cloudfront_6 +- aws_foundational_security_cloudfront_7 +- aws_foundational_security_cloudfront_8 +- aws_foundational_security_cloudfront_10 +- aws_foundational_security_cloudfront_12 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml index b5a4388a9..4ebbe44d2 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_foundational_security_cloudtrail - title: CloudTrail - description: CloudTrail - section-code: cloudtrail - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_foundational_security_cloudtrail_1 - - aws_foundational_security_cloudtrail_2 - - aws_foundational_security_cloudtrail_4 - - aws_foundational_security_cloudtrail_5 +id: aws_foundational_security_cloudtrail +title: CloudTrail +description: CloudTrail +section-code: cloudtrail +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_foundational_security_cloudtrail_1 +- aws_foundational_security_cloudtrail_2 +- aws_foundational_security_cloudtrail_4 +- aws_foundational_security_cloudtrail_5 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml index 13cb66bed..bb9d61406 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_foundational_security_codebuild - title: CodeBuild - description: CodeBuild - section-code: codebuild - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/CodeBuild - type: - - Benchmark - controls: - - aws_foundational_security_codebuild_1 - - aws_foundational_security_codebuild_2 - - aws_foundational_security_codebuild_3 - - aws_foundational_security_codebuild_4 - - aws_foundational_security_codebuild_5 +id: aws_foundational_security_codebuild +title: CodeBuild +description: CodeBuild +section-code: codebuild +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/CodeBuild + type: + - Benchmark +controls: +- aws_foundational_security_codebuild_1 +- aws_foundational_security_codebuild_2 +- aws_foundational_security_codebuild_3 +- aws_foundational_security_codebuild_4 +- aws_foundational_security_codebuild_5 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml index 6c40255ea..821ff7d53 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_foundational_security_config - title: Config - description: Config - section-code: config - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Config - type: - - Benchmark - controls: - - aws_foundational_security_config_1 +id: aws_foundational_security_config +title: Config +description: Config +section-code: config +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Config + type: + - Benchmark +controls: +- aws_foundational_security_config_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml index 606b2e1ac..8e6a477b6 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml @@ -1,21 +1,21 @@ -control-group: - id: aws_foundational_security_dms - title: DMS - description: DMS - section-code: dms - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/DMS - type: - - Benchmark - controls: - - aws_foundational_security_dms_1 - - aws_foundational_security_dms_6 - - aws_foundational_security_dms_8 - - aws_foundational_security_dms_9 +id: aws_foundational_security_dms +title: DMS +description: DMS +section-code: dms +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/DMS + type: + - Benchmark +controls: +- aws_foundational_security_dms_1 +- aws_foundational_security_dms_6 +- aws_foundational_security_dms_8 +- aws_foundational_security_dms_9 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml index 47d3a64f1..2891dad56 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml @@ -1,10 +1,10 @@ -control-group: - id: aws_foundational_security_docdb - title: DocumentDB - description: DocumentDB - section-code: docdb - controls: - - aws_foundational_security_docdb_1 - - aws_foundational_security_docdb_2 - - aws_foundational_security_docdb_4 - - aws_foundational_security_docdb_5 +id: aws_foundational_security_docdb +title: DocumentDB +description: DocumentDB +section-code: docdb +type: control-group +controls: +- aws_foundational_security_docdb_1 +- aws_foundational_security_docdb_2 +- aws_foundational_security_docdb_4 +- aws_foundational_security_docdb_5 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml index 2445fbcb6..3a7581666 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_foundational_security_dynamodb - title: DynamoDB - description: DynamoDB - section-code: dynamodb - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/DynamoDB - type: - - Benchmark - controls: - - aws_foundational_security_dynamodb_1 - - aws_foundational_security_dynamodb_2 - - aws_foundational_security_dynamodb_3 - - aws_foundational_security_dynamodb_6 +id: aws_foundational_security_dynamodb +title: DynamoDB +description: DynamoDB +section-code: dynamodb +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/DynamoDB + type: + - Benchmark +controls: +- aws_foundational_security_dynamodb_1 +- aws_foundational_security_dynamodb_2 +- aws_foundational_security_dynamodb_3 +- aws_foundational_security_dynamodb_6 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml index 7c185076d..75d66c76b 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_foundational_security_ec2 - title: EC2 - description: EC2 - section-code: ec2 - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/EC2 - type: - - Benchmark - controls: - - aws_foundational_security_ec2_1 - - aws_foundational_security_ec2_2 - - aws_foundational_security_ec2_3 - - aws_foundational_security_ec2_4 - - aws_foundational_security_ec2_7 - - aws_foundational_security_ec2_8 - - aws_foundational_security_ec2_9 - - aws_foundational_security_ec2_15 - - aws_foundational_security_ec2_16 - - aws_foundational_security_ec2_17 - - aws_foundational_security_ec2_18 - - aws_foundational_security_ec2_19 - - aws_foundational_security_ec2_20 - - aws_foundational_security_ec2_23 - - aws_foundational_security_ec2_24 - - aws_foundational_security_ec2_51 +id: aws_foundational_security_ec2 +title: EC2 +description: EC2 +section-code: ec2 +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/EC2 + type: + - Benchmark +controls: +- aws_foundational_security_ec2_1 +- aws_foundational_security_ec2_2 +- aws_foundational_security_ec2_3 +- aws_foundational_security_ec2_4 +- aws_foundational_security_ec2_7 +- aws_foundational_security_ec2_8 +- aws_foundational_security_ec2_9 +- aws_foundational_security_ec2_15 +- aws_foundational_security_ec2_16 +- aws_foundational_security_ec2_17 +- aws_foundational_security_ec2_18 +- aws_foundational_security_ec2_19 +- aws_foundational_security_ec2_20 +- aws_foundational_security_ec2_23 +- aws_foundational_security_ec2_24 +- aws_foundational_security_ec2_51 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml index 276cc1a4c..5cf135286 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml 
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml @@ -1,20 +1,20 @@ -control-group: - id: aws_foundational_security_ecr - title: Elastic Container Registry - description: Elastic Container Registry - section-code: ecr - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ECR - type: - - Benchmark - controls: - - aws_foundational_security_ecr_1 - - aws_foundational_security_ecr_2 - - aws_foundational_security_ecr_3 +id: aws_foundational_security_ecr +title: Elastic Container Registry +description: Elastic Container Registry +section-code: ecr +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ECR + type: + - Benchmark +controls: +- aws_foundational_security_ecr_1 +- aws_foundational_security_ecr_2 +- aws_foundational_security_ecr_3 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml index 33d33990a..355db9506 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_foundational_security_ecs - title: Elastic Container Service - description: Elastic Container Service - section-code: ecs - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ECS - type: - - Benchmark - controls: - - aws_foundational_security_ecs_1 - - aws_foundational_security_ecs_2 - - aws_foundational_security_ecs_3 - - aws_foundational_security_ecs_4 - - aws_foundational_security_ecs_5 - - aws_foundational_security_ecs_8 - - aws_foundational_security_ecs_9 - - aws_foundational_security_ecs_10 - - aws_foundational_security_ecs_12 +id: aws_foundational_security_ecs +title: Elastic Container Service +description: Elastic Container Service +section-code: ecs +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ECS + type: + - Benchmark +controls: +- aws_foundational_security_ecs_1 +- aws_foundational_security_ecs_2 +- aws_foundational_security_ecs_3 +- aws_foundational_security_ecs_4 +- aws_foundational_security_ecs_5 +- aws_foundational_security_ecs_8 +- aws_foundational_security_ecs_9 +- aws_foundational_security_ecs_10 +- aws_foundational_security_ecs_12 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml index e888ac840..e59c83fb3 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_foundational_security_efs - title: EFS - description: EFS - section-code: efs - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/EFS - type: - - Benchmark - controls: - - aws_foundational_security_efs_1 - - aws_foundational_security_efs_2 - - aws_foundational_security_efs_3 - - aws_foundational_security_efs_4 +id: aws_foundational_security_efs +title: EFS +description: EFS +section-code: efs +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/EFS + type: + - Benchmark +controls: +- aws_foundational_security_efs_1 +- aws_foundational_security_efs_2 +- aws_foundational_security_efs_3 +- aws_foundational_security_efs_4 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml index 4dc33ecb3..8fe837a35 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml @@ -1,20 +1,20 @@ -control-group: - id: aws_foundational_security_eks - title: EKS - description: EKS - section-code: eks - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/EKS - type: - - Benchmark - controls: - - aws_foundational_security_eks_1 - - aws_foundational_security_eks_2 - - aws_foundational_security_eks_8 +id: aws_foundational_security_eks +title: EKS +description: EKS +section-code: eks +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/EKS + type: + - Benchmark +controls: +- aws_foundational_security_eks_1 +- aws_foundational_security_eks_2 +- aws_foundational_security_eks_8 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml index f24c4216c..cfde33fb4 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml @@ -1,24 +1,24 @@ -control-group: - id: aws_foundational_security_elasticache - title: ElastiCache - description: ElastiCache - section-code: elasticache - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ElastiCache - type: - - Benchmark - controls: - - aws_foundational_security_elasticache_1 - - aws_foundational_security_elasticache_2 - - aws_foundational_security_elasticache_3 - - aws_foundational_security_elasticache_4 - - aws_foundational_security_elasticache_5 - - aws_foundational_security_elasticache_6 - - aws_foundational_security_elasticache_7 +id: aws_foundational_security_elasticache +title: ElastiCache +description: ElastiCache +section-code: elasticache +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ElastiCache + type: + - Benchmark +controls: +- aws_foundational_security_elasticache_1 +- aws_foundational_security_elasticache_2 +- aws_foundational_security_elasticache_3 +- aws_foundational_security_elasticache_4 +- aws_foundational_security_elasticache_5 +- aws_foundational_security_elasticache_6 +- aws_foundational_security_elasticache_7 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml index 0b780c31d..083b9f91a 100755 
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_foundational_security_elasticbeanstalk - title: Elastic Beanstalk - description: Elastic Beanstalk - section-code: elasticbeanstalk - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ElasticBeanstalk - type: - - Benchmark - controls: - - aws_foundational_security_elasticbeanstalk_1 - - aws_foundational_security_elasticbeanstalk_3 +id: aws_foundational_security_elasticbeanstalk +title: Elastic Beanstalk +description: Elastic Beanstalk +section-code: elasticbeanstalk +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ElasticBeanstalk + type: + - Benchmark +controls: +- aws_foundational_security_elasticbeanstalk_1 +- aws_foundational_security_elasticbeanstalk_3 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml index da636ab71..84111e6b2 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_foundational_security_elb - title: ELB - description: ELB - section-code: elb - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/ELB - type: - - Benchmark - controls: - - aws_foundational_security_elb_1 - - aws_foundational_security_elb_2 - - aws_foundational_security_elb_4 - - aws_foundational_security_elb_6 - - aws_foundational_security_elb_7 - - aws_foundational_security_elb_9 - - aws_foundational_security_elb_10 - - aws_foundational_security_elb_12 - - aws_foundational_security_elb_14 +id: aws_foundational_security_elb +title: ELB +description: ELB +section-code: elb +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/ELB + type: + - Benchmark +controls: +- aws_foundational_security_elb_1 +- aws_foundational_security_elb_2 +- aws_foundational_security_elb_4 +- aws_foundational_security_elb_6 +- aws_foundational_security_elb_7 +- aws_foundational_security_elb_9 +- aws_foundational_security_elb_10 +- aws_foundational_security_elb_12 +- aws_foundational_security_elb_14 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml index 10f90c038..8190e3678 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_foundational_security_emr - title: EMR - description: EMR - section-code: emr - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/EMR - type: - - Benchmark - controls: - - aws_foundational_security_emr_1 - - aws_foundational_security_emr_2 +id: aws_foundational_security_emr +title: EMR +description: EMR +section-code: emr +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/EMR + type: + - Benchmark +controls: +- aws_foundational_security_emr_1 +- aws_foundational_security_emr_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml index 25574c93e..7b40c21fd 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml 
@@ -1,25 +1,25 @@
-control-group:
- id: aws_foundational_security_es
- title: Elasticsearch
- description: Elasticsearch
- section-code: es
- tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ES
- type:
- - Benchmark
- controls:
- - aws_foundational_security_es_1
- - aws_foundational_security_es_2
- - aws_foundational_security_es_3
- - aws_foundational_security_es_4
- - aws_foundational_security_es_5
- - aws_foundational_security_es_6
- - aws_foundational_security_es_7
- - aws_foundational_security_es_8
+id: aws_foundational_security_es
+title: Elasticsearch
+description: Elasticsearch
+section-code: es
+type: control-group
+tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ES
+ type:
+ - Benchmark
+controls:
+- aws_foundational_security_es_1
+- aws_foundational_security_es_2
+- aws_foundational_security_es_3
+- aws_foundational_security_es_4
+- aws_foundational_security_es_5
+- aws_foundational_security_es_6
+- aws_foundational_security_es_7
+- aws_foundational_security_es_8
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
index c138e7730..6da0b3cb2 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_foundational_security_eventbridge
- title: EventBridge
- description: EventBridge
- section-code: eventbridge
- controls:
- - aws_foundational_security_eventbridge_3
+id: aws_foundational_security_eventbridge
+title: EventBridge
+description: EventBridge
+section-code: eventbridge
+type: control-group
+controls:
+- aws_foundational_security_eventbridge_3
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
index 5323c0447..e59db34dc 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_foundational_security_fsx
- title: FSx
- description: FSx
- section-code: fsx
- controls:
- - aws_foundational_security_fsx_1
+id: aws_foundational_security_fsx
+title: FSx
+description: FSx
+section-code: fsx
+type: control-group
+controls:
+- aws_foundational_security_fsx_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
index 520a9a983..0a612cb04 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: aws_foundational_security_guardduty
- title: GuardDuty
- description: GuardDuty
- section-code: guardduty
- tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+id: aws_foundational_security_guardduty
+title: GuardDuty
+description: GuardDuty
+section-code: guardduty
+type: control-group
+tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml
index 3d07d0f90..8fd5792ad 100755
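Review bot: The guardduty group still has no `controls:` list on the new side, so after this restructuring it is a fully tagged but empty control-group: a framework run will evaluate nothing for GuardDuty while the section still appears in the benchmark, which readers can mistake for coverage of the detection-service checks. Either attach the GuardDuty controls this framework is meant to include, or drop the group until there are controls to reference, and in the meantime a comment such as `# no controls attached yet; this section reports no findings` would make the gap explicit. If the loader treats a missing `controls` key as an error rather than an empty list, this file would also fail to load — worth confirming.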
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml @@ -1,24 +1,24 @@ -control-group: - id: aws_foundational_security_iam - title: IAM - description: IAM - section-code: iam - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_foundational_security_iam_1 - - aws_foundational_security_iam_2 - - aws_foundational_security_iam_3 - - aws_foundational_security_iam_4 - - aws_foundational_security_iam_5 - - aws_foundational_security_iam_8 - - aws_foundational_security_iam_21 +id: aws_foundational_security_iam +title: IAM +description: IAM +section-code: iam +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_foundational_security_iam_1 +- aws_foundational_security_iam_2 +- aws_foundational_security_iam_3 +- aws_foundational_security_iam_4 +- aws_foundational_security_iam_5 +- aws_foundational_security_iam_8 +- aws_foundational_security_iam_21 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml index 6d0ddc2f4..edbee25db 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_foundational_security_kinesis - title: Kinesis - description: Kinesis - section-code: kinesis - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Kinesis - type: - - Benchmark - controls: - - aws_foundational_security_kinesis_1 +id: aws_foundational_security_kinesis +title: Kinesis +description: Kinesis +section-code: kinesis +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Kinesis + type: + - Benchmark +controls: +- aws_foundational_security_kinesis_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml index b61240a90..89905850a 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_foundational_security_kms - title: KMS - description: KMS - section-code: kms - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/KMS - type: - - Benchmark - controls: - - aws_foundational_security_kms_1 - - aws_foundational_security_kms_3 +id: aws_foundational_security_kms +title: KMS +description: KMS +section-code: kms +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/KMS + type: + - Benchmark +controls: +- aws_foundational_security_kms_1 +- aws_foundational_security_kms_3 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml index b78adb3f3..39cc2e434 100755 
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_foundational_security_lambda
- title: Lambda
- description: Lambda
- section-code: lambda
- tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/Lambda
- type:
- - Benchmark
- controls:
- - aws_foundational_security_lambda_1
- - aws_foundational_security_lambda_2
+id: aws_foundational_security_lambda
+title: Lambda
+description: Lambda
+section-code: lambda
+type: control-group
+tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/Lambda
+ type:
+ - Benchmark
+controls:
+- aws_foundational_security_lambda_1
+- aws_foundational_security_lambda_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml
index 13a083f03..008a2c3c0 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_foundational_security_msk
- title: MSK
- description: MSK
- section-code: msk
- controls:
- - aws_foundational_security_msk_1
+id: aws_foundational_security_msk
+title: MSK
+description: MSK
+section-code: msk
+type: control-group
+controls:
+- aws_foundational_security_msk_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml
index 6e18d4503..ac9ad31b5 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml @@ -1,14 +1,14 @@ -control-group: - id: aws_foundational_security_neptune - title: Neptune - description: Neptune - section-code: neptune - controls: - - aws_foundational_security_neptune_1 - - aws_foundational_security_neptune_2 - - aws_foundational_security_neptune_3 - - aws_foundational_security_neptune_4 - - aws_foundational_security_neptune_5 - - aws_foundational_security_neptune_6 - - aws_foundational_security_neptune_7 - - aws_foundational_security_neptune_8 +id: aws_foundational_security_neptune +title: Neptune +description: Neptune +section-code: neptune +type: control-group +controls: +- aws_foundational_security_neptune_1 +- aws_foundational_security_neptune_2 +- aws_foundational_security_neptune_3 +- aws_foundational_security_neptune_4 +- aws_foundational_security_neptune_5 +- aws_foundational_security_neptune_6 +- aws_foundational_security_neptune_7 +- aws_foundational_security_neptune_8 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml index 8cc99a39b..c491c45d2 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml 
@@ -1,23 +1,23 @@ -control-group: - id: aws_foundational_security_networkfirewall - title: Network Firewall - description: Network Firewall - section-code: networkfirewall - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/NetworkFirewall - type: - - Benchmark - controls: - - aws_foundational_security_networkfirewall_2 - - aws_foundational_security_networkfirewall_3 - - aws_foundational_security_networkfirewall_4 - - aws_foundational_security_networkfirewall_5 - - aws_foundational_security_networkfirewall_6 - - aws_foundational_security_networkfirewall_9 +id: aws_foundational_security_networkfirewall +title: Network Firewall +description: Network Firewall +section-code: networkfirewall +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/NetworkFirewall + type: + - Benchmark +controls: +- aws_foundational_security_networkfirewall_2 +- aws_foundational_security_networkfirewall_3 +- aws_foundational_security_networkfirewall_4 +- aws_foundational_security_networkfirewall_5 +- aws_foundational_security_networkfirewall_6 +- aws_foundational_security_networkfirewall_9 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml index bd1f1eedb..18c4f5617 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_foundational_security_opensearch - title: Opensearch - description: Opensearch - section-code: opensearch - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/OpenSearch - type: - - Benchmark - controls: - - aws_foundational_security_opensearch_1 - - aws_foundational_security_opensearch_2 - - aws_foundational_security_opensearch_3 - - aws_foundational_security_opensearch_4 - - aws_foundational_security_opensearch_5 - - aws_foundational_security_opensearch_6 - - aws_foundational_security_opensearch_7 - - aws_foundational_security_opensearch_8 - - aws_foundational_security_opensearch_10 +id: aws_foundational_security_opensearch +title: Opensearch +description: Opensearch +section-code: opensearch +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/OpenSearch + type: + - Benchmark +controls: +- aws_foundational_security_opensearch_1 +- aws_foundational_security_opensearch_2 +- aws_foundational_security_opensearch_3 +- aws_foundational_security_opensearch_4 +- aws_foundational_security_opensearch_5 +- aws_foundational_security_opensearch_6 +- aws_foundational_security_opensearch_7 +- aws_foundational_security_opensearch_8 +- aws_foundational_security_opensearch_10 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml index f4d2b7f45..cc80c1207 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml 
@@ -1,7 +1,7 @@
-control-group:
- id: aws_foundational_security_pca
- title: Private Certificate Authority
- description: Private Certificate Authority
- section-code: pca
- controls:
- - aws_foundational_security_pca_1
+id: aws_foundational_security_pca
+title: Private Certificate Authority
+description: Private Certificate Authority
+section-code: pca
+type: control-group
+controls:
+- aws_foundational_security_pca_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml
index edb122419..4d737916e 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml
@@ -1,31 +1,31 @@ -control-group: - id: aws_foundational_security_rds - title: RDS - description: RDS - section-code: rds - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/RDS - type: - - Benchmark - controls: - - aws_foundational_security_rds_2 - - aws_foundational_security_rds_3 - - aws_foundational_security_rds_5 - - aws_foundational_security_rds_7 - - aws_foundational_security_rds_8 - - aws_foundational_security_rds_9 - - aws_foundational_security_rds_20 - - aws_foundational_security_rds_21 - - aws_foundational_security_rds_22 - - aws_foundational_security_rds_24 - - aws_foundational_security_rds_25 - - aws_foundational_security_rds_27 - - aws_foundational_security_rds_34 - - aws_foundational_security_rds_35 +id: aws_foundational_security_rds +title: RDS +description: RDS +section-code: rds +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/RDS + type: + - Benchmark +controls: +- aws_foundational_security_rds_2 +- aws_foundational_security_rds_3 +- aws_foundational_security_rds_5 +- aws_foundational_security_rds_7 +- aws_foundational_security_rds_8 +- aws_foundational_security_rds_9 +- aws_foundational_security_rds_20 +- aws_foundational_security_rds_21 +- aws_foundational_security_rds_22 +- aws_foundational_security_rds_24 +- aws_foundational_security_rds_25 +- aws_foundational_security_rds_27 +- aws_foundational_security_rds_34 +- aws_foundational_security_rds_35 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml index 0596b29f7..680b0ea0c 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_foundational_security_redshift - title: Redshift - description: Redshift - section-code: redshift - tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Redshift - type: - - Benchmark - controls: - - aws_foundational_security_redshift_1 - - aws_foundational_security_redshift_2 - - aws_foundational_security_redshift_3 - - aws_foundational_security_redshift_4 - - aws_foundational_security_redshift_6 - - aws_foundational_security_redshift_7 - - aws_foundational_security_redshift_8 - - aws_foundational_security_redshift_9 - - aws_foundational_security_redshift_10 +id: aws_foundational_security_redshift +title: Redshift +description: Redshift +section-code: redshift +type: control-group +tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Redshift + type: + - Benchmark +controls: +- aws_foundational_security_redshift_1 +- aws_foundational_security_redshift_2 +- aws_foundational_security_redshift_3 +- aws_foundational_security_redshift_4 +- aws_foundational_security_redshift_6 +- aws_foundational_security_redshift_7 +- aws_foundational_security_redshift_8 +- aws_foundational_security_redshift_9 +- aws_foundational_security_redshift_10 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml index 8365981a1..07c580953 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml 
@@ -1,7 +1,7 @@
-control-group:
-  id: aws_foundational_security_route53
-  title: Route53
-  description: Route53
-  section-code: route53
-  controls:
-    - aws_foundational_security_route53_2
+id: aws_foundational_security_route53
+title: Route53
+description: Route53
+section-code: route53
+type: control-group
+controls:
+- aws_foundational_security_route53_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml
index 911ca174f..b128b1f9b 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml
@@ -1,27 +1,27 @@
-control-group:
-  id: aws_foundational_security_s3
-  title: S3
-  description: S3
-  section-code: s3
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/S3
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_s3_1
-    - aws_foundational_security_s3_5
-    - aws_foundational_security_s3_6
-    - aws_foundational_security_s3_8
-    - aws_foundational_security_s3_9
-    - aws_foundational_security_s3_10
-    - aws_foundational_security_s3_11
-    - aws_foundational_security_s3_12
-    - aws_foundational_security_s3_13
-    - aws_foundational_security_s3_19
+id: aws_foundational_security_s3
+title: S3
+description: S3
+section-code: s3
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/S3
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_s3_1
+- aws_foundational_security_s3_5
+- aws_foundational_security_s3_6
+- aws_foundational_security_s3_8
+- aws_foundational_security_s3_9
+- aws_foundational_security_s3_10
+- aws_foundational_security_s3_11
+- aws_foundational_security_s3_12
+- aws_foundational_security_s3_13
+- aws_foundational_security_s3_19
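Review bot: The rewritten route53 control-group still has no `tags:` block, while every sibling group in this directory (rds, redshift, s3 in the neighbouring hunks) tags itself with `aws_foundational_security: "true"`, `category`, `plugin`, `service` and `type`; the sfn group further down has the same gap. If the benchmark or any reporting layer selects groups by tag, these two groups and the controls they reference would be silently left out of the AWS Foundational Security roll-up, which is exactly the kind of coverage hole a compliance catalogue should not have. Since the commit already rewrites both files top to bottom, it is the natural place to add the block, mirroring the sibling files and filling in the service label the catalogue uses for Route 53 and Step Functions. Whether tag-based selection is actually used cannot be confirmed from the diff alone, so this may be a consistency point rather than a functional one.
```yaml
section-code: route53
type: control-group
tags:
  aws_foundational_security:
  - "true"
  category:
  - Compliance
  plugin:
  - aws
  service:
  - <SERVICE_LABEL_FOR_ROUTE53>   # placeholder: use the label the catalogue expects
  type:
  - Benchmark
# … unchanged: controls list …
```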
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml
index 07fe20acb..45f006dbd 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml
@@ -1,20 +1,20 @@
-control-group:
-  id: aws_foundational_security_sagemaker
-  title: SageMaker
-  description: SageMaker
-  section-code: sagemaker
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/SageMaker
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_sagemaker_1
-    - aws_foundational_security_sagemaker_2
-    - aws_foundational_security_sagemaker_3
+id: aws_foundational_security_sagemaker
+title: SageMaker
+description: SageMaker
+section-code: sagemaker
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/SageMaker
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_sagemaker_1
+- aws_foundational_security_sagemaker_2
+- aws_foundational_security_sagemaker_3
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml
index 085b17d4a..a75b840b2 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml
@@ -1,21 +1,21 @@
-control-group:
-  id: aws_foundational_security_secretsmanager
-  title: Secrets Manager
-  description: Secrets Manager
-  section-code: secretsmanager
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/SecretsManager
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_secretsmanager_1
-    - aws_foundational_security_secretsmanager_2
-    - aws_foundational_security_secretsmanager_3
-    - aws_foundational_security_secretsmanager_4
+id: aws_foundational_security_secretsmanager
+title: Secrets Manager
+description: Secrets Manager
+section-code: secretsmanager
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/SecretsManager
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_secretsmanager_1
+- aws_foundational_security_secretsmanager_2
+- aws_foundational_security_secretsmanager_3
+- aws_foundational_security_secretsmanager_4
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml
index 98cc040be..0a20b9b03 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml
@@ -1,7 +1,7 @@
-control-group:
-  id: aws_foundational_security_sfn
-  title: Step Functions
-  description: Step Functions
-  section-code: sfn
-  controls:
-    - aws_foundational_security_sfn_1
+id: aws_foundational_security_sfn
+title: Step Functions
+description: Step Functions
+section-code: sfn
+type: control-group
+controls:
+- aws_foundational_security_sfn_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml
index ab57f2bc6..47350fa71 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml
@@ -1,19 +1,19 @@
-control-group:
-  id: aws_foundational_security_sns
-  title: SNS
-  description: SNS
-  section-code: sns
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/SNS
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_sns_1
-    - aws_foundational_security_sns_2
+id: aws_foundational_security_sns
+title: SNS
+description: SNS
+section-code: sns
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/SNS
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_sns_1
+- aws_foundational_security_sns_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml
index e75fedcd7..26b5764f5 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml
@@ -1,18 +1,18 @@
-control-group:
-  id: aws_foundational_security_sqs
-  title: SQS
-  description: SQS
-  section-code: sqs
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/SQS
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_sqs_1
+id: aws_foundational_security_sqs
+title: SQS
+description: SQS
+section-code: sqs
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/SQS
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_sqs_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml
index 4aaa5e01b..15354f7e3 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml
@@ -1,21 +1,21 @@
-control-group:
-  id: aws_foundational_security_ssm
-  title: SSM
-  description: SSM
-  section-code: ssm
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/SSM
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_ssm_1
-    - aws_foundational_security_ssm_2
-    - aws_foundational_security_ssm_3
-    - aws_foundational_security_ssm_4
+id: aws_foundational_security_ssm
+title: SSM
+description: SSM
+section-code: ssm
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/SSM
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_ssm_1
+- aws_foundational_security_ssm_2
+- aws_foundational_security_ssm_3
+- aws_foundational_security_ssm_4
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml
index 8ad43123e..25f519882 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml
@@ -1,26 +1,26 @@
-control-group:
-  id: aws_foundational_security_waf
-  title: WAF
-  description: WAF
-  section-code: waf
-  tags:
-    aws_foundational_security:
-      - "true"
-    category:
-      - Compliance
-    plugin:
-      - aws
-    service:
-      - AWS/WAF
-    type:
-      - Benchmark
-  controls:
-    - aws_foundational_security_waf_1
-    - aws_foundational_security_waf_2
-    - aws_foundational_security_waf_3
-    - aws_foundational_security_waf_4
-    - aws_foundational_security_waf_6
-    - aws_foundational_security_waf_7
-    - aws_foundational_security_waf_8
-    - aws_foundational_security_waf_10
-    - aws_foundational_security_waf_12
+id: aws_foundational_security_waf
+title: WAF
+description: WAF
+section-code: waf
+type: control-group
+tags:
+  aws_foundational_security:
+  - "true"
+  category:
+  - Compliance
+  plugin:
+  - aws
+  service:
+  - AWS/WAF
+  type:
+  - Benchmark
+controls:
+- aws_foundational_security_waf_1
+- aws_foundational_security_waf_2
+- aws_foundational_security_waf_3
+- aws_foundational_security_waf_4
+- aws_foundational_security_waf_6
+- aws_foundational_security_waf_7
+- aws_foundational_security_waf_8
+- aws_foundational_security_waf_10
+- aws_foundational_security_waf_12
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml
index f97b9ce74..64f54dcd8 100755
--- a/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml
@@ -1,58 +1,58 @@
-control-group:
-  id: aws_article_25
-  title: Article 25 Data protection by design and by default
-  description: Article 25 Data protection by design and by default
-  section-code: aws_article_25
-  tags:
-    category:
-      - Compliance
-    gdpr:
-      - "true"
-    gdpr_article:
-      - "25"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_cloudtrail_bucket_not_public
-    - aws_cloudtrail_multi_region_trail_enabled
-    - aws_cloudtrail_s3_logging_enabled
-    - aws_cloudtrail_trail_integrated_with_logs
-    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-    - aws_cloudtrail_trail_validation_enabled
-    - aws_config_enabled_all_regions
-    - aws_iam_account_password_policy_min_length_14
-    - aws_iam_account_password_policy_one_lowercase_letter
-    - aws_iam_account_password_policy_one_number
-    - aws_iam_account_password_policy_one_symbol
-    - aws_iam_account_password_policy_one_uppercase_letter
-    - aws_iam_account_password_policy_reuse_24
-    - aws_iam_account_password_policy_strong_min_reuse_24
-    - aws_iam_policy_no_star_star
-    - aws_iam_root_user_hardware_mfa_enabled
-    - aws_iam_root_user_mfa_enabled
-    - aws_iam_root_user_no_access_keys
-    - aws_iam_support_role
-    - aws_iam_user_access_key_age_90
-    - aws_iam_user_console_access_mfa_enabled
-    - aws_iam_user_no_inline_attached_policies
-    - aws_iam_user_unused_credentials_90
-    - aws_kms_cmk_rotation_enabled
-    - aws_log_metric_filter_bucket_policy
-    - aws_log_metric_filter_cloudtrail_configuration
-    - aws_log_metric_filter_config_configuration
-    - aws_log_metric_filter_console_authentication_failure
-    - aws_log_metric_filter_console_login_mfa
-    - aws_log_metric_filter_disable_or_delete_cmk
-    - aws_log_metric_filter_iam_policy
-    - aws_log_metric_filter_network_acl
-    - aws_log_metric_filter_network_gateway
-    - aws_log_metric_filter_root_login
-    - aws_log_metric_filter_route_table
-    - aws_log_metric_filter_security_group
-    - aws_log_metric_filter_unauthorized_api
-    - aws_log_metric_filter_vpc
-    - aws_vpc_flow_logs_enabled
+id: aws_article_25
+title: Article 25 Data protection by design and by default
+description: Article 25 Data protection by design and by default
+section-code: aws_article_25
+type: control-group
+tags:
+  category:
+  - Compliance
+  gdpr:
+  - "true"
+  gdpr_article:
+  - "25"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_cloudtrail_bucket_not_public
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_logging_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_config_enabled_all_regions
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_account_password_policy_one_lowercase_letter
+- aws_iam_account_password_policy_one_number
+- aws_iam_account_password_policy_one_symbol
+- aws_iam_account_password_policy_one_uppercase_letter
+- aws_iam_account_password_policy_reuse_24
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_support_role
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_kms_cmk_rotation_enabled
+- aws_log_metric_filter_bucket_policy
+- aws_log_metric_filter_cloudtrail_configuration
+- aws_log_metric_filter_config_configuration
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_console_login_mfa
+- aws_log_metric_filter_disable_or_delete_cmk
+- aws_log_metric_filter_iam_policy
+- aws_log_metric_filter_network_acl
+- aws_log_metric_filter_network_gateway
+- aws_log_metric_filter_root_login
+- aws_log_metric_filter_route_table
+- aws_log_metric_filter_security_group
+- aws_log_metric_filter_unauthorized_api
+- aws_log_metric_filter_vpc
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
index 786b7310c..f60f672c2 100755
--- a/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
@@ -1,29 +1,29 @@
-control-group:
-  id: aws_article_30
-  title: Article 30 Records of processing activities
-  description: Article 30 Records of processing activities
-  section-code: aws_article_30
-  tags:
-    category:
-      - Compliance
-    gdpr:
-      - "true"
-    gdpr_article:
-      - "30"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_cloudtrail_multi_region_trail_enabled
-    - aws_cloudtrail_s3_data_events_enabled
-    - aws_cloudtrail_security_trail_enabled
-    - aws_cloudtrail_trail_integrated_with_logs
-    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-    - aws_config_enabled_all_regions
-    - aws_elb_application_classic_lb_logging_enabled
-    - aws_kms_cmk_rotation_enabled
-    - aws_redshift_cluster_encryption_logging_enabled
-    - aws_vpc_flow_logs_enabled
+id: aws_article_30
+title: Article 30 Records of processing activities
+description: Article 30 Records of processing activities
+section-code: aws_article_30
+type: control-group
+tags:
+  category:
+  - Compliance
+  gdpr:
+  - "true"
+  gdpr_article:
+  - "30"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_config_enabled_all_regions
+- aws_elb_application_classic_lb_logging_enabled
+- aws_kms_cmk_rotation_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
index 7de5b689a..15ef71803 100755
--- a/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
@@ -1,51 +1,51 @@
-control-group:
-  id: aws_article_32
-  title: Article 32 Security of processing
-  description: Article 32 Security of processing
-  section-code: aws_article_32
-  tags:
-    category:
-      - Compliance
-    gdpr:
-      - "true"
-    gdpr_article:
-      - "32"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_acm_certificate_expires_30_days
-    - aws_apigateway_stage_cache_encryption_at_rest_enabled
-    - aws_cloudfront_distribution_encryption_in_transit_enabled
-    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-    - aws_cloudtrail_trail_validation_enabled
-    - aws_dax_cluster_encryption_at_rest_enabled
-    - aws_dynamodb_table_encrypted_with_kms
-    - aws_dynamodb_table_encryption_enabled
-    - aws_ebs_attached_volume_encryption_enabled
-    - aws_ebs_volume_encryption_at_rest_enabled
-    - aws_efs_file_system_encrypt_data_at_rest
-    - aws_elb_application_lb_drop_http_headers
-    - aws_elb_application_lb_redirect_http_request_to_https
-    - aws_elb_classic_lb_use_ssl_certificate
-    - aws_elb_classic_lb_use_tls_https_listeners
-    - aws_es_domain_encryption_at_rest_enabled
-    - aws_es_domain_node_to_node_encryption_enabled
-    - aws_log_group_encryption_at_rest_enabled
-    - aws_rds_db_instance_encryption_at_rest_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_logging_enabled
-    - aws_rds_db_snapshot_encrypted_at_rest
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_redshift_cluster_encryption_in_transit_enabled
-    - aws_redshift_cluster_encryption_logging_enabled
-    - aws_s3_bucket_default_encryption_enabled
-    - aws_s3_bucket_default_encryption_enabled_kms
-    - aws_s3_bucket_enforces_ssl
-    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-    - aws_sns_topic_encrypted_at_rest
-    - aws_wafv2_web_acl_logging_enabled
+id: aws_article_32
+title: Article 32 Security of processing
+description: Article 32 Security of processing
+section-code: aws_article_32
+type: control-group
+tags:
+  category:
+  - Compliance
+  gdpr:
+  - "true"
+  gdpr_article:
+  - "32"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_volume_encryption_at_rest_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml b/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml
index fe660b9f7..488e92df0 100644
--- a/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml
@@ -1,28 +1,28 @@
-framework:
-  id: aws_gdpr
-  title: General Data Protection Regulation (GDPR)
-  description: The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance.
-  section-code: aws_gdpr
-  tags:
-    category:
-      - Compliance
-    gdpr:
-      - "true"
-    platform_benchmark_type:
-      - compliance
-    platform_category:
-      - Privacy
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  defaults:
-    is-baseline: false
-    enabled: false
-    tracks-drift-events: false
-  control-group:
-    - id: aws_article_25
-    - id: aws_article_30
-    - id: aws_article_32
+id: aws_gdpr
+title: General Data Protection Regulation (GDPR)
+description: The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance.
+section-code: aws_gdpr
+type: framework
+tags:
+  category:
+  - Compliance
+  gdpr:
+  - "true"
+  platform_benchmark_type:
+  - compliance
+  platform_category:
+  - Privacy
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+defaults:
+  is-baseline: false
+  enabled: false
+  tracks-drift-events: false
+control-group:
+- id: aws_article_25
+- id: aws_article_30
+- id: aws_article_32
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml
index 4cfa4259c..54c045fda 100644
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml
@@ -1,29 +1,29 @@
-framework:
-  id: aws_gxp_21_cfr_part_11
-  title: GxP 21 CFR Part 11
-  description: The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
-  section-code: aws_gxp_21_cfr_part_11
-  tags:
-    category:
-      - Compliance
-    gxp_21_cfr_part_11:
-      - "true"
-    platform_benchmark_type:
-      - compliance
-    platform_category:
-      - Frameworks
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  defaults:
-    is-baseline: false
-    enabled: false
-    tracks-drift-events: false
-  control-group:
-    - id: aws_gxp_21_cfr_part_11_11_10
-    - id: aws_gxp_21_cfr_part_11_11_30
-    - id: aws_gxp_21_cfr_part_11_11_200
-    - id: aws_gxp_21_cfr_part_11_11_300
+id: aws_gxp_21_cfr_part_11
+title: GxP 21 CFR Part 11
+description: The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
+section-code: aws_gxp_21_cfr_part_11
+type: framework
+tags:
+  category:
+  - Compliance
+  gxp_21_cfr_part_11:
+  - "true"
+  platform_benchmark_type:
+  - compliance
+  platform_category:
+  - Frameworks
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+defaults:
+  is-baseline: false
+  enabled: false
+  tracks-drift-events: false
+control-group:
+- id: aws_gxp_21_cfr_part_11_11_10
+- id: aws_gxp_21_cfr_part_11_11_30
+- id: aws_gxp_21_cfr_part_11_11_200
+- id: aws_gxp_21_cfr_part_11_11_300
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
index 70be16501..5e1b08dac 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
@@ -1,36 +1,43 @@
+id: aws_gxp_21_cfr_part_11_11_10
+title: Controls for closed systems
+description: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
+section-code: "11_10"
+type: control-group
+tags:
+  category:
+  - Compliance
+  gxp_21_cfr_part_11:
+  - "true"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
 control-group:
-  id: aws_gxp_21_cfr_part_11_11_10
-  title: Controls for closed systems
-  description: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
-  section-code: "11_10"
-  tags:
-    category:
-      - Compliance
-    gxp_21_cfr_part_11:
-      - "true"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  control-group:
-    - id: aws_gxp_21_cfr_part_11_11_10_a
-    - id: aws_gxp_21_cfr_part_11_11_10_c
-    - id: aws_gxp_21_cfr_part_11_11_10_d
-    - id: aws_gxp_21_cfr_part_11_11_10_e
-    - id: aws_gxp_21_cfr_part_11_11_10_g
-    - id: aws_gxp_21_cfr_part_11_11_10_h
-    - id: aws_gxp_21_cfr_part_11_11_10_k
-  controls:
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_ebs_volume_in_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_efs_file_system_in_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
+- id: aws_gxp_21_cfr_part_11_11_10_a
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_c
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_d
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_e
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_g
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_h
+  type: ""
+- id: aws_gxp_21_cfr_part_11_11_10_k
+  type: ""
+controls:
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
index 546af06c8..1be1997b4 100755
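Review bot: Each nested `control-group` entry in the new file is given `type: ""`, while the framework file in the hunk above (aws_gxp_21_cfr_part_11.yaml) and the GDPR framework list the same kind of child references with `id:` only. An empty string is neither the absent key nor the `control-group` value the top-level `type:` now carries, so a loader that dispatches on `type` may treat these seven children as unknown or untyped and skip resolving them, which would silently drop the 11.10(a)–(k) sub-groups — and every backup, integrity and retention control they hold — from the benchmark. Either remove the `type: ""` lines so the entries match the framework files, or give them the value used at the top of the file, i.e. `- id: aws_gxp_21_cfr_part_11_11_10_a` followed by `  type: control-group`, for all seven entries. Whether the loader distinguishes `""` from an absent key cannot be confirmed from the diff alone, but the inconsistency is worth resolving before the schema migration lands.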
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
@@ -1,53 +1,53 @@
-control-group:
-  id: aws_gxp_21_cfr_part_11_11_10_a
-  title: 10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
-  description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
-  section-code: a
-  tags:
-    category:
-      - Compliance
-    gxp_21_cfr_part_11:
-      - "true"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_cloudtrail_security_trail_enabled
-    - aws_cloudtrail_trail_validation_enabled
-    - aws_dynamodb_table_auto_scaling_enabled
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ebs_volume_unused
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_ec2_instance_ssm_managed
-    - aws_ec2_stopped_instance_30_days
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_elb_application_lb_deletion_protection_enabled
-    - aws_elb_classic_lb_cross_zone_load_balancing_enabled
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_deletion_protection_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_multiple_az_enabled
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_object_lock_enabled
-    - aws_s3_bucket_versioning_enabled
-    - aws_ssm_managed_instance_compliance_association_compliant
-    - aws_ssm_managed_instance_compliance_patch_compliant
-    - aws_vpc_vpn_tunnel_up
+id: aws_gxp_21_cfr_part_11_11_10_a
+title: 10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
+section-code: a
+type: control-group
+tags:
+  category:
+  - Compliance
+  gxp_21_cfr_part_11:
+  - "true"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudtrail_trail_validation_enabled
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ebs_volume_unused
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_object_lock_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
index 8c964cb68..a32159d4e 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
@@ -1,48 +1,48 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_c
- title: 10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period."
- section-code: c
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ecr_repository_lifecycle_policy_configured
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+id: aws_gxp_21_cfr_part_11_11_10_c
+title: 10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ecr_repository_lifecycle_policy_configured
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_lifecycle_policy_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml
index 776142fcb..12437a8ba 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml 
@@ -1,72 +1,72 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_d
- title: 10(d) Limiting system access to authorized individuals
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals."
- section-code: d
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_gxp_21_cfr_part_11_11_10_d
+title: 10(d) Limiting system access to authorized individuals
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_ebs_default_encryption_enabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_uses_imdsv2
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_managed_policy_attached_to_role
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
index 32076843d..5c9d604be 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
@@ -1,44 +1,44 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_e
- title: 10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
- section-code: e
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_gxp_21_cfr_part_11_11_10_e
+title: 10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
+section-code: e
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
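Review bot: `aws_ec2_instance_ebs_optimized` in the `controls:` list of this 10(e) group is an EBS throughput setting, not a logging or audit-trail control, so a failure there would be reported as an audit-trail gap it does not actually evidence. The same id also appears in the 10(c) list and in the preceding control-group of this commit, presumably carried over from an upstream mapping rather than chosen for this section. Consider dropping it from 10(e), or adding a comment next to the entry such as `# kept for parity with upstream GxP mapping; not an audit-trail control` so the intent is visible to the next reviewer.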
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
index a7a310dbc..904878790 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
@@ -1,73 +1,73 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_g
- title: 10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."
- section-code: g
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_gxp_21_cfr_part_11_11_10_g
+title: 10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."
+section-code: g
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_ebs_default_encryption_enabled
+- aws_ec2_instance_iam_profile_attached
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_uses_imdsv2
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
index a0d3c844d..836926226 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_h
- title: 10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction."
- section-code: h
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_gxp_21_cfr_part_11_11_10_h
+title: 10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction."
+section-code: h
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
index 0ea11d044..5a25b65b1 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
@@ -1,39 +1,39 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_10_k
- title: 10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
- description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation."
- section-code: k
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_gxp_21_cfr_part_11_11_10_k
+title: 10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
+description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation."
+section-code: k
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_logging_enabled
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
index e67d51686..fb09e6562 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
@@ -1,18 +1,19 @@
+id: aws_gxp_21_cfr_part_11_11_200
+title: Electronic signature components and controls
+description: Electronic signatures that are not biometric (i.e., not based on a physical feature, like a fingerprint) must be made up of at least two distinct parts (i.e.,user ID and password). Biometric electronic signature (e.g., fingerprint scan, retinal scan) can only be used by the individuals to whom they are assigned.
+section-code: "11_200"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_gxp_21_cfr_part_11_11_200
- title: Electronic signature components and controls
- description: Electronic signatures that are not biometric (i.e., not based on a physical feature, like a fingerprint) must be made up of at least two distinct parts (i.e.,user ID and password). Biometric electronic signature (e.g., fingerprint scan, retinal scan) can only be used by the individuals to whom they are assigned.
- section-code: "11_200"
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_gxp_21_cfr_part_11_11_200_a
+- id: aws_gxp_21_cfr_part_11_11_200_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
index 6de5a2e76..cb60014ab 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
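Review bot: The child entry `- id: aws_gxp_21_cfr_part_11_11_200_a` under the kept `control-group:` key is given `type: ""`, whereas every other file in this commit sets `type: control-group` on the group it describes; if the loader dispatches on `type`, an empty string is either rejected or silently treated as an untyped entry, so this looks like it should be `type: control-group` (or the key dropped if the reference is resolved by id alone) — confirm against the framework schema. The same `description:` line also has a missing space in `(i.e.,user ID and password)`; `(i.e., user ID and password)` reads correctly.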
@@ -1,24 +1,24 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_200_a
- title: 200(a) Biometric electronic signature components and controls
- description: "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."
- section-code: a
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_gxp_21_cfr_part_11_11_200_a
+title: 200(a) Biometric electronic signature components and controls
+description: "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
index ec9d62344..e399da5ea 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
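Review bot: The new-side `title` reads `200(a) Biometric electronic signature components and controls`, but the `description` directly below it opens with "(a) Electronic signatures that are not based upon biometrics shall:", so the title names the opposite of what the section covers. The title is carried over unchanged from the old side, so this is pre-existing, but the conversion is the natural moment to fix it, e.g. `title: 200(a) Non-biometric electronic signature components and controls`. The mapped controls (password policy, MFA, access-key age) fit the non-biometric reading, which supports the title being the wrong half.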
@@ -1,54 +1,54 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_30
- title: Controls for open systems
- description: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
- section-code: "11_30"
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
- - aws_cloudfront_distribution_no_deprecated_ssl_protocol
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_codebuild_project_artifact_encryption_enabled
- - aws_codebuild_project_s3_logs_encryption_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_kinesis_stream_server_side_encryption_enabled
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_gxp_21_cfr_part_11_11_30
+title: Controls for open systems
+description: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
+section-code: "11_30"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_backup_recovery_point_encryption_enabled
+- aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_codebuild_project_artifact_encryption_enabled
+- aws_codebuild_project_s3_logs_encryption_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_kinesis_stream_server_side_encryption_enabled
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
index 6f4f6bd3e..fcd825969 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
@@ -1,19 +1,21 @@
+id: aws_gxp_21_cfr_part_11_11_300
+title: Controls for identification codes/passwords
+description: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following benchmarks.
+section-code: "11_300"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_gxp_21_cfr_part_11_11_300
- title: Controls for identification codes/passwords
- description: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following benchmarks.
- section-code: "11_300"
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_gxp_21_cfr_part_11_11_300_b
- - id: aws_gxp_21_cfr_part_11_11_300_d
+- id: aws_gxp_21_cfr_part_11_11_300_b
+ type: ""
+- id: aws_gxp_21_cfr_part_11_11_300_d
+ type: ""
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml
index 2f5b2d05f..08a120dcb 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml 
@@ -1,23 +1,23 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_300_b
- title: 300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)
- description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
- section-code: b
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
+id: aws_gxp_21_cfr_part_11_11_300_b
+title: 300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)
+description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_emr_cluster_kerberos_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_user_access_key_age_90
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
index 59229851f..433953a42 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_gxp_21_cfr_part_11_11_300_d
- title: 300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management
- description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management."
- section-code: d
- tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_gxp_21_cfr_part_11_11_300_d
+title: 300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management
+description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml
index 50dcb4e6e..40a07d7de 100644
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml
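Review bot: Section 300(d) as quoted in the `description` asks for both detection and reporting "in an immediate and urgent manner", but the four mapped controls (`aws_cloudtrail_trail_enabled`, `aws_cloudtrail_trail_integrated_with_logs`, `aws_guardduty_enabled`, `aws_securityhub_enabled`) only establish that log and finding sources exist; none of them checks that a finding is routed to anyone. If the reporting clause is meant to be covered, `aws_cloudwatch_alarm_action_enabled`, which this same commit maps under EU Annex 11 operational_phase_13, looks like the closest existing control to add to `controls:`. The list itself is carried over unchanged, so this is a mapping gap rather than a regression introduced here.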
@@ -1,28 +1,28 @@
-framework:
- id: aws_gxp_eu_annex_11
- title: GxP EU Annex 11
- description: EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
- section-code: aws_gxp_eu_annex_11
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_gxp_eu_annex_11_general
- - id: aws_gxp_eu_annex_11_operational_phase
- - id: aws_gxp_eu_annex_11_project_phase
+id: aws_gxp_eu_annex_11
+title: GxP EU Annex 11
+description: EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
+section-code: aws_gxp_eu_annex_11
+type: framework
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_gxp_eu_annex_11_general
+- id: aws_gxp_eu_annex_11_operational_phase
+- id: aws_gxp_eu_annex_11_project_phase
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
index ca839d85f..d1c09580e 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
@@ -1,18 +1,19 @@
+id: aws_gxp_eu_annex_11_general
+title: General
+description: This section focuses on more human oriented checks that leverages risk management, personnel verification of process owners, suppliers and service providers agreement reviews, supplier audit and review documentation for COTS.
+section-code: general
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_gxp_eu_annex_11_general
- title: General
- description: This section focuses on more human oriented checks that leverages risk management, personnel verification of process owners, suppliers and service providers agreement reviews, supplier audit and review documentation for COTS.
- section-code: general
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_gxp_eu_annex_11_general_1
+- id: aws_gxp_eu_annex_11_general_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
index ea75477c7..8afd6a461 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_gxp_eu_annex_11_general_1
- title: Risk Management
- description: Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.
- section-code: "1"
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_config_enabled_all_regions
- - aws_securityhub_enabled
+id: aws_gxp_eu_annex_11_general_1
+title: Risk Management
+description: Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_config_enabled_all_regions
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
index f15dbdce4..2f9131a6f 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
@@ -1,26 +1,35 @@
+id: aws_gxp_eu_annex_11_operational_phase
+title: Operational Phase
+description: This section focuses on various operational phases of data, such as data accuracy, secure storage, authorized access and backup.
+section-code: operational_phase
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_gxp_eu_annex_11_operational_phase
- title: Operational Phase
- description: This section focuses on various operational phases of data, such as data accuracy, secure storage, authorized access and backup.
- section-code: operational_phase
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_gxp_eu_annex_11_operational_phase_5
- - id: aws_gxp_eu_annex_11_operational_phase_7
- - id: aws_gxp_eu_annex_11_operational_phase_8
- - id: aws_gxp_eu_annex_11_operational_phase_9
- - id: aws_gxp_eu_annex_11_operational_phase_10
- - id: aws_gxp_eu_annex_11_operational_phase_12
- - id: aws_gxp_eu_annex_11_operational_phase_13
- - id: aws_gxp_eu_annex_11_operational_phase_16
- - id: aws_gxp_eu_annex_11_operational_phase_17
+- id: aws_gxp_eu_annex_11_operational_phase_5
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_7
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_8
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_9
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_10
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_12
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_13
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_16
+ type: ""
+- id: aws_gxp_eu_annex_11_operational_phase_17
+ type: ""
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
index 84bb7fa59..ba20074aa 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_gxp_eu_annex_11_operational_phase_10
- title: Change and Configuration Management
- description: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
- section-code: "10"
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_config_enabled_all_regions
+id: aws_gxp_eu_annex_11_operational_phase_10
+title: Change and Configuration Management
+description: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
index c098d71dd..d5a8310e8 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
@@ -1,18 +1,19 @@
+id: aws_gxp_eu_annex_11_operational_phase_12
+title: Security
+description: For enhanced security, access to physical and logical controls should be restricted to authorized individuals. Management systems should be created to record the identity of persons entering, changing, confirming, or deleting data by time and date.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_gxp_eu_annex_11_operational_phase_12
- title: Security
- description: For enhanced security, access to physical and logical controls should be restricted to authorized individuals. Management systems should be created to record the identity of persons entering, changing, confirming, or deleting data by time and date.
- section-code: "12"
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_gxp_eu_annex_11_operational_phase_12_4
+- id: aws_gxp_eu_annex_11_operational_phase_12_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
index 29ffa023b..c32a8304e 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_gxp_eu_annex_11_operational_phase_12_4
- title: Security - Audit Trail
- description: Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
- section-code: "4"
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_s3_data_events_enabled
+id: aws_gxp_eu_annex_11_operational_phase_12_4
+title: Security - Audit Trail
+description: Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_s3_data_events_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
index cd09448c7..2c32ec115 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_gxp_eu_annex_11_operational_phase_13
- title: Incident Management
- description: All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.
- section-code: "13"
- tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_gxp_eu_annex_11_operational_phase_13
+title: Incident Management
+description: All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_security_trail_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
index 38fb1ec27..f29629aae 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
@@ -1,40 +1,40 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_16 - title: Business Continuity - description: For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested. - section-code: "16" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_gxp_eu_annex_11_operational_phase_16 +title: Business Continuity +description: For the availability of computerised systems supporting critical processes, 
provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested. +section-code: "16" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml index 8d09d4017..d2385b7a9 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml 
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml 
@@ -1,39 +1,39 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_17 - title: Archiving - description: Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested. - section-code: "17" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_gxp_eu_annex_11_operational_phase_17 +title: Archiving +description: Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested. 
+section-code: "17" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml index f77fb728a..f21e3e0c2 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml 
@@ -1,39 +1,39 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_5 - title: Data - description: Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks. - section-code: "5" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_gxp_eu_annex_11_operational_phase_5 +title: Data +description: Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks. 
+section-code: "5" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml index 62f57e8e6..af883c58f 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml 
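Review bot: The control list of `aws_gxp_eu_annex_11_operational_phase_5` is byte-identical to the backup/retention set used for `operational_phase_16`, `operational_phase_17` and `operational_phase_7_2`, while its description is about built-in checks for the correct and secure entry and processing of data exchanged between systems. Backup-plan and snapshot-retention controls do not evidence input validation or secure data exchange, so this may be a copy-paste of the backup mapping; I cannot tell from the hunk what the intended controls were, but a one-line comment above `controls:` stating why backup controls satisfy section 5, or a revised mapping, would make the intent reviewable.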
@@ -1,19 +1,21 @@ +id: aws_gxp_eu_annex_11_operational_phase_7 +title: Data Storage +description: Data must be secure against damage, yet remain accessible, readable, and accurate throughout the retention period. Regular backups are expected and should be verified and monitored. +section-code: "7" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_gxp_eu_annex_11_operational_phase_7 - title: Data Storage - description: Data must be secure against damage, yet remain accessible, readable, and accurate throughout the retention period. Regular backups are expected and should be verified and monitored. - section-code: "7" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_gxp_eu_annex_11_operational_phase_7_1 - - id: aws_gxp_eu_annex_11_operational_phase_7_2 +- id: aws_gxp_eu_annex_11_operational_phase_7_1 + type: "" +- id: aws_gxp_eu_annex_11_operational_phase_7_2 + type: "" diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml index c6b049992..78442d607 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml 
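Review bot: The child references under `control-group:` are given `type: ""` while every child file touched by this change declares `type: control-group`, so the parent and child disagree on the type of the same node. If the loader uses the parent-side `type` to decide how to resolve the reference, an empty string is either ignored (then the key is noise) or treated as unknown (then the child is silently dropped), and neither is obvious from the file. Setting `type: control-group` on each reference, e.g. `- id: aws_gxp_eu_annex_11_operational_phase_7_1` followed by `  type: control-group`, or omitting the key entirely, would keep both sides consistent; I cannot confirm the schema from here. The same `type: ""` pattern appears in the `operational_phase_8`, `project_phase` and `project_phase_4` hunks.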
@@ -1,57 +1,57 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_7_1 - title: Data Storage - Damage Protection - description: Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period. - section-code: "1" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_codebuild_project_artifact_encryption_enabled - - aws_codebuild_project_s3_logs_encryption_enabled - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_encrypt_data_at_rest - - aws_efs_file_system_in_backup_plan - - aws_eks_cluster_secrets_encrypted - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_network_lb_use_ssl_certificate - - aws_es_domain_encryption_at_rest_enabled - - aws_kinesis_stream_server_side_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_snapshot_encrypted_at_rest - - 
aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_versioning_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - aws_sns_topic_encrypted_at_rest +id: aws_gxp_eu_annex_11_operational_phase_7_1 +title: Data Storage - Damage Protection +description: Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period. +section-code: "1" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled +- aws_cloudfront_distribution_no_deprecated_ssl_protocol +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_codebuild_project_artifact_encryption_enabled +- aws_codebuild_project_s3_logs_encryption_enabled +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_ebs_optimized +- aws_efs_file_system_encrypt_data_at_rest +- aws_efs_file_system_in_backup_plan +- aws_eks_cluster_secrets_encrypted +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_application_network_lb_use_ssl_certificate +- 
aws_es_domain_encryption_at_rest_enabled +- aws_kinesis_stream_server_side_encryption_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_versioning_enabled +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_secretsmanager_secret_encrypted_with_kms_cmk +- aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml index 539c2acf9..8ce19d6cc 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml 
@@ -1,39 +1,39 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_7_2 - title: Data Storage - Backups - description: Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. - section-code: "2" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_gxp_eu_annex_11_operational_phase_7_2 +title: Data Storage - Backups +description: Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. 
+section-code: "2" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml index 88013345f..9ae2aef2c 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml 
@@ -1,18 +1,19 @@ +id: aws_gxp_eu_annex_11_operational_phase_8 +title: Printouts +description: Clear printed copies of electronically stored data should be easily available. Any changes to data should be indicated. +section-code: "8" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_gxp_eu_annex_11_operational_phase_8 - title: Printouts - description: Clear printed copies of electronically stored data should be easily available. Any changes to data should be indicated. - section-code: "8" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_gxp_eu_annex_11_operational_phase_8_2 +- id: aws_gxp_eu_annex_11_operational_phase_8_2 + type: "" diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml index 4298f8e20..616381dc4 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_8_2 - title: Printouts - Data Changes - description: For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry. - section-code: "2" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_s3_data_events_enabled +id: aws_gxp_eu_annex_11_operational_phase_8_2 +title: Printouts - Data Changes +description: For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry. +section-code: "2" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_s3_data_events_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml index 8ec0059f8..84b6f389c 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_gxp_eu_annex_11_operational_phase_9 - title: Audit Trails - description: Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. - section-code: "9" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_s3_data_events_enabled +id: aws_gxp_eu_annex_11_operational_phase_9 +title: Audit Trails +description: Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. +section-code: "9" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_s3_data_events_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml index 7e5841632..ecb39a95e 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml 
@@ -1,18 +1,19 @@ +id: aws_gxp_eu_annex_11_project_phase +title: Project Phase +description: This section focuses combination of both human-oriented and automated process that leverages documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated). +section-code: project_phase +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_gxp_eu_annex_11_project_phase - title: Project Phase - description: This section focuses combination of both human-oriented and automated process that leverages documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated). - section-code: project_phase - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_gxp_eu_annex_11_project_phase_4 +- id: aws_gxp_eu_annex_11_project_phase_4 + type: "" diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml index d58286b35..d58ae08f1 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml 
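Review bot: The moved `description` line of `aws_gxp_eu_annex_11_project_phase` is ungrammatical ("This section focuses combination of both human-oriented and automated process that leverages …"), and since this text is shown to auditors in reports it is worth fixing while the line is being rewritten anyway. A minimal repair is `description: This section focuses on a combination of human-oriented and automated processes that leverage documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated).` with no change to the listed items.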
@@ -1,21 +1,25 @@ +id: aws_gxp_eu_annex_11_project_phase_4 +title: Validation +description: The second principle of Annex 11 requires manufacturers to validate the application and qualify the system's IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system. +section-code: "4" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_gxp_eu_annex_11_project_phase_4 - title: Validation - description: The second principle of Annex 11 requires manufacturers to validate the application and qualify the system's IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system. - section-code: "4" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_gxp_eu_annex_11_project_phase_4_2 - - id: aws_gxp_eu_annex_11_project_phase_4_5 - - id: aws_gxp_eu_annex_11_project_phase_4_6 - - id: aws_gxp_eu_annex_11_project_phase_4_8 +- id: aws_gxp_eu_annex_11_project_phase_4_2 + type: "" +- id: aws_gxp_eu_annex_11_project_phase_4_5 + type: "" +- id: aws_gxp_eu_annex_11_project_phase_4_6 + type: "" +- id: aws_gxp_eu_annex_11_project_phase_4_8 + type: "" diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml index 096c86acf..3084507d4 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_gxp_eu_annex_11_project_phase_4_2 - title: Validation - Documentation Change Control - description: Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. - section-code: "2" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_enabled +id: aws_gxp_eu_annex_11_project_phase_4_2 +title: Validation - Documentation Change Control +description: Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. +section-code: "2" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_enabled diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml index e606dbbcc..f19a4c1b9 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_gxp_eu_annex_11_project_phase_4_5 - title: Validation - Development Quality - description: The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately. - section-code: "5" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions +id: aws_gxp_eu_annex_11_project_phase_4_5 +title: Validation - Development Quality +description: The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately. +section-code: "5" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml index 01dcff2e7..a37112e61 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_gxp_eu_annex_11_project_phase_4_6 - title: Validation - Quality and Performance - description: For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system. - section-code: "6" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions +id: aws_gxp_eu_annex_11_project_phase_4_6 +title: Validation - Quality and Performance +description: For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system. +section-code: "6" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml index 815253917..f95404553 100755 --- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml +++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml 
@@ -1,40 +1,40 @@ -control-group: - id: aws_gxp_eu_annex_11_project_phase_4_8 - title: Validation - Data Transfer - description: If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process. - section-code: "8" - tags: - category: - - Compliance - gxp_eu_annex_11: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_ecr_repository_lifecycle_policy_configured - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_gxp_eu_annex_11_project_phase_4_8 +title: Validation - Data Transfer +description: If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process. 
+section-code: "8" +type: control-group +tags: + category: + - Compliance + gxp_eu_annex_11: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_ecr_repository_lifecycle_policy_configured +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml index becf4ac70..4a5aa30de 100644 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml 
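Review bot: `aws_ec2_instance_ebs_optimized` and `aws_ecr_repository_lifecycle_policy_configured` stay in the control list for "Validation - Data Transfer", whose description requires checks that migrated data are not altered in value or meaning; an EBS-optimized flag is an instance throughput setting and an ECR lifecycle policy expires images, so neither evidences data integrity and both pad the section's pass rate. The commit only flattens and re-indents this list, so the mapping is pre-existing, but this is the moment to either drop those two entries or record why they belong with a comment above the list such as `# integrity/recoverability evidence for migrated data; ebs_optimized and ecr_lifecycle mappings need justification`. The versioning, point-in-time-recovery and backup-plan controls already listed are the ones that actually speak to unaltered data. Whether the framework loader tolerates YAML comments inside `controls:` is not visible here; confirm before relying on one.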
@@ -1,30 +1,30 @@ -framework: - id: aws_hipaa_final_omnibus_security_rule_2013 - title: HIPAA Final Omnibus Security Rule 2013 - description: The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a business associate and covered entity. The Final Omnibus Rule provides additional guidance to the 2003 Security Rule and implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA. - section-code: aws_hipaa_final_omnibus_security_rule_2013 - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Laws & Regulations - - Privacy - plugin: - - aws - service: - - AWS - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308 - - id: aws_hipaa_final_omnibus_security_rule_2013_164_310 - - id: aws_hipaa_final_omnibus_security_rule_2013_164_312 - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314 +id: aws_hipaa_final_omnibus_security_rule_2013 +title: HIPAA Final Omnibus Security Rule 2013 +description: The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a business associate and covered entity. The Final Omnibus Rule provides additional guidance to the 2003 Security Rule and implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA. 
+section-code: aws_hipaa_final_omnibus_security_rule_2013 +type: framework +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Laws & Regulations + - Privacy + plugin: + - aws + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308 +- id: aws_hipaa_final_omnibus_security_rule_2013_164_310 +- id: aws_hipaa_final_omnibus_security_rule_2013_164_312 +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314 diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml index d7867efa1..c4da59404 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml 
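Review bot: The framework now carries `type: framework` at the top level a few lines above `tags: … type: - Benchmark`, and `defaults` sets `enabled: false`, `is-baseline: false` and `tracks-drift-events: false` with no explanation of what an operator gets when they leave them as-is. If `enabled: false` means the HIPAA benchmark is not evaluated until someone opts in, that deserves a one-line comment above `defaults:` such as `# disabled by default: opt in per integration; no drift events until tracks-drift-events is true`, because a disabled compliance framework is easy to mistake for a passing one. The two `type` keys should also be distinguished in a comment so the structural `type: framework` is not confused with the `Benchmark` tag. I am inferring the semantics of the three flags from their names only; confirm them against the loader.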
@@ -1,40 +1,61 @@ +id: aws_hipaa_final_omnibus_security_rule_2013_164_308 +title: Administrative Safeguards +description: An important step in strengthening the protection of health information, especially in electronic form, as well as give patients more access to their individual health information. The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. +section-code: "164_308" +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308 - title: Administrative Safeguards - description: An important step in strengthening the protection of health information, especially in electronic form, as well as give patients more access to their individual health information. The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. 
- section-code: "164_308" - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c - - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8 +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i + type: "" +- id: 
aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8 + type: "" diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml index a44c9ad93..6040d86db 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml 
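Review bot: Every child reference under `control-group:` in this hunk gets `type: ""`, while the sibling framework file in the same change lists its child groups with `- id:` alone and every top-level object receives a concrete `type` (`control`, `control-group`, `framework`). An empty type on a reference looks like a serializer zero value rather than an intended marker; if the loader resolves children by `type`, all 21 sub-sections of 164.308 (risk analysis, activity review, workforce security and the rest) could be skipped without a single failing control, silently shrinking HIPAA coverage. Either drop the key so the entries read `- id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a`, or set the real value `type: control-group` on each, and have the loader reject an empty `type` rather than ignore it. I can only infer loader behavior from the YAML; verify against the parser before merging.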
@@ -1,24 +1,24 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a - title: 308(a)(1)(ii)(A) Risk analysis - description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. - section-code: a_1_ii_a - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_enabled - - aws_config_enabled_all_regions - - aws_guardduty_enabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a +title: 308(a)(1)(ii)(A) Risk analysis +description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. +section-code: a_1_ii_a +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_enabled +- aws_config_enabled_all_regions +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml index fc69cca3a..0d1e8b73c 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml 
@@ -1,81 +1,81 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b - title: 308(a)(1)(ii)(B) Risk management - description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). - section-code: a_1_ii_b - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_efs_file_system_encrypt_data_at_rest - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_kms_key_not_pending_deletion - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_log_group_encryption_at_rest_enabled - - 
aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_vpn_tunnel_up +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b +title: 308(a)(1)(ii)(B) Risk management +description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). 
+section-code: a_1_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_dms_replication_instance_not_publicly_accessible +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_efs_file_system_encrypt_data_at_rest +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_in_vpc +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_kms_key_not_pending_deletion +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_rds_db_snapshot_prohibit_public_access +- 
aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_object_lock_enabled +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_bucket_versioning_enabled +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant +- aws_vpc_igw_attached_to_authorized_vpc +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml index b5f329c2e..1f74586b8 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml 
@@ -1,39 +1,39 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d - title: 308(a)(1)(ii)(D) Information system activity review - description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. - section-code: a_1_ii_d - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_d - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_logging_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d +title: 308(a)(1)(ii)(D) Information system activity review +description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 
+section-code: a_1_ii_d +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_d + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudfront_distribution_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_codebuild_project_logging_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml index 9aedae781..742af1226 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml 
@@ -1,57 +1,57 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i - title: 308(a)(3)(i) Workforce security - description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. - section-code: a_3_i - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_i - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - 
aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i +title: 308(a)(3)(i) Workforce security +description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. +section-code: a_3_i +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_i + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_emr_cluster_kerberos_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- 
aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_ssm_document_prohibit_public_access +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml index 4fd73c0f1..4076796f0 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml 
@@ -1,48 +1,48 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a - title: 308(a)(3)(ii)(A) Authorization and/or supervision - description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. - section-code: a_3_ii_a - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_user_for_host_mode_check - - aws_elb_application_classic_lb_logging_enabled - - aws_emr_cluster_kerberos_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_guardduty_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_iam_authentication_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a +title: 308(a)(3)(ii)(A) Authorization and/or supervision +description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in 
locations where it might be accessed. +section-code: a_3_ii_a +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_ec2_instance_iam_profile_attached +- aws_ecs_task_definition_user_for_host_mode_check +- aws_elb_application_classic_lb_logging_enabled +- aws_emr_cluster_kerberos_enabled +- aws_es_domain_logs_to_cloudwatch +- aws_guardduty_enabled +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_iam_authentication_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_s3_bucket_policy_restrict_public_access +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml index 61fb71903..b162b9314 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b - title: 308(a)(3)(ii)(B) Workforce clearance procedure - description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. - section-code: a_3_ii_b - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_emr_cluster_kerberos_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_s3_bucket_policy_restrict_public_access - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b +title: 308(a)(3)(ii)(B) Workforce clearance procedure +description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. 
+section-code: a_3_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_emr_cluster_kerberos_enabled +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_s3_bucket_policy_restrict_public_access +- aws_ssm_document_prohibit_public_access +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml index 8b441c042..f71e57308 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c - title: 308(a)(3)(ii)(C) Termination procedures - description: Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. - section-code: a_3_ii_c - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_c - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_user_access_key_age_90 +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c +title: 308(a)(3)(ii)(C) Termination procedures +description: Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. +section-code: a_3_ii_c +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_c + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_user_access_key_age_90 diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml index c0ccdba9f..f7593ec70 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml 
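Review bot: The termination-procedures group keeps `aws_iam_user_access_key_age_90` as its only control, which measures key rotation rather than whether a departed user's credentials are still usable; `aws_iam_user_unused_credentials_90`, mapped in the neighbouring a_3_ii_b group in this same diff, is the closer signal for access that was never revoked and would fit under `controls:` here as `- aws_iam_user_unused_credentials_90`. Separately, this file's `service:` tag is `AWS/IAM` while every sibling group in the diff uses `AWS`; if that tag drives filtering or grouping downstream, the odd value is worth confirming as intentional rather than carried over. The control list itself is unchanged by this commit, so both are pre-existing gaps the restructure preserves.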
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i - title: 308(a)(4)(i) Information access management - description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. - section-code: a_4_i - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_4_i - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_emr_cluster_kerberos_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i +title: 308(a)(4)(i) Information access management +description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. 
+section-code: a_4_i +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_4_i + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_emr_cluster_kerberos_enabled +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_rds_db_instance_iam_authentication_enabled +- aws_s3_bucket_policy_restrict_public_access +- aws_ssm_document_prohibit_public_access +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml index 89ad7410a..0a664da9f 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml 
@@ -1,54 +1,54 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a - title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions - description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. - section-code: a_4_ii_a - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_4_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_logging_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - 
aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a +title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions +description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. +section-code: a_4_ii_a +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_4_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudfront_distribution_encryption_in_transit_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_eks_cluster_secrets_encrypted +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- 
aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_logging_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml index e5f8e3ea1..f437eac65 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml 
@@ -1,41 +1,41 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b - title: 308(a)(4)(ii)(B) Access authorization - description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. - section-code: a_4_ii_b - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_4_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_iam_profile_attached - - aws_emr_cluster_kerberos_enabled - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_access_key_age_90 - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_s3_bucket_policy_restrict_public_access - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_last_changed_90_day - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b +title: 308(a)(4)(ii)(B) Access authorization +description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. 
+section-code: a_4_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_4_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_iam_profile_attached +- aws_emr_cluster_kerberos_enabled +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_user_access_key_age_90 +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_s3_bucket_policy_restrict_public_access +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_last_changed_90_day +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day +- aws_ssm_document_prohibit_public_access +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml index f0b8cfcac..439177917 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml 
@@ -1,60 +1,60 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c - title: 308(a)(4)(ii)(C) Access establishment and modification - description: Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. - section-code: a_4_ii_c - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_4_ii_c - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - 
aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_unused_90_day - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c +title: 308(a)(4)(ii)(C) Access establishment and modification +description: Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. +section-code: a_4_ii_c +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_4_ii_c + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_emr_cluster_kerberos_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- 
aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_unused_90_day +- aws_ssm_document_prohibit_public_access +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml index 650a25403..b589910bb 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b - title: 308(a)(5)(ii)(B) Protection from malicious software - description: Procedures for guarding against, detecting, and reporting malicious software. - section-code: a_5_ii_b - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_5_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b +title: 308(a)(5)(ii)(B) Protection from malicious software +description: Procedures for guarding against, detecting, and reporting malicious software. +section-code: a_5_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_5_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml index b8ae10679..52c131d4c 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml 
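Review bot: The protection-from-malicious-software group maps only SSM managed-instance, association and patch compliance, which are preventive hygiene checks; nothing in the list covers the "detecting, and reporting" half of the description. `aws_guardduty_enabled`, already used by the a_5_ii_c and a_6_i groups in this diff, is the detection-side control available on this page and would fit as `- aws_guardduty_enabled` under `controls:`, assuming the organisation's GuardDuty deployment has the malware-finding categories enabled. The list is carried over unchanged, so this is a pre-existing mapping gap rather than something the restructure introduced.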
@@ -1,26 +1,26 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c - title: 308(a)(5)(ii)(C) Log-in monitoring - description: Procedures for monitoring log-in attempts and reporting discrepancies. - section-code: a_5_ii_c - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_5_ii_c - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_validation_enabled - - aws_guardduty_enabled - - aws_log_metric_filter_console_authentication_failure +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c +title: 308(a)(5)(ii)(C) Log-in monitoring +description: Procedures for monitoring log-in attempts and reporting discrepancies. +section-code: a_5_ii_c +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_5_ii_c + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_validation_enabled +- aws_guardduty_enabled +- aws_log_metric_filter_console_authentication_failure diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml index 1f62efd83..dfe1ca5b1 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml 
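Review bot: The log-in monitoring group's only login-specific alert is `aws_log_metric_filter_console_authentication_failure`, while `aws_log_metric_filter_root_login` (used by the a_6_i group later in this diff) covers the root sign-in event that a log-in monitoring procedure would most want surfaced; consider adding `- aws_log_metric_filter_root_login` under `controls:`. The CloudTrail and GuardDuty entries here provide the log source and general detection but not a login-discrepancy report on their own. The control list is unchanged by this commit, so this is a pre-existing gap the restructure preserves.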
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml @@ -1,27 +1,27 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d - title: 308(a)(5)(ii)(D) Password management - description: Procedures for creating, changing, and safeguarding passwords. - section-code: a_5_ii_d - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_5_ii_d - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_access_key_age_90 - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_last_changed_90_day - - aws_secretsmanager_secret_rotated_as_scheduled +id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d +title: 308(a)(5)(ii)(D) Password management +description: Procedures for creating, changing, and safeguarding passwords. +section-code: a_5_ii_d +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_5_ii_d + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_user_access_key_age_90 +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_last_changed_90_day +- aws_secretsmanager_secret_rotated_as_scheduled 
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
index f50dc3e98..16639aa79 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
@@ -1,27 +1,27 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
-  title: 308(a)(6)(i) Security incident procedures
-  description: Implement policies and procedures to address security incidents.
-  section-code: a_6_i
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_6_i
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_cloudwatch_alarm_action_enabled
-    - aws_guardduty_enabled
-    - aws_lambda_function_dead_letter_queue_configured
-    - aws_log_metric_filter_console_authentication_failure
-    - aws_log_metric_filter_root_login
-    - aws_securityhub_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
+title: 308(a)(6)(i) Security incident procedures
+description: Implement policies and procedures to address security incidents.
+section-code: a_6_i
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_6_i
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_dead_letter_queue_configured
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_root_login
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml
index 583e73ff7..2f42f1294 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml 
@@ -1,35 +1,35 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
-  title: 308(a)(6)(ii) Response and reporting
-  description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
-  section-code: a_6_ii
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_6_ii
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_apigateway_stage_logging_enabled
-    - aws_cloudtrail_multi_region_trail_enabled
-    - aws_cloudtrail_s3_data_events_enabled
-    - aws_cloudtrail_trail_enabled
-    - aws_cloudtrail_trail_integrated_with_logs
-    - aws_cloudtrail_trail_validation_enabled
-    - aws_elb_application_classic_lb_logging_enabled
-    - aws_guardduty_enabled
-    - aws_guardduty_finding_archived
-    - aws_log_metric_filter_console_authentication_failure
-    - aws_log_metric_filter_root_login
-    - aws_s3_bucket_logging_enabled
-    - aws_securityhub_enabled
-    - aws_vpc_flow_logs_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
+title: 308(a)(6)(ii) Response and reporting
+description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
+section-code: a_6_ii
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_6_ii
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_validation_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_root_login
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
index c69194508..19caa4021 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
@@ -1,50 +1,50 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
-  title: 308(a)(7)(i) Contingency plan
-  description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
-  section-code: a_7_i
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_7_i
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_autoscaling_group_with_lb_use_health_check
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_dynamodb_table_auto_scaling_enabled
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_elb_application_lb_deletion_protection_enabled
-    - aws_elb_classic_lb_cross_zone_load_balancing_enabled
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_deletion_protection_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_multiple_az_enabled
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
-    - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
+title: 308(a)(7)(i) Contingency plan
+description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
+section-code: a_7_i
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_7_i
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
index f4121c5c2..cc4d30433 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
@@ -1,48 +1,48 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a
-  title: 308(a)(7)(ii)(A) Data backup plan
-  description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
-  section-code: a_7_ii_a
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_7_ii_a
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_autoscaling_group_with_lb_use_health_check
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_dynamodb_table_auto_scaling_enabled
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_multiple_az_enabled
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_redshift_cluster_maintenance_settings_check
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
-    - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a
+title: 308(a)(7)(ii)(A) Data backup plan
+description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
+section-code: a_7_ii_a
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_7_ii_a
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml
index fcd0fe52a..42d94ae7e 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml
@@ -1,47 +1,47 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b
-  title: 308(a)(7)(ii)(B) Disaster recovery plan
-  description: Establish (and implement as needed) procedures to restore any loss of data.
-  section-code: a_7_ii_b
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_7_ii_b
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_autoscaling_group_with_lb_use_health_check
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_dynamodb_table_auto_scaling_enabled
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_multiple_az_enabled
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
-    - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b
+title: 308(a)(7)(ii)(B) Disaster recovery plan
+description: Establish (and implement as needed) procedures to restore any loss of data.
+section-code: a_7_ii_b
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_7_ii_b
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml
index f47812f70..d09832581 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml 
@@ -1,50 +1,50 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c
-  title: 308(a)(7)(ii)(C) Emergency mode operation plan
-  description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
-  section-code: a_7_ii_c
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_7_ii_c
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_autoscaling_group_with_lb_use_health_check
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_dynamodb_table_auto_scaling_enabled
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_elb_application_lb_deletion_protection_enabled
-    - aws_elb_classic_lb_cross_zone_load_balancing_enabled
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_deletion_protection_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_multiple_az_enabled
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
-    - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c
+title: 308(a)(7)(ii)(C) Emergency mode operation plan
+description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
+section-code: a_7_ii_c
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_7_ii_c
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml
index 385ac931f..c41d5bb73 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml
@@ -1,23 +1,23 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8
-  title: 308(a)(8) Evaluation
-  description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
-  section-code: a_8
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_308_a_8
-    hipaa_section:
-      - "164_308"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_guardduty_enabled
-    - aws_securityhub_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8
+title: 308(a)(8) Evaluation
+description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
+section-code: a_8
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_308_a_8
+  hipaa_section:
+  - "164_308"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml
index 111263467..1bb0e33a0 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml
@@ -1,20 +1,21 @@
+id: aws_hipaa_final_omnibus_security_rule_2013_164_310
+title: Physical Safeguards
+description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
+section-code: "164_310"
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_section:
+  - "164_310"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
 control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_310
-  title: Physical Safeguards
-  description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
-  section-code: "164_310"
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_section:
-      - "164_310"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  control-group:
-    - id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv
+  type: ""
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml
index a959444da..9ba28ad79 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml
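Review bot: The child reference this hunk adds at its end, `+- id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv` followed by `+  type: ""`, carries an empty type while every node migrated by this commit is explicitly typed (`type: control-group` at the top of this file, `type: control` on the control files in the same change). If the loader dispatches on that field, an empty string would either fail to resolve or silently drop the 164.310(d)(2)(iv) data-backup group from the Physical Safeguards benchmark, and a parent group with no resolvable children evaluates as trivially compliant with nothing to report. I would set `  type: control-group` to match the referenced file's own declaration, or document in a comment above `control-group:` that an empty value means "resolve by id". A loader-side check that rejects a reference whose type is empty or unknown would keep a silently empty benchmark from passing.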
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml 
@@ -1,43 +1,43 @@
-control-group:
-  id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv
-  title: 310(d)(2)(iv) Data backup and storage
-  description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
-  section-code: d_2_iv
-  tags:
-    category:
-      - Compliance
-    hipaa_final_omnibus_security_rule_2013:
-      - "true"
-    hipaa_final_omnibus_security_rule_2013_item_id:
-      - 164_310_d_2_iv
-    hipaa_section:
-      - "164_310"
-    plugin:
-      - aws
-    service:
-      - AWS
-    type:
-      - Benchmark
-  controls:
-    - aws_backup_plan_min_retention_35_days
-    - aws_backup_recovery_point_encryption_enabled
-    - aws_backup_recovery_point_manual_deletion_disabled
-    - aws_backup_recovery_point_min_retention_35_days
-    - aws_dynamodb_table_in_backup_plan
-    - aws_dynamodb_table_point_in_time_recovery_enabled
-    - aws_dynamodb_table_protected_by_backup_plan
-    - aws_ebs_volume_in_backup_plan
-    - aws_ebs_volume_protected_by_backup_plan
-    - aws_ec2_instance_ebs_optimized
-    - aws_ec2_instance_protected_by_backup_plan
-    - aws_efs_file_system_in_backup_plan
-    - aws_efs_file_system_protected_by_backup_plan
-    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-    - aws_fsx_file_system_protected_by_backup_plan
-    - aws_rds_db_cluster_aurora_protected_by_backup_plan
-    - aws_rds_db_instance_backup_enabled
-    - aws_rds_db_instance_in_backup_plan
-    - aws_rds_db_instance_protected_by_backup_plan
-    - aws_redshift_cluster_automatic_snapshots_min_7_days
-    - aws_s3_bucket_cross_region_replication_enabled
-    - aws_s3_bucket_versioning_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv
+title: 310(d)(2)(iv) Data backup and storage
+description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
+section-code: d_2_iv
+type: control-group
+tags:
+  category:
+  - Compliance
+  hipaa_final_omnibus_security_rule_2013:
+  - "true"
+  hipaa_final_omnibus_security_rule_2013_item_id:
+  - 164_310_d_2_iv
+  hipaa_section:
+  - "164_310"
+  plugin:
+  - aws
+  service:
+  - AWS
+  type:
+  - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml
index 3ddfca84f..d425ceae5 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml
@@ -1,30 +1,41 @@
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312
+title: Technical Safeguards
+description: The Security Rule defines technical safeguards in 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.`
+section-code: "164_312"
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312
- title: Technical Safeguards
- description: The Security Rule defines technical safeguards in 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.`
- section-code: "164_312"
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i
- - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i
+ type: ""
+- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii
+ type: ""
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml
index eac947ddf..9002b87ec 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml
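Review bot: Every child reference under `control-group:` on the new side carries `type: ""`, while the top-level entry of the same file uses `type: control-group`; an empty string reads like a serializer default rather than an intended value. If the loader dispatches on `type` to resolve the referenced id, an empty value will either be ignored or fail resolution silently, and a reader of this file cannot tell which. I would set each reference to the kind it points at, e.g. `- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1` / `  type: control-group`, or drop the field from the references altogether if the loader does not read it.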
@@ -1,57 +1,57 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1
- title: 312(a)(1) Access control
- description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
- section-code: a_1
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_1
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1
+title: 312(a)(1) Access control
+description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
+section-code: a_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_1
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_iam_profile_attached
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_uses_imdsv2
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_opensearch_domain_in_vpc
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml
index 5998d6d3d..c297bf024 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml
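Review bot: The `hipaa_final_omnibus_security_rule_2013_item_id` value `164_312_a_1` is left as an unquoted scalar while `section-code` and `hipaa_section` in the same file are quoted; YAML 1.1 loaders accept `_` inside numeric literals, and the sibling 164_312_e_1 file in this same change already shows the consequence, where the id was emitted as `"1.64312e+06"` (apparently `164_312_e_1` read as `164312e1` on an earlier round-trip). This file's id does not happen to parse as a number, but the unquoted convention invites the same corruption the next time the framework is regenerated. I would quote it, `- "164_312_a_1"`, and do the same for the item ids across the other group files.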
@@ -1,24 +1,24 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i
- title: 312(a)(2)(i) Unique user identification
- description: Assign a unique name and/or number for identifying and tracking user identity.
- section-code: a_2_i
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_2_i
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_s3_data_events_enabled
- - aws_iam_root_user_no_access_keys
- - aws_s3_bucket_restrict_public_read_access
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i
+title: 312(a)(2)(i) Unique user identification
+description: Assign a unique name and/or number for identifying and tracking user identity.
+section-code: a_2_i
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_2_i
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_s3_data_events_enabled
+- aws_iam_root_user_no_access_keys
+- aws_s3_bucket_restrict_public_read_access
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml
index e6e641784..21c4e9f26 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml
@@ -1,43 +1,43 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
- title: 312(a)(2)(ii) Emergency access procedure
- description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
- section-code: a_2_ii
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_2_ii
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
+title: 312(a)(2)(ii) Emergency access procedure
+description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
+section-code: a_2_ii
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_2_ii
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
index 732bce378..fb06c497c 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
@@ -1,54 +1,54 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
- title: 312(a)(2)(iv) Encryption and decryption
- description: Implement a mechanism to encrypt and decrypt electronic protected health information.
- section-code: a_2_iv
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_2_iv
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
+title: 312(a)(2)(iv) Encryption and decryption
+description: Implement a mechanism to encrypt and decrypt electronic protected health information.
+section-code: a_2_iv
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_2_iv
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
index 6144dfa05..8dd46f6d2 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
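Review bot: `aws_elb_application_lb_drop_http_headers` in the `controls:` list checks that the ALB drops invalid HTTP header fields, which is request-desync hardening rather than a mechanism to encrypt or decrypt ePHI; the `redirect_http_request_to_https` and `use_ssl_certificate` entries beside it are the ones that actually cover 164.312(a)(2)(iv). Separately, `aws_s3_bucket_default_encryption_enabled` and `aws_s3_bucket_default_encryption_enabled_kms` are both listed, so a bucket using SSE-S3 passes one and fails the other inside the same group; if the KMS check is meant as the stricter bar, a comment above the pair saying so would help, otherwise keep only one. I would drop `- aws_elb_application_lb_drop_http_headers` here.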
@@ -1,47 +1,47 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
- title: 312(b) Audit controls
- description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- section-code: b
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_b
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
+title: 312(b) Audit controls
+description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_b
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_xray_tracing_enabled
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_validation_enabled
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml
index f2fbf149a..d8d8f7387 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml
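Review bot: `aws_autoscaling_group_with_lb_use_health_check`, `aws_elastic_beanstalk_enhanced_health_reporting_enabled`, `aws_lambda_function_concurrent_execution_limit_configured` and `aws_lambda_function_dead_letter_queue_configured` in the `controls:` list are availability and resilience settings; none of them records or examines activity in a system holding ePHI, which is what 164.312(b) asks for, so they dilute the group's pass/fail signal for anyone reading it as evidence of audit controls. If they are kept deliberately (for example because an upstream mapping includes them), a short comment above the list stating that rationale is worth adding. Otherwise I would remove those four entries and leave the CloudTrail, logging, GuardDuty and Security Hub checks.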
@@ -1,42 +1,42 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
- title: 312(c)(1) Integrity
- description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
- section-code: c_1
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_c_1
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
+title: 312(c)(1) Integrity
+description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
+section-code: c_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_c_1
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
index 1ca23c41f..e2855225e 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
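Review bot: The `controls:` list for 164.312(c)(1) is almost entirely encryption-at-rest and in-transit checks, which protect confidentiality; only `aws_cloudtrail_trail_validation_enabled` and `aws_s3_bucket_versioning_enabled` address the improper alteration or destruction named in the description. `aws_backup_recovery_point_manual_deletion_disabled`, which this same change lists under 164_310_d_2_iv, directly prevents destruction of retained copies and fits this group better than, say, `aws_dax_cluster_encryption_at_rest_enabled`. I would add `- aws_backup_recovery_point_manual_deletion_disabled` to this list, keeping it sorted with its neighbours.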
@@ -1,28 +1,28 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
- title: 312(c)(2) Mechanism to authenticate electronic protected health information
- description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- section-code: c_2
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_c_2
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
+title: 312(c)(2) Mechanism to authenticate electronic protected health information
+description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
+section-code: c_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_c_2
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
index b3711ef7c..328010383 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
- title: 312(d) Person or entity authentication
- description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- section-code: d
- tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_d
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
+title: 312(d) Person or entity authentication
+description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_d
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml
index bcc68628d..9d7245cf0 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml
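Review bot: The `service:` tag on the new side is `AWS/IAM`, whereas every other control group in this change (164_310_d_2_iv, 164_312, a_1, a_2_i, a_2_ii, a_2_iv, b, c_1, c_2) uses `AWS`. If the tags drive filtering or roll-ups, this group drops out of a `service = AWS` selection while being the one that holds the MFA and password-policy checks, which is exactly the evidence an assessor looks for under 164.312(d). I would normalize it to `- AWS`, or, if the finer-grained value is wanted, apply `AWS/IAM` consistently to the IAM-only groups across the framework rather than to this one file.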
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml 
@@ -1,56 +1,56 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1 - title: 312(e)(1) Transmission security - description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. - section-code: e_1 - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - "1.64312e+06" - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_es_domain_node_to_node_encryption_enabled - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - 
aws_ssm_document_prohibit_public_access - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1 +title: 312(e)(1) Transmission security +description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. +section-code: e_1 +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - "1.64312e+06" + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_autoscaling_launch_config_public_ip_disabled +- aws_cloudfront_distribution_encryption_in_transit_enabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_es_domain_node_to_node_encryption_enabled +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_encryption_in_transit_enabled +- 
aws_redshift_cluster_enhanced_vpc_routing_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_ssm_document_prohibit_public_access +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml index 8d666ee48..6bb9ca9f4 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml 
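Review bot: The `hipaa_final_omnibus_security_rule_2013_item_id` entry on the new side of this hunk still carries `"1.64312e+06"`, which looks like a float-coerced round trip of the intended tag rather than a real identifier: an unquoted value of the form `164_312_e_1` becomes `164312e1` once a YAML 1.1-style resolver strips the underscores, is read as the float 1643120, and is re-serialised in exponent form. The sibling 312(e)(2)(i) file in this diff keeps `164_312_e_2_i` intact only because the trailing `_i` stops the float match, and `hipaa_section` is already written as `"164_312"` to avoid the same coercion on an integer. The entry should be restored and quoted, presumably `- "164_312_e_1"` by the pattern of its `section-code: e_1`; quoting the other item ids rewritten in this diff as well would stop a future regeneration from repeating the coercion. Until then anything that keys controls by this tag cannot match this group.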
@@ -1,34 +1,34 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i - title: 312(e)(2)(i) Integrity controls - description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. - section-code: e_2_i - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_312_e_2_i - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_guardduty_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled +id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i +title: 312(e)(2)(i) Integrity controls +description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. 
+section-code: e_2_i +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_312_e_2_i + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_guardduty_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml index 78481516b..39619c621 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml 
@@ -1,52 +1,52 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii - title: 312(e)(2)(ii) Encryption - description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. - section-code: e_2_ii - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_312_e_2_ii - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - 
aws_sns_topic_encrypted_at_rest +id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii +title: 312(e)(2)(ii) Encryption +description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. +section-code: e_2_ii +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_312_e_2_ii + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_eks_cluster_secrets_encrypted +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_application_network_lb_use_ssl_certificate +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_secretsmanager_secret_encrypted_with_kms_cmk +- 
aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml index 20fd67b72..17317efd8 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml 
@@ -1,25 +1,31 @@ +id: aws_hipaa_final_omnibus_security_rule_2013_164_314 +title: Organizational Requirements +description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS). +section-code: "164_314" +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314 - title: Organizational Requirements - description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS). 
- section-code: "164_314" - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1 - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2 - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii - - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1 + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2 + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii + type: "" +- id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv + type: "" diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml index bef7cafc1..f9a539e56 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml 
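Review bot: The child references added under `control-group:` carry `type: ""` while every referenced file in this diff (164_314_b_1 through 164_314_b_2_iv) declares `type: control-group` at its top level, so the reference and its target disagree on the same field. If the loader uses the reference's `type` to decide how to resolve the id, an empty string is at best a fallback and at worst a silent non-match; either write `type: control-group` on each entry or drop the key from the reference and let the target's own declaration apply. I cannot tell from this diff which form the schema expects, so it is worth confirming before this lands.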
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1 - title: 314(b)(1) Requirements for group health plans - description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. - section-code: b_1 - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_1 - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - 
aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1 +title: 314(b)(1) Requirements for group health plans +description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. +section-code: b_1 +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_1 + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- 
aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml index 16431194a..f2913aa5f 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml 
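Review bot: The `controls:` list rewritten here is byte-identical to the lists in the 164_314_b_2, 164_314_b_2_i, 164_314_b_2_ii and 164_314_b_2_iii files later in this diff, which reads as one mapping copied across five distinct requirements rather than a per-requirement selection. The clearest mismatch is 314(b)(2)(ii), whose description is about the separation required by 164.504(f)(2)(iii), yet nothing in that list addresses access separation; it is encryption-at-rest, TLS and public-access controls throughout. This may be deliberate for a first pass, but a one-line comment above each list stating the rationale (e.g. `# shared safeguard baseline for 164.314(b); no AWS control maps to the separation clause directly`) would make the intent reviewable instead of looking like an unfinished copy.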
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2 - title: 314(b)(2) Implementation specifications - description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to? - section-code: b_2 - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_2 - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2 +title: 314(b)(2) Implementation specifications +description: The plan documents of the group health plan must be amended to incorporate provisions to 
require the plan sponsor to? +section-code: b_2 +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_2 + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml index baf483e99..c9b506a3d 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml 
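Review bot: The `description` on the new side ends with `require the plan sponsor to?`, which reads as a mis-encoded dash or colon rather than a question: the phrase introduces the sub-items that the sibling files 164_314_b_2_i through 164_314_b_2_iv in this diff carry as their own descriptions. Since the commit rewrites the whole file, it is the natural place to close the sentence, for example ending it with `require the plan sponsor to:` in place of the stray `?`. This is documentation only; the control mapping is unaffected.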
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml 
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i - title: 314(b)(2)(i) - description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan. - section-code: b_2_i - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_2_i - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i +title: 
314(b)(2)(i) +description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan. +section-code: b_2_i +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_2_i + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints 
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
index 32ccb2418..68772d898 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii - title: 314(b)(2)(ii) - description: Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. - section-code: b_2_ii - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_2_ii - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii +title: 314(b)(2)(ii) +description: Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security 
measures. +section-code: b_2_ii +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_2_ii + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml index 289eb5481..4cbd43645 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml 
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii - title: 314(b)(2)(iii) - description: Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information. - section-code: b_2_iii - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_2_iii - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii +title: 314(b)(2)(iii) +description: Ensure that any agent to whom it provides this information agrees to implement reasonable and 
appropriate security measures to protect the information. +section-code: b_2_iii +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_2_iii + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml index 9d143fb5a..1bf15fd50 100755 
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml 
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv - title: 314(b)(2)(iv) - description: Report to the group health plan any security incident of which it becomes aware. - section-code: b_2_iv - tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_314_b_2_iv - hipaa_section: - - "164_314" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints +id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv +title: 314(b)(2)(iv) +description: Report to the group health plan any security incident of which it becomes aware. 
+section-code: b_2_iv +type: control-group +tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_314_b_2_iv + hipaa_section: + - "164_314" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_eks_cluster_secrets_encrypted +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_https_required +- aws_opensearch_domain_node_to_node_encryption_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_kms_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml index 1843648d5..2126800e5 100644 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml 
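Review bot: The `controls:` list for 314(b)(2)(iv) ("Report to the group health plan any security incident of which it becomes aware") is the same encryption and public-access set repeated verbatim from 314(b)(2)(ii) and (iii) in the two preceding sections, and none of those controls evidences that incidents are detected or surfaced, so this group reads as satisfied by encryption alone. The list is carried over unchanged from the old side, so the gap predates this commit, but the restructuring is a natural point to fix it. Controls this page already maps for activity review and risk analysis, `aws_guardduty_enabled`, `aws_securityhub_enabled` and `aws_cloudtrail_trail_enabled`, are the closer evidence for an incident-reporting requirement. If sharing one list across the three (b)(2) sub-items is intentional, a `# controls shared across 164.314(b)(2)(ii)-(iv); see <rationale>` comment above `controls:` would stop the next reviewer from raising it again.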
@@ -1,30 +1,30 @@
-framework:
- id: aws_hipaa_security_rule_2003
- title: HIPAA Security Rule 2003
- description: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- section-code: aws_hipaa_security_rule_2003
- tags:
- category:
- - Compliance
- hipaa_security_rule_2003:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Laws & Regulations
- - Privacy
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_hipaa_security_rule_2003_164_308
- - id: aws_hipaa_security_rule_2003_164_310
- - id: aws_hipaa_security_rule_2003_164_312
- - id: aws_hipaa_security_rule_2003_164_314
+id: aws_hipaa_security_rule_2003
+title: HIPAA Security Rule 2003
+description: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
+section-code: aws_hipaa_security_rule_2003
+type: framework
+tags:
+ category:
+ - Compliance
+ hipaa_security_rule_2003:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Laws & Regulations
+ - Privacy
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_hipaa_security_rule_2003_164_308
+- id: aws_hipaa_security_rule_2003_164_310
+- id: aws_hipaa_security_rule_2003_164_312
+- id: aws_hipaa_security_rule_2003_164_314
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
index 12405e85d..10b46d8c1 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
@@ -1,40 +1,61 @@
+id: aws_hipaa_security_rule_2003_164_308
+title: Administrative Safeguards
+description: An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate administrative safeguards that establish the foundation for a covered entity's security program. The Administrative Safeguards standards in the Security Rule, at § 164.308, were developed to accomplish this purpose.
+section-code: "164_308"
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_hipaa_security_rule_2003_164_308
- title: Administrative Safeguards
- description: An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate administrative safeguards that establish the foundation for a covered entity's security program. The Administrative Safeguards standards in the Security Rule, at § 164.308, were developed to accomplish this purpose.
- section-code: "164_308"
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
- - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b
- - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d
- - id: aws_hipaa_security_rule_2003_164_308_a_3_i
- - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a
- - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
- - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
- - id: aws_hipaa_security_rule_2003_164_308_a_4_i
- - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
- - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b
- - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_c
- - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b
- - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c
- - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d
- - id: aws_hipaa_security_rule_2003_164_308_a_6_i
- - id: aws_hipaa_security_rule_2003_164_308_a_6_ii
- - id: aws_hipaa_security_rule_2003_164_308_a_7_i
- - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a
- - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b
- - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c
- - id: aws_hipaa_security_rule_2003_164_308_a_8
+- id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_3_i
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_4_i
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b
+ type: ""
+- id: 
aws_hipaa_security_rule_2003_164_308_a_4_ii_c
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_6_i
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_6_ii
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_7_i
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_308_a_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
index d7a43be3a..0fffa5414 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
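Review bot: Every child entry under `control-group:` in this hunk carries `type: ""`, while the framework file aws_hipaa_security_rule_2003.yaml in the same commit lists its children as bare `- id:` entries and the top of this file sets `type: control-group`; an empty string matches neither convention and looks like a serializer default rather than a chosen value. If the loader dispatches on `type`, an empty value is presumably either ignored or rejected at load time, and in either case the two files now disagree on the child-entry schema. Either drop the `type: ""` lines or give them the value the children actually are, `type: control-group`, consistent with the top-level key of the same file.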
@@ -1,24 +1,24 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
- title: 308(a)(1)(ii)(A) Risk analysis
- description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- section-code: a_1_ii_a
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_1_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_config_enabled_all_regions
- - aws_guardduty_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
+title: 308(a)(1)(ii)(A) Risk analysis
+description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
+section-code: a_1_ii_a
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_1_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_config_enabled_all_regions
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml
index 04679514b..45baae5ef 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml
@@ -1,81 +1,81 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b - title: 308(a)(1)(ii)(B) Risk management - description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). - section-code: a_1_ii_b - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_1_ii_b - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_efs_file_system_encrypt_data_at_rest - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_kms_key_not_pending_deletion - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - 
aws_opensearch_domain_in_vpc - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_vpn_tunnel_up +id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b +title: 308(a)(1)(ii)(B) Risk management +description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). 
+section-code: a_1_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_1_ii_b + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_dms_replication_instance_not_publicly_accessible +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_efs_file_system_encrypt_data_at_rest +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_in_vpc +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_kms_key_not_pending_deletion +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_encryption_in_transit_enabled +- 
aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_object_lock_enabled +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_bucket_versioning_enabled +- aws_s3_public_access_block_account +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant +- aws_vpc_igw_attached_to_authorized_vpc +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml index 51a346a05..3f25f860b 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml 
@@ -1,39 +1,39 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d - title: 308(a)(1)(ii)(D) Information system activity review - description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. - section-code: a_1_ii_d - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_1_ii_d - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_logging_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d +title: 308(a)(1)(ii)(D) Information system activity review +description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 
+section-code: a_1_ii_d +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_1_ii_d + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudfront_distribution_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_codebuild_project_logging_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml index a8fc694fb..adee048eb 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml 
@@ -1,42 +1,42 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_3_i - title: 308(a)(3)(i) Workforce security - description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. - section-code: a_3_i - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_3_i - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled +id: aws_hipaa_security_rule_2003_164_308_a_3_i +title: 308(a)(3)(i) Workforce security +description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under 
paragraph (a)(4) of this section from obtaining access to electronic protected health information. +section-code: a_3_i +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_3_i + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_es_domain_in_vpc +- aws_iam_group_not_empty +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml index f4dce5b6e..a1623feec 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml 
@@ -1,36 +1,36 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a - title: 308(a)(3)(ii)(A) Authorization and/or supervision - description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. - section-code: a_3_ii_a - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_3_ii_a - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_emr_cluster_kerberos_enabled - - aws_guardduty_enabled - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_iam_authentication_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled +id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a +title: 308(a)(3)(ii)(A) Authorization and/or supervision +description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. 
+section-code: a_3_ii_a +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_3_ii_a + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_emr_cluster_kerberos_enabled +- aws_guardduty_enabled +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_iam_authentication_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml index d40d7699c..d76f07bbd 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml 
@@ -1,28 +1,28 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
- title: 308(a)(3)(ii)(B) Workforce clearance procedure
- description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
- section-code: a_3_ii_b
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_ii_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_s3_bucket_policy_restrict_public_access
+id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
+title: 308(a)(3)(ii)(B) Workforce clearance procedure
+description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
+section-code: a_3_ii_b
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_ii_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
index d89df2fe5..560ef686e 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
- title: 308(a)(3)(ii)(C) Termination procedures
- description: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
- section-code: a_3_ii_c
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_ii_c
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_user_access_key_age_90
+id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
+title: 308(a)(3)(ii)(C) Termination procedures
+description: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
+section-code: a_3_ii_c
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_ii_c
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_user_access_key_age_90
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
index 9877f16c0..a3f2792db 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
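Review bot: The `service` tag in the a_3_ii_c group is `- AWS/IAM` while every other control-group in this series tags `- AWS`; the commit re-indents the value but carries the inconsistency over unchanged. If this tag drives how benchmarks are filtered or grouped downstream, a_3_ii_c would be separated from its sibling HIPAA groups on what looks like an accident rather than a decision. Either normalize it to `- AWS` to match the peers, or keep it and add a comment such as `# service scoped to IAM: the only control here is aws_iam_user_access_key_age_90` so the next reader knows it is intentional. I cannot see the loader from this chunk, so whether the value is validated against an allowed list is an open question.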
@@ -1,26 +1,26 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_4_i
- title: 308(a)(4)(i) Information access management
- description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
- section-code: a_4_i
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_rds_db_instance_iam_authentication_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_4_i
+title: 308(a)(4)(i) Information access management
+description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
+section-code: a_4_i
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
index b4d50836b..deae3646e 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
@@ -1,54 +1,54 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
- title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
- description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
- section-code: a_4_ii_a
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
+title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
+description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
+section-code: a_4_ii_a
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
index 44b978447..e3932cda8 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b
- title: 308(a)(4)(ii)(B) Access authorization
- description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
- section-code: a_4_ii_b
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_ii_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_s3_bucket_policy_restrict_public_access
+id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b
+title: 308(a)(4)(ii)(B) Access authorization
+description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
+section-code: a_4_ii_b
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_ii_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml
index 147a72661..8cc18764a 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml 
@@ -1,31 +1,31 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_4_ii_c
- title: 308(a)(4)(ii)(C) Access establishment and modification
- description: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
- section-code: a_4_ii_c
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_ii_c
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_s3_bucket_policy_restrict_public_access
- - aws_secretsmanager_secret_automatic_rotation_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_4_ii_c
+title: 308(a)(4)(ii)(C) Access establishment and modification
+description: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
+section-code: a_4_ii_c
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_ii_c
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_s3_bucket_policy_restrict_public_access
+- aws_secretsmanager_secret_automatic_rotation_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml
index a0676335a..3e0678766 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b
- title: 308(a)(5)(ii)(B) Protection from malicious software
- description: Procedures for guarding against, detecting, and reporting malicious software.
- section-code: a_5_ii_b
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_5_ii_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b
+title: 308(a)(5)(ii)(B) Protection from malicious software
+description: Procedures for guarding against, detecting, and reporting malicious software.
+section-code: a_5_ii_b
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_5_ii_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml
index 66bf0f604..ab16be897 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c
- title: 308(a)(5)(ii)(C) Log-in monitoring
- description: Procedures for monitoring log-in attempts and reporting discrepancies.
- section-code: a_5_ii_c
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_5_ii_c
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_guardduty_enabled
- - aws_log_metric_filter_console_authentication_failure
+id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c
+title: 308(a)(5)(ii)(C) Log-in monitoring
+description: Procedures for monitoring log-in attempts and reporting discrepancies.
+section-code: a_5_ii_c
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_5_ii_c
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_validation_enabled
+- aws_guardduty_enabled
+- aws_log_metric_filter_console_authentication_failure
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml
index 87178cab6..03118ba3a 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml
@@ -1,27 +1,27 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d
- title: 308(a)(5)(ii)(D) Password management
- description: Procedures for creating, changing, and safeguarding passwords.
- section-code: a_5_ii_d
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_5_ii_d
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_rotated_as_scheduled
+id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d
+title: 308(a)(5)(ii)(D) Password management
+description: Procedures for creating, changing, and safeguarding passwords.
+section-code: a_5_ii_d
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_5_ii_d
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_user_access_key_age_90
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_last_changed_90_day
+- aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml
index 61a0c79a0..4dc92a888 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml
@@ -1,27 +1,27 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_6_i
- title: 308(a)(6)(i) Security incident procedures
- description: Implement policies and procedures to address security incidents.
- section-code: a_6_i
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_6_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_dead_letter_queue_configured
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_root_login
- - aws_securityhub_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_6_i
+title: 308(a)(6)(i) Security incident procedures
+description: Implement policies and procedures to address security incidents.
+section-code: a_6_i
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_6_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_dead_letter_queue_configured
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_root_login
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml
index fb9a5f06c..9f2df7ea9 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_6_ii
- title: 308(a)(6)(ii) Response and Reporting
- description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
- section-code: a_6_ii
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_6_ii
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_root_login
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
+id: aws_hipaa_security_rule_2003_164_308_a_6_ii
+title: 308(a)(6)(ii) Response and Reporting
+description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
+section-code: a_6_ii
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_6_ii
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_validation_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_log_metric_filter_console_authentication_failure
+- aws_log_metric_filter_root_login
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml
index 21e873e2a..2076a62e2 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml
@@ -1,47 +1,47 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_7_i
- title: 308(a)(7)(i) Contingency plan
- description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
- section-code: a_7_i
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_7_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_security_rule_2003_164_308_a_7_i
+title: 308(a)(7)(i) Contingency plan
+description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
+section-code: a_7_i
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_7_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml
index 5058e2a93..457585a16 100755
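Review bot: The a_7_i control list is byte-identical to the lists in the a_7_ii_a (data backup plan) and a_7_ii_b (disaster recovery plan) hunks that follow, 26 controls each, and the commit carries that duplication over without a pointer explaining it. Nothing in the three files tells a reader whether the mirroring is deliberate or whether each sub-requirement was meant to get its own subset, and entries such as `aws_autoscaling_group_with_lb_use_health_check`, `aws_ec2_instance_ebs_optimized` and `aws_vpc_vpn_tunnel_up` read as availability checks rather than backup or restore evidence, so I am not certain they belong under a_7_ii_a in particular. A one-line comment above `controls:` in each of the three files, along the lines of `# intentionally mirrors a_7_i: contingency, backup and DR share the same evidence set`, would make the mapping auditable; if the mirroring is not intentional, the two sub-groups should be narrowed instead.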
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml
@@ -1,47 +1,47 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a
- title: 308(a)(7)(ii)(A) Data backup plan
- description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- section-code: a_7_ii_a
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_7_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a
+title: 308(a)(7)(ii)(A) Data backup plan
+description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
+section-code: a_7_ii_a
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_7_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml
index 40cd7fa4c..e8b762426 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b - title: 308(a)(7)(ii)(B) Disaster recovery plan - description: Establish (and implement as needed) procedures to restore any loss of data. - section-code: a_7_ii_b - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_ii_b - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b +title: 308(a)(7)(ii)(B) Disaster recovery plan +description: Establish (and implement as needed) procedures to restore any loss of data. 
+section-code: a_7_ii_b +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_ii_b + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml index ed82a2f8e..3dc5d58b9 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml 
@@ -1,47 +1,47 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c - title: 308(a)(7)(ii)(C) Emergency mode operation plan - description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. - section-code: a_7_ii_c - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_ii_c - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c +title: 308(a)(7)(ii)(C) Emergency mode operation plan +description: Establish (and implement as needed) procedures to enable 
continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. +section-code: a_7_ii_c +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_ii_c + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml index 2bab705d5..7f9d93136 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml @@ -1,23 +1,23 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_308_a_8 - title: 308(a)(8) Evaluation - description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. - section-code: a_8 - tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_8 - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_hipaa_security_rule_2003_164_308_a_8 +title: 308(a)(8) Evaluation +description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. +section-code: a_8 +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_8 + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml index 8e4d00a65..945f94a5a 100755 
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml @@ -1,20 +1,21 @@ +id: aws_hipaa_security_rule_2003_164_310 +title: Physical Safeguards +description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. +section-code: "164_310" +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_310" + hipaa_security_rule_2003: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_hipaa_security_rule_2003_164_310 - title: Physical Safeguards - description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. - section-code: "164_310" - tags: - category: - - Compliance - hipaa_section: - - "164_310" - hipaa_security_rule_2003: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_hipaa_security_rule_2003_164_310_d_2_iv +- id: aws_hipaa_security_rule_2003_164_310_d_2_iv + type: "" diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml index 40485e5f8..5a9f631e6 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml 
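Review bot: The child reference added under `control-group:` is written as `- id: aws_hipaa_security_rule_2003_164_310_d_2_iv` followed by `type: ""`, while the file itself and every other group file in this change set `type: control-group`; an empty string is neither the group discriminator nor an absent key, so any loader that switches on `type` has to special-case it. Unless the generator relies on the empty value to mean "resolve by id", give the child the same discriminator as the file it points to, `type: control-group`, or omit the key. I cannot see the loader or schema from this diff, so confirm which form it expects before changing it.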
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml 
@@ -1,43 +1,43 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_310_d_2_iv - title: 310(d)(2)(iv) Data backup and storage - description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. - section-code: d_2_iv - tags: - category: - - Compliance - hipaa_section: - - "164_310" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_310_d_2_iv - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_hipaa_security_rule_2003_164_310_d_2_iv +title: 310(d)(2)(iv) Data backup and storage +description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. 
+section-code: d_2_iv +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_310" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_310_d_2_iv + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml index 5146b3a0f..2c35c99b3 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml 
@@ -1,30 +1,41 @@ +id: aws_hipaa_security_rule_2003_164_312 +title: Technical Safeguards +description: The Security Rule defines technical safeguards in § 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.` +section-code: "164_312" +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_hipaa_security_rule_2003_164_312 - title: Technical Safeguards - description: The Security Rule defines technical safeguards in § 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.` - section-code: "164_312" - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_hipaa_security_rule_2003_164_312_a_1 - - id: aws_hipaa_security_rule_2003_164_312_a_2_i - - id: aws_hipaa_security_rule_2003_164_312_a_2_ii - - id: aws_hipaa_security_rule_2003_164_312_a_2_iv - - id: aws_hipaa_security_rule_2003_164_312_b - - id: aws_hipaa_security_rule_2003_164_312_c_1 - - id: aws_hipaa_security_rule_2003_164_312_c_2 - - id: aws_hipaa_security_rule_2003_164_312_d - - id: aws_hipaa_security_rule_2003_164_312_e_1 - - id: aws_hipaa_security_rule_2003_164_312_e_2_i - - id: aws_hipaa_security_rule_2003_164_312_e_2_ii +- id: aws_hipaa_security_rule_2003_164_312_a_1 + type: "" +- id: aws_hipaa_security_rule_2003_164_312_a_2_i + type: "" +- id: aws_hipaa_security_rule_2003_164_312_a_2_ii + type: "" +- id: aws_hipaa_security_rule_2003_164_312_a_2_iv + type: "" +- id: aws_hipaa_security_rule_2003_164_312_b + type: "" +- id: aws_hipaa_security_rule_2003_164_312_c_1 + type: "" +- id: aws_hipaa_security_rule_2003_164_312_c_2 + type: "" +- id: 
aws_hipaa_security_rule_2003_164_312_d + type: "" +- id: aws_hipaa_security_rule_2003_164_312_e_1 + type: "" +- id: aws_hipaa_security_rule_2003_164_312_e_2_i + type: "" +- id: aws_hipaa_security_rule_2003_164_312_e_2_ii + type: "" diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml index 296773cb3..600c7778e 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml 
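Review bot: All eleven child references in the new `control-group:` list carry `type: ""`, which is the only place in this change where `type` is empty; the top of this file and each referenced group file set `type: control-group`, so the references disagree with their targets and the hunk grows by eleven lines that convey nothing. If the empty value is a placeholder emitted by the generator, either fill it with `type: control-group` to match the target files or drop the key so the id alone identifies the child, as the pre-change form did. I cannot tell from the diff whether the loader tolerates or requires the empty string, so check that before picking one.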
@@ -1,44 +1,44 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_312_a_1 - title: 312(a)(1) Access control - description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). - section-code: a_1 - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_a_1 - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled +id: aws_hipaa_security_rule_2003_164_312_a_1 +title: 312(a)(1) Access control +description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). 
+section-code: a_1 +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_a_1 + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_kerberos_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_not_empty +- aws_iam_policy_no_star_star +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml index 734587ef5..4f240372f 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_312_a_2_i - title: 312(a)(2)(i) Unique user identification - description: Assign a unique name and/or number for identifying and tracking user identity. - section-code: a_2_i - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_a_2_i - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_s3_data_events_enabled - - aws_iam_root_user_no_access_keys - - aws_s3_bucket_restrict_public_read_access +id: aws_hipaa_security_rule_2003_164_312_a_2_i +title: 312(a)(2)(i) Unique user identification +description: Assign a unique name and/or number for identifying and tracking user identity. +section-code: a_2_i +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_a_2_i + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_s3_data_events_enabled +- aws_iam_root_user_no_access_keys +- aws_s3_bucket_restrict_public_read_access diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml index 12bc2b6b1..7bf89e613 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml 
@@ -1,43 +1,43 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_312_a_2_ii - title: 312(a)(2)(ii) Emergency access procedure - description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. - section-code: a_2_ii - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_a_2_ii - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_hipaa_security_rule_2003_164_312_a_2_ii +title: 312(a)(2)(ii) Emergency access procedure +description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. 
+section-code: a_2_ii +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_a_2_ii + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml index 73ea38b36..1e214419b 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml 
@@ -1,43 +1,43 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_312_a_2_iv - title: 312(a)(2)(iv) Encryption and decryption - description: Implement a mechanism to encrypt and decrypt electronic protected health information. - section-code: a_2_iv - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_a_2_iv - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_es_domain_encryption_at_rest_enabled - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest +id: aws_hipaa_security_rule_2003_164_312_a_2_iv +title: 312(a)(2)(iv) Encryption and decryption +description: Implement a mechanism to encrypt and decrypt electronic protected health information. 
+section-code: a_2_iv +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_a_2_iv + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_eks_cluster_secrets_encrypted +- aws_es_domain_encryption_at_rest_enabled +- aws_iam_policy_custom_no_blocked_kms_actions +- aws_iam_policy_inline_no_blocked_kms_actions +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml index 636a32a59..3d8bf0928 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_hipaa_security_rule_2003_164_312_b - title: 312(b) Audit controls - description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. - section-code: b - tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_b - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_hipaa_security_rule_2003_164_312_b +title: 312(b) Audit controls +description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 
+section-code: b +type: control-group +tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_b + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_validation_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml index b8ddd7bf9..a85f983b5 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml 
@@ -1,42 +1,42 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_c_1
- title: 312(c)(1) Integrity
- description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
- section-code: c_1
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_c_1
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
+id: aws_hipaa_security_rule_2003_164_312_c_1
+title: 312(c)(1) Integrity
+description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
+section-code: c_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_c_1
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
index 19fd66af2..2048b5a4e 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
@@ -1,27 +1,27 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_c_2
- title: 312(c)(2) Mechanism to authenticate electronic protected health information
- description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- section-code: c_2
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_c_2
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
+id: aws_hipaa_security_rule_2003_164_312_c_2
+title: 312(c)(2) Mechanism to authenticate electronic protected health information
+description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
+section-code: c_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_c_2
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_cloudtrail_trail_validation_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
index 3dee4dbdc..a29ee1d8f 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_d
- title: 312(d) Person or entity authentication
- description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- section-code: d
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_d
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_hipaa_security_rule_2003_164_312_d
+title: 312(d) Person or entity authentication
+description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_d
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml
index 891414412..559f9d932 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml 
@@ -1,31 +1,31 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_e_1
- title: 312(e)(1) Transmission security
- description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
- section-code: e_1
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - "1.64312e+06"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
+id: aws_hipaa_security_rule_2003_164_312_e_1
+title: 312(e)(1) Transmission security
+description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
+section-code: e_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - "1.64312e+06"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
index 62aefb709..7f1406d88 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
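Review bot: The tag value `hipaa_security_rule_2003_item_id: - "1.64312e+06"` on the new side is a corrupted identifier: every sibling file in this diff carries the section id in that tag (`164_312_b`, `164_312_c_1`, `164_312_e_2_i`), so this one should read `164_312_e_1`. The value is consistent with a YAML 1.1 loader having stripped the underscores and read `164312e1` as a float on an earlier round-trip, and the migration re-emits it unchanged. Quote the scalar so it survives the next round-trip: `- "164_312_e_1"`. Anything that filters or reports by this tag will otherwise miss the transmission-security section.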
@@ -1,32 +1,32 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_e_2_i
- title: 312(e)(2)(i) Integrity controls
- description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
- section-code: e_2_i
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_e_2_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_guardduty_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
+id: aws_hipaa_security_rule_2003_164_312_e_2_i
+title: 312(e)(2)(i) Integrity controls
+description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
+section-code: e_2_i
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_e_2_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_guardduty_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml
index b3f75e399..35a1369e2 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_312_e_2_ii
- title: 312(e)(2)(ii) Encryption
- description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
- section-code: e_2_ii
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_e_2_ii
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_hipaa_security_rule_2003_164_312_e_2_ii
+title: 312(e)(2)(ii) Encryption
+description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
+section-code: e_2_ii
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_e_2_ii
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml
index fe020ffd9..888ba0e6d 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml
@@ -1,21 +1,23 @@
+id: aws_hipaa_security_rule_2003_164_314
+title: Organizational Requirements
+description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS).
+section-code: "164_314"
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_314"
+ hipaa_security_rule_2003:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_hipaa_security_rule_2003_164_314
- title: Organizational Requirements
- description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS).
- section-code: "164_314"
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_314"
- hipaa_security_rule_2003:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_hipaa_security_rule_2003_164_314_b_1
- - id: aws_hipaa_security_rule_2003_164_314_b_2
+- id: aws_hipaa_security_rule_2003_164_314_b_1
+ type: ""
+- id: aws_hipaa_security_rule_2003_164_314_b_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml
index 84651eaee..e1bba1bf9 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml
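Review bot: The child references on the new side are emitted as `- id: aws_hipaa_security_rule_2003_164_314_b_1` followed by `type: ""`, while every other file in this diff sets `type` to a concrete value (`control-group`, `framework`). An empty string reads like a serializer default rather than a deliberate value; if the loader dispatches on `type`, these entries may be silently skipped or rejected, which would detach both 164_314 subsections from the framework. Either omit the key on child references or set `type: control-group` to match the files they point at. The same pattern appears in the aws_nist_800_171_rev_2_2 hunk further down.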
@@ -1,47 +1,47 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_314_b_1
- title: 314(b)(1) Requirements for group health plans
- description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
- section-code: b_1
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_314"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_314_b_1
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_vpc_configured_to_use_vpc_endpoints
+id: aws_hipaa_security_rule_2003_164_314_b_1
+title: 314(b)(1) Requirements for group health plans
+description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
+section-code: b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_314"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_314_b_1
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml
index 236272f70..93e11ca37 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml
@@ -1,47 +1,47 @@
-control-group:
- id: aws_hipaa_security_rule_2003_164_314_b_2
- title: 314(b)(2) Implementation specifications
- description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to — (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware.
- section-code: b_2
- tags:
- category:
- - Compliance
- hipaa_section:
- - "164_314"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_314_b_2
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_vpc_configured_to_use_vpc_endpoints
+id: aws_hipaa_security_rule_2003_164_314_b_2
+title: 314(b)(2) Implementation specifications
+description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to — (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware.
+section-code: b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_314"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_314_b_2
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_eks_cluster_secrets_encrypted
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml
index aeabc2ecd..e180dec36 100644
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml
@@ -1,36 +1,36 @@
-framework:
- id: aws_nist_800_171_rev_2
- title: NIST 800-171 Revision 2
- description: NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks.
- section-code: aws_nist_800_171_rev_2
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_nist_800_171_rev_2_2
- - id: aws_nist_800_171_rev_2_3_1
- - id: aws_nist_800_171_rev_2_3_3
- - id: aws_nist_800_171_rev_2_3_4
- - id: aws_nist_800_171_rev_2_3_5
- - id: aws_nist_800_171_rev_2_3_6
- - id: aws_nist_800_171_rev_2_3_8
- - id: aws_nist_800_171_rev_2_3_11
- - id: aws_nist_800_171_rev_2_3_12
- - id: aws_nist_800_171_rev_2_3_13
- - id: aws_nist_800_171_rev_2_3_14
+id: aws_nist_800_171_rev_2
+title: NIST 800-171 Revision 2
+description: NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks.
+section-code: aws_nist_800_171_rev_2
+type: framework
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_nist_800_171_rev_2_2
+- id: aws_nist_800_171_rev_2_3_1
+- id: aws_nist_800_171_rev_2_3_3
+- id: aws_nist_800_171_rev_2_3_4
+- id: aws_nist_800_171_rev_2_3_5
+- id: aws_nist_800_171_rev_2_3_6
+- id: aws_nist_800_171_rev_2_3_8
+- id: aws_nist_800_171_rev_2_3_11
+- id: aws_nist_800_171_rev_2_3_12
+- id: aws_nist_800_171_rev_2_3_13
+- id: aws_nist_800_171_rev_2_3_14
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml
index 1d36a4244..2b1b5e67e 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml
@@ -1,18 +1,19 @@ +id: aws_nist_800_171_rev_2_2 +title: System Enviornment +description: "Include a detailed topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices. (Note: this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, handhelds). If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. [Insert a system topology graphic. Provide a narrative consistent with the graphic that clearly lists and describes each system component.]" +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_171_rev_2_2 - title: System Enviornment - description: "Include a detailed topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices. (Note: this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, handhelds). 
If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. [Insert a system topology graphic. Provide a narrative consistent with the graphic that clearly lists and describes each system component.]" - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_171_rev_2_2_2 +- id: aws_nist_800_171_rev_2_2_2 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml index f0b40f521..587c8bd70 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_171_rev_2_2_2 - title: 2. List all software components installed on the system - description: List all software components installed on the system. - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions - - aws_ec2_instance_ssm_managed +id: aws_nist_800_171_rev_2_2_2 +title: 2. List all software components installed on the system +description: List all software components installed on the system. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions +- aws_ec2_instance_ssm_managed 
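Review bot: `title: System Enviornment` on the new side of the aws_nist_800_171_rev_2_2 hunk carries over a misspelling; it should read `title: System Environment`. The same title appears on the removed side, so this is pre-existing, but the restructuring rewrites every line of the file and is the natural place to correct it.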
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml index 373506ee4..60322062e 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml 
@@ -1,28 +1,39 @@
+id: aws_nist_800_171_rev_2_3_1
+title: Access Control
+description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+section-code: "3_1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_1
- title: Access Control
- description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
- section-code: "3_1"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_1_1
- - id: aws_nist_800_171_rev_2_3_1_2
- - id: aws_nist_800_171_rev_2_3_1_3
- - id: aws_nist_800_171_rev_2_3_1_4
- - id: aws_nist_800_171_rev_2_3_1_5
- - id: aws_nist_800_171_rev_2_3_1_6
- - id: aws_nist_800_171_rev_2_3_1_7
- - id: aws_nist_800_171_rev_2_3_1_12
- - id: aws_nist_800_171_rev_2_3_1_13
- - id: aws_nist_800_171_rev_2_3_1_14
- - id: aws_nist_800_171_rev_2_3_1_20
+- id: aws_nist_800_171_rev_2_3_1_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_4
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_5
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_6
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_7
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_12
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_13
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_14
+ type: ""
+- id: aws_nist_800_171_rev_2_3_1_20
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml
index 57091967d..192254eac 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_171_rev_2_3_11
+title: Risk Assessment
+description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+section-code: "3_11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_11
- title: Risk Assessment
- description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
- section-code: "3_11"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_11_2
- - id: aws_nist_800_171_rev_2_3_11_3
+- id: aws_nist_800_171_rev_2_3_11_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_11_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml
index c30031589..7ce4f4fba 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml
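Review bot: The new `description` of aws_nist_800_171_rev_2_3_11 ends with `Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.`, which is vendor marketing copy and also names the wrong publication for an 800-171 framework. It is retained verbatim from the removed side, but since the whole file is rewritten here, drop the sentence so the field reads `description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities.`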
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_171_rev_2_3_11_2 - title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified - description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). 
Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning." - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled +id: aws_nist_800_171_rev_2_3_11_2 +title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified +description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. 
Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_guardduty_finding_archived +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml index f14858c86..91cf4351b 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml 
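Review bot: The `controls` list for 3.11.2 (`aws_guardduty_enabled`, `aws_guardduty_finding_archived`, `aws_securityhub_enabled`) contains nothing that checks vulnerability scanning is actually performed: GuardDuty is threat detection over account telemetry, and the archived-findings control speaks to how findings are handled, not to whether system components are scanned. If the control library has a check for Amazon Inspector (or another scanner) being enabled, it belongs in this list; as written, an account that never scans anything can pass this requirement. The same three controls are reused for the remediation requirement 3.11.3 in the next hunk, where they are a closer fit.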
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_11_3
- title: 11.3 Remediate vulnerabilities in accordance with risk assessments
- description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_nist_800_171_rev_2_3_11_3
+title: 11.3 Remediate vulnerabilities in accordance with risk assessments
+description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
index 734840e78..5e22f5758 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_171_rev_2_3_12
+title: Assessment, Authorization, and Monitoring
+description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
+section-code: "3_12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_12
- title: Assessment, Authorization, and Monitoring
- description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
- section-code: "3_12"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_12_1
- - id: aws_nist_800_171_rev_2_3_12_3
- - id: aws_nist_800_171_rev_2_3_12_4
+- id: aws_nist_800_171_rev_2_3_12_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_12_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_12_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
index 96d9609bb..54af133b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
@@ -1,45 +1,45 @@ -control-group: - id: aws_nist_800_171_rev_2_3_12_1 - title: 12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application - description: Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. 
- section-code: "1" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_171_rev_2_3_12_1 +title: 12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application +description: Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. 
Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_bucket_not_public +- aws_cloudtrail_multi_region_read_write_enabled +- aws_cloudtrail_s3_logging_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_cloudwatch_alarm_action_enabled +- aws_config_enabled_all_regions +- aws_ec2_instance_detailed_monitoring_enabled +- aws_guardduty_enabled +- aws_kms_cmk_rotation_enabled +- aws_log_metric_filter_bucket_policy +- aws_log_metric_filter_cloudtrail_configuration +- aws_log_metric_filter_config_configuration +- aws_log_metric_filter_console_authentication_failure +- aws_log_metric_filter_console_login_mfa +- aws_log_metric_filter_disable_or_delete_cmk +- aws_log_metric_filter_iam_policy +- aws_log_metric_filter_network_acl +- aws_log_metric_filter_network_gateway +- aws_log_metric_filter_root_login +- aws_log_metric_filter_route_table +- aws_log_metric_filter_security_group +- aws_log_metric_filter_unauthorized_api +- aws_log_metric_filter_vpc +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml index dd66be288..5442831f2 100755 
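Review bot: The 28-entry `controls` list written here for 3.12.1 is identical to the lists in the aws_nist_800_171_rev_2_3_12_3 and aws_nist_800_171_rev_2_3_12_4 hunks that follow, so the three requirements yield the same findings and cannot be told apart in a report. 3.12.4 in particular concerns developing and maintaining system security plans, which none of the CloudTrail, CloudWatch metric-filter, Config, GuardDuty or VPC flow-log checks listed can assess; that requirement is more honestly represented by a manual or documentation-type control, while 3.12.1 and 3.12.3 can reasonably keep the monitoring set. The lists are carried over unchanged from the removed side, so this is a follow-up rather than a blocker for the restructuring.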
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml 
@@ -1,45 +1,45 @@ -control-group: - id: aws_nist_800_171_rev_2_3_12_3 - title: 12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls - description: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. - section-code: "3" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - 
aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_171_rev_2_3_12_3 +title: 12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls +description: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_bucket_not_public +- aws_cloudtrail_multi_region_read_write_enabled +- aws_cloudtrail_s3_logging_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_cloudwatch_alarm_action_enabled +- aws_config_enabled_all_regions +- aws_ec2_instance_detailed_monitoring_enabled +- aws_guardduty_enabled +- aws_kms_cmk_rotation_enabled +- aws_log_metric_filter_bucket_policy +- aws_log_metric_filter_cloudtrail_configuration +- aws_log_metric_filter_config_configuration +- aws_log_metric_filter_console_authentication_failure +- aws_log_metric_filter_console_login_mfa +- aws_log_metric_filter_disable_or_delete_cmk +- aws_log_metric_filter_iam_policy +- aws_log_metric_filter_network_acl +- aws_log_metric_filter_network_gateway +- aws_log_metric_filter_root_login +- aws_log_metric_filter_route_table +- aws_log_metric_filter_security_group +- aws_log_metric_filter_unauthorized_api +- aws_log_metric_filter_vpc +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml index ee4cdef94..7ab4fbd7e 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml 
@@ -1,45 +1,45 @@ -control-group: - id: aws_nist_800_171_rev_2_3_12_4 - title: 12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems - description: System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. 
- section-code: "4" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_171_rev_2_3_12_4 +title: 12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems +description: System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. 
System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. 
+section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_bucket_not_public +- aws_cloudtrail_multi_region_read_write_enabled +- aws_cloudtrail_s3_logging_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_cloudwatch_alarm_action_enabled +- aws_config_enabled_all_regions +- aws_ec2_instance_detailed_monitoring_enabled +- aws_guardduty_enabled +- aws_kms_cmk_rotation_enabled +- aws_log_metric_filter_bucket_policy +- aws_log_metric_filter_cloudtrail_configuration +- aws_log_metric_filter_config_configuration +- aws_log_metric_filter_console_authentication_failure +- aws_log_metric_filter_console_login_mfa +- aws_log_metric_filter_disable_or_delete_cmk +- aws_log_metric_filter_iam_policy +- aws_log_metric_filter_network_acl +- aws_log_metric_filter_network_gateway +- aws_log_metric_filter_root_login +- aws_log_metric_filter_route_table +- aws_log_metric_filter_security_group +- aws_log_metric_filter_unauthorized_api +- aws_log_metric_filter_vpc +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml index 4333143e7..60f6a1284 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml 
@@ -1,28 +1,39 @@
+id: aws_nist_800_171_rev_2_3_13
+title: System and Communications Protection
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: "3_13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_13
- title: System and Communications Protection
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: "3_13"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_13_1
- - id: aws_nist_800_171_rev_2_3_13_2
- - id: aws_nist_800_171_rev_2_3_13_3
- - id: aws_nist_800_171_rev_2_3_13_4
- - id: aws_nist_800_171_rev_2_3_13_5
- - id: aws_nist_800_171_rev_2_3_13_6
- - id: aws_nist_800_171_rev_2_3_13_8
- - id: aws_nist_800_171_rev_2_3_13_10
- - id: aws_nist_800_171_rev_2_3_13_11
- - id: aws_nist_800_171_rev_2_3_13_15
- - id: aws_nist_800_171_rev_2_3_13_16
+- id: aws_nist_800_171_rev_2_3_13_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_4
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_5
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_6
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_8
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_10
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_11
+ type: ""
+- id: aws_nist_800_171_rev_2_3_13_15
+ type: ""
+- 
id: aws_nist_800_171_rev_2_3_13_16
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml
index 21b94bd27..7e2f5dbd7 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml
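Review bot: Every child entry added under `control-group:` carries `type: ""`, an empty string, while the files those ids point to (for example `aws_nist_800_171_rev_2_3_13_1.yaml`, rewritten in this same commit) declare `type: control-group`. If the loader reads `type` to decide how to resolve a child reference, an empty value is at best ignored and at worst a silent mismatch with the referenced file; either drop the key from these entries or give it the child's declared type, e.g. `- id: aws_nist_800_171_rev_2_3_13_1` / `  type: control-group`. The same pattern is repeated on all eleven child entries in this hunk, so whichever choice is made should be applied to each.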
@@ -1,50 +1,50 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_1
- title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
- description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_validation_enabled
- - aws_ec2_instance_in_vpc
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_in_vpc
- - aws_guardduty_enabled
- - aws_lambda_function_in_vpc
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_public_access_block_bucket
- - aws_securityhub_enabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_flow_logs_enabled
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_171_rev_2_3_13_1
+title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
+description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. 
Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. 
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_validation_enabled
+- aws_ec2_instance_in_vpc
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_in_vpc
+- aws_guardduty_enabled
+- aws_lambda_function_in_vpc
+- aws_opensearch_domain_in_vpc
+- aws_rds_db_instance_logging_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_logging_enabled
+- aws_s3_public_access_block_bucket
+- aws_securityhub_enabled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_flow_logs_enabled
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml
index 5b755e061..08060ef8f 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_10
- title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
- description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_nist_800_171_rev_2_3_13_10
+title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
+description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml
index a1cdd8c2f..62bf57c19 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml 
@@ -1,35 +1,35 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_11
- title: 13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
- description: Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography.
- section-code: "11"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_171_rev_2_3_13_11
+title: 13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
+description: Cryptography can be employed to support many security solutions including the protection of 
controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography.
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml
index 70d760e6e..4f866f2c6 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml
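Review bot: The rewritten `description:` line on the new side carries over the typo `FIPSvalidated` from the old nesting; since the line is being re-emitted anyway, it should read `... Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.` so it matches the hyphenation already used in the `title:` two lines above. The remainder of the hunk is the same flattening of the `control-group:` block applied to the sibling files and is consistent with them.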
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_15
- title: 13.15 Protect the authenticity of communications sessions
- description: Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.
- section-code: "15"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
+id: aws_nist_800_171_rev_2_3_13_15
+title: 13.15 Protect the authenticity of communications sessions
+description: Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.
+section-code: "15"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml
index 6d08fb117..b2296ff92 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_16
- title: 13.16 Protect the confidentiality of CUI at rest
- description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_171_rev_2_3_13_16
+title: 13.16 Protect the confidentiality of CUI at rest
+description: Information at rest refers to 
the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_es_domain_encryption_at_rest_enabled
+- aws_kms_key_not_pending_deletion
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_object_lock_enabled
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml
index 1bc0ed0e1..713200693 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml 
@@ -1,64 +1,64 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_2
- title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
- description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_cloudtrail_security_trail_enabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_restrict_public_read_access
- - 
aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_13_2
+title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
+description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_encryption_enabled
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_cloudtrail_security_trail_enabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_dynamodb_table_protected_by_backup_plan
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ebs_volume_in_backup_plan
+- aws_ebs_volume_protected_by_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_protected_by_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_efs_file_system_protected_by_backup_plan
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_fsx_file_system_protected_by_backup_plan
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_cluster_aurora_protected_by_backup_plan
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_restrict_public_read_access
+- 
aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml
index 428959bd8..6beb9ef52 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_3
- title: 13.3 Separate user functionality from system management functionality
- description: System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
+id: aws_nist_800_171_rev_2_3_13_3
+title: 13.3 Separate user functionality from system management functionality
+description: System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. 
Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml
index e4584c370..b174fecb6 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_4
- title: 13.4 Prevent unauthorized and unintended information transfer via shared system resources
- description: The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ebs_volume_unused
+id: aws_nist_800_171_rev_2_3_13_4
+title: 13.4 Prevent unauthorized and unintended information transfer via shared system resources
+description: The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_volume_unused
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
index 95535ef26..511691ab1 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
@@ -1,47 +1,47 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_5
- title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_171_rev_2_3_13_5
+title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
+description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
index d1f1153db..613044add 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_6
- title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
- description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_13_6
+title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
+description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
index 070e99fee..6ff675276 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
@@ -1,27 +1,27 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_13_8
- title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
- description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_171_rev_2_3_13_8
+title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
+description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
index 9cdf58e49..5cb836bf4 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
@@ -1,23 +1,29 @@
+id: aws_nist_800_171_rev_2_3_14
+title: System and Information integrity
+description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+section-code: "3_14"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_14
- title: System and Information integrity
- description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
- section-code: "3_14"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_14_1
- - id: aws_nist_800_171_rev_2_3_14_2
- - id: aws_nist_800_171_rev_2_3_14_3
- - id: aws_nist_800_171_rev_2_3_14_4
- - id: aws_nist_800_171_rev_2_3_14_6
- - id: aws_nist_800_171_rev_2_3_14_7
+- id: aws_nist_800_171_rev_2_3_14_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_14_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_14_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_14_4
+ type: ""
+- id: aws_nist_800_171_rev_2_3_14_6
+ type: ""
+- id: aws_nist_800_171_rev_2_3_14_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
index b556223ba..4ab4266cc 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
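Review bot: The six child references under `control-group:` on the new side are written with `type: ""`, while every child file in this series (3_14_1 through 3_14_6 in the following hunks) declares `type: control-group` for itself. If the loader resolves references by type, an empty string either falls back to some default or fails to resolve, and in the latter case the whole System and Information Integrity family would silently disappear from the benchmark with no failing control to show for it; I cannot see the loader from here, so which of the two happens is inferred. Either set `  type: control-group` on each reference or drop the field if the schema treats it as optional, and have the loader reject an empty or unknown reference type rather than accept it quietly.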
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_1
- title: 14.1 Identify, report, and correct system flaws in a timely manner
- description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_171_rev_2_3_14_1
+title: 14.1 Identify, report, and correct system flaws in a timely manner
+description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
index 3ff62c7bb..423a6f4f9 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_2
- title: 14.2 Provide protection from malicious code at designated locations within organizational systems
- description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_171_rev_2_3_14_2
+title: 14.2 Provide protection from malicious code at designated locations within organizational systems
+description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
index 9ef77478e..23455eb12 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
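Review bot: The rewritten description line still carries two run-together words, `remoteaccess servers` and `reputationbased technologies`, which look like a copy artifact from the source document; since this line is being replaced anyway, it is the natural place to correct them to `remote access servers` and `reputation-based technologies`. The same `reputationbased` is carried into the description in the 3_14_4 hunk below. This text is what an operator reads when triaging a failing control, so it should read cleanly.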
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_3
- title: 14.3 Monitor system security alerts and advisories and take action in response
- description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_171_rev_2_3_14_3
+title: 14.3 Monitor system security alerts and advisories and take action in response
+description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_securityhub_enabled
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
index 48da644c3..c474b01a3 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_4
- title: 14.4 Update malicious code protection mechanisms when new releases are available
- description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_171_rev_2_3_14_4
+title: 14.4 Update malicious code protection mechanisms when new releases are available
+description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
index 9ce934f19..bd8733e80 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_6
- title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
- description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_apigateway_stage_use_waf_web_acl
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_171_rev_2_3_14_6
+title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
+description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_apigateway_stage_use_waf_web_acl
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
index 84165707e..05b9ec429 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_14_7
- title: 14.7 Identify unauthorized use of organizational systems
- description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_171_rev_2_3_14_7
+title: 14.7 Identify unauthorized use of organizational systems
+description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
index be06c04d8..83a255b65 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
@@ -1,52 +1,52 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_1
- title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
- description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_1_1
+title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
+description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_opensearch_domain_in_vpc
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
index dc3d40552..f06e37a6b 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_12
- title: 1.12 Monitor and control remote access sessions
- description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_171_rev_2_3_1_12
+title: 1.12 Monitor and control remote access sessions
+description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
index 862aa48b4..c587db83a 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_13
- title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
- section-code: "13"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_171_rev_2_3_1_13
+title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
+description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
index db7aba85f..414b4057e 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
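Review bot: The description frames 3.1.13 in terms of FIPS-validated or NSA-approved cryptography, but the five entries under `controls:` — going by their names — only establish that an HTTPS redirect, an SSL certificate, a TLS listener, in-transit encryption or an SSL-only bucket policy is in place, not which protocol versions or cipher suites are negotiable, so a listener with a legacy TLS security policy would presumably still pass this group. If the repository has a control for the load balancer's TLS security policy it belongs here; otherwise a comment on `controls:` such as `# scope: verifies transport encryption is enforced, not the strength or validation status of the cryptography` would keep the group's coverage honest for anyone reading the benchmark result. The control list itself is unchanged by this commit; only its nesting and the new `type` key changed.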
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_14
- title: 1.14 Route remote access via managed access control points
- description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
- section-code: "14"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_user_console_access_mfa_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_1_14
+title: 1.14 Route remote access via managed access control points
+description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
+section-code: "14"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_user_console_access_mfa_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_opensearch_domain_in_vpc
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
index 916d41562..ce477bee0 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
@@ -1,59 +1,59 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_2
- title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
- description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_171_rev_2_3_1_2
+title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
+description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_iam_profile_attached
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_emr_cluster_kerberos_enabled
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
index b0ce7deed..ce93b0b0e 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_20
- title: 1.20 Verify and control/limit connections to and use of external systems
- description: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.
Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system.
- section-code: "20"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_public_access_block_account
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_1_20
+title: 1.20 Verify and control/limit connections to and use of external systems
+description: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system. 
+section-code: "20"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_s3_bucket_policy_restrict_public_access
+- aws_s3_public_access_block_account
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
index be9beb065..c788d74a8 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
@@ -1,40 +1,40 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_3
- title: 1.3 Control the flow of CUI in accordance with approved authorizations
- description: "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies.
In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_171_rev_2_3_1_3
+title: 1.3 Control the flow of CUI in accordance with approved authorizations
+description: "Information flow control regulates where information can travel within a system and between
systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_opensearch_domain_in_vpc
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
index a1ada9c43..ade8e6f43 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
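Review bot: The `description:` on the new side still carries two words with a dropped hyphen, `exportcontrolled` and `packetfiltering`, which look like extraction artifacts from the NIST source text rather than the author's wording. Since the commit rewrites the whole description line anyway, this is the natural place to restore `export-controlled` and `packet-filtering`. The 3.3.1 file later in this diff has the same artifact in `cloudbased` (for `cloud-based`); that hunk runs past the end of this view.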
@@ -1,34 +1,34 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_4
- title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion
- description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_policy_restrict_public_access
+id: aws_nist_800_171_rev_2_3_1_4
+title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion
+description:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_iam_profile_attached
+- aws_ecs_task_definition_user_for_host_mode_check
+- aws_emr_cluster_kerberos_enabled
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml
index 47a6afec5..12dd8f4bf 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml 
@@ -1,32 +1,32 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_5
- title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts
- description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_policy_restrict_public_access
+id: aws_nist_800_171_rev_2_3_1_5
+title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts
+description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions.
Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_iam_profile_attached
+- aws_emr_cluster_kerberos_enabled
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
+- aws_iam_policy_no_star_star
+- aws_iam_policy_unused
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_rds_db_cluster_iam_authentication_enabled
+- aws_rds_db_instance_iam_authentication_enabled
+- aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
index 36ef933ee..a4a675f66 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_6
- title: 1.6 Use non-privileged accounts or roles when accessing nonsecurity functions
- description: This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
+id: aws_nist_800_171_rev_2_3_1_6
+title: 1.6 Use non-privileged accounts or roles when accessing nonsecurity functions
+description: This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
index 4395a9af1..811549fd3 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_1_7
- title: 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
- description: Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_s3_bucket_policy_restrict_public_access
+id: aws_nist_800_171_rev_2_3_1_7
+title: 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs
+description: Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities.
Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_emr_cluster_kerberos_enabled
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_in_group
+- aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
index aeb001934..ee3d237b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
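Review bot: The `title:` of this control-group has two halves, preventing non-privileged users from executing privileged functions and capturing the execution of such functions in audit logs, but the six entries under `controls:` on the new side only address the first half; nothing in the list checks that privileged activity is actually logged, although the `description:` itself names logging as the detection mechanism. If the catalog has an audit-trail control (a CloudTrail-style check), it belongs in this list; otherwise the second half of 3.1.7 is silently unassessed and a passing benchmark overstates coverage. The mapping is unchanged from the old side, so the commit does not introduce the gap, but it rewrites every line of the file and is the natural point to close it.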
@@ -1,23 +1,29 @@
+id: aws_nist_800_171_rev_2_3_3
+title: Audit and Accountability
+description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+section-code: "3_3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_3
- title: Audit and Accountability
- description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
- section-code: "3_3"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_3_1
- - id: aws_nist_800_171_rev_2_3_3_2
- - id: aws_nist_800_171_rev_2_3_3_3
- - id: aws_nist_800_171_rev_2_3_3_4
- - id: aws_nist_800_171_rev_2_3_3_5
- - id: aws_nist_800_171_rev_2_3_3_8
+- id: aws_nist_800_171_rev_2_3_3_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_3_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_3_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_3_4
+ type: ""
+- id: aws_nist_800_171_rev_2_3_3_5
+ type: ""
+- id: aws_nist_800_171_rev_2_3_3_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
index 759c2bcfc..521005566 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
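Review bot: Each of the six child references added under `control-group:` carries `type: ""`, an empty string, while the control-group files earlier in this diff (3.1.3 through 3.1.20) declare `type: control-group` for themselves. An empty type on the reference is at best dead data and at worst a loader that dispatches on `type` will treat these children as untyped and skip or misclassify them. If the loader resolves children by `id` alone the key should be dropped from the six entries; if it reads `type`, each entry should say `type: control-group` to match what the referenced files declare. Which of the two applies is not visible from this hunk, so this is a question to the author rather than a definite defect.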
@@ -1,31 +1,31 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_1 - title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity - description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. 
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
- section-code: "1" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_171_rev_2_3_3_1 +title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity +description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. 
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
+section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_log_group_retention_period_365 +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml index 69668e7b1..bd2a2ad8b 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_2 - title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions - description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled +id: aws_nist_800_171_rev_2_3_3_2 +title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions +description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. 
Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml index f272d3ba8..91b2fc886 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_3 - title: 3.3 Review and update logged events - description: The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. - section-code: "3" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_171_rev_2_3_3_3 +title: 3.3 Review and update logged events +description: The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml index 0b61d7be3..fcb785749 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_4 - title: 3.4 Alert in the event of an audit logging process failure - description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. - section-code: "4" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_nist_800_171_rev_2_3_3_4 +title: 3.4 Alert in the event of an audit logging process failure +description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml index 513a69939..bc4200665 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml 
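Review bot: The `controls:` list for 3.4 (alert in the event of an audit logging process failure) holds only aws_guardduty_enabled and aws_securityhub_enabled, and from what is visible here neither checks that a failure of the logging pipeline itself (a trail that stops delivering, a log group that stops receiving) raises an alert, so the group's coverage is thinner than its title suggests. This is pre-existing since the commit only restructures the file, but a comment above the list such as `# Coverage note: these controls verify detection services are enabled, not that audit log delivery failures produce an alert.` would stop readers from treating the group as fully satisfied. If the repository already has a control for CloudTrail delivery or configuration-change alarms, it belongs in this list.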
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_5 - title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity - description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems. - section-code: "5" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_nist_800_171_rev_2_3_3_5 +title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity +description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_integrated_with_logs +- aws_guardduty_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml index 736747a4b..73c2e02fb 100755 
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: aws_nist_800_171_rev_2_3_3_8 - title: 3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion - description: Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. - section-code: "8" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account +id: aws_nist_800_171_rev_2_3_3_8 +title: 3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion +description: Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. 
Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_object_lock_enabled +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_bucket_versioning_enabled +- aws_s3_public_access_block_account diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml index 0e0012770..7267c93bf 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml 
@@ -1,25 +1,33 @@ +id: aws_nist_800_171_rev_2_3_4 +title: Configuration Management +description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. +section-code: "3_4" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_171_rev_2_3_4 - title: Configuration Management - description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. - section-code: "3_4" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_171_rev_2_3_4_1 - - id: aws_nist_800_171_rev_2_3_4_2 - - id: aws_nist_800_171_rev_2_3_4_3 - - id: aws_nist_800_171_rev_2_3_4_4 - - id: aws_nist_800_171_rev_2_3_4_5 - - id: aws_nist_800_171_rev_2_3_4_6 - - id: aws_nist_800_171_rev_2_3_4_7 - - id: aws_nist_800_171_rev_2_3_4_9 +- id: aws_nist_800_171_rev_2_3_4_1 + type: "" +- id: aws_nist_800_171_rev_2_3_4_2 + type: "" +- id: aws_nist_800_171_rev_2_3_4_3 + type: "" +- id: aws_nist_800_171_rev_2_3_4_4 + type: "" +- id: aws_nist_800_171_rev_2_3_4_5 + type: "" +- id: aws_nist_800_171_rev_2_3_4_6 + type: "" +- id: aws_nist_800_171_rev_2_3_4_7 + type: "" +- id: aws_nist_800_171_rev_2_3_4_9 + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml index 01b2ed7fa..0a13080f8 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_1 - title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles - description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. 
Inventory specifications include manufacturer, device type, model, serial number, and physical location. - section-code: "1" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_security_trail_enabled - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated - - aws_vpc_security_group_associated_to_eni - - aws_vpc_security_group_restrict_ingress_common_ports_all +id: aws_nist_800_171_rev_2_3_4_1 +title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles +description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. 
Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_security_trail_enabled +- aws_ebs_volume_unused +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_eip_associated +- aws_vpc_security_group_associated_to_eni +- aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml index 4c93a4d90..827ec37b2 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml 
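Review bot: The new-side description still reads "…deviations from the established baseline configuration Organizations can implement…" with no sentence terminator between "configuration" and "Organizations", so the rendered control text runs two sentences together; the commit reflows the value but carries the typo over. The fix is a single period: `...deviations from the established baseline configuration. Organizations can implement centralized system component inventories...`. The rest of the description is unchanged.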
@@ -1,23 +1,23 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_2 - title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems - description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors." - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_associated_to_eni +id: aws_nist_800_171_rev_2_3_4_2 +title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems +description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. 
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions +- aws_ebs_volume_unused +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_security_group_associated_to_eni diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml index f64fe9e0b..5f78af000 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_3 - title: 4.3 Track, review, approve or disapprove, and log changes to organizational systems - description: Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. - section-code: "3" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions +id: aws_nist_800_171_rev_2_3_4_3 +title: 4.3 Track, review, approve or disapprove, and log changes to organizational systems +description: Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml index c46dd0809..468eb334f 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_4 - title: 4.4 Analyze the security impact of changes prior to implementation - description: Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. - section-code: "4" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions +id: aws_nist_800_171_rev_2_3_4_4 +title: 4.4 Analyze the security impact of changes prior to implementation +description: Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. 
Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_config_enabled_all_regions diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml index f72e79be6..88152a655 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml 
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_171_rev_2_3_4_5
- title: 4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems
- description: Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_config_enabled_all_regions
+id: aws_nist_800_171_rev_2_3_4_5
+title: 4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems
+description: Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml
index 414b1eb67..2f1862060 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_6 - title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities - description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. 
- section-code: "6" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_common_ports_all +id: aws_nist_800_171_rev_2_3_4_6 +title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities +description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. 
Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ebs_volume_unused +- aws_ec2_instance_ssm_managed +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_restrict_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml index ab8e508b3..61ea7e5c3 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_7 - title: 4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services - description: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. - section-code: "7" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all +id: aws_nist_800_171_rev_2_3_4_7 +title: 4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services +description: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. 
+section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml index 7e39c1cfc..4bc112a77 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_171_rev_2_3_4_9 - title: 4.9 Control and monitor user-installed software - description: Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. - section-code: "9" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_171_rev_2_3_4_9 +title: 4.9 Control and monitor user-installed software +description: Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. 
Policy enforcement methods include procedural methods, automated methods, or both. +section-code: "9" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml index 164ec4f76..9743db8c0 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml 
@@ -1,26 +1,35 @@
+id: aws_nist_800_171_rev_2_3_5
+title: Identification and Authentication
+description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+section-code: "3_5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_171_rev_2_3_5
- title: Identification and Authentication
- description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
- section-code: "3_5"
- tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_171_rev_2_3_5_1
- - id: aws_nist_800_171_rev_2_3_5_2
- - id: aws_nist_800_171_rev_2_3_5_3
- - id: aws_nist_800_171_rev_2_3_5_4
- - id: aws_nist_800_171_rev_2_3_5_5
- - id: aws_nist_800_171_rev_2_3_5_6
- - id: aws_nist_800_171_rev_2_3_5_7
- - id: aws_nist_800_171_rev_2_3_5_8
- - id: aws_nist_800_171_rev_2_3_5_9
+- id: aws_nist_800_171_rev_2_3_5_1
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_2
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_3
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_4
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_5
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_6
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_7
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_8
+ type: ""
+- id: aws_nist_800_171_rev_2_3_5_9
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml
index 72e5df13d..a4d3ab241 100755
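Review bot: Every child entry added under `control-group:` carries `type: ""`, while this file's own top-level record gets `type: control-group` and the referenced child files (3_5_1 through 3_5_9 in the following hunks) each declare `type: control-group` themselves. If the loader uses the inline type to decide how a reference is resolved, an empty string is either rejected or silently treated as an unknown kind; if it resolves by id alone, the field is dead weight that will drift from the child files. Either way the value should match what the referenced files declare, e.g. `- id: aws_nist_800_171_rev_2_3_5_1` followed by `  type: control-group`, or the key should be dropped from the entries. Whether the other parent-group files in this commit carry the same empty `type` cannot be seen from this chunk.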
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_1 - title: 5.1 Identify system users, processes acting on behalf of users, and devices - description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. - section-code: "1" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_171_rev_2_3_5_1 +title: 5.1 Identify system users, processes acting on behalf of users, and devices +description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. 
Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml index c8162aad7..acf4c6297 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_2 - title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems - description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords." - section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_171_rev_2_3_5_2 +title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems +description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. 
Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml index 4c95b4d22..31d9843f6 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_3 - title: 5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts - description: Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. 
- section-code: "3" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_171_rev_2_3_5_3 +title: 5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts +description: Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml index fedb0c232..9eed86c46 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_4 - title: 5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - description: Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. - section-code: "4" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_171_rev_2_3_5_4 +title: 5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts +description: Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml index bbeed3f89..a74903edf 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_5 - title: 5.5 Prevent reuse of identifiers for a defined period - description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. - section-code: "5" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +id: aws_nist_800_171_rev_2_3_5_5 +title: 5.5 Prevent reuse of identifiers for a defined period +description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml index 52ce40b2e..f326982da 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml 
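Review bot: The only control mapped under 3.5.5, `aws_iam_account_password_policy_strong_min_reuse_24`, appears from its name to enforce password history, which is authenticator reuse, whereas the requirement text in this hunk is about not re-assigning user, group, role or device identifiers, so the mapping looks like a category error that the restructure carries forward unchanged. If the repository has no automated check for identifier reuse, I would keep the entry but annotate it so assessors are not misled, e.g. `# proxy only: 3.5.5 concerns identifier (principal name) reuse, not password history`. The same control maps correctly to 3.5.8 later in this diff.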
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_6 - title: 5.6 Disable identifiers after a defined period of inactivity - description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. - section-code: "6" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_unused_credentials_90 +id: aws_nist_800_171_rev_2_3_5_6 +title: 5.6 Disable identifiers after a defined period of inactivity +description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml index 84bb3b12d..90b565216 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml 
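Review bot: `aws_iam_account_password_policy_strong_min_reuse_24` is listed under 3.5.6 next to `aws_iam_user_unused_credentials_90`, but a password-history policy (as its name suggests) has no bearing on disabling inactive identifiers, so a pass on it inflates the score for this requirement without evidencing it. `aws_iam_user_unused_credentials_90` is the control that matches the requirement text. I would remove the password-policy entry from this group's `controls:` list, or if it is kept for traceability, mark it with `# not inactivity-related; see 3.5.8` so the intent is explicit.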
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_7 - title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created - description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. - section-code: "7" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +id: aws_nist_800_171_rev_2_3_5_7 +title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created +description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml index 585e7a13c..239095d35 100755 
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_8 - title: 5.8 Prohibit password reuse for a specified number of generations - description: Password lifetime restrictions do not apply to temporary passwords. - section-code: "8" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +id: aws_nist_800_171_rev_2_3_5_8 +title: 5.8 Prohibit password reuse for a specified number of generations +description: Password lifetime restrictions do not apply to temporary passwords. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml index 83a880827..f42040a53 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_171_rev_2_3_5_9 - title: 5.9 Allow temporary password use for system logons with an immediate change to a permanent password - description: Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises. - section-code: "9" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +id: aws_nist_800_171_rev_2_3_5_9 +title: 5.9 Allow temporary password use for system logons with an immediate change to a permanent password +description: Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises. +section-code: "9" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml index a53d04c81..fa1f35ba7 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml 
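Review bot: The requirement in this hunk is about forcing a change from a temporary to a permanent password at first logon, and the single mapped control `aws_iam_account_password_policy_strong_min_reuse_24` (by its name a password-history/strength check) does not evaluate that. In IAM the relevant signal would be whether console users are created with a login profile that requires a password reset on first sign-in; if no such control exists in this repository, I would say so rather than let the history control stand in, e.g. `# no automated check for first-logon password change; manual evidence required`.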
@@ -1,19 +1,21 @@ +id: aws_nist_800_171_rev_2_3_6 +title: Incident Response +description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. +section-code: "3_6" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_171_rev_2_3_6 - title: Incident Response - description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. - section-code: "3_6" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_171_rev_2_3_6_1 - - id: aws_nist_800_171_rev_2_3_6_2 +- id: aws_nist_800_171_rev_2_3_6_1 + type: "" +- id: aws_nist_800_171_rev_2_3_6_2 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml index eef87b9ec..96a6c73a5 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml 
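Review bot: The child references under `control-group:` on the new side are given `type: ""`, an empty string rather than a real discriminator or an omitted key, while the framework file `aws_nist_800_172.yaml` later in this diff lists its children with no `type` at all. If the loader dispatches on `type`, an empty string is distinct from both absent and `control-group`, so one of the two forms is probably unintended; I would either set `type: control-group` on each child, matching the `type:` the referenced files now declare, or drop the key for consistency with the framework file. The same pattern appears in the other parent group files in this diff.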
@@ -1,31 +1,31 @@ -control-group: - id: aws_nist_800_171_rev_2_3_6_1 - title: 6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities - description: Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. 
User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. - section-code: "1" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_security_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_171_rev_2_3_6_1 +title: 6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities +description: Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. 
As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_security_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_guardduty_enabled +- aws_guardduty_finding_archived +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml index 24fa421f4..15c683d0b 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: aws_nist_800_171_rev_2_3_6_2 - title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization - description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. 
- section-code: "2" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_security_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_171_rev_2_3_6_2 +title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization +description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. 
+section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_security_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_guardduty_enabled +- aws_guardduty_finding_archived +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml index 2a276ba66..b33dbf94c 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_171_rev_2_3_8 +title: Media Protection +description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats. +section-code: "3_8" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_171_rev_2_3_8 - title: Media Protection - description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats. - section-code: "3_8" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_171_rev_2_3_8_9 +- id: aws_nist_800_171_rev_2_3_8_9 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml index e92e5e7ac..b602b6bab 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml 
@@ -1,37 +1,37 @@ -control-group: - id: aws_nist_800_171_rev_2_3_8_9 - title: 8.9 Protect the confidentiality of backup CUI at storage locations - description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. - section-code: "9" - tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled +id: aws_nist_800_171_rev_2_3_8_9 +title: 8.9 Protect the confidentiality of backup CUI at storage locations +description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup 
information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. +section-code: "9" +type: control-group +tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml index 5291000fd..fcbef452d 100644 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml 
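Review bot: 3.8.9 is a confidentiality requirement, but of the twenty controls listed only `aws_backup_recovery_point_encryption_enabled` appears, by name, to check that backups are encrypted; the remainder (retention minimums, backup-plan membership, PITR, automatic snapshots, cross-region replication) are availability and integrity controls and will report 'ok' for unencrypted backups. `aws_s3_bucket_cross_region_replication_enabled` in particular copies data to a second storage location without asserting anything about protection there. I would keep the encryption control and, for the others, either move them to a more fitting group or add `# availability/integrity controls; confidentiality is asserted only by recovery_point_encryption_enabled` so the group's pass rate is not read as evidence of confidentiality.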
@@ -1,16 +1,16 @@ -framework: - id: aws_nist_800_172 - title: NIST 800-172 - description: NIST Special Publication (SP) 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of controlled unclassified information (CUI) in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset. - section-code: aws_nist_800_172 - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_nist_800_172_3_1 - - id: aws_nist_800_172_3_4 - - id: aws_nist_800_172_3_5 - - id: aws_nist_800_172_3_11 - - id: aws_nist_800_172_3_13 - - id: aws_nist_800_172_3_14 +id: aws_nist_800_172 +title: NIST 800-172 +description: NIST Special Publication (SP) 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of controlled unclassified information (CUI) in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset. +section-code: aws_nist_800_172 +type: framework +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_nist_800_172_3_1 +- id: aws_nist_800_172_3_4 +- id: aws_nist_800_172_3_5 +- id: aws_nist_800_172_3_11 +- id: aws_nist_800_172_3_13 +- id: aws_nist_800_172_3_14 diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml index 1a67f715a..e83a0b1ce 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml 
@@ -1,7 +1,8 @@ +id: aws_nist_800_172_3_1 +title: Access Control +description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. +section-code: "3_1" +type: control-group control-group: - id: aws_nist_800_172_3_1 - title: Access Control - description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. - section-code: "3_1" - control-group: - - id: aws_nist_800_172_3_1_3_e +- id: aws_nist_800_172_3_1_3_e + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml index 5b9680f2e..24ad0562e 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml 
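Review bot: The description carried over for this Access Control group says the family 'consists of security requirements detailing system logging' and goes on about remote access logging, which describes audit and accountability rather than access control; the one child group, `aws_nist_800_172_3_1_3_e`, is an access-control enhancement by its id. I would reword it to something like `description: The access control family covers limiting system access to authorized users, processes acting on their behalf, and devices, and to the transactions and functions those users are permitted to exercise.` so the group metadata matches what the mapped controls actually assess.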
@@ -1,8 +1,10 @@ +id: aws_nist_800_172_3_11 +title: Risk Assessment +description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. +section-code: "3_11" +type: control-group control-group: - id: aws_nist_800_172_3_11 - title: Risk Assessment - description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. - section-code: "3_11" - control-group: - - id: aws_nist_800_172_3_11_1_e - - id: aws_nist_800_172_3_11_2_e +- id: aws_nist_800_172_3_11_1_e + type: "" +- id: aws_nist_800_172_3_11_2_e + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml index 966d2d249..03f1f5830 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml 
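Review bot: The retained description for this Risk Assessment group ends with `Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.`, which is vendor marketing copy and also names NIST 800-53 inside a NIST 800-172 framework; it will surface verbatim in any compliance report generated from this file. I would trim the field to its first sentence, `description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities.`, and keep product recommendations out of control metadata.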
@@ -1,7 +1,7 @@
-control-group:
- id: aws_nist_800_172_3_11_1_e
- title: "11.1e Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities"
- description: The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
- section-code: 1_e
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_172_3_11_1_e
+title: "11.1e Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities"
+description: The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
+section-code: 1_e
+type: control-group
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml index d465ebe7d..7abc7f78c 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml 
@@ -1,5 +1,5 @@ -control-group: - id: aws_nist_800_172_3_11_2_e - title: "11.2e Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organizationdefined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls" - description: Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code. - section-code: 2_e +id: aws_nist_800_172_3_11_2_e +title: "11.2e Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organizationdefined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls" +description: Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. 
Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code. +section-code: 2_e +type: control-group diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml index 57b8ffed3..87221376f 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml @@ -1,7 +1,8 @@ +id: aws_nist_800_172_3_13 +title: System and Communications Protection +description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. +section-code: "3_13" +type: control-group control-group: - id: aws_nist_800_172_3_13 - title: System and Communications Protection - description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. - section-code: "3_13" - control-group: - - id: aws_nist_800_172_3_13_4_e +- id: aws_nist_800_172_3_13_4_e + type: "" 
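Review bot: The rewritten 11.2e group (the aws_nist_800_172_3_11_2_e hunk, ending at `+type: control-group`) has no `controls:` key at all, unlike its sibling 11.1e, so this requirement contributes no automated check and will presumably either render as empty or be skipped depending on how the loader treats a missing list. If that is deliberate, because threat hunting is an activity rather than a configuration state that can be queried, say so in the file, e.g. `# No automated control maps to 11.2e; evidence for this requirement is collected manually.`, or add `controls: []` so the absence is explicit rather than something a reader has to infer.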
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml index c0ff38e49..731ef60ed 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_172_3_13_4_e - title: "13.4e Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components" - description: A mix of physical and logical isolation techniques (described below) implemented as part of the system architecture can limit the unauthorized flow of CUI, reduce the system attack surface, constrain the number of system components that must be secure, and impede the movement of an adversary. When implemented with a set of managed interfaces, physical and logical isolation techniques for organizational systems and components can isolate CUI into separate security domains where additional protections can be implemented. Any communications across the managed interfaces (i.e., across security domains), including for management or administrative purposes, constitutes remote access even if the communications remain within the organization. Separating system components with boundary protection mechanisms allows for the increased protection of individual components and more effective control of information flows between those components. This enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation can vary depending on the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps). 
- section-code: 4_e - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_allows_ingress_authorized_ports - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled - - aws_vpc_network_acl_remote_administration +id: aws_nist_800_172_3_13_4_e +title: "13.4e Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components" +description: A mix of physical and logical isolation techniques (described below) implemented as part of the system architecture can limit the unauthorized flow of CUI, reduce the system attack surface, constrain the number of system components that must be secure, and impede the movement of an adversary. 
When implemented with a set of managed interfaces, physical and logical isolation techniques for organizational systems and components can isolate CUI into separate security domains where additional protections can be implemented. Any communications across the managed interfaces (i.e., across security domains), including for management or administrative purposes, constitutes remote access even if the communications remain within the organization. Separating system components with boundary protection mechanisms allows for the increased protection of individual components and more effective control of information flows between those components. This enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation can vary depending on the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps). 
+section-code: 4_e +type: control-group +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_enhanced_vpc_routing_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_ssm_document_prohibit_public_access +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_allows_ingress_authorized_ports +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled +- aws_vpc_network_acl_remote_administration diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml index 8fde5e16d..f7ce1170c 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml 
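Review bot: In the `controls:` list of the 13.4e hunk every entry is alphabetical except the last, `- aws_vpc_network_acl_remote_administration`, which belongs between `aws_vpc_default_security_group_restricts_all_traffic` and `aws_vpc_route_table_restrict_public_access_to_igw`; the 1.3e hunk (aws_nist_800_172_3_1_3_e) has the same out-of-order tail and the 14.7e hunk is not sorted at all. Keeping these lists sorted matters here because the 27 controls under 13.4e are repeated verbatim as a subset of the 40 under 1.3e, and a sorted list is the only practical way to notice when one of the two copies drifts.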
@@ -1,10 +1,14 @@ +id: aws_nist_800_172_3_14 +title: System and Information integrity +description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection. +section-code: "3_14" +type: control-group control-group: - id: aws_nist_800_172_3_14 - title: System and Information integrity - description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection. - section-code: "3_14" - control-group: - - id: aws_nist_800_172_3_14_1_e - - id: aws_nist_800_172_3_14_2_e - - id: aws_nist_800_172_3_14_6_e - - id: aws_nist_800_172_3_14_7_e +- id: aws_nist_800_172_3_14_1_e + type: "" +- id: aws_nist_800_172_3_14_2_e + type: "" +- id: aws_nist_800_172_3_14_6_e + type: "" +- id: aws_nist_800_172_3_14_7_e + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml index ca238280b..1f71ac013 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml 
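Review bot: The `+title: System and Information integrity` line in the 3_14 hunk lower-cases "integrity" while the sibling family titles in this diff (`System and Communications Protection` in the 3_13 hunk, `Configuration Management` in the 3_4 hunk) are title-cased. `title: System and Information Integrity` matches both the siblings and the way the family is named in the rest of the file's descriptions.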
@@ -1,7 +1,7 @@ -control-group: - id: aws_nist_800_172_3_14_1_e - title: "14.1e Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures" - description: Verifying the integrity of the organization’s security-critical or essential software is an important capability since corrupted software is the primary attack vector used by adversaries to undermine or disrupt the proper functioning of organizational systems. There are many ways to verify software integrity throughout the system development life cycle. Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes. This capability helps system components protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware. The employment of cryptographic signatures ensures the integrity and authenticity of critical and essential software that stores, processes, or transmits, CUI. Cryptographic signatures include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Hardware roots of trust are considered to be more secure. 
- section-code: 1_e - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_172_3_14_1_e +title: "14.1e Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures" +description: Verifying the integrity of the organization’s security-critical or essential software is an important capability since corrupted software is the primary attack vector used by adversaries to undermine or disrupt the proper functioning of organizational systems. There are many ways to verify software integrity throughout the system development life cycle. Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes. This capability helps system components protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware. The employment of cryptographic signatures ensures the integrity and authenticity of critical and essential software that stores, processes, or transmits, CUI. Cryptographic signatures include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Hardware roots of trust are considered to be more secure. +section-code: 1_e +type: control-group +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml index eaa57a015..170fa9f2c 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml 
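Review bot: The only control mapped under 14.1e (`+- aws_cloudtrail_trail_validation_enabled`) checks CloudTrail log-file integrity validation, whereas the requirement on the same hunk's `+description:` line is about verifying the integrity of security-critical software and firmware via roots of trust or cryptographic signatures; the mapping therefore covers a narrow slice of the requirement, and a reader of the framework may over-read a passing result. Record the gap next to the list so it travels with the control-group, e.g. `# Partial coverage: log-file validation attests log integrity only; software/firmware integrity under 14.1e is assessed manually.`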
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml 
@@ -1,13 +1,13 @@ -control-group: - id: aws_nist_800_172_3_14_2_e - title: 14.2e Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior - description: Monitoring is used to identify unusual, suspicious, or unauthorized activities or conditions related to organizational systems and system components. Such activities or conditions can include unusual internal systems communications traffic, unauthorized exporting of information,signaling to external systems, large file transfers, long-time persistent connections, attempts to access information from unexpected locations, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The correlation of physical, time, or geolocation audit record information to the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior. - section-code: 2_e - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_172_3_14_2_e +title: 14.2e Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior +description: Monitoring is used to identify unusual, suspicious, or unauthorized activities or conditions related to organizational systems and system components. 
Such activities or conditions can include unusual internal systems communications traffic, unauthorized exporting of information,signaling to external systems, large file transfers, long-time persistent connections, attempts to access information from unexpected locations, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The correlation of physical, time, or geolocation audit record information to the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior. +section-code: 2_e +type: control-group +controls: +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_ec2_instance_detailed_monitoring_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml index 84a06d952..ae85d3235 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml 
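Review bot: The `+description:` line of the 14.2e hunk is missing a space in "exporting of information,signaling to external systems"; the commit only re-indents the block, so it is a cheap fix here: `... unauthorized exporting of information, signaling to external systems, ...`. The `+title:` on this hunk is also the only leaf-group title in this diff that is not quoted; it parses fine as a plain scalar today, but quoting it like the others avoids a surprise if a colon is ever added to the text.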
@@ -1,7 +1,7 @@ -control-group: - id: aws_nist_800_172_3_14_6_e - title: "14.6e Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting" - description: Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources. - section-code: 6_e - controls: - - aws_guardduty_enabled +id: aws_nist_800_172_3_14_6_e +title: "14.6e Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting" +description: Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. 
This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources. +section-code: 6_e +type: control-group +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml index 41d969a11..071d35f0f 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml 
@@ -1,11 +1,11 @@ -control-group: - id: aws_nist_800_172_3_14_7_e - title: "14.7e Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques]." - description: Verification methods have varying degrees of rigor in determining the correctness of software, firmware, and hardware components. For example, formal verification involves proving that a software program satisfies some formal property or set of properties. The nature of formal verification is generally time-consuming and not employed for commercial operating systems and applications. Therefore, it would likely only be applied to some very limited uses, such as verifying cryptographic protocols. However, in cases where software, firmware, or hardware components exist with formal verification of the component’s security properties, such components provide greater assurance and trustworthiness and are preferred over similar components that have not been formally verified. - section-code: 7_e - controls: - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant - - aws_ec2_instance_ssm_managed - - aws_ecs_service_fargate_using_latest_platform_version - - aws_ecr_repository_image_scan_on_push_enabled +id: aws_nist_800_172_3_14_7_e +title: "14.7e Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques]." +description: Verification methods have varying degrees of rigor in determining the correctness of software, firmware, and hardware components. For example, formal verification involves proving that a software program satisfies some formal property or set of properties. 
The nature of formal verification is generally time-consuming and not employed for commercial operating systems and applications. Therefore, it would likely only be applied to some very limited uses, such as verifying cryptographic protocols. However, in cases where software, firmware, or hardware components exist with formal verification of the component’s security properties, such components provide greater assurance and trustworthiness and are preferred over similar components that have not been formally verified. +section-code: 7_e +type: control-group +controls: +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant +- aws_ec2_instance_ssm_managed +- aws_ecs_service_fargate_using_latest_platform_version +- aws_ecr_repository_image_scan_on_push_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml index 64e04e1a8..df410034d 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml 
@@ -1,46 +1,46 @@ -control-group: - id: aws_nist_800_172_3_1_3_e - title: "1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems" - description: Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels. 
- section-code: 3_e
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_desync_mitigation_mode
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_in_vpc
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_allows_ingress_authorized_ports
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_network_acl_remote_administration
+id: aws_nist_800_172_3_1_3_e
+title: "1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems"
+description: Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels.
+section-code: 3_e
+type: control-group
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_desync_mitigation_mode
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_desync_mitigation_mode
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_opensearch_domain_https_required
+- aws_opensearch_domain_in_vpc
+- aws_opensearch_domain_node_to_node_encryption_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_ssm_document_prohibit_public_access
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_allows_ingress_authorized_ports
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_vpc_network_acl_remote_administration
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
index 4c45688b2..1f2eda9e0 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
@@ -1,8 +1,10 @@
+id: aws_nist_800_172_3_4
+title: Configuration Management
+description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+section-code: "3_4"
+type: control-group
 control-group:
- id: aws_nist_800_172_3_4
- title: Configuration Management
- description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
- section-code: "3_4"
- control-group:
- - id: aws_nist_800_172_3_4_2_e
- - id: aws_nist_800_172_3_4_3_e
+- id: aws_nist_800_172_3_4_2_e
+ type: ""
+- id: aws_nist_800_172_3_4_3_e
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
index 49c7a7d72..d7e112245 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
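Review bot: The `type: ""` added to each entry under `control-group` carries no information, and an empty string is unlikely to be an accepted value for a field that elsewhere in this change holds `control`, `control-group` or `framework`; the same pattern appears in the aws_nist_800_172_3_5, aws_nist_800_53_rev_4_ac, aws_nist_800_53_rev_4_ac_17 and aws_nist_800_53_rev_4_ac_2 hunks. Each referenced file declares `type: control-group` for itself (see aws_nist_800_172_3_4_2_e.yaml directly below), so either write the entries as `- id: aws_nist_800_172_3_4_2_e` / `  type: control-group` or drop the key and let the loader take the type from the referenced file. If the loader deliberately tolerates the empty value, that deserves a one-line comment on the first entry, because a mistyped `type` on a future entry would otherwise pass unnoticed.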
@@ -1,9 +1,9 @@
-control-group:
- id: aws_nist_800_172_3_4_2_e
- title: "4.2e Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations"
- description: System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.
- section-code: 2_e
- controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_172_3_4_2_e
+title: "4.2e Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations"
+description: System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.
+section-code: 2_e
+type: control-group
+controls:
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
index b2d796468..eee56dfdc 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_nist_800_172_3_4_3_e
- title: 4.3e Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components
- description: The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners,hardware inventory specifications,software license information,software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
- section-code: 3_e
- controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_vpc_eip_associated
- - aws_vpc_network_acl_unused
+id: aws_nist_800_172_3_4_3_e
+title: 4.3e Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components
+description: The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners,hardware inventory specifications,software license information,software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
+section-code: 3_e
+type: control-group
+controls:
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_vpc_eip_associated
+- aws_vpc_network_acl_unused
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
index fd508b31c..9e9fe8465 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
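Review bot: The description rewritten on the new side still lacks spaces after the commas in `owners,hardware inventory specifications,software license information,software version numbers`, which renders as one run-on token in any report generated from this control group. Since the whole line is rewritten by this commit, it is the natural place to fix it: `... hardware and software component owners, hardware inventory specifications, software license information, software version numbers, and—for networked components—...`. The rest of the text is unchanged from the old side.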
@@ -1,7 +1,8 @@
+id: aws_nist_800_172_3_5
+title: Identification and Authentication
+description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+section-code: "3_5"
+type: control-group
 control-group:
- id: aws_nist_800_172_3_5
- title: Identification and Authentication
- description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
- section-code: "3_5"
- control-group:
- - id: aws_nist_800_172_3_5_2_e
+- id: aws_nist_800_172_3_5_2_e
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
index eb8371fa2..0d2bda95d 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
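Review bot: The top-level `description` now added for this group ends in a sentence fragment, `... and how the management of those systems.`, which is carried over verbatim from the nested old-side line. Because the line is rewritten here anyway, completing it costs nothing; one reading that fits the rest of the sentence is `... organizational and non-organizational users and how those identities are managed.` The wording is a guess at the author's intent and should be confirmed against the source text the group was derived from.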
@@ -1,9 +1,9 @@
-control-group:
- id: aws_nist_800_172_3_5_2_e
- title: 5.2e Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management
- description: In situations where static passwords or personal identification numbers (PIN) are used (e.g., certain system components do not support multifactor authentication or complex account management, such as separate system accounts for each user and logging), automated mechanisms (e.g., password managers) can automatically generate, rotate, manage, and store strong and different passwords for users and device accounts. For example, a router might have one administrator account, but an organization typically has multiple network administrators. Therefore, access management and accountability are problematic. A password manager uses techniques such as automated password rotation (in this example, for the router password) to allow a specific user to temporarily gain access to a device by checking out a temporary password and then checking the password back in to end the access. The password manager simultaneously logs these actions. One of the risks in using password managers is that an adversary may target the collection of passwords that the device generates. Therefore, it is important that these passwords are secured. Methods for protecting passwords include the use of multi-factor authentication to the password manager, encryption, or secured hardware (e.g., a hardware security module).
- section-code: 2_e
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_automatic_rotation_enabled
+id: aws_nist_800_172_3_5_2_e
+title: 5.2e Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management
+description: In situations where static passwords or personal identification numbers (PIN) are used (e.g., certain system components do not support multifactor authentication or complex account management, such as separate system accounts for each user and logging), automated mechanisms (e.g., password managers) can automatically generate, rotate, manage, and store strong and different passwords for users and device accounts. For example, a router might have one administrator account, but an organization typically has multiple network administrators. Therefore, access management and accountability are problematic. A password manager uses techniques such as automated password rotation (in this example, for the router password) to allow a specific user to temporarily gain access to a device by checking out a temporary password and then checking the password back in to end the access. The password manager simultaneously logs these actions. One of the risks in using password managers is that an adversary may target the collection of passwords that the device generates. Therefore, it is important that these passwords are secured. Methods for protecting passwords include the use of multi-factor authentication to the password manager, encryption, or secured hardware (e.g., a hardware security module).
+section-code: 2_e
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_automatic_rotation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml
index 5d8623167..d5a671644 100644
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml
@@ -1,36 +1,36 @@
-framework:
- id: aws_nist_800_53_rev_4
- title: NIST 800-53 Revision 4
- description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
- section-code: aws_nist_800_53_rev_4
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_nist_800_53_rev_4_ac
- - id: aws_nist_800_53_rev_4_au
- - id: aws_nist_800_53_rev_4_ca
- - id: aws_nist_800_53_rev_4_cm
- - id: aws_nist_800_53_rev_4_cp
- - id: aws_nist_800_53_rev_4_ia
- - id: aws_nist_800_53_rev_4_ir
- - id: aws_nist_800_53_rev_4_ra
- - id: aws_nist_800_53_rev_4_sa
- - id: aws_nist_800_53_rev_4_sc
- - id: aws_nist_800_53_rev_4_si
+id: aws_nist_800_53_rev_4
+title: NIST 800-53 Revision 4
+description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
+section-code: aws_nist_800_53_rev_4
+type: framework
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_nist_800_53_rev_4_ac
+- id: aws_nist_800_53_rev_4_au
+- id: aws_nist_800_53_rev_4_ca
+- id: aws_nist_800_53_rev_4_cm
+- id: aws_nist_800_53_rev_4_cp
+- id: aws_nist_800_53_rev_4_ia
+- id: aws_nist_800_53_rev_4_ir
+- id: aws_nist_800_53_rev_4_ra
+- id: aws_nist_800_53_rev_4_sa
+- id: aws_nist_800_53_rev_4_sc
+- id: aws_nist_800_53_rev_4_si
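Review bot: The child references under `control-group` in this framework root (`- id: aws_nist_800_53_rev_4_ac` and the ten that follow) are written without the `type` key, while the sibling hunks for aws_nist_800_53_rev_4_ac, aws_nist_800_53_rev_4_ac_17, aws_nist_800_53_rev_4_ac_2, aws_nist_800_172_3_4 and aws_nist_800_172_3_5 add `type: ""` to every such entry. The two shapes should not coexist in one change: if reference entries are meant to carry a type, the root should get it too, and if they are not, the empty values elsewhere should go. A schema-validated loader will presumably accept only one of the two forms, and whichever one is intended should be stated in a short comment above the first `control-group:` entry so later hand edits follow it.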
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
index 00ad3433f..ab0310c69 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
@@ -1,24 +1,31 @@
+id: aws_nist_800_53_rev_4_ac
+title: Access Control (AC)
+description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+section-code: ac
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ac
- title: Access Control (AC)
- description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
- section-code: ac
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ac_2
- - id: aws_nist_800_53_rev_4_ac_3
- - id: aws_nist_800_53_rev_4_ac_4
- - id: aws_nist_800_53_rev_4_ac_5
- - id: aws_nist_800_53_rev_4_ac_6
- - id: aws_nist_800_53_rev_4_ac_17
- - id: aws_nist_800_53_rev_4_ac_21
+- id: aws_nist_800_53_rev_4_ac_2
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_3
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_4
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_5
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_6
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_17
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_21
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
index 16a245e66..006ce1397 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_4_ac_17
+title: Remote Access (AC-17)
+description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
+section-code: "17"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ac_17
- title: Remote Access (AC-17)
- description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
- section-code: "17"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ac_17_1
- - id: aws_nist_800_53_rev_4_ac_17_2
- - id: aws_nist_800_53_rev_4_ac_17_3
+- id: aws_nist_800_53_rev_4_ac_17_1
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_17_2
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_17_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
index de5de51ee..7d8889e9e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_17_1
- title: AC-17(1) Automated Monitoring/Control
- description: The information system monitors and controls remote access methods.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_ac_17_1
+title: AC-17(1) Automated Monitoring/Control
+description: The information system monitors and controls remote access methods.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
index cb60b8c33..74296df04 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_17_2
- title: AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
- description: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_4_ac_17_2
+title: AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
+description: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
index 475c7e4e2..6b8157d62 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_17_3
- title: AC-17(3) Managed Access Control Points
- description: The information system routes all remote accesses through organization-defined managed network access control points.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_vpc_igw_attached_to_authorized_vpc
+id: aws_nist_800_53_rev_4_ac_17_3
+title: AC-17(3) Managed Access Control Points
+description: The information system routes all remote accesses through organization-defined managed network access control points.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_vpc_igw_attached_to_authorized_vpc
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
index 680eefc5c..f6a44d302 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
@@ -1,41 +1,45 @@
+id: aws_nist_800_53_rev_4_ac_2
+title: Account Management (AC-2)
+description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ac_2
- title: Account Management (AC-2)
- description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ac_2_1
- - id: aws_nist_800_53_rev_4_ac_2_3
- - id: aws_nist_800_53_rev_4_ac_2_4
- - id: aws_nist_800_53_rev_4_ac_2_12
- controls:
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_emr_cluster_kerberos_enabled
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_securityhub_enabled
+- id: aws_nist_800_53_rev_4_ac_2_1
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_2_3
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_2_4
+ type: ""
+- id: aws_nist_800_53_rev_4_ac_2_12
+ type: ""
+controls:
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_emr_cluster_kerberos_enabled
+- aws_guardduty_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
index 268345193..e3fd126c8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_21
- title: Information Sharing (AC-21)
- description: Facilitate information sharing. Enable authorized users to grant access to partners.
- section-code: "21"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+id: aws_nist_800_53_rev_4_ac_21
+title: Information Sharing (AC-21)
+description: Facilitate information sharing. Enable authorized users to grant access to partners.
+section-code: "21"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_bucket_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
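Review bot: The control id `aws_s3_public_access_block_bucket_account` is kept on the new side of this group, while the aws_nist_800_172_3_1_3_e hunk earlier in this diff references the same check as two separate ids, `aws_s3_public_access_block_account` and `aws_s3_public_access_block_bucket`. If the combined id no longer exists as a control definition, this entry resolves to nothing and the S3 public-access-block check silently drops out of AC-21, which is the one group here that is specifically about exposure to outside parties; it is worth confirming against the controls directory before merging. If both forms are valid, a one-line comment on this entry explaining why AC-21 uses the combined variant would save the next reader the same question.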
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
index 59a36fb06..214442874 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_2_1
- title: AC-2(1) Automated System Account Management
- description: The organization employs automated mechanisms to support the management of information system accounts.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_ac_2_1
+title: AC-2(1) Automated System Account Management
+description: The organization employs automated mechanisms to support the management of information system accounts.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_user_access_key_age_90
+- aws_iam_user_in_group
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
index 90fac641c..c5049e2d5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_ac_2_12
- title: AC-2(12) Account Monitoring
- description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_ac_2_12
+title: AC-2(12) Account Monitoring
+description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
index db4b31e9d..b0d3ac596 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_2_3 - title: AC-2(3) Disable Inactive Accounts - description: The information system automatically disables inactive accounts after 90 days for user accounts. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_user_unused_credentials_90 +id: aws_nist_800_53_rev_4_ac_2_3 +title: AC-2(3) Disable Inactive Accounts +description: The information system automatically disables inactive accounts after 90 days for user accounts. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml index e89ce777e..6bdf76660 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml 
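Review bot: The description on the new side still states that the system "automatically disables inactive accounts after 90 days", but the only control mapped to it, `aws_iam_user_unused_credentials_90`, by its name flags credentials unused for 90 days rather than disabling anything, so a passing result here does not demonstrate the automatic disabling AC-2(3) asks for. I would make that gap explicit next to the mapping, e.g. `# Detective only: reports IAM users whose credentials are unused for 90 days; disabling them is a remediation step outside this check.` If a check that verifies an actual deactivation mechanism is added to the corpus later, this is the group it belongs in.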
@@ -1,25 +1,25 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_2_4 - title: AC-2(4) Automated Audit Actions - description: "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled +id: aws_nist_800_53_rev_4_ac_2_4 +title: AC-2(4) Automated Audit Actions +description: "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_guardduty_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml index d9b6132c0..2fd7d7a6f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_3 - title: Access Enforcement (AC-3) - description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_emr_cluster_kerberos_enabled - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_restrict_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket_account +id: aws_nist_800_53_rev_4_ac_3 +title: Access Enforcement (AC-3) +description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_emr_cluster_kerberos_enabled +- aws_iam_group_not_empty +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_restrict_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket_account diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml index 907a2394f..9e21e15af 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml 
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_4 - title: Information Flow Enforcement (AC-4) - description: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all +id: aws_nist_800_53_rev_4_ac_4 +title: Information Flow Enforcement (AC-4) +description: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies. 
+section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_igw_attached_to_authorized_vpc +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml index d81a9ca8c..db6d44fc7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_5 - title: Separation Of Duties (AC-5) - description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations. - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_emr_cluster_kerberos_enabled - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_user_no_inline_attached_policies +id: aws_nist_800_53_rev_4_ac_5 +title: Separation Of Duties (AC-5) +description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_emr_cluster_kerberos_enabled +- aws_iam_group_not_empty +- aws_iam_policy_no_star_star +- aws_iam_user_no_inline_attached_policies diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml index 412d38be7..27e021f76 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml 
@@ -1,40 +1,41 @@ +id: aws_nist_800_53_rev_4_ac_6 +title: Least Privilege (AC-6) +description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_4_ac_6 - title: Least Privilege (AC-6) - description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_4_ac_6_10 - controls: - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_kerberos_enabled - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket_account - - 
aws_sagemaker_notebook_instance_direct_internet_access_disabled +- id: aws_nist_800_53_rev_4_ac_6_10 + type: "" +controls: +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_emr_cluster_kerberos_enabled +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml index 205f69e2d..fb262ad08 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml 
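Review bot: The child reference that replaces the nested group is emitted as `- id: aws_nist_800_53_rev_4_ac_6_10` followed by `type: ""`, an empty discriminator on the very key this commit introduces as `type: control-group` on every top-level document. If the loader switches on `type`, an empty string is either rejected or silently falls into a default branch; if it ignores `type` on child references, the field is noise that looks like a struct default leaking out of a serializer — either way the line should read `type: control-group` or be dropped. Separately, `aws_iam_root_user_no_access_keys` is listed directly under AC-6 here and again under the child AC-6(10) in the next hunk, so any roll-up that aggregates child and parent results will count that finding twice; keep it in one place. The same `type: ""` pattern recurs in the AU, AU-6, AU-7 and AU-9 hunks below.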
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_4_ac_6_10 - title: AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions - description: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_4_ac_6_10 +title: AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions +description: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml index 52be220a7..934effe34 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml 
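Review bot: AC-6(10) is about preventing non-privileged users from executing privileged functions, yet the only control mapped on the new side is `aws_iam_root_user_no_access_keys`, which concerns the most privileged principal in the account and says nothing about what ordinary users are permitted to do. The corpus already has checks that speak to this enhancement directly — `aws_iam_policy_no_star_star` and `aws_iam_user_no_inline_attached_policies` are referenced by the AC-3, AC-5 and AC-6 groups in this same change — so consider adding `- aws_iam_policy_no_star_star` and `- aws_iam_user_no_inline_attached_policies` here. Whether the root-key check should remain is a judgement call; if it stays, a short comment explaining why a root-user check is treated as a privileged-function guard would help the next auditor.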
@@ -1,24 +1,31 @@ +id: aws_nist_800_53_rev_4_au +title: Audit and Accountability (AU) +description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information. +section-code: au +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_4_au - title: Audit and Accountability (AU) - description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information. - section-code: au - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_4_au_2 - - id: aws_nist_800_53_rev_4_au_3 - - id: aws_nist_800_53_rev_4_au_6 - - id: aws_nist_800_53_rev_4_au_7 - - id: aws_nist_800_53_rev_4_au_9 - - id: aws_nist_800_53_rev_4_au_11 - - id: aws_nist_800_53_rev_4_au_12 +- id: aws_nist_800_53_rev_4_au_2 + type: "" +- id: aws_nist_800_53_rev_4_au_3 + type: "" +- id: aws_nist_800_53_rev_4_au_6 + type: "" +- id: aws_nist_800_53_rev_4_au_7 + type: "" +- id: aws_nist_800_53_rev_4_au_9 + type: "" +- id: aws_nist_800_53_rev_4_au_11 + type: "" +- id: aws_nist_800_53_rev_4_au_12 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml index 1f41521fe..ffb137fb9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml 
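Review bot: All seven child references under `control-group:` on the new side carry `type: ""` while the document itself declares `type: control-group`, so the discriminator is empty precisely where a loader that resolves children by type would need it. Unless the schema documents that child references carry no type, each entry should read `- id: aws_nist_800_53_rev_4_au_2` / `  type: control-group` (or the key should be omitted entirely); an empty string is the value most likely to be mishandled by a switch on type. If this output comes from a generator, fix it there rather than by hand so the sibling files stay consistent.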
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_4_au_11 - title: Audit Record Retention (AU-11) - description: "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements." - section-code: "11" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark - controls: - - aws_cloudwatch_log_group_retention_period_365 +id: aws_nist_800_53_rev_4_au_11 +title: Audit Record Retention (AU-11) +description: "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements." +section-code: "11" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark +controls: +- aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml index 330faee50..1c89c730f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml 
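Review bot: AU-11 retention on the new side is satisfied by `aws_cloudwatch_log_group_retention_period_365` alone, which from its name inspects only CloudWatch log groups; the CloudTrail, S3 access, VPC flow and ALB logs that the AU-2/AU-12 groups in this same change require are commonly delivered to S3, where retention is governed by bucket lifecycle and Object Lock rather than by a log-group setting. A trail whose S3 bucket expires objects after 30 days would pass this group while violating the retention requirement. If the corpus has an S3 lifecycle or Object Lock retention check it belongs here; if not, record the gap, e.g. `# Covers CloudWatch log groups only; S3-delivered logs (CloudTrail, flow logs, ALB) are not checked for retention.`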
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_4_au_12 - title: Audit Generation (AU-12) - description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events. - section-code: "12" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_4_au_12 +title: Audit Generation (AU-12) +description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events. +section-code: "12" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml index 773dfb18e..3fffc7170 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml @@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_4_au_2 - title: Event Logging (AU-2) - description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events. - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_4_au_2 +title: Event Logging (AU-2) +description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml index 4880b26fe..55ea99e3f 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_4_au_3 - title: Content of Audit Records (AU-3) - description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_4_au_3 +title: Content of Audit Records (AU-3) +description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml index 8b8d9aacd..c52b79a24 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml @@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_4_au_6 +title: Audit Review, Analysis And Reporting (AU-6) +description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_4_au_6 - title: Audit Review, Analysis And Reporting (AU-6) - description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_4_au_6_1 - - id: aws_nist_800_53_rev_4_au_6_3 +- id: aws_nist_800_53_rev_4_au_6_1 + type: "" +- id: aws_nist_800_53_rev_4_au_6_3 + type: "" 
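Review bot: The control list for AU-3 on the new side is byte-identical to the AU-2 and AU-12 lists in this change, but AU-3 is about the content of audit records (event type, time, location, source, outcome, subject identity), which a set of "logging enabled" checks does not establish — an ALB access log or RDS log is on regardless of which fields it captures. CloudTrail and VPC flow logs carry those fields by design, so the mapping is defensible for them, and `aws_cloudtrail_s3_data_events_enabled` is the one entry that actually extends record content; a comment would make that reasoning auditable, e.g. `# AU-3 relies on the fixed record formats of CloudTrail/flow logs; the checks below verify logging is on, not record content.` Without it the three groups read as copy-paste and a reviewer cannot tell whether the overlap was deliberate.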
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml index 58b85b4ff..798c21e0c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml @@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_4_au_6_1 - title: AU-6(1) Process Integration - description: The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities. - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_nist_800_53_rev_4_au_6_1 +title: AU-6(1) Process Integration +description: The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_guardduty_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml index a1daaa0b4..69e4752f3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_4_au_6_3 - title: AU-6(3) Correlate Audit Repositories - description: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled +id: aws_nist_800_53_rev_4_au_6_3 +title: AU-6(3) Correlate Audit Repositories +description: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_guardduty_enabled +- aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml index a5b0d4efd..cdaa9a3ad 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_4_au_7 +title: Audit Reduction And Report Generation (AU-7) +description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records. +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_4_au_7 - title: Audit Reduction And Report Generation (AU-7) - description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records. - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_4_au_7_1 +- id: aws_nist_800_53_rev_4_au_7_1 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml index 08eb7aa60..7f661bc0b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_4_au_7_1 - title: AU-7(1) Automatic Processing - description: "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudwatch_alarm_action_enabled - - aws_cloudtrail_trail_integrated_with_logs +id: aws_nist_800_53_rev_4_au_7_1 +title: AU-7(1) Automatic Processing +description: "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudwatch_alarm_action_enabled +- aws_cloudtrail_trail_integrated_with_logs diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml index f2b6e9db9..cf481e80f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml 
@@ -1,21 +1,22 @@
+id: aws_nist_800_53_rev_4_au_9
+title: Protection of Audit Information (AU-9)
+description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_au_9
- title: Protection of Audit Information (AU-9)
- description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_au_9_2
- controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_log_group_encryption_at_rest_enabled
+- id: aws_nist_800_53_rev_4_au_9_2
+ type: ""
+controls:
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_log_group_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml
index 75366cd98..197a5c360 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_au_9_2
- title: AU-9(2) Audit Backup On Separate Physical Systems / Components
- description: "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_s3_bucket_cross_region_replication_enabled
+id: aws_nist_800_53_rev_4_au_9_2
+title: AU-9(2) Audit Backup On Separate Physical Systems / Components
+description: "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml
index 1df8daa6f..5743fab35 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_ca
+title: Security Assessment And Authorization (CA)
+description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
+section-code: ca
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ca
- title: Security Assessment And Authorization (CA)
- description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
- section-code: ca
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ca_7
+- id: aws_nist_800_53_rev_4_ca_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml
index dd5e7a9f5..961a93664 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_4_ca_7
- title: Continuous Monitoring (CA-7)
- description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_ca_7
+title: Continuous Monitoring (CA-7)
+description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml
index c69d9fb7a..2d408d17a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_4_cm
+title: Configuration Management (CM)
+description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+section-code: cm
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_cm
- title: Configuration Management (CM)
- description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
- section-code: cm
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_cm_2
- - id: aws_nist_800_53_rev_4_cm_7
- - id: aws_nist_800_53_rev_4_cm_8
+- id: aws_nist_800_53_rev_4_cm_2
+ type: ""
+- id: aws_nist_800_53_rev_4_cm_7
+ type: ""
+- id: aws_nist_800_53_rev_4_cm_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml
index 73b9be9a2..44e5d327d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_4_cm_2
- title: Baseline Configuration (CM-2)
- description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_security_trail_enabled
- - aws_ebs_attached_volume_delete_on_termination_enabled
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
+id: aws_nist_800_53_rev_4_cm_2
+title: Baseline Configuration (CM-2)
+description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_security_trail_enabled
+- aws_ebs_attached_volume_delete_on_termination_enabled
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml
index b0bc725a8..5bfd030ad 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_cm_7
- title: Least Functionality (CM-7)
- description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_nist_800_53_rev_4_cm_7
+title: Least Functionality (CM-7)
+description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml
index fbecffcf9..1bc4935c2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_4_cm_8
+title: Information System Component Inventory (CM-8)
+description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_cm_8
- title: Information System Component Inventory (CM-8)
- description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_cm_8_1
- - id: aws_nist_800_53_rev_4_cm_8_3
+- id: aws_nist_800_53_rev_4_cm_8_1
+ type: ""
+- id: aws_nist_800_53_rev_4_cm_8_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml
index ecb317433..181f1b891 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_cm_8_1
- title: CM-8(1) Updates During Installation / Removals
- description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/EC2
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
+id: aws_nist_800_53_rev_4_cm_8_1
+title: CM-8(1) Updates During Installation / Removals
+description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/EC2
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml
index 7b48c3567..fe8b20c68 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_cm_8_3
- title: CM-8(3) Automated Unauthorized Component Detection
- description: The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_53_rev_4_cm_8_3
+title: CM-8(3) Automated Unauthorized Component Detection
+description: The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml
index 241dcec43..8692e1b02 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_4_cp
+title: Contingency Planning (CP)
+description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+section-code: cp
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_cp
- title: Contingency Planning (CP)
- description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
- section-code: cp
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_cp_9
- - id: aws_nist_800_53_rev_4_cp_10
+- id: aws_nist_800_53_rev_4_cp_9
+ type: ""
+- id: aws_nist_800_53_rev_4_cp_10
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml
index 4371c67bf..0300d3735 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: aws_nist_800_53_rev_4_cp_10
- title: Information System Recovery And Reconstitution (CP-10)
- description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_4_cp_10
+title: Information System Recovery And Reconstitution (CP-10)
+description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml
index 7d0a6c4e6..daf654e84 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_nist_800_53_rev_4_cp_9
- title: Information System Backup (CP-9)
- description: The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_s3_bucket_cross_region_replication_enabled
+id: aws_nist_800_53_rev_4_cp_9
+title: Information System Backup (CP-9)
+description: The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml
index aa50ccbc5..a98d11c75 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_4_ia
+title: Identification and Authentication (IA)
+description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+section-code: ia
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ia
- title: Identification and Authentication (IA)
- description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
- section-code: ia
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ia_2
- - id: aws_nist_800_53_rev_4_ia_5
+- id: aws_nist_800_53_rev_4_ia_2
+ type: ""
+- id: aws_nist_800_53_rev_4_ia_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml
index 67e2927ca..fe756dee6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml
@@ -1,22 +1,25 @@
+id: aws_nist_800_53_rev_4_ia_2
+title: Identification and Authentication (Organizational users) (IA-2)
+description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ia_2
- title: Identification and Authentication (Organizational users) (IA-2)
- description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ia_2_1
- - id: aws_nist_800_53_rev_4_ia_2_2
- - id: aws_nist_800_53_rev_4_ia_2_11
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+- id: aws_nist_800_53_rev_4_ia_2_1
+ type: ""
+- id: aws_nist_800_53_rev_4_ia_2_2
+ type: ""
+- id: aws_nist_800_53_rev_4_ia_2_11
+ type: ""
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml
index 6c24b52b2..63ef536a7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_2_1
- title: IA-2(1) Network Access To Privileged Accounts
- description: The information system implements multi-factor authentication for network access to privileged accounts.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_nist_800_53_rev_4_ia_2_1
+title: IA-2(1) Network Access To Privileged Accounts
+description: The information system implements multi-factor authentication for network access to privileged accounts.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml
index 875e1d496..488ca88c1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_2_11
- title: IA-2(11) Remote Access - Separate Device
- description: "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."
- section-code: "11"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_nist_800_53_rev_4_ia_2_11
+title: IA-2(11) Remote Access - Separate Device
+description: "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]."
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml
index c4cc7e68c..95f930834 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_2_2
- title: IA-2(2) Network Access To Non-Privileged Accounts
- description: The information system implements multifactor authentication for network access to non-privileged accounts.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_nist_800_53_rev_4_ia_2_2
+title: IA-2(2) Network Access To Non-Privileged Accounts
+description: The information system implements multifactor authentication for network access to non-privileged accounts.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml
index 78e70c0e1..12d5c7f17 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_4_ia_5
+title: Authenticator Management (IA-5)
+description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ia_5
- title: Authenticator Management (IA-5)
- description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ia_5_1
- - id: aws_nist_800_53_rev_4_ia_5_4
- - id: aws_nist_800_53_rev_4_ia_5_7
+- id: aws_nist_800_53_rev_4_ia_5_1
+ type: ""
+- id: aws_nist_800_53_rev_4_ia_5_4
+ type: ""
+- id: aws_nist_800_53_rev_4_ia_5_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml
index deec4ee1f..71fe892ee 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_5_1
- title: IA-5(1) Password-Based Authentication
- description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_nist_800_53_rev_4_ia_5_1
+title: IA-5(1) Password-Based Authentication
+description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml
index d8223ea09..e57ae6180 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_5_4
- title: IA-5(4) Automated Support For Password Strength Determination
- description: "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_nist_800_53_rev_4_ia_5_4
+title: IA-5(4) Automated Support For Password Strength Determination
+description: "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml
index 13d082770..afc794cea 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ia_5_7
- title: IA-5(7) No Embedded Unencrypted Static Authenticators
- description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CodeBuild
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+id: aws_nist_800_53_rev_4_ia_5_7
+title: IA-5(7) No Embedded Unencrypted Static Authenticators
+description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CodeBuild
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml
index c78b4475d..7ddcbe11b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_4_ir
+title: Incident Response (IR)
+description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+section-code: ir
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ir
- title: Incident Response (IR)
- description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
- section-code: ir
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ir_4
- - id: aws_nist_800_53_rev_4_ir_6
- - id: aws_nist_800_53_rev_4_ir_7
+- id: aws_nist_800_53_rev_4_ir_4
+ type: ""
+- id: aws_nist_800_53_rev_4_ir_6
+ type: ""
+- id: aws_nist_800_53_rev_4_ir_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml
index 2c4d4794f..c2d7eb134 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_ir_4
+title: Incident Handling (IR-4)
+description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ir_4
- title: Incident Handling (IR-4)
- description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ir_4_1
+- id: aws_nist_800_53_rev_4_ir_4_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml
index 6ae4bcbb4..861d65f7c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_ir_4_1
- title: IR-4(1) Automated Incident Handling Processes
- description: The organization employs automated mechanisms to support the incident handling process.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_finding_archived
+id: aws_nist_800_53_rev_4_ir_4_1
+title: IR-4(1) Automated Incident Handling Processes
+description: The organization employs automated mechanisms to support the incident handling process.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml
index 239f5df66..db5b0d8da 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_ir_6
+title: Incident Reporting (IR-6)
+description: The organization report suspected security incidents to the organizational incident response capability within organization-defined time period.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ir_6
- title: Incident Reporting (IR-6)
- description: The organization report suspected security incidents to the organizational incident response capability within organization-defined time period.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ir_6_1
+- id: aws_nist_800_53_rev_4_ir_6_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml
index ab02e9c44..6ccb4673f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml
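Review bot: The rewritten `description:` line keeps a grammatical error that the restructuring was a natural moment to fix: "The organization report suspected security incidents ... within organization-defined time period." Suggested text: `description: The organization reports suspected security incidents to the organizational incident response capability within an organization-defined time period.` This is user-facing benchmark text, so the wording is worth getting right before it is copied further.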
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ir_6_1
- title: IR-6(1) Automated Reporting
- description: The organization employs automated mechanisms to assist in the reporting of security incidents.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_finding_archived
+id: aws_nist_800_53_rev_4_ir_6_1
+title: IR-6(1) Automated Reporting
+description: The organization employs automated mechanisms to assist in the reporting of security incidents.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml
index c432a56d5..9beceb443 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_ir_7
+title: Incident Response Assistance (IR-7)
+description: The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ir_7
- title: Incident Response Assistance (IR-7)
- description: The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ir_7_1
+- id: aws_nist_800_53_rev_4_ir_7_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml
index 1518dcc5a..e7e432cae 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_ir_7_1
- title: IR-7(1) Automation Support For Availability Of Information / Support
- description: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_finding_archived
+id: aws_nist_800_53_rev_4_ir_7_1
+title: IR-7(1) Automation Support For Availability Of Information / Support
+description: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml
index 2547f64a6..a8196005b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_ra
+title: Risk Assessment (RA)
+description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+section-code: ra
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_ra
- title: Risk Assessment (RA)
- description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
- section-code: ra
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_ra_5
+- id: aws_nist_800_53_rev_4_ra_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml
index 10d8465d7..12612c72c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml
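Review bot: The rewritten `description:` for the RA family carries a second sentence that reads as third-party vendor copy ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.") rather than a description of the control family; it appears to have been pasted from an external source and does not belong in a benchmark definition that is rendered to users. Suggest keeping only the first sentence: `description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities.` The other family descriptions in this commit (IR, SA, SC) stick to the control-family wording, so this one is also inconsistent with its siblings.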
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_ra_5
- title: Vulnerability Scanning (RA-5)
- description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
+id: aws_nist_800_53_rev_4_ra_5
+title: Vulnerability Scanning (RA-5)
+description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml
index 4bbc26575..7f0a365d1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_4_sa
+title: System and Services Acquisition (SA)
+description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
+section-code: sa
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_sa
- title: System and Services Acquisition (SA)
- description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
- section-code: sa
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_sa_3
- - id: aws_nist_800_53_rev_4_sa_10
+- id: aws_nist_800_53_rev_4_sa_3
+ type: ""
+- id: aws_nist_800_53_rev_4_sa_10
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml
index 23c9b64eb..6495dbf15 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_4_sa_10
- title: Developer Configuration Management (SA-10)
- description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_sa_10
+title: Developer Configuration Management (SA-10)
+description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. 
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
index 8ea61ff8a..3ff9f0e7f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_sa_3
- title: System Development Life Cycle (SA-3)
- description: The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
+id: aws_nist_800_53_rev_4_sa_3
+title: System Development Life Cycle (SA-3)
+description: The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
+- aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
index 33a9264bc..3d55e1514 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
@@ -1,26 +1,35 @@
+id: aws_nist_800_53_rev_4_sc
+title: System and Communications Protection (SC)
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: sc
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_sc
- title: System and Communications Protection (SC)
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: sc
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_sc_2
- - id: aws_nist_800_53_rev_4_sc_4
- - id: aws_nist_800_53_rev_4_sc_5
- - id: aws_nist_800_53_rev_4_sc_7
- - id: aws_nist_800_53_rev_4_sc_8
- - id: aws_nist_800_53_rev_4_sc_12
- - id: aws_nist_800_53_rev_4_sc_13
- - id: aws_nist_800_53_rev_4_sc_23
- - id: aws_nist_800_53_rev_4_sc_28
+- id: aws_nist_800_53_rev_4_sc_2
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_4
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_5
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_7
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_8
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_12
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_13
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_23
+ type: ""
+- id: aws_nist_800_53_rev_4_sc_28
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
index b046762de..9d85a63e8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_12
- title: Cryptographic Key Establishment And Management (SC-12)
- description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_nist_800_53_rev_4_sc_12
+title: Cryptographic Key Establishment And Management (SC-12)
+description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
index a0eaa914c..df244ff68 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_13
- title: Cryptographic Protection (SC-13)
- description: "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
- section-code: "13"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/DynamoDB
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_encrypted_with_kms
+id: aws_nist_800_53_rev_4_sc_13
+title: Cryptographic Protection (SC-13)
+description: "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/DynamoDB
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_encrypted_with_kms
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
index 27a1622d7..569dfa9ab 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_2
- title: Application Partitioning (SC-2)
- description: The information system separates user functionality (including user interface services) from information system management functionality.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
+id: aws_nist_800_53_rev_4_sc_2
+title: Application Partitioning (SC-2)
+description: The information system separates user functionality (including user interface services) from information system management functionality.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_not_empty
+- aws_iam_policy_no_star_star
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
index dac52e5ab..63317161f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_23
- title: Session Authenticity (SC-23)
- description: TThe information system protects the authenticity of communications sessions.
- section-code: "23"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/ELB
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_tls_https_listeners
+id: aws_nist_800_53_rev_4_sc_23
+title: Session Authenticity (SC-23)
+description: TThe information system protects the authenticity of communications sessions.
+section-code: "23"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/ELB
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_tls_https_listeners
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
index 5e3bf7465..c0a79c2c7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
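Review bot: The rewritten `description:` line for SC-23 still starts with the typo "TThe information system protects ..."; since the line is being rewritten anyway, this is the place to correct it to `description: The information system protects the authenticity of communications sessions.` The text is shown to users in benchmark reports, so a visible typo in the top-level control description is worth a one-character fix.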
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_28
- title: Protection Of Information At Rest (SC-28)
- description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]."
- section-code: "28"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_4_sc_28
+title: Protection Of Information At Rest (SC-28)
+description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]."
+section-code: "28"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_es_domain_encryption_at_rest_enabled
+- aws_kms_key_not_pending_deletion
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_object_lock_enabled
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
index be849df55..035c1ff78 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_4
- title: Information In Shared Resources (SC-4)
- description: The information system prevents unauthorized and unintended information transfer via shared system resources.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
- controls:
- - aws_ebs_attached_volume_delete_on_termination_enabled
+id: aws_nist_800_53_rev_4_sc_4
+title: Information In Shared Resources (SC-4)
+description: The information system prevents unauthorized and unintended information transfer via shared system resources.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_attached_volume_delete_on_termination_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
index a699fc311..4206ea674 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
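Review bot: The index line records mode 100755 for this file, and the same mode appears on every framework file in this chunk, so these YAML documents are committed with the execute bit set; nothing in a data file needs that, and stray executable config is a recurring finding in repository hygiene scans. Clearing the bit across `compliance/frameworks/aws/aws_nist_800_53_rev_4/` in a follow-up (a plain mode change, no content edit) would normalise it. The hunk body itself is a faithful unwrap of the old `control-group:` document and needs no change.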
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_5
- title: Denial Of Service Protection (SC-5)
- description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_cross_region_replication_enabled
+id: aws_nist_800_53_rev_4_sc_5
+title: Denial Of Service Protection (SC-5)
+description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
index 497b6caaa..4370319a3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
@@ -1,48 +1,49 @@
+id: aws_nist_800_53_rev_4_sc_7
+title: Boundary Protection (SC-7)
+description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_sc_7
- title: Boundary Protection (SC-7)
- description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_sc_7_3
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_wafv2_web_acl_logging_enabled
+- id: aws_nist_800_53_rev_4_sc_7_3
+ type: ""
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_lb_waf_enabled
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
index 4b428294e..50853a532 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
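Review bot: The child-group reference on the new side is written as `- id: aws_nist_800_53_rev_4_sc_7_3` followed by `type: ""`, an empty value, while every group document this commit touches declares `type: control-group` (sc_7_3 itself does so in the next file). An empty string here reads like a struct field serialised without an omit-when-empty option rather than a deliberate value; a loader that validates or dispatches on `type` would either reject the reference or silently skip the nested group, and in a compliance benchmark a silently skipped group means its controls are never evaluated while the framework still appears to load cleanly. Either set `type: control-group` on each child reference or drop the key and let the loader resolve it by id. The same `type: ""` pattern appears in the sc_8, si, si_2, si_4 and si_7 hunks below. Note also that the ` control-group:` context line survives unchanged only by coincidence: on the old side it was the document wrapper, on the new side it is the child-list key, so a reader of the diff should not take it as untouched structure.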
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_7_3
- title: SC-7(3) Access Points
- description: The organization limits the number of external network connections to the information system.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_nist_800_53_rev_4_sc_7_3
+title: SC-7(3) Access Points
+description: The organization limits the number of external network connections to the information system.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
index 0e8a9e1a1..9e8043108 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
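Review bot: All twenty controls kept under `controls:` here are also listed directly under the parent group's `controls:` in the sc_7 hunk above, which references this group as a child at the same time; a loader that flattens a group together with its children will evaluate and report each of these checks twice under SC-7, and any per-group pass/fail tally will be inflated by the overlap. If the parent is meant to roll up its sub-groups, the direct list in sc_7 should shrink to the nine entries sc_7_3 does not own (the ALB/CLB TLS, node-to-node and in-transit encryption, S3 SSL and WAF checks); if the parent is meant to be self-contained, the child reference is redundant instead. The sc_8/sc_8_1 pair further down repeats this with an identical seven-control list, and si_4 overlaps its si_4_2, si_4_4 and si_4_5 children. The duplication predates this restructure, but the new flat layout is where the ownership rule should be settled and, ideally, stated in a one-line comment on the parent's `controls:` key.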
@@ -1,26 +1,27 @@
+id: aws_nist_800_53_rev_4_sc_8
+title: Transmission Confidentiality And Integrity (SC-8)
+description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_sc_8
- title: Transmission Confidentiality And Integrity (SC-8)
- description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_sc_8_1
- controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+- id: aws_nist_800_53_rev_4_sc_8_1
+ type: ""
+controls:
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
index 622b57aaa..667f3fb4c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_4_sc_8_1
- title: SC-8(1) Cryptographic Or Alternate Physical Protection
- description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_4_sc_8_1
+title: SC-8(1) Cryptographic Or Alternate Physical Protection
+description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
index 39bc01576..6c422dc7b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
@@ -1,21 +1,25 @@
+id: aws_nist_800_53_rev_4_si
+title: System and Information Integrity (SI)
+description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+section-code: si
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_si
- title: System and Information Integrity (SI)
- description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
- section-code: si
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_si_2
- - id: aws_nist_800_53_rev_4_si_4
- - id: aws_nist_800_53_rev_4_si_7
- - id: aws_nist_800_53_rev_4_si_12
+- id: aws_nist_800_53_rev_4_si_2
+ type: ""
+- id: aws_nist_800_53_rev_4_si_4
+ type: ""
+- id: aws_nist_800_53_rev_4_si_7
+ type: ""
+- id: aws_nist_800_53_rev_4_si_12
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
index c0e1afb18..1390c11f0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_12
- title: Information Handling and Retention (SI-12)
- description: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_s3_bucket_versioning_enabled
+id: aws_nist_800_53_rev_4_si_12
+title: Information Handling and Retention (SI-12)
+description: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml
index 88bd9a258..b4f7ef449 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_4_si_2
+title: Flaw Remediation (SI-2)
+description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_si_2
- title: Flaw Remediation (SI-2)
- description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_si_2_2
+- id: aws_nist_800_53_rev_4_si_2_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml
index 3432cb778..35d469424 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_2_2
- title: SI-2(2) Automates Flaw Remediation Status
- description: The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_53_rev_4_si_2_2
+title: SI-2(2) Automates Flaw Remediation Status
+description: The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml
index 680e8cf04..12f054ecb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml
@@ -1,31 +1,36 @@
+id: aws_nist_800_53_rev_4_si_4
+title: Information System Monitoring (SI-4)
+description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_si_4
- title: Information System Monitoring (SI-4)
- description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_si_4_1
- - id: aws_nist_800_53_rev_4_si_4_2
- - id: aws_nist_800_53_rev_4_si_4_4
- - id: aws_nist_800_53_rev_4_si_4_5
- - id: aws_nist_800_53_rev_4_si_4_16
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
+- id: aws_nist_800_53_rev_4_si_4_1
+ type: ""
+- id: aws_nist_800_53_rev_4_si_4_2
+ type: ""
+- id: aws_nist_800_53_rev_4_si_4_4
+ type: ""
+- id: aws_nist_800_53_rev_4_si_4_5
+ type: ""
+- id: aws_nist_800_53_rev_4_si_4_16
+ type: ""
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml
index 280bbb6d7..8f2bd52ba 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_4_1
- title: SI-4(1) System-Wide Intrusion Detection System
- description: The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_4_si_4_1
+title: SI-4(1) System-Wide Intrusion Detection System
+description: The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml
index ca97b18b8..07c9e4a8d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_4_16
- title: SI-4(16) Correlate Monitoring Information
- description: The organization correlates information from monitoring tools employed throughout the information system.
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_si_4_16
+title: SI-4(16) Correlate Monitoring Information
+description: The organization correlates information from monitoring tools employed throughout the information system.
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml
index ef8906039..083b58556 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_4_2
- title: SI-4(2) Automated Tools For Real-Time Analysis
- description: The organization employs automated tools to support near real-time analysis of events.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_si_4_2
+title: SI-4(2) Automated Tools For Real-Time Analysis
+description: The organization employs automated tools to support near real-time analysis of events.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_ec2_instance_detailed_monitoring_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml
index fcf6ef749..2bbecf652 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_4_4
- title: SI-4(4) Inbound and Outbound Communications Traffic
- description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_si_4_4
+title: SI-4(4) Inbound and Outbound Communications Traffic
+description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml
index 5b1a87025..3a0b6a1f3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_4_5
- title: SI-4(5) System-Generated Alerts
- description: "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_4_si_4_5
+title: SI-4(5) System-Generated Alerts
+description: "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml
index fa3cb84be..eb0ade008 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml
@@ -1,20 +1,21 @@
+id: aws_nist_800_53_rev_4_si_7
+title: Software, Firmware, and Information Integrity (SI-7)
+description: "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]."
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_4_si_7
- title: Software, Firmware, and Information Integrity (SI-7)
- description: "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]."
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_4_si_7_1
- controls:
- - aws_cloudtrail_trail_validation_enabled
+- id: aws_nist_800_53_rev_4_si_7_1
+ type: ""
+controls:
+- aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml
index c9fa9115d..f66358422 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml
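Review bot: The child reference under `control-group:` on the new side is emitted as `- id: aws_nist_800_53_rev_4_si_7_1` followed by `type: ""`, and an empty-string type carries no information while being a new key the old bare `id:` entries did not have. If the loader dispatches on `type`, an empty value will either be silently ignored or rejected by validation, so either drop the key from child references (leaving `- id: aws_nist_800_53_rev_4_si_7_1` alone) or, if this YAML is generated, mark the field `omitempty` in the serializer so it is not written out. The same `type: ""` pattern appears in the `aws_nist_800_53_rev_5_ac`, `_ac_16`, `_ac_17`, `_ac_17_4`, `_ac_2` and `_ac_24` hunks below. Whether empty is a deliberate "infer from the referenced file" sentinel is not visible here and should be stated in a comment or schema note if so.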
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_4_si_7_1
- title: SI-7(1) Integrity Checks
- description: The information system performs an integrity check of security relevant events at least monthly.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_53_rev_4_si_7_1
+title: SI-7(1) Integrity Checks
+description: The information system performs an integrity check of security relevant events at least monthly.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml
index 2cdde0dc9..75ec57e48 100644
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml
@@ -1,40 +1,40 @@
-framework:
- id: aws_nist_800_53_rev_5
- title: NIST 800-53 Revision 5
- description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
- section-code: aws_nist_800_53_rev_5
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_nist_800_53_rev_5_ac
- - id: aws_nist_800_53_rev_5_au
- - id: aws_nist_800_53_rev_5_ca
- - id: aws_nist_800_53_rev_5_cm
- - id: aws_nist_800_53_rev_5_cp
- - id: aws_nist_800_53_rev_5_ia
- - id: aws_nist_800_53_rev_5_ir
- - id: aws_nist_800_53_rev_5_ma
- - id: aws_nist_800_53_rev_5_mp
- - id: aws_nist_800_53_rev_5_pe
- - id: aws_nist_800_53_rev_5_pm
- - id: aws_nist_800_53_rev_5_ra
- - id: aws_nist_800_53_rev_5_sa
- - id: aws_nist_800_53_rev_5_sc
- - id: aws_nist_800_53_rev_5_si
+id: aws_nist_800_53_rev_5
+title: NIST 800-53 Revision 5
+description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
+section-code: aws_nist_800_53_rev_5
+type: framework
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_nist_800_53_rev_5_ac
+- id: aws_nist_800_53_rev_5_au
+- id: aws_nist_800_53_rev_5_ca
+- id: aws_nist_800_53_rev_5_cm
+- id: aws_nist_800_53_rev_5_cp
+- id: aws_nist_800_53_rev_5_ia
+- id: aws_nist_800_53_rev_5_ir
+- id: aws_nist_800_53_rev_5_ma
+- id: aws_nist_800_53_rev_5_mp
+- id: aws_nist_800_53_rev_5_pe
+- id: aws_nist_800_53_rev_5_pm
+- id: aws_nist_800_53_rev_5_ra
+- id: aws_nist_800_53_rev_5_sa
+- id: aws_nist_800_53_rev_5_sc
+- id: aws_nist_800_53_rev_5_si
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml
index b10d3b59a..8934e07bf 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml
@@ -1,26 +1,35 @@
+id: aws_nist_800_53_rev_5_ac
+title: Access Control (AC)
+description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+section-code: ac
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac
- title: Access Control (AC)
- description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
- section-code: ac
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_2
- - id: aws_nist_800_53_rev_5_ac_3
- - id: aws_nist_800_53_rev_5_ac_4
- - id: aws_nist_800_53_rev_5_ac_5
- - id: aws_nist_800_53_rev_5_ac_6
- - id: aws_nist_800_53_rev_5_ac_7
- - id: aws_nist_800_53_rev_5_ac_16
- - id: aws_nist_800_53_rev_5_ac_17
- - id: aws_nist_800_53_rev_5_ac_24
+- id: aws_nist_800_53_rev_5_ac_2
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_3
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_4
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_5
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_6
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_7
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_16
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_24
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
index 38c446a93..03aecd563 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ac_16
+title: Security And Privacy Attributes (AC-16)
+description: "a.\u2003Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b.\u2003Ensure that the attribute associations are made and retained with the information; c.\u2003Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]."
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_16
- title: Security And Privacy Attributes (AC-16)
- description: "a.\u2003Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b.\u2003Ensure that the attribute associations are made and retained with the information; c.\u2003Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]."
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_16_b
+- id: aws_nist_800_53_rev_5_ac_16_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml
index c136c5df2..b81e565a7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_16_b
- title: AC-16(b)
- description: Ensure that the attribute associations are made and retained with the information.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_nist_800_53_rev_5_ac_16_b
+title: AC-16(b)
+description: Ensure that the attribute associations are made and retained with the information.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml
index 67f973039..3de0eb132 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml
@@ -1,23 +1,29 @@
+id: aws_nist_800_53_rev_5_ac_17
+title: Remote Access (AC-17)
+description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
+section-code: "17"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_17
- title: Remote Access (AC-17)
- description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
- section-code: "17"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_17_1
- - id: aws_nist_800_53_rev_5_ac_17_2
- - id: aws_nist_800_53_rev_5_ac_17_4
- - id: aws_nist_800_53_rev_5_ac_17_9
- - id: aws_nist_800_53_rev_5_ac_17_10
- - id: aws_nist_800_53_rev_5_ac_17_b
+- id: aws_nist_800_53_rev_5_ac_17_1
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17_2
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17_4
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17_9
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17_10
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_17_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml
index 7e225c523..622f8e7d2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_1
- title: AC-17(1) Monitoring And Control
- description: Employ automated mechanisms to monitor and control remote access methods.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_ac_17_1
+title: AC-17(1) Monitoring And Control
+description: Employ automated mechanisms to monitor and control remote access methods.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
index e676790b0..1e8dffe04 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_10
- title: AC-17(10) Authenticate Remote Commands
- description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_ac_17_10
+title: AC-17(10) Authenticate Remote Commands
+description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
index 1cf842a7c..f4d8a7401 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
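Review bot: The `description` carried onto the new side of this AC-17(10) file is the AC-17(9) text ("Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].") and does not match its own title `AC-17(10) Authenticate Remote Commands`; the rewrite preserved the mismatch rather than fixing it. The Rev 5 catalog wording for AC-17(10) is, as I recall it, `description: "Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]."` — confirm against the catalog before changing. The controls list here is also identical to the one in the AC-17(9) hunk further down, which suggests the whole file was cloned from AC-17(9); that mapping may be intentional, but public-exposure checks are a loose fit for command authentication and deserve a second look by whoever owns the framework mapping.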
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_2
- title: AC-17(2) Protection Of Confidentiality And Integrity Using Encryption
- description: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_ac_17_2
+title: AC-17(2) Protection Of Confidentiality And Integrity Using Encryption
+description: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
index 3f2a45ed0..3d503c610 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ac_17_4
+title: AC-17(4) Privileged Commands And Access
+description: "a.\u2003Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b.\u2003Document the rationale for remote access in the security plan for the system."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_17_4
- title: AC-17(4) Privileged Commands And Access
- description: "a.\u2003Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b.\u2003Document the rationale for remote access in the security plan for the system."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_17_4_a
+- id: aws_nist_800_53_rev_5_ac_17_4_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
index 02b992d17..d21df4519 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_4_a
- title: AC-17(4)(a)
- description: "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_nist_800_53_rev_5_ac_17_4_a
+title: AC-17(4)(a)
+description: "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
index 5a80cc0ff..c5eb9c846 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_9
- title: AC-17(9) Disconnect Or Disable Access
- description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_ac_17_9
+title: AC-17(9) Disconnect Or Disable Access
+description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
index 2be5b33e7..e81aec9b4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_17_b
- title: AC-17(b)
- description: Authorize each type of remote access to the system prior to allowing such connections.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_ac_17_b
+title: AC-17(b)
+description: Authorize each type of remote access to the system prior to allowing such connections.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
index 3f78ee4f8..3eae29f00 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
@@ -1,26 +1,35 @@
+id: aws_nist_800_53_rev_5_ac_2
+title: Account Management (AC-2)
+description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_2
- title: Account Management (AC-2)
- description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_2_1
- - id: aws_nist_800_53_rev_5_ac_2_3
- - id: aws_nist_800_53_rev_5_ac_2_4
- - id: aws_nist_800_53_rev_5_ac_2_6
- - id: aws_nist_800_53_rev_5_ac_2_12
- - id: aws_nist_800_53_rev_5_ac_2_d_1
- - id: aws_nist_800_53_rev_5_ac_2_g
- - id: aws_nist_800_53_rev_5_ac_2_i_2
- - id: aws_nist_800_53_rev_5_ac_2_j
+- id: aws_nist_800_53_rev_5_ac_2_1
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_3
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_4
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_6
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_12
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_d_1
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_g
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_i_2
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_j
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
index c510effbb..261f9c243 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
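Review bot: The nine child references added under `control-group:` each carry `type: ""`, while the file's own header in the same hunk declares `type: control-group`; if the loader dispatches or validates on `type`, an empty string is either rejected or silently treated as an unknown kind, and in neither case does it say what the referenced files themselves declare. Either give each child its concrete kind, `- id: aws_nist_800_53_rev_5_ac_2_1` followed by `  type: control-group`, or drop the key on references and let the loader read `type` from the referenced file. The same `type: ""` placeholder appears on the child lists of the other parent groups in this commit, so whichever form is chosen should be applied uniformly rather than per file.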
@@ -1,35 +1,36 @@
+id: aws_nist_800_53_rev_5_ac_24
+title: Access Control Decisions (AC-24)
+description: "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement."
+section-code: "24"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_24
- title: Access Control Decisions (AC-24)
- description: "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement."
- section-code: "24"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_24_1
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+- id: aws_nist_800_53_rev_5_ac_24_1
+ type: ""
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
index 46a94efb4..c02b752a5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_24_1
- title: AC-24(1)
- description: "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_ac_24_1
+title: AC-24(1)
+description: "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml
index eb85db436..9970909cd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml
@@ -1,32 +1,32 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_1
- title: AC-2(1) Automated System Account Management
- description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_2_1
+title: AC-2(1) Automated System Account Management
+description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
index 950eae1dc..bddb5c8c2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ac_2_12
+title: AC-2(12) Account Monitoring
+description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_2_12
- title: AC-2(12) Account Monitoring
- description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_2_12_a
+- id: aws_nist_800_53_rev_5_ac_2_12_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
index 644f742e5..2e14c313e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_12_a
- title: AC-2(12)(a)
- description: "Monitor system accounts for [Assignment: organization-defined atypical usage]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_ac_2_12_a
+title: AC-2(12)(a)
+description: "Monitor system accounts for [Assignment: organization-defined atypical usage]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
index ac2a2f769..8da647067 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
@@ -1,24 +1,28 @@
+id: aws_nist_800_53_rev_5_ac_2_3
+title: AC-2(3) Disable Accounts
+description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_2_3
- title: AC-2(3) Disable Accounts
- description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_2_3_a
- - id: aws_nist_800_53_rev_5_ac_2_3_b
- - id: aws_nist_800_53_rev_5_ac_2_3_c
- - id: aws_nist_800_53_rev_5_ac_2_3_d
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+- id: aws_nist_800_53_rev_5_ac_2_3_a
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_3_b
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_3_c
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_2_3_d
+ type: ""
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
index df3f04540..1a3eefe55 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
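Review bot: AC-2(3) is about disabling accounts that have expired, are orphaned, violate policy or are inactive, yet the only controls kept on the new side are `aws_iam_account_password_policy_min_length_14` and `aws_iam_user_unused_credentials_90`; a minimum password length says nothing about whether an account was disabled, so only the unused-credentials check actually evidences this control, and it speaks to item (d) rather than (a)–(c). The four child groups this hunk now references (`ac_2_3_a` through `ac_2_3_d`) carry the identical pair of controls in their own hunks, so the per-item breakdown adds no discriminating evidence. Consider dropping the password-length control from this group and, where no automated check exists for an item, saying so in the description rather than reusing an unrelated control; the mapping predates this commit, so this is a follow-up rather than a blocker.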
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_3_a
- title: AC-2(3)(a)
- description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_3_a
+title: AC-2(3)(a)
+description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
index 5de7ea535..193e7e9ca 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_3_b
- title: AC-2(3)(b)
- description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_3_b
+title: AC-2(3)(b)
+description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
index 516985e5b..ba72e0c36 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_3_c
- title: AC-2(3)(c)
- description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy."
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_3_c
+title: AC-2(3)(c)
+description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
index 663ab4f40..7fb7cae70 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_3_d
- title: AC-2(3)(d)
- description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]."
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_3_d
+title: AC-2(3)(d)
+description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
index 8aaca8c0e..41c6206ac 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_4
- title: AC-2(4) Automated Audit Actions
- description: Automatically audit account creation, modification, enabling, disabling, and removal actions.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_nist_800_53_rev_5_ac_2_4
+title: AC-2(4) Automated Audit Actions
+description: Automatically audit account creation, modification, enabling, disabling, and removal actions.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
index 872a305b5..affe88d0f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_6
- title: AC-2(6) Dynamic Privilege Management
- description: "Implement [Assignment: organization-defined dynamic privilege management capabilities]."
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_ac_2_6
+title: AC-2(6) Dynamic Privilege Management
+description: "Implement [Assignment: organization-defined dynamic privilege management capabilities]."
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_ec2_instance_uses_imdsv2
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
index 7e5eee487..6cd96d300 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_d_1
- title: AC-2(d)(1)
- description: "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes."
- section-code: d_1
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
+id: aws_nist_800_53_rev_5_ac_2_d_1
+title: AC-2(d)(1)
+description: "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes."
+section-code: d_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
index 460fec6ac..da177ddb8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_g
- title: AC-2(g)
- description: "The organization: g. Monitors the use of information system accounts."
- section-code: g
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_g
+title: AC-2(g)
+description: "The organization: g. Monitors the use of information system accounts."
+section-code: g
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_user_unused_credentials_90
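Review bot: The description carried over on the new side of the ac_2_d_1 hunk, `d. Specify: 1. Authorized users of the system;personnel termination and transfer processes.`, reads as a truncated splice: the missing space after the semicolon and the dangling clause suggest two separate items were merged, and the termination/transfer fragment does not appear to belong to AC-2 d.1, whose Rev 5 text stops at the authorized-users item. Suggest reducing it to the item this group actually represents, `description: "d. Specify: 1. Authorized users of the system;"`, and relocating the termination/transfer text to whichever group covers it. The text itself is untouched by this commit, but since the file is being rewritten wholesale it is a cheap fix to fold in.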
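Review bot: The ac_2_g description kept on the new side, `The organization: g. Monitors the use of information system accounts.`, reads as the Rev 4 phrasing (third person, "information system"), whereas Rev 5 AC-2 g is the imperative `Monitor the use of accounts;` and the sibling files in this commit (AC-2(1), AC-2(3), AC-24) already use Rev 5 wording. Suggest `description: "g. Monitor the use of accounts."` so the text matches the framework named in the id and the `nist_800_53_rev_5` tag; the same Rev 4 phrasing appears to remain in the AC-2(j) and AC-2(12) descriptions in this change. Unchanged by the commit, so a follow-up rather than a blocker.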
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
index b92889322..357364419 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_i_2
- title: AC-2(i)(2)
- description: "i. Authorize access to the system based on: 2. Intended system usage."
- section-code: i_2
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
+id: aws_nist_800_53_rev_5_ac_2_i_2
+title: AC-2(i)(2)
+description: "i. Authorize access to the system based on: 2. Intended system usage."
+section-code: i_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_user_in_group
+- aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
index c623e893c..48735e4e7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_2_j
- title: AC-2(j)
- description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
- section-code: j
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_user_unused_credentials_90
+id: aws_nist_800_53_rev_5_ac_2_j
+title: AC-2(j)
+description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
+section-code: j
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
index f55c9b912..b901f9266 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
@@ -1,54 +1,64 @@ +id: aws_nist_800_53_rev_5_ac_3 +title: Access Enforcement (AC-3) +description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_3 - title: Access Enforcement (AC-3) - description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_3_1 - - id: aws_nist_800_53_rev_5_ac_3_2 - - id: aws_nist_800_53_rev_5_ac_3_3 - - id: aws_nist_800_53_rev_5_ac_3_4 - - id: aws_nist_800_53_rev_5_ac_3_7 - - id: aws_nist_800_53_rev_5_ac_3_8 - - id: aws_nist_800_53_rev_5_ac_3_10 - - id: aws_nist_800_53_rev_5_ac_3_12 - - id: aws_nist_800_53_rev_5_ac_3_13 - - id: aws_nist_800_53_rev_5_ac_3_15 - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - 
- aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +- id: aws_nist_800_53_rev_5_ac_3_1 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_2 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_4 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_7 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_8 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_10 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_12 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_13 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_15 + type: "" +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled 
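Review bot: Every nested `control-group` reference on the new side carries `type: ""`, while the file itself and every other node in this commit declare an explicit value (`type: control-group`, `type: control`), so the empty string reads like an unset default leaking out of a marshaller rather than an intended value. If the loader dispatches on `type`, an empty value will either silently fall through to a default or fail validation, and either way it is inconsistent with the explicit `type: control-group` set three lines above on the parent. Suggest writing each reference as `- id: aws_nist_800_53_rev_5_ac_3_1` / `  type: control-group`, or dropping the key entirely on references when the type is resolved from the referenced file. The same pattern appears in the ac_3_12, ac_3_15 and ac_3_3 framework files further down this diff.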
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml index 956f8de3f..575d40a27 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml @@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_1 - title: AC-3(1) Restricted Access To Privileged Functions - description: "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled +id: aws_nist_800_53_rev_5_ac_3_1 +title: AC-3(1) Restricted Access To Privileged Functions +description: "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled 
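Review bot: The description and control list under `title: AC-3(1) Restricted Access To Privileged Functions` duplicate the AC-3(10) file almost verbatim ("Employ an audited override of automated access control mechanisms …" plus the same seven CloudTrail/RDS/Redshift/S3 logging controls), which does not describe restricting access to privileged functions and looks copied from the AC-3(10) entry. The commit only hoists these lines to the top level, but since it rewrites every line of the file this is the moment to confirm the description against the Rev 5 control text; I believe AC-3(1) is marked withdrawn in Rev 5, which is worth verifying before keeping a live mapping for it. If the shared mapping is intentional, a one-line `# Mapping intentionally mirrors AC-3(10); see <REFERENCE>` comment above `controls:` would stop the next reader from flagging it.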
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml index 3c78be82c..f71a0c50c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml @@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_10 - title: AC-3(10) Audited Override Of Access Control Mechanisms - description: "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled +id: aws_nist_800_53_rev_5_ac_3_10 +title: AC-3(10) Audited Override Of Access Control Mechanisms +description: "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml index 4cb940cf8..475492d5b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml @@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_ac_3_12 +title: AC-3(12) Assert And Enforce Application Access +description: "a.\u2003Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b.\u2003Provide an enforcement mechanism to prevent unauthorized access; and c.\u2003Approve access changes after initial installation of the application." +section-code: "12" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_3_12 - title: AC-3(12) Assert And Enforce Application Access - description: "a.\u2003Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b.\u2003Provide an enforcement mechanism to prevent unauthorized access; and c.\u2003Approve access changes after initial installation of the application." - section-code: "12" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_3_12_a - - id: aws_nist_800_53_rev_5_ac_3_12_b +- id: aws_nist_800_53_rev_5_ac_3_12_a + type: "" +- id: aws_nist_800_53_rev_5_ac_3_12_b + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml index dd6d7d918..64b17eaa3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_12_a - title: AC-3(12)(a) - description: "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_12_a +title: AC-3(12)(a) +description: "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]." 
+section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml index 818fe247f..e7464d908 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_12_b - title: AC-3(12)(b) - description: Provide an enforcement mechanism to prevent unauthorized access; - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ac_3_12_b +title: AC-3(12)(b) +description: Provide an enforcement mechanism to prevent unauthorized access; +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml index be115e0cb..be92e67e6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_13 - title: AC-3(13) Attribute-Based Access Control - description: "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]." - section-code: "13" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_13 +title: AC-3(13) Attribute-Based Access Control +description: "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]." 
+section-code: "13" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml index f26a3d617..d5439bd6d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_ac_3_15 +title: AC-3(15) Discretionary And Mandatory Access Control +description: "a.\u2003Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b.\u2003Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." +section-code: "15" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_3_15 - title: AC-3(15) Discretionary And Mandatory Access Control - description: "a.\u2003Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b.\u2003Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." - section-code: "15" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_3_15_a - - id: aws_nist_800_53_rev_5_ac_3_15_b +- id: aws_nist_800_53_rev_5_ac_3_15_a + type: "" +- id: aws_nist_800_53_rev_5_ac_3_15_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml index 644df64fa..abac8f325 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_15_a - title: AC-3(15)(a) - description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_15_a +title: AC-3(15)(a) +description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy." 
+section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml index 2a7f31012..92e3a7b14 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_15_b - title: AC-3(15)(b) - description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_15_b +title: AC-3(15)(b) +description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." 
+section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml index 57edad387..484f33627 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_2 - title: AC-3(2) Dual Authorization - description: "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_53_rev_5_ac_3_2 +title: AC-3(2) Dual Authorization +description: "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml index b481d9dda..8a9080e2c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml 
@@ -1,41 +1,48 @@ +id: aws_nist_800_53_rev_5_ac_3_3 +title: AC-3(3) Mandatory Access Control +description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_3_3 - title: AC-3(3) Mandatory Access Control - description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." 
- section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_3_3_a - - id: aws_nist_800_53_rev_5_ac_3_3_b_1 - - id: aws_nist_800_53_rev_5_ac_3_3_b_2 - - id: aws_nist_800_53_rev_5_ac_3_3_b_3 - - id: aws_nist_800_53_rev_5_ac_3_3_b_4 - - id: aws_nist_800_53_rev_5_ac_3_3_b_5 - - id: aws_nist_800_53_rev_5_ac_3_3_c - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +- id: aws_nist_800_53_rev_5_ac_3_3_a + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_b_1 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_b_2 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_b_3 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_b_4 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_b_5 + type: "" +- id: aws_nist_800_53_rev_5_ac_3_3_c + type: "" +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- 
aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml index e47cce8b0..7d0baefd9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_3_a - title: AC-3(3)(a) - description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_3_a +title: AC-3(3)(a) +description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system." 
+section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml index 0cb12496c..d9083014b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml 
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_b_1
- title: AC-3(3)(b)(1)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects."
- section-code: b_1
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_b_1
+title: AC-3(3)(b)(1)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects."
+section-code: b_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml
index c2f9517ff..a14bfe461 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_b_2
- title: AC-3(3)(b)(2)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects."
- section-code: b_2
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_b_2
+title: AC-3(3)(b)(2)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects."
+section-code: b_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml
index fb979d96f..9c11e08de 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_b_3
- title: AC-3(3)(b)(3)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components."
- section-code: b_3
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_b_3
+title: AC-3(3)(b)(3)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components."
+section-code: b_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml
index 553fc731f..4c7fcc5d5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_b_4
- title: AC-3(3)(b)(4)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects."
- section-code: b_4
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_b_4
+title: AC-3(3)(b)(4)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects."
+section-code: b_4
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml
index 1407d0db6..b057157e6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_b_5
- title: AC-3(3)(b)(5)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access."
- section-code: b_5
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_b_5
+title: AC-3(3)(b)(5)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access."
+section-code: b_5
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
index c921a1061..fb812ec2d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_3_c
- title: AC-3(3)(c)
- description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints."
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_3_c
+title: AC-3(3)(c)
+description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
index d5e00c4c9..e857ba729 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
@@ -1,39 +1,44 @@
+id: aws_nist_800_53_rev_5_ac_3_4
+title: AC-3(4) Discretionary Access Control
+description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_3_4
- title: AC-3(4) Discretionary Access Control
- description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_3_4_a
- - id: aws_nist_800_53_rev_5_ac_3_4_b
- - id: aws_nist_800_53_rev_5_ac_3_4_c
- - id: aws_nist_800_53_rev_5_ac_3_4_d
- - id: aws_nist_800_53_rev_5_ac_3_4_e
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+- id: aws_nist_800_53_rev_5_ac_3_4_a
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_3_4_b
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_3_4_c
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_3_4_d
+ type: ""
+- id: aws_nist_800_53_rev_5_ac_3_4_e
+ type: ""
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
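Review bot: The five child references added under `control-group:` carry `type: ""` while the document itself now declares `type: control-group`; an empty string is neither the child's real type nor an absent key, so a loader will either treat it as a distinct (empty) type or silently ignore it, and which one happens is not visible from this diff. If the children are control groups like their parent, write `type: control-group` on each entry; if the loader resolves the type from the referenced file, drop the key rather than stub it. None of the sibling files in this diff (ac_3_3_a through ac_3_4_e) nest child references, so this hunk is the only place where that convention is decided.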
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
index 1441cffbf..438efde9c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_4_a
- title: AC-3(4)(a)
- description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_4_a
+title: AC-3(4)(a)
+description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
index 8dc1af1ab..819e66604 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_4_b
- title: AC-3(4)(b)
- description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_secretsmanager_secret_unused_90_day
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_iam_user_unused_credentials_90
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_access_key_age_90
- - aws_iam_root_user_no_access_keys
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_policy_no_star_star
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_account_password_policy_min_length_14
- - aws_ec2_instance_uses_imdsv2
+id: aws_nist_800_53_rev_5_ac_3_4_b
+title: AC-3(4)(b)
+description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_secretsmanager_secret_unused_90_day
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_iam_user_unused_credentials_90
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_access_key_age_90
+- aws_iam_root_user_no_access_keys
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_policy_no_star_star
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_account_password_policy_min_length_14
+- aws_ec2_instance_uses_imdsv2
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
index b5072463b..c7eaf3663 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
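Review bot: The `controls:` list in this file is kept in the reverse order of its siblings ac_3_4_a, ac_3_4_c, ac_3_4_d and ac_3_4_e, which all begin with `aws_ec2_instance_uses_imdsv2` and end with `aws_secretsmanager_secret_unused_90_day`; here the same sixteen ids run from `aws_secretsmanager_secret_unused_90_day` down to `aws_ec2_instance_uses_imdsv2`. Since the commit already rewrites every line of this list, emitting it in the shared order would let the sibling files diff cleanly against each other and make a missing or extra control visible at a glance. The set of controls is identical either way, so this is ordering only.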
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_4_c
- title: AC-3(4)(c)
- description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components."
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_4_c
+title: AC-3(4)(c)
+description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
index a8446951b..75a0fc8cd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_3_4_d
- title: AC-3(4)(d)
- description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects."
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_ac_3_4_d
+title: AC-3(4)(d)
+description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
index 82417c089..ce018a584 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_4_e - title: AC-3(4)(e) - description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access." - section-code: e - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_4_e +title: AC-3(4)(e) +description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access." 
+section-code: e +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml index 6f78582a3..4f61a46b0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml 
@@ -1,41 +1,41 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_7 - title: AC-3(7) Role-Based Access Control - description: "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]." - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_s3_bucket_restrict_public_read_access - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_ac_3_7 +title: AC-3(7) Role-Based Access Control +description: "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]." 
+section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_s3_bucket_restrict_public_read_access +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml index d4f146cdf..164d9f409 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_3_8 - title: AC-3(8) Revocation Of Access Authorizations - description: "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]." - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_3_8 +title: AC-3(8) Revocation Of Access Authorizations +description: "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]." 
+section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml index 85a05a163..372ca8c78 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml 
@@ -1,29 +1,33 @@ +id: aws_nist_800_53_rev_5_ac_4 +title: Information Flow Enforcement (AC-4) +description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_4 - title: Information Flow Enforcement (AC-4) - description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_4_21 - - id: aws_nist_800_53_rev_5_ac_4_22 - - id: aws_nist_800_53_rev_5_ac_4_26 - - id: aws_nist_800_53_rev_5_ac_4_28 - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +- id: aws_nist_800_53_rev_5_ac_4_21 + type: "" +- id: aws_nist_800_53_rev_5_ac_4_22 + type: "" +- id: aws_nist_800_53_rev_5_ac_4_26 + type: "" +- id: aws_nist_800_53_rev_5_ac_4_28 + type: "" +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl 
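Review bot: The child references under `control-group` on the new side are written with `type: ""`, while every referenced file declares `type: control-group` for itself, so parent and child disagree about the child's kind. If the loader uses this field to resolve or filter children, the four sub-groups (AC-4(21), (22), (26), (28)) would drop out of the benchmark silently and their network-exposure and logging controls would never be evaluated, which a report would not surface as a failure. The empty string looks like a serializer default from a struct field without an omit-empty option rather than an intended value. Either emit `type: control-group` for each entry or drop the key from references and let the child file's own declaration stand. The same pattern appears in the AC-5, AC-6 and AC-7 hunks below.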
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml index f9e006fbb..9be108bb0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml 
@@ -1,42 +1,42 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_4_21 - title: AC-4(21) Physical Or Logical Separation Of Infomation Flows - description: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." - section-code: "21" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_elb_application_lb_waf_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_ac_4_21 +title: AC-4(21) Physical Or Logical Separation Of Infomation Flows +description: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required 
separations by types of information]." +section-code: "21" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_use_waf_web_acl +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_elb_application_lb_waf_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_enhanced_vpc_routing_enabled +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml index 11ab2387f..198c7bc3a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml 
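Review bot: The title on the new side still carries the typo `Infomation`; the NIST heading is `title: AC-4(21) Physical Or Logical Separation Of Information Flows`, and since the commit rewrites every line of this file it is the natural place to correct it. The title appears to be display text only, so a consumer keying on `id` would presumably be unaffected by the change.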
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_4_22 - title: AC-4(22) Access Only - description: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. - section-code: "22" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_nist_800_53_rev_5_ac_4_22 +title: AC-4(22) Access Only +description: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. +section-code: "22" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml index 6b88d0086..006cfdf02 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml @@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_4_26 - title: AC-4(26) Audit Filtering Actions - description: When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. - section-code: "26" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_ac_4_26 +title: AC-4(26) Audit Filtering Actions +description: When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. +section-code: "26" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml index 417cc0203..b441a0672 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml 
@@ -1,33 +1,33 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_4_28 - title: AC-4(28) Linear Filter Pipelines - description: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. - section-code: "28" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_ac_4_28 +title: AC-4(28) Linear Filter Pipelines +description: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. 
+section-code: "28" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_uses_imdsv2 +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml index bf518d1d3..52c0c7dae 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ac_5 +title: Separation Of Duties (AC-5) +description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_5 - title: Separation Of Duties (AC-5) - description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations. - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_5_b +- id: aws_nist_800_53_rev_5_ac_5_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml index a5f477535..165e3871f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_5_b - title: AC-5(b) - description: Define system access authorizations to support separation of duties. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ecs_task_definition_user_for_host_mode_check - - aws_iam_all_policy_no_service_wild_card - - aws_iam_policy_no_star_star +id: aws_nist_800_53_rev_5_ac_5_b +title: AC-5(b) +description: Define system access authorizations to support separation of duties. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ecs_task_definition_user_for_host_mode_check +- aws_iam_all_policy_no_service_wild_card +- aws_iam_policy_no_star_star diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml index 71391c571..37724c761 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml 
@@ -1,46 +1,50 @@ +id: aws_nist_800_53_rev_5_ac_6 +title: Least Privilege (AC-6) +description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ac_6 - title: Least Privilege (AC-6) - description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ac_6_2 - - id: aws_nist_800_53_rev_5_ac_6_3 - - id: aws_nist_800_53_rev_5_ac_6_9 - - id: aws_nist_800_53_rev_5_ac_6_10 - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - 
aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +- id: aws_nist_800_53_rev_5_ac_6_2 + type: "" +- id: aws_nist_800_53_rev_5_ac_6_3 + type: "" +- id: aws_nist_800_53_rev_5_ac_6_9 + type: "" +- id: aws_nist_800_53_rev_5_ac_6_10 + type: "" +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml index 1c22aa338..e9c8b23ef 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_6_10 - title: AC-6(10) - description: Prevent non-privileged users from executing privileged functions. - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_all_policy_no_service_wild_card - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ac_6_10 +title: AC-6(10) +description: Prevent non-privileged users from executing privileged functions. +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_all_policy_no_service_wild_card +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml index efa8587d1..b3e6c86f5 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_6_2 - title: AC-6(2) - description: "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_all_policy_no_service_wild_card - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ac_6_2 +title: AC-6(2) +description: "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_all_policy_no_service_wild_card +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml index 36be8fd81..a2fde635e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ac_6_3 - title: AC-6(3) - description: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies +id: aws_nist_800_53_rev_5_ac_6_3 +title: AC-6(3) +description: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml index bd6b2e8af..41e493bf6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml 
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_6_9
- title: AC-6(9)
- description: Log the execution of privileged functions.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_nist_800_53_rev_5_ac_6_9
+title: AC-6(9)
+description: Log the execution of privileged functions.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
index b80741016..b005b9154 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ac_7
+title: Unsuccessful Logon Attempts (AC-7)
+description: "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b.\u2003Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded."
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_7
- title: Unsuccessful Logon Attempts (AC-7)
- description: "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b.\u2003Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded."
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_7_4
+- id: aws_nist_800_53_rev_5_ac_7_4
+ type: ""
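Review bot: The child reference added at the end of this hunk, `- id: aws_nist_800_53_rev_5_ac_7_4` followed by `type: ""`, carries an empty type while the top-level record is given `type: control-group`; if the loader dispatches on `type`, an empty string is neither `control` nor `control-group`, and the nested group (which holds the MFA and password-policy checks) could be silently skipped, leaving the benchmark reporting clean with fewer checks evaluated. The empty value looks like a serialized zero-value rather than an intentional marker, so I would either drop the key on references or write `type: control-group` explicitly. The same `type: ""` pattern appears in the ac_7_4, au, au_11, au_12 and au_14 hunks below. Whether the loader tolerates the empty value is not visible from the diff, so this is worth confirming against the schema before merging.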
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
index d4ab0438f..ea4c8249e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
@@ -1,24 +1,25 @@
+id: aws_nist_800_53_rev_5_ac_7_4
+title: AC-7(4) Use Of Alternate Authentication Factor
+description: "a.\u2003Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b.\u2003Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ac_7_4
- title: AC-7(4) Use Of Alternate Authentication Factor
- description: "a.\u2003Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b.\u2003Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ac_7_4_a
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+- id: aws_nist_800_53_rev_5_ac_7_4_a
+ type: ""
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
index 00215e824..705fb7a35 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_53_rev_5_ac_7_4_a
- title: AC-7(4)(a)
- description: "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_nist_800_53_rev_5_ac_7_4_a
+title: AC-7(4)(a)
+description: "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
index ef2ff7cf5..5bc7cd38f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
@@ -1,29 +1,41 @@
+id: aws_nist_800_53_rev_5_au
+title: Audit and Accountability (AU)
+description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+section-code: au
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au
- title: Audit and Accountability (AU)
- description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
- section-code: au
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_2
- - id: aws_nist_800_53_rev_5_au_3
- - id: aws_nist_800_53_rev_5_au_4
- - id: aws_nist_800_53_rev_5_au_6
- - id: aws_nist_800_53_rev_5_au_7
- - id: aws_nist_800_53_rev_5_au_8
- - id: aws_nist_800_53_rev_5_au_9
- - id: aws_nist_800_53_rev_5_au_10
- - id: aws_nist_800_53_rev_5_au_11
- - id: aws_nist_800_53_rev_5_au_12
- - id: aws_nist_800_53_rev_5_au_14
- - id: aws_nist_800_53_rev_5_au_16
+- id: aws_nist_800_53_rev_5_au_2
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3
+ type: ""
+- id: aws_nist_800_53_rev_5_au_4
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6
+ type: ""
+- id: aws_nist_800_53_rev_5_au_7
+ type: ""
+- id: aws_nist_800_53_rev_5_au_8
+ type: ""
+- id: aws_nist_800_53_rev_5_au_9
+ type: ""
+- id: aws_nist_800_53_rev_5_au_10
+ type: ""
+- id: aws_nist_800_53_rev_5_au_11
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12
+ type: ""
+- id: aws_nist_800_53_rev_5_au_14
+ type: ""
+- id: aws_nist_800_53_rev_5_au_16
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
index f10478de5..ad69c6b94 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_10
- title: Non-Repudiation (AU-10)
- description: "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]."
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_10
+title: Non-Repudiation (AU-10)
+description: "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]."
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
index 29668dacd..e507add9b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
@@ -1,20 +1,21 @@
+id: aws_nist_800_53_rev_5_au_11
+title: Audit Record Retention (AU-11)
+description: "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_11
- title: Audit Record Retention (AU-11)
- description: "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
- section-code: "11"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_11_1
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+- id: aws_nist_800_53_rev_5_au_11_1
+ type: ""
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
index c44e7675f..e9800b373 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_11_1
- title: AU-11(1) Long-Term Retrieval Capability
- description: "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_nist_800_53_rev_5_au_11_1
+title: AU-11(1) Long-Term Retrieval Capability
+description: "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
index 0ff41cc8f..caffc61de 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
@@ -1,23 +1,29 @@
+id: aws_nist_800_53_rev_5_au_12
+title: Audit Record Generation (AU-12)
+description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_12
- title: Audit Record Generation (AU-12)
- description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_12_1
- - id: aws_nist_800_53_rev_5_au_12_2
- - id: aws_nist_800_53_rev_5_au_12_3
- - id: aws_nist_800_53_rev_5_au_12_4
- - id: aws_nist_800_53_rev_5_au_12_a
- - id: aws_nist_800_53_rev_5_au_12_c
+- id: aws_nist_800_53_rev_5_au_12_1
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12_2
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12_3
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12_4
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12_a
+ type: ""
+- id: aws_nist_800_53_rev_5_au_12_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
index d819f9373..ad4f2e219 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_1
- title: AU-12(1) System-Wide And Time-Correlated Audit Trial
- description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_1
+title: AU-12(1) System-Wide And Time-Correlated Audit Trial
+description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
index a946b7ce0..b0be2a8e9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
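Review bot: The title carried onto the new side of this hunk, `title: AU-12(1) System-Wide And Time-Correlated Audit Trial`, misspells the enhancement name; the control is about an audit trail, as the description on the next line (`audit trail`) itself says, so the line should read `title: AU-12(1) System-Wide And Time-Correlated Audit Trail`. The typo predates this change, but since the reshuffle rewrites every line of the file anyway, it is a cheap fix to fold in rather than ship a misnamed control in the benchmark output.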
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_2
- title: AU-12(2) Standardized Formats
- description: Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_2
+title: AU-12(2) Standardized Formats
+description: Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
index 67b6b1d3e..1fdf9cd24 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_3
- title: AU-12(3) Changes By Authorized Individuals
- description: "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_3
+title: AU-12(3) Changes By Authorized Individuals
+description: "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
index 591771549..48dd1f90e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_4
- title: AU-12(4) Query Parameter Audits Of Personally Identifiable Information
- description: Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_4
+title: AU-12(4) Query Parameter Audits Of Personally Identifiable Information
+description: Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
index cd33083a5..b797652f0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_a
- title: AU-12(a)
- description: "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_a
+title: AU-12(a)
+description: "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
index 4a0c5f802..2bb5cbb37 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_12_c
- title: AU-12(c)
- description: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_12_c
+title: AU-12(c)
+description: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
index 8206d1926..59702ac33 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_5_au_14
+title: Session Audit (AU-14)
+description: Capture, record and log user sessions. Remotely view all content related to a user session that starts at system start-up.
+section-code: "14"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_14
- title: Session Audit (AU-14)
- description: Capture, record and log user sessions. Remotely view all content related to a user session that starts at system start-up.
- section-code: "14"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_14_3
- - id: aws_nist_800_53_rev_5_au_14_a
- - id: aws_nist_800_53_rev_5_au_14_b
+- id: aws_nist_800_53_rev_5_au_14_3
+ type: ""
+- id: aws_nist_800_53_rev_5_au_14_a
+ type: ""
+- id: aws_nist_800_53_rev_5_au_14_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
index 17ef9f107..95da52499 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_14_3
- title: AU-14(3) Remote Viewing And Listening
- description: Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_14_3
+title: AU-14(3) Remote Viewing And Listening
+description: Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
index ddb0d3934..56a637ee0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_14_a
- title: AU-14(a)
- description: "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_14_a
+title: AU-14(a)
+description: "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
index 07a033f95..ea38464f7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_14_b
- title: AU-14(b)
- description: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_14_b
+title: AU-14(b)
+description: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml
index ea17454ff..905ef50ad 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_16
- title: Cross-Organizational Audit Logging (AU-16)
- description: "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries."
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
+id: aws_nist_800_53_rev_5_au_16
+title: Cross-Organizational Audit Logging (AU-16)
+description: "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries."
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml
index 9a811842f..ce8a1aa23 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_au_2
+title: Event Logging (AU-2)
+description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_2
- title: Event Logging (AU-2)
- description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_2_b
+- id: aws_nist_800_53_rev_5_au_2_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml
index a7961e556..b96d37662 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_2_b
- title: AU-2(b)
- description: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_2_b
+title: AU-2(b)
+description: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml
index c0e1abd85..52c471c83 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml
@@ -1,24 +1,31 @@
+id: aws_nist_800_53_rev_5_au_3
+title: Content of Audit Records (AU-3)
+description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_3
- title: Content of Audit Records (AU-3)
- description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_3_1
- - id: aws_nist_800_53_rev_5_au_3_a
- - id: aws_nist_800_53_rev_5_au_3_b
- - id: aws_nist_800_53_rev_5_au_3_c
- - id: aws_nist_800_53_rev_5_au_3_d
- - id: aws_nist_800_53_rev_5_au_3_e
- - id: aws_nist_800_53_rev_5_au_3_f
+- id: aws_nist_800_53_rev_5_au_3_1
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_a
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_b
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_c
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_d
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_e
+ type: ""
+- id: aws_nist_800_53_rev_5_au_3_f
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml
index 7db405344..ca33b40cb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_1
- title: AU-3(1) Additional Audit Information
- description: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_au_3_1
+title: AU-3(1) Additional Audit Information
+description: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml
index 0db79d520..1d894e03b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_a
- title: AU-3(a)
- description: "Ensure that audit records contain information that establishes the following: a. What type of event occurred."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_a
+title: AU-3(a)
+description: "Ensure that audit records contain information that establishes the following: a. What type of event occurred."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml
index ece54b01e..e969d1d5f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_b
- title: AU-3(b)
- description: "Ensure that audit records contain information that establishes the following: b. When the event occurred."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_b
+title: AU-3(b)
+description: "Ensure that audit records contain information that establishes the following: b. When the event occurred."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml
index 52986ee2a..b9224269f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_c
- title: AU-3(c)
- description: "Ensure that audit records contain information that establishes the following: c. Where the event occurred."
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_c
+title: AU-3(c)
+description: "Ensure that audit records contain information that establishes the following: c. Where the event occurred."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml
index 2747d3c01..5b9759890 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_d
- title: AU-3(d)
- description: "Ensure that audit records contain information that establishes the following: d. Source of the event."
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_d
+title: AU-3(d)
+description: "Ensure that audit records contain information that establishes the following: d. Source of the event."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml
index f3a0edbad..ac4f4821c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_e
- title: AU-3(e)
- description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
- section-code: e
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_e
+title: AU-3(e)
+description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
+section-code: e
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml
index 278d1e86d..157a35609 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml
@@ -1,27 +1,27 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_3_f
- title: AU-3(f)
- description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
- section-code: f
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_3_f
+title: AU-3(f)
+description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
+section-code: f
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml
index c3fa67b8e..5ff62500e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml
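Review bot: The rewritten AU-3(f) file keeps the description `e. Outcome of the event.`, which is the AU-3(e) text carried over from the old file and contradicts the `title: AU-3(f)` and `section-code: f` on the same side. The parent AU-3 description in this diff lists the sixth element as the identity of any individuals or subjects associated with the event, so the line should read `description: "Ensure that audit records contain information that establishes the following: f. Identity of any individuals or subjects associated with the event."`. This hunk's controls list also omits `aws_vpc_flow_logs_enabled`, which AU-3(a) through AU-3(e) all include; whether that omission is deliberate is not visible here and is worth confirming, since a mapping gap here silently narrows what the benchmark evaluates for item f.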
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_au_4
+title: Audit Log Stprage Capacity (AU-4)
+description: "Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_4
- title: Audit Log Stprage Capacity (AU-4)
- description: "Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_4_1
+- id: aws_nist_800_53_rev_5_au_4_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml
index b716376f4..b6d88b9fe 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml
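Review bot: The new-side title carries over the typo `Audit Log Stprage Capacity (AU-4)`; since this commit rewrites the whole file, the line should become `title: Audit Log Storage Capacity (AU-4)`. The description directly below it spells the word correctly, so the mismatch is confined to the title that shows up in reports.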
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_4_1
- title: AU-4(1) Transfer To Alternate Storage
- description: "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
+id: aws_nist_800_53_rev_5_au_4_1
+title: AU-4(1) Transfer To Alternate Storage
+description: "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml
index dc64158a3..654a097c4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml
@@ -1,23 +1,29 @@
+id: aws_nist_800_53_rev_5_au_6
+title: Audit Record Review, Analysis And Reporting (AU-6)
+description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_6
- title: Audit Record Review, Analysis And Reporting (AU-6)
- description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_6_1
- - id: aws_nist_800_53_rev_5_au_6_3
- - id: aws_nist_800_53_rev_5_au_6_4
- - id: aws_nist_800_53_rev_5_au_6_5
- - id: aws_nist_800_53_rev_5_au_6_6
- - id: aws_nist_800_53_rev_5_au_6_9
+- id: aws_nist_800_53_rev_5_au_6_1
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6_3
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6_4
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6_5
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6_6
+ type: ""
+- id: aws_nist_800_53_rev_5_au_6_9
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml
index 810e51be2..df2e0ad65 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_1
- title: AU-6(1) Automated Process Integration
- description: "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_5_au_6_1
+title: AU-6(1) Automated Process Integration
+description: "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml
index 8ba020bc6..df0cf9184 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_3
- title: AU-6(3) Correlate Audit Record Repositories
- description: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_6_3
+title: AU-6(3) Correlate Audit Record Repositories
+description: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
index 6a8c1acc6..828eabb59 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_4
- title: AU-6(4) Central Review And Analysis
- description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_6_4
+title: AU-6(4) Central Review And Analysis
+description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
index 3dfaceff8..e22a4b8fd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_5
- title: AU-6(5) Central Review And Analysis
- description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_5_au_6_5
+title: AU-6(5) Central Review And Analysis
+description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_guardduty_enabled
+- aws_securityhub_enabled
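Review bot: The retained `title: AU-6(5) Central Review And Analysis` is identical to the title of AU-6(4) in the previous file, while the description on the next line is the text of the NIST SP 800-53 Rev. 5 AU-6(5) enhancement, which the standard names "Integrated Analysis of Audit Records"; two groups with the same title but different control lists are hard to tell apart in generated reports. Suggest `title: AU-6(5) Integrated Analysis Of Audit Records`, keeping this file's Title Case convention.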
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
index ce9088764..71ae8ad21 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_6
- title: AU-6(6) Correletion With Physical Monitoring
- description: Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_6_6
+title: AU-6(6) Correletion With Physical Monitoring
+description: Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
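Review bot: The title carried over onto the new side, `AU-6(6) Correletion With Physical Monitoring`, misspells "Correlation"; since the commit already rewrites every line of this file, it is a cheap moment to fix it with `title: AU-6(6) Correlation With Physical Monitoring`. The aws_nist_800_53_rev_5_au_6_9 hunk has the same misspelling plus a stray word in `AU-6(9) Correletion With From Nontechnical Sources`; the Rev. 5 enhancement is named "Correlation with Information from Nontechnical Sources", so `title: AU-6(9) Correlation With Information From Nontechnical Sources` would match both the standard and this file's Title Case convention.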
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
index 3af6db352..182bcb668 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_6_9
- title: AU-6(9) Correletion With From Nontechnical Sources
- description: Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_6_9
+title: AU-6(9) Correletion With From Nontechnical Sources
+description: Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
index 74eb00df8..63f3c559e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_au_7
+title: Audit Record Reduction And Report Generation (AU-7)
+description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_7
- title: Audit Record Reduction And Report Generation (AU-7)
- description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_7_1
+- id: aws_nist_800_53_rev_5_au_7_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
index 2b93970e6..a7693ab91 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_7_1
- title: AU-7(1) Automatic Processing
- description: "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
+id: aws_nist_800_53_rev_5_au_7_1
+title: AU-7(1) Automatic Processing
+description: "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
index 25b40f98c..b04545224 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_au_8
+title: Time Stamps (AU-8)
+description: Use internal system clocks to generate time stamps for audit records.
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_8
- title: Time Stamps (AU-8)
- description: Use internal system clocks to generate time stamps for audit records.
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_8_b
+- id: aws_nist_800_53_rev_5_au_8_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
index 76ab83404..d5cf79ad6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_8_b
- title: AU-8(b)
- description: "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_au_8_b
+title: AU-8(b)
+description: "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
index ac5002582..f655d6eda 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
@@ -1,21 +1,25 @@
+id: aws_nist_800_53_rev_5_au_9
+title: Protection of Audit Information (AU-9)
+description: Protect audit information & tools from unauthorized access, modification & deletion.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_au_9
- title: Protection of Audit Information (AU-9)
- description: Protect audit information & tools from unauthorized access, modification & deletion.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_au_9_2
- - id: aws_nist_800_53_rev_5_au_9_3
- - id: aws_nist_800_53_rev_5_au_9_7
- - id: aws_nist_800_53_rev_5_au_9_a
+- id: aws_nist_800_53_rev_5_au_9_2
+ type: ""
+- id: aws_nist_800_53_rev_5_au_9_3
+ type: ""
+- id: aws_nist_800_53_rev_5_au_9_7
+ type: ""
+- id: aws_nist_800_53_rev_5_au_9_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
index 7f744f9f4..650918192 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_9_2
- title: AU-9(2) Store On Separate Physical Systems Or Components
- description: "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
- controls:
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_nist_800_53_rev_5_au_9_2
+title: AU-9(2) Store On Separate Physical Systems Or Components
+description: "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+controls:
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
index 069a16334..608a0e7fd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_9_3
- title: AU-9(3) Cryptographic Protection
- description: Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_5_au_9_3
+title: AU-9(3) Cryptographic Protection
+description: Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_volume_encryption_at_rest_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
index b89ab3616..1e3fcfbb0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
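Review bot: The control list kept under `controls:` for AU-9(3) consists almost entirely of encryption-at-rest and TLS checks, which address confidentiality, while the `description:` earlier in the hunk scopes the enhancement to protecting the integrity of audit information and audit tools. The one control in this diff that directly checks audit-log integrity, `aws_cloudtrail_trail_validation_enabled` (mapped to AU-9(a) later in the diff), is not listed here; consider adding it, and a short comment above the list such as `# integrity of audit data is the primary goal; encryption controls are listed for defence in depth` so the mapping rationale is recorded. This is a coverage observation on the retained mapping rather than a defect in the YAML restructuring itself.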
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_9_7
- title: AU-9(7) Store On Component With Different Operation Systems
- description: Store audit information on a component running a different operating system than the system or component being audited.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
+id: aws_nist_800_53_rev_5_au_9_7
+title: AU-9(7) Store On Component With Different Operation Systems
+description: Store audit information on a component running a different operating system than the system or component being audited.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
index 38bef466b..66c3b3d7e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
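Review bot: The retained `title: AU-9(7) Store On Component With Different Operation Systems` should read "Operating Systems", as the description on the next line already does and as the Rev. 5 enhancement is named ("Store on Component with Different Operating System"); suggest `title: AU-9(7) Store On Component With Different Operating Systems`. Minor, but the file is rewritten wholesale by this commit so the fix costs nothing.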
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_au_9_a
- title: AU-9(a)
- description: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
+id: aws_nist_800_53_rev_5_au_9_a
+title: AU-9(a)
+description: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
index 2c5307882..e692f50c8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
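Review bot: AU-9(a), per the `description:` in this hunk, covers unauthorized access, modification and deletion of audit information, but the single retained entry under `controls:`, `aws_cloudtrail_trail_validation_enabled`, only detects modification after the fact and says nothing about access or deletion. Controls already referenced elsewhere in this diff cover more of that surface and could be listed here as well — for example `aws_s3_bucket_versioning_enabled` (used by AU-9(2)) against deletion of log objects, and `aws_cloudtrail_trail_logs_encrypted_with_kms_cmk` (used by AU-9(3)) against unauthorized read access. Whether the narrow mapping is intentional is not visible from the hunk, so a one-line comment above `controls:` stating the rationale would help either way.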
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_5_ca
+title: Assessment, Authorization, And Monitoring (CA)
+description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
+section-code: ca
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ca
- title: Assessment, Authorization, And Monitoring (CA)
- description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
- section-code: ca
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ca_2
- - id: aws_nist_800_53_rev_5_ca_7
- - id: aws_nist_800_53_rev_5_ca_9
+- id: aws_nist_800_53_rev_5_ca_2
+ type: ""
+- id: aws_nist_800_53_rev_5_ca_7
+ type: ""
+- id: aws_nist_800_53_rev_5_ca_9
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
index 9a62e8af9..0d0caacf8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_ca_2
+title: Control Assessments (CA-2)
+description: Assess security controls to determine effectiveness and produce security reports, documentation, and graphs.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ca_2
- title: Control Assessments (CA-2)
- description: Assess security controls to determine effectiveness and produce security reports, documentation, and graphs.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ca_2_2
- - id: aws_nist_800_53_rev_5_ca_2_d
+- id: aws_nist_800_53_rev_5_ca_2_2
+ type: ""
+- id: aws_nist_800_53_rev_5_ca_2_d
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
index 65d0db7cc..cf58a2cb7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_53_rev_5_ca_2_2
- title: CA-2(2) Specialized Assessments
- description: "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+id: aws_nist_800_53_rev_5_ca_2_2
+title: CA-2(2) Specialized Assessments
+description: "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudwatch_alarm_action_enabled
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
index 48a5c9929..e13f41b34 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ca_2_d
- title: CA-2(d)
- description: "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
+id: aws_nist_800_53_rev_5_ca_2_d
+title: CA-2(d)
+description: "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
index f14346262..2cea799df 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
@@ -1,28 +1,30 @@
+id: aws_nist_800_53_rev_5_ca_7
+title: Continuous Monitoring (CA-7)
+description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ca_7
- title: Continuous Monitoring (CA-7)
- description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ca_7_4
- - id: aws_nist_800_53_rev_5_ca_7_b
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_securityhub_enabled
+- id: aws_nist_800_53_rev_5_ca_7_4
+ type: ""
+- id: aws_nist_800_53_rev_5_ca_7_b
+ type: ""
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudwatch_alarm_action_enabled
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
index 75138f590..f0a24bd94 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ca_7_4
+title: CA-7(4) Risk Monitoring
+description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a.\u2003Effectiveness monitoring; b.\u2003Compliance monitoring; and c.\u2003Change monitoring."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ca_7_4
- title: CA-7(4) Risk Monitoring
- description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a.\u2003Effectiveness monitoring; b.\u2003Compliance monitoring; and c.\u2003Change monitoring."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ca_7_4_c
+- id: aws_nist_800_53_rev_5_ca_7_4_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
index 04c17c71c..e2a616375 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_ca_7_4_c
- title: CA-7(4)(c)
- description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring."
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_rds_db_instance_deletion_protection_enabled
+id: aws_nist_800_53_rev_5_ca_7_4_c
+title: CA-7(4)(c)
+description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring."
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_rds_db_instance_deletion_protection_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
index 4bb8ae1d9..a75c2f837 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_5_ca_7_b
- title: CA-7(b)
- description: "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_ca_7_b
+title: CA-7(b)
+description: "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_guardduty_enabled
+- aws_lambda_function_concurrent_execution_limit_configured
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
index cb65fe342..88e710f45 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_ca_9
+title: Internal System Connections (CA-9)
+description: "a.\u2003Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b.\u2003Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c.\u2003Terminate internal system connections after [Assignment: organization-defined conditions]; and d.\u2003Review [Assignment: organization-defined frequency] the continued need for each internal connection."
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ca_9
- title: Internal System Connections (CA-9)
- description: "a.\u2003Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b.\u2003Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c.\u2003Terminate internal system connections after [Assignment: organization-defined conditions]; and d.\u2003Review [Assignment: organization-defined frequency] the continued need for each internal connection."
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ca_9_b
+- id: aws_nist_800_53_rev_5_ca_9_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
index b5fdf5b43..ee0b1068f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_ca_9_b
- title: CA-9(b)
- description: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_ca_9_b
+title: CA-9(b)
+description: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
index 8c1b68c15..f67820b9b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
@@ -1,25 +1,33 @@
+id: aws_nist_800_53_rev_5_cm
+title: Configuration Management (CM)
+description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+section-code: cm
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cm
- title: Configuration Management (CM)
- description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
- section-code: cm
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cm_2
- - id: aws_nist_800_53_rev_5_cm_3
- - id: aws_nist_800_53_rev_5_cm_5
- - id: aws_nist_800_53_rev_5_cm_6
- - id: aws_nist_800_53_rev_5_cm_7
- - id: aws_nist_800_53_rev_5_cm_8
- - id: aws_nist_800_53_rev_5_cm_9
- - id: aws_nist_800_53_rev_5_cm_12
+- id: aws_nist_800_53_rev_5_cm_2
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_3
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_5
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_6
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_7
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_8
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_9
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_12
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
index 87e122c64..0f4e64e30 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_cm_12
+title: Information Location (CM-12)
+description: "a.\u2003Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b.\u2003Identify and document the users who have access to the system and system components where the information is processed and stored; and c.\u2003Document changes to the location (i.e., system or system components) where the information is processed and stored."
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cm_12
- title: Information Location (CM-12)
- description: "a.\u2003Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b.\u2003Identify and document the users who have access to the system and system components where the information is processed and stored; and c.\u2003Document changes to the location (i.e., system or system components) where the information is processed and stored."
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cm_12_b
+- id: aws_nist_800_53_rev_5_cm_12_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
index 9fe041010..2a914e09e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_12_b
- title: CM-12(b)
- description: Identify and document the users who have access to the system and system components where the information is processed and stored.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_min_length_14
+id: aws_nist_800_53_rev_5_cm_12_b
+title: CM-12(b)
+description: Identify and document the users who have access to the system and system components where the information is processed and stored.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
index a735b620b..8a9ffee93 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_5_cm_2
+title: Baseline Configuration (CM-2)
+description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cm_2
- title: Baseline Configuration (CM-2)
- description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cm_2_2
- - id: aws_nist_800_53_rev_5_cm_2_a
- - id: aws_nist_800_53_rev_5_cm_2_b
+- id: aws_nist_800_53_rev_5_cm_2_2
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_2_a
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_2_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
index 061932988..66bf312f6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_2_2
- title: CM-2(2) Automation Support For Accuracy And Currency
- description: "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
+id: aws_nist_800_53_rev_5_cm_2_2
+title: CM-2(2) Automation Support For Accuracy And Currency
+description: "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
index 31fd436c2..f84992635 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_2_a
- title: CM-2(a)
- description: Develop, document, and maintain under configuration control, a current baseline configuration of the system.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
+id: aws_nist_800_53_rev_5_cm_2_a
+title: CM-2(a)
+description: Develop, document, and maintain under configuration control, a current baseline configuration of the system.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
index 42a8632a5..07fd97d2e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
@@ -1,27 +1,30 @@
+id: aws_nist_800_53_rev_5_cm_2_b
+title: CM-2(b)
+description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cm_2_b
- title: CM-2(b)
- description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cm_2_b_1
- - id: aws_nist_800_53_rev_5_cm_2_b_2
- - id: aws_nist_800_53_rev_5_cm_2_b_3
- controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
+- id: aws_nist_800_53_rev_5_cm_2_b_1
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_2_b_2
+ type: ""
+- id: aws_nist_800_53_rev_5_cm_2_b_3
+ type: ""
+controls:
+- aws_account_part_of_organizations
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
index 33dd94253..8976e0227 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_2_b_1
- title: CM-2(b)(1)
- description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_nist_800_53_rev_5_cm_2_b_1
+title: CM-2(b)(1)
+description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
index 9e7ca5da3..da71afea2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_2_b_2
- title: CM-2(b)(2)
- description: "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_nist_800_53_rev_5_cm_2_b_2
+title: CM-2(b)(2)
+description: "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
index dbfccd984..770c97bd8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cm_2_b_3
- title: CM-2(b)(3)
- description: "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_nist_800_53_rev_5_cm_2_b_3
+title: CM-2(b)(3)
+description: "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_account_part_of_organizations
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
index 5d6bdfd97..f81340591 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
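Review bot: The new `description` line for CM-2(b)(3) reads `3 When system components are installed or upgraded.`, dropping the period after the item number that the sibling files keep (`1. [Assignment: ...]` in cm_2_b_1 and `2. When required ...` in cm_2_b_2); since the rewrite re-emits the whole line anyway, this is the moment to make it `description: "Review and update the baseline configuration of the system: 3. When system components are installed or upgraded."`. The wording is carried over unchanged from the removed side, so the inconsistency predates this commit.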
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_cm_3 +title: Configuration Change Control (CM-3) +description: The organization authorizes, documents, and controls changes to the information system. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_3 - title: Configuration Change Control (CM-3) - description: The organization authorizes, documents, and controls changes to the information system. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_3_3 - - id: aws_nist_800_53_rev_5_cm_3_a +- id: aws_nist_800_53_rev_5_cm_3_3 + type: "" +- id: aws_nist_800_53_rev_5_cm_3_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml index 1c517ebc5..16efc9819 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml 
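Review bot: The child references under `control-group:` are given `type: ""` while the node itself is typed `type: control-group`, so the new layout carries a field whose value is empty on every child entry in this hunk and likewise in the cm_5, cm_5_1, cm_6, cm_7, cm_8, cm_8_3 and cm_8_a hunks. If the loader dispatches on `type`, an empty string presumably lands in a default branch or fails validation; if it resolves the child by `id` instead, the key is dead weight that the next reader will try to interpret. Either set it to the value the referenced file declares, `- id: aws_nist_800_53_rev_5_cm_3_3` / `  type: control-group`, or drop the key from child references and let the referenced file's own `type:` be authoritative; a short comment above `control-group:` stating what `type` means on a child reference would settle it either way.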
@@ -1,23 +1,23 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_3_3 - title: CM-3(3) Automated Change Implementation - description: "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_account_part_of_organizations - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_3_3 +title: CM-3(3) Automated Change Implementation +description: "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_account_part_of_organizations +- aws_ebs_volume_unused +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml index 7f6cf1756..42ea6d363 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_3_a - title: CM-3(a) - description: Determine and document the types of changes to the system that are configuration-controlled. - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_elb_application_lb_deletion_protection_enabled - - aws_rds_db_instance_deletion_protection_enabled +id: aws_nist_800_53_rev_5_cm_3_a +title: CM-3(a) +description: Determine and document the types of changes to the system that are configuration-controlled. +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_elb_application_lb_deletion_protection_enabled +- aws_rds_db_instance_deletion_protection_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml index ea08dc2a1..d368f4d51 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_cm_5 +title: Access Restrictions For Change (CM-5) +description: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_5 - title: Access Restrictions For Change (CM-5) - description: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_5_1 +- id: aws_nist_800_53_rev_5_cm_5_1 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml index b6747c5a1..9b57f627a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_cm_5_1 +title: CM-5(1) Automated Access Enforcement And Audit Records +description: "a.\u2003Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b.\u2003Automatically generate audit records of the enforcement actions." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_5_1 - title: CM-5(1) Automated Access Enforcement And Audit Records - description: "a.\u2003Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b.\u2003Automatically generate audit records of the enforcement actions." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_5_1_a - - id: aws_nist_800_53_rev_5_cm_5_1_b +- id: aws_nist_800_53_rev_5_cm_5_1_a + type: "" +- id: aws_nist_800_53_rev_5_cm_5_1_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml index dde5c5fd8..95ce98160 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_5_1_a - title: CM-5(1)(a) - description: "Enforce access restrictions using [Assignment: organization-defined automated mechanisms]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_iam_account_password_policy_min_length_14 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day +id: aws_nist_800_53_rev_5_cm_5_1_a +title: CM-5(1)(a) +description: "Enforce access restrictions using [Assignment: organization-defined automated mechanisms]." 
+section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_uses_imdsv2 +- aws_ecs_task_definition_user_for_host_mode_check +- aws_iam_account_password_policy_min_length_14 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml index ca27c17a2..e33e5714a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml 
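Review bot: The `controls` list for this "enforce access restrictions" group includes `aws_iam_root_user_hardware_mfa_enabled` but not `aws_iam_root_user_mfa_enabled`, while the cm_6_a hunk later in this diff lists both checks side by side. If the hardware check passes only for hardware devices, a root user protected by a virtual MFA device is scored under CM-5(1)(a) exactly like one with no MFA at all; whether that stricter bar is intended here is worth confirming, and if not, adding `- aws_iam_root_user_mfa_enabled` next to the hardware entry would align this group with cm_6_a.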
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_5_1_b - title: CM-5(1)(b) - description: Automatically generate audit records of the enforcement actions. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_cm_5_1_b +title: CM-5(1)(b) +description: Automatically generate audit records of the enforcement actions. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml index b718369fd..7f0770d8f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml 
@@ -1,21 +1,22 @@ +id: aws_nist_800_53_rev_5_cm_6 +title: Configuration Settings (CM-6) +description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system." +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_6 - title: Configuration Settings (CM-6) - description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system." - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_6_a - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +- id: aws_nist_800_53_rev_5_cm_6_a + type: "" +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml index 16d5e10c2..fd053b529 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml 
@@ -1,50 +1,50 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_6_a - title: CM-6(a) - description: "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_account_part_of_organizations - - aws_autoscaling_group_with_lb_use_health_check - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_iam_profile_attached - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_kms_cmk_rotation_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_flow_logs_enabled - - aws_vpc_security_group_restrict_ingress_common_ports_all +id: aws_nist_800_53_rev_5_cm_6_a +title: CM-6(a) +description: "Establish and document 
configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_account_part_of_organizations +- aws_autoscaling_group_with_lb_use_health_check +- aws_autoscaling_launch_config_public_ip_disabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_ec2_instance_iam_profile_attached +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_kms_cmk_rotation_enabled +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_logging_enabled +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_flow_logs_enabled +- aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml index 5a5243e16..02a11c1ea 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml @@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_cm_7 +title: Least Functionality (CM-7) +description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services. +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_7 - title: Least Functionality (CM-7) - description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services. - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_7_b +- id: aws_nist_800_53_rev_5_cm_7_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml index 3b94d657c..cc2ff73d0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_7_b - title: CM-7(b) - description: "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all +id: aws_nist_800_53_rev_5_cm_7_b +title: CM-7(b) +description: "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_vpc_route_table_restrict_public_access_to_igw +- aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml index 670685a98..53b60ec70 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml 
@@ -1,23 +1,29 @@ +id: aws_nist_800_53_rev_5_cm_8 +title: System Component Inventory (CM-8) +description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_8 - title: System Component Inventory (CM-8) - description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory. - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_8_1 - - id: aws_nist_800_53_rev_5_cm_8_2 - - id: aws_nist_800_53_rev_5_cm_8_3 - - id: aws_nist_800_53_rev_5_cm_8_6 - - id: aws_nist_800_53_rev_5_cm_8_a - - id: aws_nist_800_53_rev_5_cm_8_b +- id: aws_nist_800_53_rev_5_cm_8_1 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_2 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_3 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_6 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_a + type: "" +- id: aws_nist_800_53_rev_5_cm_8_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml index 96e42b69d..2b1e7e7d2 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_1 - title: CM-8(1) Updates During Installation And Removals - description: Update the inventory of system components as part of component installations, removals, and system updates. - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_1 +title: CM-8(1) Updates During Installation And Removals +description: Update the inventory of system components as part of component installations, removals, and system updates. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml index 4e2b5bcb0..725b1b8e9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_2 - title: CM-8(2) Automated Maintenance - description: "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed +id: aws_nist_800_53_rev_5_cm_8_2 +title: CM-8(2) Automated Maintenance +description: "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml index d071e34fa..fa38d5121 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_cm_8_3 +title: CM-8(3) Automated Unauthorized Component Detection +description: "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_8_3 - title: CM-8(3) Automated Unauthorized Component Detection - description: "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_8_3_a +- id: aws_nist_800_53_rev_5_cm_8_3_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml index 89e2ce5ed..f16d2249c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_3_a - title: CM-8(3)(a) - description: "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_nist_800_53_rev_5_cm_8_3_a +title: CM-8(3)(a) +description: "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_guardduty_enabled +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml index f142becb7..8e1fc381f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml 
@@ -1,23 +1,23 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_6 - title: CM-8(6) Assessed Configurations And Approved Deviations - description: Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_common_ports_all +id: aws_nist_800_53_rev_5_cm_8_6 +title: CM-8(6) Assessed Configurations And Approved Deviations +description: Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ebs_volume_unused +- aws_ec2_instance_ssm_managed +- aws_ec2_stopped_instance_30_days +- aws_elb_application_lb_deletion_protection_enabled +- aws_ssm_managed_instance_compliance_association_compliant +- aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml index 9d81c054d..15098e1a6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml 
@@ -1,25 +1,30 @@ +id: aws_nist_800_53_rev_5_cm_8_a +title: CM-8(a) +description: "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_8_a - title: CM-8(a) - description: "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]." 
- section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_8_a_1 - - id: aws_nist_800_53_rev_5_cm_8_a_2 - - id: aws_nist_800_53_rev_5_cm_8_a_3 - - id: aws_nist_800_53_rev_5_cm_8_a_4 - - id: aws_nist_800_53_rev_5_cm_8_a_5 - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +- id: aws_nist_800_53_rev_5_cm_8_a_1 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_a_2 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_a_3 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_a_4 + type: "" +- id: aws_nist_800_53_rev_5_cm_8_a_5 + type: "" +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml index 3a45b2e01..f44267e73 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml 
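Review bot: The child references added under `control-group:` carry `type: ""` while the parent header in the same hunk sets `type: control-group`; an empty type on a reference is inconsistent and, if the loader dispatches on `type`, may be treated as unknown and silently skip the child, which would quietly drop the CM-8(a)(1)–(5) sub-groups from the benchmark and make coverage look better than it is. Either omit `type` on references or set it explicitly, e.g. `- id: aws_nist_800_53_rev_5_cm_8_a_1` / `  type: control-group`. The same `type: ""` appears in the cm_9, cp, cp_1, cp_10 and cp_1_a hunks below. If these files are emitted by a serializer, the fix is better placed there (skip the empty field) than hand-edited in each file.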
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_a_1 - title: CM-8(a)(1) - description: "Develop and document an inventory of system components that: 1. Accurately reflects the system." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_a_1 +title: CM-8(a)(1) +description: "Develop and document an inventory of system components that: 1. Accurately reflects the system." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml index b4457db9b..e9748870e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_a_2 - title: CM-8(a)(2) - description: "Develop and document an inventory of system components that: 2. Includes all components within the system." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_a_2 +title: CM-8(a)(2) +description: "Develop and document an inventory of system components that: 2. Includes all components within the system." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml index f189f3674..a0109dc1f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_a_3 - title: CM-8(a)(3) - description: "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_a_3 +title: CM-8(a)(3) +description: "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml index 42ff661ea..ea0cb3331 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_a_4 - title: CM-8(a)(4) - description: "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_a_4 +title: CM-8(a)(4) +description: "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml index 596c90720..9b53cd63c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_a_5 - title: CM-8(a)(5) - description: "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]." - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_a_5 +title: CM-8(a)(5) +description: "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]." +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml index d5921ffeb..3b10f4902 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_8_b - title: CM-8(b) - description: "Review and update the system component inventory [Assignment: organization-defined frequency]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant +id: aws_nist_800_53_rev_5_cm_8_b +title: CM-8(b) +description: "Review and update the system component inventory [Assignment: organization-defined frequency]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_ec2_instance_ssm_managed +- aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml index bb28328cb..ff84c523d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_cm_9 +title: Configuration Management Plan (CM-9) +description: "Develop, document, and implement a configuration management plan for the system that: a.\u2003Addresses roles, responsibilities, and configuration management processes and procedures; b.\u2003Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c.\u2003Defines the configuration items for the system and places the configuration items under configuration management; d.\u2003Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e.\u2003Protects the configuration management plan from unauthorized disclosure and modification." +section-code: "9" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cm_9 - title: Configuration Management Plan (CM-9) - description: "Develop, document, and implement a configuration management plan for the system that: a.\u2003Addresses roles, responsibilities, and configuration management processes and procedures; b.\u2003Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c.\u2003Defines the configuration items for the system and places the configuration items under configuration management; d.\u2003Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e.\u2003Protects the configuration management plan from unauthorized disclosure and modification." - section-code: "9" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cm_9_b +- id: aws_nist_800_53_rev_5_cm_9_b + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml index 4e0135b49..b64d71b38 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml 
@@ -1,49 +1,49 @@ -control-group: - id: aws_nist_800_53_rev_5_cm_9_b - title: CM-9(b) - description: "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_account_part_of_organizations - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_kms_cmk_rotation_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_flow_logs_enabled - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all +id: aws_nist_800_53_rev_5_cm_9_b +title: CM-9(b) +description: "Develop, document, and implement a configuration 
management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_account_part_of_organizations +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_cloudtrail_trail_validation_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_iam_account_password_policy_min_length_14 +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_kms_cmk_rotation_enabled +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_logging_enabled +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_flow_logs_enabled +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml index cbf1cf2e0..f2d81cb01 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml @@ -1,22 +1,27 @@ +id: aws_nist_800_53_rev_5_cp +title: Contingency Planning (CP) +description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution. +section-code: cp +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cp - title: Contingency Planning (CP) - description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution. - section-code: cp - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cp_1 - - id: aws_nist_800_53_rev_5_cp_2 - - id: aws_nist_800_53_rev_5_cp_6 - - id: aws_nist_800_53_rev_5_cp_9 - - id: aws_nist_800_53_rev_5_cp_10 +- id: aws_nist_800_53_rev_5_cp_1 + type: "" +- id: aws_nist_800_53_rev_5_cp_2 + type: "" +- id: aws_nist_800_53_rev_5_cp_6 + type: "" +- id: aws_nist_800_53_rev_5_cp_9 + type: "" +- id: aws_nist_800_53_rev_5_cp_10 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml index b6a25bd89..46092f1dc 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_cp_1 +title: Policy And Procedures (CP-1) +description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c.\u2003Review and update the current contingency planning: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." 
+section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cp_1 - title: Policy And Procedures (CP-1) - description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c.\u2003Review and update the current contingency planning: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cp_1_2 - - id: aws_nist_800_53_rev_5_cp_1_a +- id: aws_nist_800_53_rev_5_cp_1_2 + type: "" +- id: aws_nist_800_53_rev_5_cp_1_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml index 637c8eb18..efa97509a 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml 
@@ -1,34 +1,35 @@ +id: aws_nist_800_53_rev_5_cp_10 +title: System Recovery And Reconstitution (CP-10) +description: "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure." +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cp_10 - title: System Recovery And Reconstitution (CP-10) - description: "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure." - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cp_10_2 - controls: - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +- id: aws_nist_800_53_rev_5_cp_10_2 + type: "" +controls: +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- 
aws_ec2_instance_ebs_optimized +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_multiple_az_enabled +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml index 9d8f99b11..a13c936d8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_10_2 - title: CP-10(2) Transaction Recovery - description: Implement transaction recovery for systems that are transaction-based. - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_cp_10_2 +title: CP-10(2) Transaction Recovery +description: Implement transaction recovery for systems that are transaction-based. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml index 8078ef8c2..6880bcb4b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_1_2 - title: CP-1(2) - description: Implement transaction recovery for systems that are transaction-based. - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_rds_db_instance_backup_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_cp_1_2 +title: CP-1(2) +description: Implement transaction recovery for systems that are transaction-based. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_rds_db_instance_backup_enabled +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml index a13caa3c2..056015af1 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml 
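Review bot: The CP-1(2) group kept on the new side reuses the CP-10(2) wording (`description: Implement transaction recovery for systems that are transaction-based.`) and the same ten backup/recovery controls as the cp_10_2 hunk above, which looks like a copy-paste mapping rather than a CP-1 requirement; as far as I can tell Rev 5 CP-1 (Policy and Procedures) has no enhancement (2), so this group would report coverage for a control that does not exist while CP-1's actual policy requirements stay unmapped. Worth confirming against the source catalog and either remapping the group or removing it from cp_1's `control-group:` list. Its control list is also the only one in these hunks not kept in sorted order, which reinforces the copy-paste reading.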
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_cp_1_a +title: CP-1(a) +description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cp_1_a - title: CP-1(a) - description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cp_1_a_2 - - id: aws_nist_800_53_rev_5_cp_1_a_1_b +- id: aws_nist_800_53_rev_5_cp_1_a_2 + type: "" +- id: aws_nist_800_53_rev_5_cp_1_a_1_b + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml index 364d59a75..1176d2c3d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml 
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_1_a_1_b
- title: CP-1(a)(1)(b)
- description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
- section-code: 1_b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_1_a_1_b
+title: CP-1(a)(1)(b)
+description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
+section-code: 1_b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
index d5b9f5bab..fdfaacc1a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_1_a_2
- title: CP-1(a)(2)
- description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_1_a_2
+title: CP-1(a)(2)
+description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml
index eb1979c98..e04526844 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml 
@@ -1,22 +1,27 @@
+id: aws_nist_800_53_rev_5_cp_2
+title: Contingency Plan (CP-2)
+description: "a.\u2003Develop a contingency plan for the system that: 1.\u2003Identifies essential mission and business functions and associated contingency requirements; 2.\u2003Provides recovery objectives, restoration priorities, and metrics; b.\u2003Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c.\u2003Coordinate contingency planning activities with incident handling activities; d.\u2003Review the contingency plan for the system [Assignment: organization-defined frequency]; e.\u2003Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f.\u2003Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g.\u2003Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h.\u2003Protect the contingency plan from unauthorized disclosure and modification."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cp_2
- title: Contingency Plan (CP-2)
- description: "a.\u2003Develop a contingency plan for the system that: 1.\u2003Identifies essential mission and business functions and associated contingency requirements; 2.\u2003Provides recovery objectives, restoration priorities, and metrics; b.\u2003Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c.\u2003Coordinate contingency planning activities with incident handling activities; d.\u2003Review the contingency plan for the system [Assignment: organization-defined frequency]; e.\u2003Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f.\u2003Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g.\u2003Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h.\u2003Protect the contingency plan from unauthorized disclosure and modification."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cp_2_a
- - id: aws_nist_800_53_rev_5_cp_2_d
- - id: aws_nist_800_53_rev_5_cp_2_e
- - id: aws_nist_800_53_rev_5_cp_2_5
- - id: aws_nist_800_53_rev_5_cp_2_6
+- id: aws_nist_800_53_rev_5_cp_2_a
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_2_d
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_2_e
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_2_5
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_2_6
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
index 25688a55a..00ca9680d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
@@ -1,34 +1,34 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_5
- title: CP-2(5) Continue Mission And Business Functions
- description: "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_5
+title: CP-2(5) Continue Mission And Business Functions
+description: "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
index ea4f70f2c..54ca3d52d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_6
- title: CP-2(6) Alternate Processing And Storage Sites
- description: "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites."
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_6
+title: CP-2(6) Alternate Processing And Storage Sites
+description: "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites."
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
index 3a2f40585..47e9a315f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
@@ -1,26 +1,28 @@
+id: aws_nist_800_53_rev_5_cp_2_a
+title: CP-2(a)
+description: "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cp_2_a
- title: CP-2(a)
- description: "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cp_2_a_6
- - id: aws_nist_800_53_rev_5_cp_2_a_7
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+- id: aws_nist_800_53_rev_5_cp_2_a_6
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_2_a_7
+ type: ""
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
index cb5d00a59..5a6874ef1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_a_6
- title: CP-2(a)(6)
- description: "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_a_6
+title: CP-2(a)(6)
+description: "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
index dd37e7521..889078496 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_a_7
- title: CP-2(a)(7)
- description: "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_a_7
+title: CP-2(a)(7)
+description: "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
index 4b2af8d3a..a34d14e99 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_d
- title: CP-2(d)
- description: "Review the contingency plan for the system [Assignment: organization-defined frequency]"
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_d
+title: CP-2(d)
+description: "Review the contingency plan for the system [Assignment: organization-defined frequency]"
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
index f4deb9b29..cc3452f18 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_2_e
- title: CP-2(e)
- description: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
- section-code: e
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_2_e
+title: CP-2(e)
+description: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
+section-code: e
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
index 8ff1c472a..f749b9e03 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
@@ -1,20 +1,23 @@
+id: aws_nist_800_53_rev_5_cp_6
+title: Alternate Storage Sites (CP-6)
+description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_cp_6
- title: Alternate Storage Sites (CP-6)
- description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_cp_6_1
- - id: aws_nist_800_53_rev_5_cp_6_2
- - id: aws_nist_800_53_rev_5_cp_6_a
+- id: aws_nist_800_53_rev_5_cp_6_1
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_6_2
+ type: ""
+- id: aws_nist_800_53_rev_5_cp_6_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
index 71472ab03..ed2c2ad28 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_6_1
- title: CP-6(1) Separation From Primary Site
- description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_nist_800_53_rev_5_cp_6_1
+title: CP-6(1) Separation From Primary Site
+description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_in_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml
index 0af90dc13..8436753bd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml 
@@ -1,31 +1,31 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_6_2
- title: CP-6(2) Recovery Time And Recovery Point Objectives
- description: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_cp_6_2
+title: CP-6(2) Recovery Time And Recovery Point Objectives
+description: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_rds_db_instance_multiple_az_enabled
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
index 6f04876da..58c8e213e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_nist_800_53_rev_5_cp_6_a
- title: CP-6(a)
- description: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_nist_800_53_rev_5_cp_6_a
+title: CP-6(a)
+description: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_in_backup_plan
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml
index 9d46ce9ec..794ae0b0c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml
@@ -1,22 +1,27 @@ +id: aws_nist_800_53_rev_5_cp_9 +title: System Backup (CP-9) +description: "a.\u2003Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b.\u2003Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c.\u2003Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d.\u2003Protect the confidentiality, integrity, and availability of backup information." +section-code: "9" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_cp_9 - title: System Backup (CP-9) - description: "a.\u2003Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b.\u2003Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c.\u2003Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d.\u2003Protect the confidentiality, integrity, and availability of backup information." 
- section-code: "9" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_cp_9_8 - - id: aws_nist_800_53_rev_5_cp_9_a - - id: aws_nist_800_53_rev_5_cp_9_b - - id: aws_nist_800_53_rev_5_cp_9_c - - id: aws_nist_800_53_rev_5_cp_9_d +- id: aws_nist_800_53_rev_5_cp_9_8 + type: "" +- id: aws_nist_800_53_rev_5_cp_9_a + type: "" +- id: aws_nist_800_53_rev_5_cp_9_b + type: "" +- id: aws_nist_800_53_rev_5_cp_9_c + type: "" +- id: aws_nist_800_53_rev_5_cp_9_d + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml index dc00ae3e9..9fbba7c23 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml 
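Review bot: The child references added at the end of this hunk carry `type: ""` while the group itself now declares `type: control-group`; if the loader uses `type` to decide how each `- id:` entry is resolved, an empty string could leave CP-9(8) and CP-9(a)–(d) unattached and silently drop their controls from the benchmark, which would read as a smaller but passing scope. I cannot see the loader from here, so this is inferred from the surrounding files rather than verified. Either give the entries the real type, `- id: aws_nist_800_53_rev_5_cp_9_8` / `  type: control-group`, or omit the field if the schema treats it as optional. A one-line comment on the first entry saying what an empty `type` means would stop the next maintainer from guessing.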
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_9_8 - title: CP-9(8) Cryptographic Protection - description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]." - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_rds_db_snapshot_encrypted_at_rest - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms +id: aws_nist_800_53_rev_5_cp_9_8 +title: CP-9(8) Cryptographic Protection +description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]." +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_rds_db_snapshot_encrypted_at_rest +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml index 6c82a470a..61acc54ec 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml 
@@ -1,29 +1,29 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_9_a - title: CP-9(a) - description: "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_cp_9_a +title: CP-9(a) +description: "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." 
+section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_maintenance_settings_check +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml index a6c7b1883..2cbb5ed50 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml 
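Review bot: `aws_ec2_instance_ebs_optimized` and `aws_redshift_cluster_maintenance_settings_check` in the `controls` list are not backup checks, yet they count toward CP-9(a), so an account can raise its "Conduct backups of user-level information" score by tuning EBS throughput or a Redshift maintenance window. This mapping predates the commit, but the new side is what will be evaluated. Unless the upstream mapping deliberately includes them, drop those two lines and keep the list to the backup-plan, point-in-time-recovery, snapshot-retention, replication and versioning checks. If they must stay, a comment above them stating the rationale would keep the mapping auditable.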
@@ -1,29 +1,29 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_9_b - title: CP-9(b) - description: "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_cp_9_b +title: CP-9(b) +description: "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_redshift_cluster_maintenance_settings_check +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml index 88bf38a4b..ca15feeb1 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml 
@@ -1,29 +1,29 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_9_c - title: CP-9(c) - description: "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_rds_db_instance_backup_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ec2_instance_ebs_optimized - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_cp_9_c +title: CP-9(c) +description: "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_in_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_rds_db_instance_backup_enabled +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ec2_instance_ebs_optimized +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_redshift_cluster_maintenance_settings_check +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled 
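Review bot: CP-9(c) is about backing up system documentation, including security- and privacy-related documentation, but every entry in `controls` checks data-store backups, so a green result here says nothing about the documentation the control actually names; the list also carries `aws_ec2_instance_ebs_optimized` and `aws_redshift_cluster_maintenance_settings_check`, which are not backup checks at all. The mapping is carried over rather than introduced here, but it is what assessors will see. At minimum record the gap with a comment above `controls:` such as `# NOTE: no automated check covers documentation backups; treat this group as partial evidence only`. The list order (`aws_rds_db_instance_backup_enabled` after the Redshift entry, `aws_dynamodb_table_point_in_time_recovery_enabled` after it) also differs from the alphabetical order used by the sibling files.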
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml index c6dfdd1a4..d42b2877a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: aws_nist_800_53_rev_5_cp_9_d - title: CP-9(d) - description: Protect the confidentiality, integrity, and availability of backup information. - section-code: d - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_in_backup_plan - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_default_encryption_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - aws_sns_topic_encrypted_at_rest +id: aws_nist_800_53_rev_5_cp_9_d +title: CP-9(d) +description: Protect the confidentiality, integrity, and availability of backup information. 
+section-code: d +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dynamodb_table_in_backup_plan +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_es_domain_encryption_at_rest_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_default_encryption_enabled +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_secretsmanager_secret_encrypted_with_kms_cmk +- aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml index d3becd49b..136d2e5ae 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml 
@@ -1,22 +1,27 @@ +id: aws_nist_800_53_rev_5_ia +title: Identification and Authentication (IA) +description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. +section-code: ia +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia - title: Identification and Authentication (IA) - description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. - section-code: ia - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_2 - - id: aws_nist_800_53_rev_5_ia_3 - - id: aws_nist_800_53_rev_5_ia_4 - - id: aws_nist_800_53_rev_5_ia_5 - - id: aws_nist_800_53_rev_5_ia_8 +- id: aws_nist_800_53_rev_5_ia_2 + type: "" +- id: aws_nist_800_53_rev_5_ia_3 + type: "" +- id: aws_nist_800_53_rev_5_ia_4 + type: "" +- id: aws_nist_800_53_rev_5_ia_5 + type: "" +- id: aws_nist_800_53_rev_5_ia_8 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml index 3fa9528e2..71eeb7b03 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml 
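Review bot: The `description` line ends with "and how the management of those systems", which is not a sentence, and this text is what the report shows to an assessor; it should read `description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how those systems are managed.` Separately, the five child references now carry `type: ""` while the group declares `type: control-group`; if the loader dispatches on `type`, an empty value may leave IA-2 through IA-8 unresolved and their controls absent from the benchmark. That is inferred from the file layout, not verified against the loader.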
@@ -1,23 +1,27 @@ +id: aws_nist_800_53_rev_5_ia_2 +title: Identification and Authentication (Organizational users) (IA-2) +description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_2 - title: Identification and Authentication (Organizational users) (IA-2) - description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_2_1 - - id: aws_nist_800_53_rev_5_ia_2_2 - - id: aws_nist_800_53_rev_5_ia_2_6 - - id: aws_nist_800_53_rev_5_ia_2_8 - controls: - - aws_iam_root_user_no_access_keys +- id: aws_nist_800_53_rev_5_ia_2_1 + type: "" +- id: aws_nist_800_53_rev_5_ia_2_2 + type: "" +- id: aws_nist_800_53_rev_5_ia_2_6 + type: "" +- id: aws_nist_800_53_rev_5_ia_2_8 + type: "" +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml index 0b2df6a68..35c489912 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_2_1 - title: IA-2(1) Multi-Factor Authentication To Privileged Accounts - description: Implement multi-factor authentication for access to privileged accounts. - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_53_rev_5_ia_2_1 +title: IA-2(1) Multi-Factor Authentication To Privileged Accounts +description: Implement multi-factor authentication for access to privileged accounts. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml index a5e2ffc04..c1d29596d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_2_2 - title: IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts - description: Implement multi-factor authentication for access to non-privileged accounts. - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_53_rev_5_ia_2_2 +title: IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts +description: Implement multi-factor authentication for access to non-privileged accounts. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml index 7c92dda15..dcc6b70ea 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml 
@@ -1,23 +1,24 @@ +id: aws_nist_800_53_rev_5_ia_2_6 +title: IA-2(6) Acces To Accounts — Separate Device +description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]." +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_2_6 - title: IA-2(6) Acces To Accounts — Separate Device - description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]." - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_2_6_a - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +- id: aws_nist_800_53_rev_5_ia_2_6_a + type: "" +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml index a651f6a1e..29b36d3da 100755 
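Review bot: The `title` has a typo, `Acces`, that will appear verbatim in generated reports; it should be `title: IA-2(6) Access To Accounts — Separate Device`. The child reference `- id: aws_nist_800_53_rev_5_ia_2_6_a` is given `type: ""` while the group declares `type: control-group`; if that field drives resolution, the (a) sub-group could be dropped silently, so it should presumably be `type: control-group` — inferred from the surrounding files, not verified against the loader.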
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml @@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_2_6_a - title: IA-2(6)(a) - description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_53_rev_5_ia_2_6_a +title: IA-2(6)(a) +description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml index 40535e9da..2138328bf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_2_8 - title: IA-2(8) Access To Accounts — Replay Resistant - description: "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]." - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_nist_800_53_rev_5_ia_2_8 +title: IA-2(8) Access To Accounts — Replay Resistant +description: "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]." +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml index 1a7eb7c46..46bf760f1 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ia_3 +title: Device Identification And Authentication (IA-3) +description: "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_3 - title: Device Identification And Authentication (IA-3) - description: "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_3_3 +- id: aws_nist_800_53_rev_5_ia_3_3 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml index 1670c1aef..c71bd7064 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ia_3_3 +title: IA-3(3) Dynamic Address Allocation +description: "a.\u2003Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b.\u2003Audit lease information when assigned to a device." +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_3_3 - title: IA-3(3) Dynamic Address Allocation - description: "a.\u2003Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b.\u2003Audit lease information when assigned to a device." - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_3_3_b +- id: aws_nist_800_53_rev_5_ia_3_3_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml index ac181214b..e563394d0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_3_3_b - title: IA-3(3)(b) - description: Audit lease information when assigned to a device. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_wafv2_web_acl_logging_enabled - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_53_rev_5_ia_3_3_b +title: IA-3(3)(b) +description: Audit lease information when assigned to a device. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_wafv2_web_acl_logging_enabled +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml index 58e47561f..cf8992b51 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml 
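Review bot: The `controls` list is out of alphabetical order (`aws_wafv2_web_acl_logging_enabled` before `aws_apigateway_stage_logging_enabled`, `aws_cloudtrail_trail_integrated_with_logs` before `aws_cloudtrail_trail_enabled`) while every sibling file in this diff is sorted; sorting these mappings keeps future diffs reviewable. Of the listed checks, `aws_vpc_flow_logs_enabled` is arguably the only one that records anything close to "lease information when assigned to a device"; the rest are general logging controls, so a comment above `controls:` noting which check is the substantive evidence for IA-3(3)(b) would help an assessor read the result.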
@@ -1,21 +1,25 @@ +id: aws_nist_800_53_rev_5_ia_4 +title: Identifier Management (IA-4) +description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_4 - title: Identifier Management (IA-4) - description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_4_8 - - id: aws_nist_800_53_rev_5_ia_4_b - - id: aws_nist_800_53_rev_5_ia_4_d - - id: aws_nist_800_53_rev_5_ia_4_4 +- id: aws_nist_800_53_rev_5_ia_4_8 + type: "" +- id: aws_nist_800_53_rev_5_ia_4_b + type: "" +- id: aws_nist_800_53_rev_5_ia_4_d + type: "" +- id: aws_nist_800_53_rev_5_ia_4_4 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml index 1ad5928a6..f6607307f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml 
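Review bot: The child references are listed as `ia_4_8`, `ia_4_b`, `ia_4_d`, `ia_4_4`, so IA-4(4) sorts after IA-4(8) and the statement-level items (b) and (d) sit between two enhancements; the sibling files in this diff list children in section order, which this one should follow: `ia_4_b`, `ia_4_d`, `ia_4_4`, `ia_4_8`. The entries also carry `type: ""` while the group has `type: control-group`; if the loader keys on that field, an empty value could leave the sub-groups unattached — inferred, since the loader is not visible here.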
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_4_4 - title: IA-4(4) - description: "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ia_4_4 +title: IA-4(4) +description: "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml index 87c177c68..b76d86713 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_4_8 - title: IA-4(8) - description: Generate pairwise pseudonymous identifiers. - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ia_4_8 +title: IA-4(8) +description: Generate pairwise pseudonymous identifiers. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_no_access_keys 
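Review bot: IA-4(8) (pairwise pseudonymous identifiers) is evidenced on the new side only by `aws_iam_root_user_no_access_keys`, which asserts that the root user has no long-lived keys and says nothing about how identifiers are generated or whether they are pseudonymous per relying party. The same single control also backs IA-4(4) in the hunk preceding it on this line, so two distinct identifier-management requirements collapse onto one root-account check and a passing root-key result reads as compliance with both. If the control library has nothing closer, a comment above `controls:` such as `# Proxy only: no automated check covers pseudonymous identifier generation; manual evidence required` would stop assessors from over-reading the result.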
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml index 5efdf7596..b78fccc9e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_4_b - title: IA-4(b) - description: "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ia_4_b +title: IA-4(b) +description: "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml index da1b950d0..94f29f204 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_4_d - title: IA-4(d) - description: "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period]." - section-code: d - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_4_d +title: IA-4(d) +description: "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period]." +section-code: d +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml index 96b5ae876..46fadcbcc 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml 
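Review bot: IA-4(d) is about preventing reuse of identifiers (user names, role names) for a defined period, but the only mapped control is `aws_iam_account_password_policy_min_length_14`, which checks password length and cannot distinguish an account whose identifier was recycled from one that was not. A minimum-length check passing therefore produces a green IA-4(d) result with no evidence behind it. Suggest either mapping a control that actually inspects identifier lifecycle if one exists in the library, or annotating the mapping with `# Password length is not evidence of identifier non-reuse; treat as partial/manual` so the gap is visible in the report.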
@@ -1,27 +1,35 @@ +id: aws_nist_800_53_rev_5_ia_5 +title: Authenticator Management (IA-5) +description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_5 - title: Authenticator Management (IA-5) - description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_5_1 - - id: aws_nist_800_53_rev_5_ia_5_8 - - id: aws_nist_800_53_rev_5_ia_5_18 - - id: aws_nist_800_53_rev_5_ia_5_b - - id: aws_nist_800_53_rev_5_ia_5_c - - id: aws_nist_800_53_rev_5_ia_5_d - - id: aws_nist_800_53_rev_5_ia_5_f - - id: aws_nist_800_53_rev_5_ia_5_h - controls: - - aws_iam_account_password_policy_min_length_14 +- id: aws_nist_800_53_rev_5_ia_5_1 + type: "" +- id: aws_nist_800_53_rev_5_ia_5_8 + type: "" +- id: aws_nist_800_53_rev_5_ia_5_18 + type: "" +- id: aws_nist_800_53_rev_5_ia_5_b + type: "" +- id: aws_nist_800_53_rev_5_ia_5_c + type: "" +- id: aws_nist_800_53_rev_5_ia_5_d + type: "" +- id: aws_nist_800_53_rev_5_ia_5_f + type: "" +- id: aws_nist_800_53_rev_5_ia_5_h + type: "" +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml index 713426220..e72e948cf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml 
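Review bot: The IA-5 parent lists `aws_iam_account_password_policy_min_length_14` directly under `controls:` and, judging by the child files further down this page, most of its eight children map to that same single control, so one IAM password-policy finding is counted up to nine times inside the IA-5 roll-up. Depending on how the scorer aggregates, a single misconfiguration will either dominate the family score or be reported as nine separate failures against the same resource. Consider dropping the duplicate direct mapping on the parent (keeping only the `control-group:` children) so the rollup counts each finding once; the parent's `service: AWS` tag also disagrees with the `AWS/IAM` used on every child.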
@@ -1,21 +1,25 @@ +id: aws_nist_800_53_rev_5_ia_5_1 +title: IA-5(1) Password-Based Authentication +description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_5_1 - title: IA-5(1) Password-Based Authentication - description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_5_1_c - - id: aws_nist_800_53_rev_5_ia_5_1_f - - id: aws_nist_800_53_rev_5_ia_5_1_g - - id: aws_nist_800_53_rev_5_ia_5_1_h +- id: aws_nist_800_53_rev_5_ia_5_1_c + type: "" +- id: aws_nist_800_53_rev_5_ia_5_1_f + type: "" +- id: aws_nist_800_53_rev_5_ia_5_1_g + type: "" +- id: aws_nist_800_53_rev_5_ia_5_1_h + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml index 1441a2a0b..de86a0ebf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml 
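Review bot: The IA-5(1) description on the new side is a run-on sentence ending in "etc." and describes rev-4 items (minimum/maximum lifetime, prohibit reuse, temporary passwords) that the rev-5 enhancement replaced, while the children actually wired in are rev-5 items (c), (f), (g) and (h). Since the framework is tagged `nist_800_53_rev_5`, the description should be rewritten to enumerate the rev-5 IA-5(1) items so that it agrees with its own child groups; the text is longer than three lines, so I would replace it wholesale rather than patch it. The `type: ""` on the child references is the same inconsistency raised on the IA-4 parent.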
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml @@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_ia_5_18 +title: IA-5(18) Password Managers +description: "a.\u2003Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b.\u2003Protect the passwords using [Assignment: organization-defined controls]." +section-code: "18" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_5_18 - title: IA-5(18) Password Managers - description: "a.\u2003Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b.\u2003Protect the passwords using [Assignment: organization-defined controls]." - section-code: "18" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_5_18_a - - id: aws_nist_800_53_rev_5_ia_5_18_b +- id: aws_nist_800_53_rev_5_ia_5_18_a + type: "" +- id: aws_nist_800_53_rev_5_ia_5_18_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml index 7093c7417..c204234aa 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_18_a - title: IA-5(18)(a) - description: "Employ [Assignment: organization-defined password managers] to generate and manage passwords." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_18_a +title: IA-5(18)(a) +description: "Employ [Assignment: organization-defined password managers] to generate and manage passwords." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml index 4c1a76562..99eb534da 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_18_b - title: IA-5(18)(b) - description: "Protect the passwords using [Assignment: organization-defined controls]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_18_b +title: IA-5(18)(b) +description: "Protect the passwords using [Assignment: organization-defined controls]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml index 50e4caaea..c09d1c5cc 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml @@ -1,22 +1,22 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_1_c - title: IA-5(1)(c) - description: "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels." - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_s3_bucket_enforces_ssl +id: aws_nist_800_53_rev_5_ia_5_1_c +title: IA-5(1)(c) +description: "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels." +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml index 3b9a0a737..a2e3dca17 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_1_f - title: IA-5(1)(f) - description: "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters." - section-code: f - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_1_f +title: IA-5(1)(f) +description: "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters." +section-code: f +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml index 4cdede242..e48a43b98 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_1_g - title: IA-5(1)(g) - description: "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators." - section-code: g - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_1_g +title: IA-5(1)(g) +description: "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators." +section-code: g +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml index c96467cca..24fd27678 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_1_h - title: IA-5(1)(h) - description: "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]." - section-code: h - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_1_h +title: IA-5(1)(h) +description: "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]." +section-code: h +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml index 0f6129832..2433783b3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml 
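Review bot: IA-5(1)(h) asks for composition and complexity rules, yet the only mapped control is `aws_iam_account_password_policy_min_length_14`, so an account password policy that requires 14 characters but no character-class mix will show this item as fully satisfied. If the control library includes the other IAM password-policy checks (uppercase, lowercase, number, symbol requirements), they belong in this `controls:` list alongside the length check; if it does not, a comment such as `# Length only; character-class composition rules not evaluated` would record the partial coverage.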
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_8 - title: IA-5(8) Multiple System Accounts - description: "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems." - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_root_user_no_access_keys +id: aws_nist_800_53_rev_5_ia_5_8 +title: IA-5(8) Multiple System Accounts +description: "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems." +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml index 73377d483..100d031d9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_b - title: IA-5(b) - description: "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_b +title: IA-5(b) +description: "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml index 042c9a479..bb8d08b16 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_c - title: IA-5(c) - description: "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use." - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_c +title: IA-5(c) +description: "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use." +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml index 5da99ab1b..25076f507 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_d - title: IA-5(d) - description: "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators." - section-code: d - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_d +title: IA-5(d) +description: "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators." +section-code: d +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml index cf7c1c32e..ad1182267 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_f - title: IA-5(f) - description: "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur." - section-code: f - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_f +title: IA-5(f) +description: "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur." +section-code: f +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml index a38a48a7a..76be3d7ff 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml 
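Review bot: IA-5(f) is about changing or refreshing authenticators on a schedule or on events, and password length (`aws_iam_account_password_policy_min_length_14`) is unrelated evidence for that; a policy with a 14-character minimum and no maximum age passes here while authenticators never rotate. A check on password max-age / access-key rotation would be the natural evidence if one exists in the library. Failing that, mark the mapping as a proxy with `# Proxy: length check does not verify authenticator rotation` so the result is not read as rotation being enforced.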
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_5_h - title: IA-5(h) - description: "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators." - section-code: h - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_5_h +title: IA-5(h) +description: "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators." +section-code: h +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml index ddec2cca0..911dcaac8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ia_8 +title: Identification And Authentication (Non-Organizational Users) (IA-8) +description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_8 - title: Identification And Authentication (Non-Organizational Users) (IA-8) - description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_8_2 +- id: aws_nist_800_53_rev_5_ia_8_2 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml index a2e6c61b1..10a23ecba 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ia_8_2 +title: IA-8(2) Acceptance Of External Authenticators +description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ia_8_2 - title: IA-8(2) Acceptance Of External Authenticators - description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ia_8_2_b +- id: aws_nist_800_53_rev_5_ia_8_2_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml index 5a78e6988..6007b9dfe 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml 
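Review bot: The IA-8(2) description on the new side is a verbatim copy of the IA-8 parent's description ("Uniquely identify and authenticate non-organizational users...") rather than describing the enhancement named in its own title, Acceptance of External Authenticators. Suggest `description: "Accept only external authenticators that are NIST-compliant, and document and maintain a list of accepted external authenticators."`, which matches the wording of the (b) child wired in below. The lone child reference also carries `type: ""` against the parent's `type: control-group`, as elsewhere in this change.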
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ia_8_2_b - title: IA-8(2)(b) - description: Document and maintain a list of accepted external authenticators. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ia_8_2_b +title: IA-8(2)(b) +description: Document and maintain a list of accepted external authenticators. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml index 40cf9ecc7..35a585413 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml 
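Review bot: IA-8(2)(b) requires a documented, maintained list of accepted external authenticators, which is a governance artifact that `aws_iam_account_password_policy_min_length_14` cannot evidence; an account with no federation at all and a 14-character password policy will report this item as satisfied. If the library has a control around IAM identity providers / SAML or OIDC provider inventory, that is the closer fit; otherwise annotate with `# No automated evidence; list of accepted external authenticators must be maintained manually` so the report does not present the password-length result as coverage.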
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ir +title: Incident Response (IR) +description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. +section-code: ir +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ir - title: Incident Response (IR) - description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. - section-code: ir - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ir_4 +- id: aws_nist_800_53_rev_5_ir_4 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml index 78108a0ed..1cac877b4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ir_4 +title: Incident Handling (IR-4) +description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ir_4 - title: Incident Handling (IR-4) - description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ir_4_a +- id: aws_nist_800_53_rev_5_ir_4_a + type: "" 
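Review bot: The description on the new side runs `recovery;b. Coordinate` together with no space after the semicolon, unlike the `; c.` and `; and d.` separators later in the same sentence; it should read `recovery; b. Coordinate`. This text is surfaced in compliance reports, so it is worth fixing while the file is being rewritten. The rest of the hunk is a layout move of existing fields.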
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml index 58316bd66..b1df8fa44 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ir_4_a - title: IR-4(a) - description: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery. - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_finding_archived +id: aws_nist_800_53_rev_5_ir_4_a +title: IR-4(a) +description: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery. +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml index 17978c76a..b5ea31af3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ma +title: Maintenance (MA) +description: The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used. +section-code: ma +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ma - title: Maintenance (MA) - description: The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used. - section-code: ma - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ma_4 +- id: aws_nist_800_53_rev_5_ma_4 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml index 323035c8f..3125afb71 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_ma_4 +title: Nonlocal Maintenance (MA-4) +description: a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ma_4 - title: Nonlocal Maintenance (MA-4) - description: a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ma_4_1 - - id: aws_nist_800_53_rev_5_ma_4_c +- id: aws_nist_800_53_rev_5_ma_4_1 + type: "" +- id: aws_nist_800_53_rev_5_ma_4_c + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml index 5dcb2aad8..fc663bb12 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml @@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ma_4_1 +title: MA-4(1) Logging And Review +description: "a.\u2003Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b.\u2003Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ma_4_1 - title: MA-4(1) Logging And Review - description: "a.\u2003Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b.\u2003Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ma_4_1_a +- id: aws_nist_800_53_rev_5_ma_4_1_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml index 39ac85c5e..714f2b5ff 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_5_ma_4_1_a - title: MA-4(1)(a) - description: "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_ma_4_1_a +title: MA-4(1)(a) +description: "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml index 844edbac6..92561d575 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ma_4_c - title: MA-4(c) - description: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_min_length_14 +id: aws_nist_800_53_rev_5_ma_4_c +title: MA-4(c) +description: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark +controls: +- aws_iam_account_password_policy_min_length_14 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml index a03050711..f4291f66c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml 
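Review bot: MA-4(c) asks for strong authentication on nonlocal maintenance and diagnostic sessions, but the `controls:` list evidences it with `aws_iam_account_password_policy_min_length_14` alone; a 14-character password floor is a single-factor measure and is not what the control family means by strong authentication. Unless the corpus has no MFA-enforcement control at all, the list should include one for IAM users and the root user, and if none exists that gap should be recorded so an assessor does not read this as full coverage. I would add `# TODO: pair with an MFA-enforcement control; password length alone is single-factor` above `controls:`. The mapping is inherited, not introduced by this commit.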
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_mp +title: Media Protection (MP) +description: The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use. +section-code: mp +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_mp - title: Media Protection (MP) - description: The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use. - section-code: mp - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_mp_2 +- id: aws_nist_800_53_rev_5_mp_2 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml index 3d4d3b0f1..5461221ee 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml 
@@ -1,41 +1,41 @@ -control-group: - id: aws_nist_800_53_rev_5_mp_2 - title: Media Access (MP-2) - description: "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_mp_2 +title: Media Access (MP-2) +description: "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]." 
+section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_ec2_instance_uses_imdsv2 +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml index 59dcafc8c..488e5bcf4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_pe +title: Physical And Environmental Protection (PE) +description: The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection. +section-code: pe +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pe - title: Physical And Environmental Protection (PE) - description: The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection. - section-code: pe - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pe_6 +- id: aws_nist_800_53_rev_5_pe_6 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml index 147667efb..2b28a585c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_pe_6 +title: Monitoring Physical Access (PE-6) +description: "a.\u2003Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b.\u2003Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c.\u2003Coordinate results of reviews and investigations with the organizational incident response capability." +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pe_6 - title: Monitoring Physical Access (PE-6) - description: "a.\u2003Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b.\u2003Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c.\u2003Coordinate results of reviews and investigations with the organizational incident response capability." - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pe_6_2 - - id: aws_nist_800_53_rev_5_pe_6_4 +- id: aws_nist_800_53_rev_5_pe_6_2 + type: "" +- id: aws_nist_800_53_rev_5_pe_6_4 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml index 6de55936a..5e4995503 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_pe_6_2 - title: PE-6(2) Monitoring Physical Access - description: "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_pe_6_2 +title: PE-6(2) Monitoring Physical Access +description: "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml index 1b02a7b3e..8265f12ee 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_pe_6_4 - title: PE-6(4) Monitoring Physical Access - description: "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_pe_6_4 +title: PE-6(4) Monitoring Physical Access +description: "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml index 42bcabb9a..0adba3fea 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml 
@@ -1,23 +1,29 @@ +id: aws_nist_800_53_rev_5_pm +title: Program Management (PM) +description: The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture. +section-code: pm +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pm - title: Program Management (PM) - description: The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture. - section-code: pm - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pm_11 - - id: aws_nist_800_53_rev_5_pm_14 - - id: aws_nist_800_53_rev_5_pm_16 - - id: aws_nist_800_53_rev_5_pm_17 - - id: aws_nist_800_53_rev_5_pm_21 - - id: aws_nist_800_53_rev_5_pm_31 +- id: aws_nist_800_53_rev_5_pm_11 + type: "" +- id: aws_nist_800_53_rev_5_pm_14 + type: "" +- id: aws_nist_800_53_rev_5_pm_16 + type: "" +- id: aws_nist_800_53_rev_5_pm_17 + type: "" +- id: aws_nist_800_53_rev_5_pm_21 + type: "" +- id: aws_nist_800_53_rev_5_pm_31 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml index cef02316f..cb880f53f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml 
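Review bot: All six child references under `control-group:` are emitted with `type: ""`, so the whole PM family now depends on how the loader treats an empty type, while the referenced child files elsewhere in this commit declare `type: control-group`. If the empty string is a placeholder it should be filled consistently (`type: control-group`) or the key omitted, because an empty value parses cleanly and would hide a mismatch until the framework is evaluated at runtime. The same pattern appears in the IR, MA, MP and PE parent hunks of this commit.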
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_pm_11 +title: Mission And Business Process Defination (PM-11) +description: "a.\u2003Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b.\u2003Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c.\u2003Review and revise the mission and business processes [Assignment: organization-defined frequency]." +section-code: "11" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pm_11 - title: Mission And Business Process Defination (PM-11) - description: "a.\u2003Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b.\u2003Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c.\u2003Review and revise the mission and business processes [Assignment: organization-defined frequency]." - section-code: "11" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pm_11_b +- id: aws_nist_800_53_rev_5_pm_11_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml index 101180406..6cb95a94c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml 
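Review bot: The title on the new side reads `Mission And Business Process Defination (PM-11)`; the word is misspelled and should be `Definition`, matching the NIST SP 800-53 control name. Since this title is what reports and dashboards display for the control group, it is worth correcting while the file is being rewritten rather than carrying the typo into the new layout.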
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml @@ -1,21 +1,21 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_11_b - title: PM-11(b) - description: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_pm_11_b +title: PM-11(b) +description: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml index 9281d25fd..c8819454b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_pm_14 +title: Testing, Training, And Monitoring (PM-14) +description: "a.\u2003Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1.\u2003Are developed and maintained; and 2.\u2003Continue to be executed; and b.\u2003Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." +section-code: "14" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pm_14 - title: Testing, Training, And Monitoring (PM-14) - description: "a.\u2003Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1.\u2003Are developed and maintained; and 2.\u2003Continue to be executed; and b.\u2003Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." - section-code: "14" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pm_14_a_1 - - id: aws_nist_800_53_rev_5_pm_14_b +- id: aws_nist_800_53_rev_5_pm_14_a_1 + type: "" +- id: aws_nist_800_53_rev_5_pm_14_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml index 42e92e854..b6f716a11 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml 
@@ -1,37 +1,37 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_14_a_1 - title: PM-14(a)(1) - description: "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained." - section-code: a_1 - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_pm_14_a_1 +title: PM-14(a)(1) +description: "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained." 
+section-code: a_1 +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml index a388c1929..10d79ec61 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml 
@@ -1,37 +1,37 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_14_b - title: PM-14(b) - description: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_pm_14_b +title: PM-14(b) +description: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. 
+section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml index 2a524d522..865f2019c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_16 - title: Threat Awareness Program (PM-16) - description: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. - section-code: "16" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_pm_16 +title: Threat Awareness Program (PM-16) +description: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. +section-code: "16" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml index 61a99ca8a..56e332730 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_pm_17 +title: Protecting Controlled Unclassified Information On External Systems (PM-17) +description: "a.\u2003Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b.\u2003Review and update the policy and procedures [Assignment: organization-defined frequency]." +section-code: "17" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pm_17 - title: Protecting Controlled Unclassified Information On External Systems (PM-17) - description: "a.\u2003Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b.\u2003Review and update the policy and procedures [Assignment: organization-defined frequency]." - section-code: "17" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pm_17_b +- id: aws_nist_800_53_rev_5_pm_17_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml index 0474f1523..36e41a9d3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml 
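Review bot: The child reference `- id: aws_nist_800_53_rev_5_pm_17_b` is given `type: ""`, while the referenced file in this same diff declares `type: control-group` at its root, so the two ends of the parent/child link now disagree about the entity's type. If the loader uses `type` to decide how a reference is resolved, an empty string is at best a no-op and at worst a silent mismatch; if it is meant as "unspecified", omitting the key is clearer than an empty value. The same `type: ""` is added to every child reference in the pm_21, ra, ra_1, ra_10, ra_10_a, ra_1_a, ra_3 and ra_5 hunks. I would either write `  type: control-group` under each child `id`, matching the child's own declaration, or drop the key entirely.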
@@ -1,26 +1,26 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_17_b - title: PM-17(b) - description: "Review and update the policy and procedures [Assignment: organization-defined frequency]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_pm_17_b +title: PM-17(b) +description: "Review and update the policy and procedures [Assignment: organization-defined frequency]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_cloudtrail_trail_validation_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml index 39f01b599..c9a3ec5d7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_pm_21 +title: Accounting Of Disclosures (PM-21) +description: "a.\u2003Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1.\u2003Date, nature, and purpose of each disclosure; and 2.\u2003Name and address, or other contact information of the individual or organization to which the disclosure was made; b.\u2003Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c.\u2003Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." +section-code: "21" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_pm_21 - title: Accounting Of Disclosures (PM-21) - description: "a.\u2003Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1.\u2003Date, nature, and purpose of each disclosure; and 2.\u2003Name and address, or other contact information of the individual or organization to which the disclosure was made; b.\u2003Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c.\u2003Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." - section-code: "21" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_pm_21_b +- id: aws_nist_800_53_rev_5_pm_21_b + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml index b6eb988dc..8b1af3d44 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_21_b - title: PM-21(b) - description: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark - controls: - - aws_cloudwatch_log_group_retention_period_365 +id: aws_nist_800_53_rev_5_pm_21_b +title: PM-21(b) +description: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark +controls: +- aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml index c15cbbc1a..6c979a78f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml 
@@ -1,37 +1,37 @@ -control-group: - id: aws_nist_800_53_rev_5_pm_31 - title: Continuous Monitoring Strategy (PM-31) - description: "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]." 
- section-code: "31" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_nist_800_53_rev_5_pm_31 +title: Continuous Monitoring Strategy (PM-31) +description: "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. 
Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]." +section-code: "31" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_logging_enabled +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudwatch_alarm_action_enabled +- aws_cloudwatch_log_group_retention_period_365 +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_securityhub_enabled +- aws_vpc_flow_logs_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml index d58742c36..cbcf53c5a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml 
@@ -1,21 +1,25 @@ +id: aws_nist_800_53_rev_5_ra +title: Risk Assessment (RA) +description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. +section-code: ra +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra - title: Risk Assessment (RA) - description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. - section-code: ra - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_1 - - id: aws_nist_800_53_rev_5_ra_3 - - id: aws_nist_800_53_rev_5_ra_5 - - id: aws_nist_800_53_rev_5_ra_10 +- id: aws_nist_800_53_rev_5_ra_1 + type: "" +- id: aws_nist_800_53_rev_5_ra_3 + type: "" +- id: aws_nist_800_53_rev_5_ra_5 + type: "" +- id: aws_nist_800_53_rev_5_ra_10 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml index 1b307dce1..c196d2320 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml 
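Review bot: The RA family `description` carries vendor marketing copy — "Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts." — which is not NIST control text and does not belong in a benchmark definition. The restructuring rewrites the line but keeps the sentence verbatim, so this is the moment to trim it: `description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities.`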
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ra_1 +title: Policy And Procedures (RA-1) +description: Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance. +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra_1 - title: Policy And Procedures (RA-1) - description: Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance. - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_1_a +- id: aws_nist_800_53_rev_5_ra_1_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml index 8b1922d50..a25561dda 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_ra_10 +title: Threat Hunting (RA-10) +description: "a.\u2003Establish and maintain a cyber threat hunting capability to: 1.\u2003Search for indicators of compromise in organizational systems; and 2.\u2003Detect, track, and disrupt threats that evade existing controls; and b.\u2003Employ the threat hunting capability [Assignment: organization-defined frequency]." +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra_10 - title: Threat Hunting (RA-10) - description: "a.\u2003Establish and maintain a cyber threat hunting capability to: 1.\u2003Search for indicators of compromise in organizational systems; and 2.\u2003Detect, track, and disrupt threats that evade existing controls; and b.\u2003Employ the threat hunting capability [Assignment: organization-defined frequency]." - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_10_a +- id: aws_nist_800_53_rev_5_ra_10_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml index 56fdf6ac2..76b962f72 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml 
@@ -1,21 +1,23 @@ +id: aws_nist_800_53_rev_5_ra_10_a +title: RA-10(a) +description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra_10_a - title: RA-10(a) - description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_10_a_1 - - id: aws_nist_800_53_rev_5_ra_10_a_2 - controls: - - aws_guardduty_enabled +- id: aws_nist_800_53_rev_5_ra_10_a_1 + type: "" +- id: aws_nist_800_53_rev_5_ra_10_a_2 + type: "" +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml index 0510c4428..1ce15e55a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml 
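Review bot: The `description` ends with "threats that evade existings.", a truncation of the wording "evade existing controls" that the ra_1_a file later in this diff spells out in full. The same truncated text is carried into the ra_10_a_1 and ra_10_a_2 files. Since the line is rewritten here anyway, the fix is cheap: `description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."`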
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_10_a_1 - title: RA-10(a)(1) - description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ra_10_a_1 +title: RA-10(a)(1) +description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml index b8455a011..821a3a851 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_10_a_2 - title: RA-10(a)(2) - description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ra_10_a_2 +title: RA-10(a)(2) +description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml index 43e2d5284..b5d391cb7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml 
@@ -1,21 +1,23 @@ +id: aws_nist_800_53_rev_5_ra_1_a +title: RA-1(a) +description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra_1_a - title: RA-1(a) - description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_1_a_1 - - id: aws_nist_800_53_rev_5_ra_1_a_2 - controls: - - aws_guardduty_enabled +- id: aws_nist_800_53_rev_5_ra_1_a_1 + type: "" +- id: aws_nist_800_53_rev_5_ra_1_a_2 + type: "" +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml index 5a3c30efc..3097c3937 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml 
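Review bot: The `title` is `RA-1(a)` and the parent ra_1 file describes RA-1 as tracking risk assessment policies, yet the `description` here is the RA-10 threat-hunting text ("Establish and maintain a cyber threat hunting capability..."), and the ra_1_a_1 and ra_1_a_2 children repeat that text with `aws_guardduty_enabled` as their only control. The description and the control mapping appear to have been copied from the ra_10_a files rather than written for RA-1(a); this predates the commit, but the rewrite touches every line of the file. At minimum the description should state the RA-1(a) requirement (developing and disseminating a risk assessment policy and its procedures), and the GuardDuty mapping should be revisited against that requirement.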
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_1_a_1 - title: RA-1(a)(1) - description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ra_1_a_1 +title: RA-1(a)(1) +description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml index d18004f45..dcc65dc06 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_1_a_2 - title: RA-1(a)(2) - description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ra_1_a_2 +title: RA-1(a)(2) +description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml index dc0704b16..2ff91a728 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_ra_3 +title: Risk Assessment (RA-3) +description: Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_ra_3 - title: Risk Assessment (RA-3) - description: Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_ra_3_4 - - id: aws_nist_800_53_rev_5_ra_3_a_1 +- id: aws_nist_800_53_rev_5_ra_3_4 + type: "" +- id: aws_nist_800_53_rev_5_ra_3_a_1 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml index e1ee48e65..96a38357b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_3_4 - title: RA-3(4) Predictive Cyber Analytics - description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_ra_3_4 +title: RA-3(4) Predictive Cyber Analytics +description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml index f142bb8ba..a81c4b952 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_ra_3_a_1 - title: RA-3(a)(1) - description: "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system." - section-code: a_1 - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_nist_800_53_rev_5_ra_3_a_1 +title: RA-3(a)(1) +description: "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system." +section-code: a_1 +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml index 37e6420e4..bef0ae021 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml 
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_ra_5
+title: Vulnerability Monitoring And Scanning (RA-5)
+description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_ra_5
- title: Vulnerability Monitoring And Scanning (RA-5)
- description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_ra_5_4
- - id: aws_nist_800_53_rev_5_ra_5_a
+- id: aws_nist_800_53_rev_5_ra_5_4
+ type: ""
+- id: aws_nist_800_53_rev_5_ra_5_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
index 565d21e7a..acccca3c6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
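Review bot: The `description` on the new side of this hunk is the RA-3(4) statement ("Employ the following advanced automation and analytics capabilities…"), not RA-5, so the rendered framework will show Vulnerability Monitoring and Scanning with the wrong control text; the old side had the same value and the commit does not correct it. The same copy-paste shows up in the sa_1_1 and sa_9 hunks, whose descriptions are the SA-10(1) integrity-verification statement rather than their own control. The RA-5(a) text already present in the ra_5_a hunk is the natural source for a correct RA-5 description. Separately, the child references gain `type: ""` here and in the sa, sa_1, sa_10, sa_15, sa_9, sc, sc_12, sc_13 and sc_16 hunks; an empty string presumably means "resolve from the referenced file", but if the loader expects `control-group` it should be spelled out, since an untyped reference to a benchmark node is easy to misread during review.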
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ra_5_4
- title: RA-5(4) Discoverable Information
- description: "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_ra_5_4
+title: RA-5(4) Discoverable Information
+description: "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
index 761ee3495..1513515e2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_ra_5_a
- title: RA-5(a)
- description: "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_ra_5_a
+title: RA-5(a)
+description: "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
index 402e666a1..96846c8ac 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
@@ -1,21 +1,25 @@
+id: aws_nist_800_53_rev_5_sa
+title: System and Services Acquisition (SA)
+description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
+section-code: sa
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sa
- title: System and Services Acquisition (SA)
- description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
- section-code: sa
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sa_1
- - id: aws_nist_800_53_rev_5_sa_9
- - id: aws_nist_800_53_rev_5_sa_10
- - id: aws_nist_800_53_rev_5_sa_15
+- id: aws_nist_800_53_rev_5_sa_1
+ type: ""
+- id: aws_nist_800_53_rev_5_sa_9
+ type: ""
+- id: aws_nist_800_53_rev_5_sa_10
+ type: ""
+- id: aws_nist_800_53_rev_5_sa_15
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
index 8294edc80..4cf985682 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sa_1
+title: Policy And Procedures (SA-1)
+description: "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sa_1
- title: Policy And Procedures (SA-1)
- description: "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sa_1_1
+- id: aws_nist_800_53_rev_5_sa_1_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml
index bdb284b13..5a372e6b4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml 
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sa_10
+title: Developer Configuration Management (SA-10)
+description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sa_10
- title: Developer Configuration Management (SA-10)
- description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sa_10_1
+- id: aws_nist_800_53_rev_5_sa_10_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
index 621320849..5fb978498 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_sa_10_1
- title: SA-10(1) Software And Firmware Integrity Verification
- description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
+id: aws_nist_800_53_rev_5_sa_10_1
+title: SA-10(1) Software And Firmware Integrity Verification
+description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml
index 4d4d9072e..21064c941 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml 
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sa_15
+title: Development Process, Standards, And Tools (SA-15)
+description: "a.\u2003Require the developer of the system, system component, or system service to follow a documented development process that: 1.\u2003Explicitly addresses security and privacy requirements; 2.\u2003Identifies the standards and tools used in the development process; 3.\u2003Documents the specific tool options and tool configurations used in the development process; and 4.\u2003Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b.\u2003Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]."
+section-code: "15"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sa_15
- title: Development Process, Standards, And Tools (SA-15)
- description: "a.\u2003Require the developer of the system, system component, or system service to follow a documented development process that: 1.\u2003Explicitly addresses security and privacy requirements; 2.\u2003Identifies the standards and tools used in the development process; 3.\u2003Documents the specific tool options and tool configurations used in the development process; and 4.\u2003Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b.\u2003Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]."
- section-code: "15"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sa_15_a_4
+- id: aws_nist_800_53_rev_5_sa_15_a_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
index 23f110b12..0d7b147a9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_sa_15_a_4
- title: SA-15(a)(4)
- description: "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development."
- section-code: a_4
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_rds_db_instance_deletion_protection_enabled
+id: aws_nist_800_53_rev_5_sa_15_a_4
+title: SA-15(a)(4)
+description: "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development."
+section-code: a_4
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_rds_db_instance_deletion_protection_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
index dd19e2993..886ba3db3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_sa_1_1
- title: SA-1(1)
- description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
+id: aws_nist_800_53_rev_5_sa_1_1
+title: SA-1(1)
+description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
index 7a9c7e04c..e1c21a57e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
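Review bot: `title: SA-1(1)` on the new side pairs an SA-1 enhancement identifier with the SA-10(1) control statement and the CloudTrail log-file validation check, and as far as I can tell SA-1 (Policy and Procedures) defines no control enhancements in 800-53 Rev 5, so this node evidences a control that does not exist in the framework being mapped. The same check is already attached to sa_10_1 earlier in this diff, where it belongs, so the node here (and the reference to it in the sa_1 hunk) looks like it should either be removed or retitled to whatever SA-1 requirement it is actually meant to support. Consider leaving a comment on the file such as `# SA-1 has no enhancements in Rev 5; mapping kept for parity with sa_10_1 — confirm intent` if it is deliberately retained.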
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sa_9
+title: External System Services (SA-9)
+description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sa_9
- title: External System Services (SA-9)
- description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sa_9_6
+- id: aws_nist_800_53_rev_5_sa_9_6
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
index 3c7b35dad..d96d661af 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_sa_9_6
- title: SA-9(6) Organization-Controlled Cryptographic Keys
- description: Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
- controls:
- - aws_kms_key_not_pending_deletion
- - aws_kms_cmk_rotation_enabled
+id: aws_nist_800_53_rev_5_sa_9_6
+title: SA-9(6) Organization-Controlled Cryptographic Keys
+description: Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+controls:
+- aws_kms_key_not_pending_deletion
+- aws_kms_cmk_rotation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
index b1b8e626a..138d9f662 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
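Review bot: The two checks kept under `controls:` on the new side, `aws_kms_key_not_pending_deletion` and `aws_kms_cmk_rotation_enabled`, do not evidence the SA-9(6) statement in the `description` ("Maintain exclusive control of cryptographic keys…"): both pass for AWS-managed keys as well as customer-managed ones, so an account whose encrypted material is entirely under provider-managed keys would still report ok. If the repository has a control that distinguishes customer-managed from AWS-managed KMS keys it belongs here; if not, a comment like `# NOTE: rotation/pending-deletion checks do not establish exclusive (customer) control of the key material` would stop the mapping from being read as stronger than it is. The sc_12_6 hunk later in this diff ("Physical Control Of Keys") uses the same two checks and has the same gap.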
@@ -1,30 +1,43 @@
+id: aws_nist_800_53_rev_5_sc
+title: System and Communications Protection (SC)
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: sc
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc
- title: System and Communications Protection (SC)
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: sc
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_5
- - id: aws_nist_800_53_rev_5_sc_6
- - id: aws_nist_800_53_rev_5_sc_7
- - id: aws_nist_800_53_rev_5_sc_8
- - id: aws_nist_800_53_rev_5_sc_12
- - id: aws_nist_800_53_rev_5_sc_13
- - id: aws_nist_800_53_rev_5_sc_16
- - id: aws_nist_800_53_rev_5_sc_22
- - id: aws_nist_800_53_rev_5_sc_23
- - id: aws_nist_800_53_rev_5_sc_25
- - id: aws_nist_800_53_rev_5_sc_28
- - id: aws_nist_800_53_rev_5_sc_36
- - id: aws_nist_800_53_rev_5_sc_43
+- id: aws_nist_800_53_rev_5_sc_5
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_6
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_7
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_8
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_12
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_13
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_16
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_22
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_23
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_25
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_28
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_36
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_43
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
index 4e6700a14..852800e2b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
@@ -1,22 +1,24 @@
+id: aws_nist_800_53_rev_5_sc_12
+title: Cryptographic Key Establishment And Management (SC-12)
+description: "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_12
- title: Cryptographic Key Establishment And Management (SC-12)
- description: "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_12_2
- - id: aws_nist_800_53_rev_5_sc_12_6
- controls:
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+- id: aws_nist_800_53_rev_5_sc_12_2
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_12_6
+ type: ""
+controls:
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
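Review bot: The top-level `controls:` list that closes the sc_12 hunk (`aws_kms_cmk_rotation_enabled`, `aws_kms_key_not_pending_deletion`) is exactly the list each of its two children, sc_12_2 and sc_12_6, declares in their own hunks, so if the framework rolls child results up into the parent these two checks are evaluated and reported three times under SC-12. Unless the loader de-duplicates controls across a subtree, one level is redundant; keeping them on the children and leaving the parent as a pure group is the smaller change. Whether double-counting actually occurs depends on the aggregation code, which is outside this diff.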
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
index 9ccbc740c..3f6d5a81a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_12_2
- title: SC-12(2) Symmetric Keys
- description: "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
- controls:
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_nist_800_53_rev_5_sc_12_2
+title: SC-12(2) Symmetric Keys
+description: "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+controls:
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml
index 61b18c287..5a34fe365 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_12_6
- title: SC-12(6) Physical Control Of Keys
- description: Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
- controls:
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
+id: aws_nist_800_53_rev_5_sc_12_6
+title: SC-12(6) Physical Control Of Keys
+description: Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+controls:
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml
index c271fd5cf..fb3003085 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sc_13
+title: Cryptographic Protection (SC-13)
+description: "a.\u2003Determine the [Assignment: organization-defined cryptographic uses]; and b.\u2003Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_13
- title: Cryptographic Protection (SC-13)
- description: "a.\u2003Determine the [Assignment: organization-defined cryptographic uses]; and b.\u2003Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."
- section-code: "13"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_13_a
+- id: aws_nist_800_53_rev_5_sc_13_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml
index 740621d50..e7a7f5903 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml
@@ -1,42 +1,42 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_13_a
- title: SC-13(a)
- description: "Determine the [Assignment: organization-defined cryptographic uses]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_5_sc_13_a
+title: SC-13(a)
+description: "Determine the [Assignment: organization-defined cryptographic uses]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml
index a2ecbb519..d6c538802 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sc_16
+title: Transmission Of Security And Privacy Attributes (SC-16)
+description: "Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components."
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_16
- title: Transmission Of Security And Privacy Attributes (SC-16)
- description: "Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components."
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_16_1
+- id: aws_nist_800_53_rev_5_sc_16_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml
index 36a15b548..72fdc5b7f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml
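Review bot: The child reference added under `control-group:` carries `type: ""`, an empty string, while the parent document itself is typed `type: control-group`; if the loader dispatches on `type`, an empty value is either silently defaulted or rejected, and nothing in the hunk shows which. Either drop the key on references so the loader's default applies, or give it the concrete value, e.g. `- id: aws_nist_800_53_rev_5_sc_16_1` followed by `  type: control-group`. The same empty `type` is introduced in the sc_23, sc_28, sc_36, sc_43, sc_5 and sc_5_3 hunks below, so whichever convention is chosen should be applied to all of them in one pass.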
@@ -1,21 +1,21 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_16_1
- title: SC-16(1) Integrity Verification
- description: Verify the integrity of transmitted security and privacy attributes.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
+id: aws_nist_800_53_rev_5_sc_16_1
+title: SC-16(1) Integrity Verification
+description: Verify the integrity of transmitted security and privacy attributes.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_trail_validation_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml
index d2257dc26..07046ff0a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_22
- title: Architecture And Provisioning For Name/Address Resolution Service (SC-22)
- description: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
- section-code: "22"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_sc_22
+title: Architecture And Provisioning For Name/Address Resolution Service (SC-22)
+description: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
+section-code: "22"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml
index 0fbea52e7..8ecf75e60 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml
@@ -1,27 +1,29 @@
+id: aws_nist_800_53_rev_5_sc_23
+title: Session Authenticity (SC-23)
+description: Protect the authenticity of communications sessions.
+section-code: "23"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_23
- title: Session Authenticity (SC-23)
- description: Protect the authenticity of communications sessions.
- section-code: "23"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_23_3
- - id: aws_nist_800_53_rev_5_sc_23_5
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+- id: aws_nist_800_53_rev_5_sc_23_3
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_23_5
+ type: ""
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml
index 7f0181faa..ea830844f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml
@@ -1,33 +1,33 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_23_3
- title: SC-23(3) Unique System-Generated Session Identifiers
- description: "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
+id: aws_nist_800_53_rev_5_sc_23_3
+title: SC-23(3) Unique System-Generated Session Identifiers
+description: "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_uses_imdsv2
+- aws_iam_account_password_policy_min_length_14
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
+- aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml
index f38b0f558..07a2cb39c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_23_5
- title: SC-23(5) Allowed Certificate Authorities
- description: "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/ELB
- type:
- - Benchmark
- controls:
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
+id: aws_nist_800_53_rev_5_sc_23_5
+title: SC-23(5) Allowed Certificate Authorities
+description: "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/ELB
+ type:
+ - Benchmark
+controls:
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml
index 6919cb2aa..38dc02c22 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml
@@ -1,37 +1,37 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_25
- title: Thin Nodes (SC-25)
- description: "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]."
- section-code: "25"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_sc_25
+title: Thin Nodes (SC-25)
+description: "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]."
+section-code: "25"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml
index 19425fb61..179ea49d4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_sc_28
+title: Protection Of Information At Rest (SC-28)
+description: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]."
+section-code: "28"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_28
- title: Protection Of Information At Rest (SC-28)
- description: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]."
- section-code: "28"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_28_1
- - id: aws_nist_800_53_rev_5_sc_28_2
+- id: aws_nist_800_53_rev_5_sc_28_1
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_28_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml
index 8e97c6445..d731f4345 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_28_1
- title: SC-28(1) Cryptographic Protection
- description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_5_sc_28_1
+title: SC-28(1) Cryptographic Protection
+description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml
index 7bbca8164..e5f194d03 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_28_2
- title: SC-28(2) Offline Storage
- description: "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_nist_800_53_rev_5_sc_28_2
+title: SC-28(2) Offline Storage
+description: "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml
index fd28206e9..2af8c5a38 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml
@@ -1,23 +1,24 @@
+id: aws_nist_800_53_rev_5_sc_36
+title: Distributed Processing And Storage (SC-36)
+description: "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]."
+section-code: "36"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_36
- title: Distributed Processing And Storage (SC-36)
- description: "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]."
- section-code: "36"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_36_1_a
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
+- id: aws_nist_800_53_rev_5_sc_36_1_a
+ type: ""
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml
index 1d4d79b63..43b7dce7e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_36_1_a
- title: SC-36(1)(a)
- description: "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]."
- section-code: 1_a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+id: aws_nist_800_53_rev_5_sc_36_1_a
+title: SC-36(1)(a)
+description: "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]."
+section-code: 1_a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_cloudwatch_alarm_action_enabled
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_lambda_function_dead_letter_queue_configured
+- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml
index 02d446ab9..49301e636 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_sc_43
+title: Usage Restrictions (SC-43)
+description: "a.\u2003Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b.\u2003Authorize, monitor, and control the use of such components within the system."
+section-code: "43"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_43
- title: Usage Restrictions (SC-43)
- description: "a.\u2003Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b.\u2003Authorize, monitor, and control the use of such components within the system."
- section-code: "43"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_43_b
+- id: aws_nist_800_53_rev_5_sc_43_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
index fb3e6301d..84d3fcc89 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_43_b
- title: SC-43(b)
- description: Authorize, monitor, and control the use of such components within the system.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_sc_43_b
+title: SC-43(b)
+description: Authorize, monitor, and control the use of such components within the system.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
index 72c11f30a..9a7832d74 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
@@ -1,22 +1,27 @@
+id: aws_nist_800_53_rev_5_sc_5
+title: Denial Of Service Protection (SC-5)
+description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_5
- title: Denial Of Service Protection (SC-5)
- description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_5_1
- - id: aws_nist_800_53_rev_5_sc_5_2
- - id: aws_nist_800_53_rev_5_sc_5_3
- - id: aws_nist_800_53_rev_5_sc_5_a
- - id: aws_nist_800_53_rev_5_sc_5_b
+- id: aws_nist_800_53_rev_5_sc_5_1
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_5_2
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_5_3
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_5_a
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_5_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
index 0ae617387..c07bd9ed5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_5_1
- title: SC-5(1) Restrict Ability TO Attack Other Systems
- description: "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_sc_5_1
+title: SC-5(1) Restrict Ability TO Attack Other Systems
+description: "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
index 80bbca121..1250b6539 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
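Review bot: The rewritten `title` line keeps `Restrict Ability TO Attack Other Systems`, where `TO` is upper-cased unlike every other title in these hunks (`Transmission Of Security And Privacy Attributes`, `Denial Of Service Protection`) and unlike the NIST control name; since the title is user-facing text in reports, this is the moment to fix it. Suggested line: `title: SC-5(1) Restrict Ability To Attack Other Systems`.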
@@ -1,35 +1,35 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_5_2
- title: SC-5(2) Capacity, Bandwidth, And Redundancy
- description: Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+id: aws_nist_800_53_rev_5_sc_5_2
+title: SC-5(2) Capacity, Bandwidth, And Redundancy
+description: Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_auto_scaling_enabled
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_ec2_instance_ebs_optimized
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_elb_application_lb_deletion_protection_enabled
+- aws_elb_classic_lb_cross_zone_load_balancing_enabled
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_deletion_protection_enabled
+- aws_rds_db_instance_multiple_az_enabled
+- aws_rds_db_instance_protected_by_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_redshift_cluster_maintenance_settings_check
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
+- aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
index 1991d5d1d..879a8460b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_sc_5_3
+title: SC-5(3) Detection And Monitoring
+description: "a.\u2003Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b.\u2003Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_5_3
- title: SC-5(3) Detection And Monitoring
- description: "a.\u2003Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b.\u2003Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_5_3_a
- - id: aws_nist_800_53_rev_5_sc_5_3_b
+- id: aws_nist_800_53_rev_5_sc_5_3_a
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_5_3_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
index d80503625..95022fe21 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_5_3_a - title: SC-5(3)(a) - description: "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_sc_5_3_a +title: SC-5(3)(a) +description: "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml index 8aa6da4cd..76e9bdea5 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_5_3_b - title: SC-5(3)(b) - description: "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_sc_5_3_b +title: SC-5(3)(b) +description: "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml index 5030fc435..e14ece71a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml 
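Review bot: SC-5(3)(b) asks for monitoring of system resources to confirm enough capacity exists to withstand a denial of service, but the only control mapped is `aws_guardduty_enabled`, which is threat detection and says nothing about resource headroom. The capacity-oriented controls this change already uses for SC-6 — `aws_dynamodb_table_auto_scaling_enabled`, `aws_autoscaling_group_with_lb_use_health_check`, `aws_lambda_function_concurrent_execution_limit_configured` — are a closer fit and could be added alongside it. As written, an account with GuardDuty on and no scaling or alarms reports this enhancement as satisfied.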
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_5_a - title: SC-5(a) - description: "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_sc_5_a +title: SC-5(a) +description: "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml index 722d5e36f..ab7975310 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml 
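Review bot: SC-5(a) requires protecting against or limiting the effects of denial-of-service events, and `aws_guardduty_enabled` only detects them after the fact, so a passing result here overstates coverage. The mitigation side (Shield, WAF rate-based rules, autoscaling or concurrency limits) is what this sub-control should evidence; the `service` tag `AWS/GuardDuty` makes the detection-only nature of the current mapping easy to miss. If no mitigation control exists in the catalog yet, a short note in `description` or a TODO in the file would make the gap visible to whoever reads the report.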
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_5_b - title: SC-5(b) - description: "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_sc_5_b +title: SC-5(b) +description: "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml index c5c075f99..9f44804bf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_6 - title: Resource Availability (SC-6) - description: "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]." - section-code: "6" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_dynamodb_table_auto_scaling_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_rds_db_instance_multiple_az_enabled - - aws_vpc_vpn_tunnel_up +id: aws_nist_800_53_rev_5_sc_6 +title: Resource Availability (SC-6) +description: "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]." +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_dynamodb_table_auto_scaling_enabled +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_rds_db_instance_multiple_az_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml index 26490a00f..88dbe0f2a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml 
@@ -1,36 +1,55 @@ +id: aws_nist_800_53_rev_5_sc_7 +title: Boundary Protection (SC-7) +description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_sc_7 - title: Boundary Protection (SC-7) - description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." 
- section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_sc_7_2 - - id: aws_nist_800_53_rev_5_sc_7_3 - - id: aws_nist_800_53_rev_5_sc_7_4 - - id: aws_nist_800_53_rev_5_sc_7_5 - - id: aws_nist_800_53_rev_5_sc_7_7 - - id: aws_nist_800_53_rev_5_sc_7_9 - - id: aws_nist_800_53_rev_5_sc_7_11 - - id: aws_nist_800_53_rev_5_sc_7_12 - - id: aws_nist_800_53_rev_5_sc_7_16 - - id: aws_nist_800_53_rev_5_sc_7_20 - - id: aws_nist_800_53_rev_5_sc_7_21 - - id: aws_nist_800_53_rev_5_sc_7_24 - - id: aws_nist_800_53_rev_5_sc_7_25 - - id: aws_nist_800_53_rev_5_sc_7_26 - - id: aws_nist_800_53_rev_5_sc_7_27 - - id: aws_nist_800_53_rev_5_sc_7_28 - - id: aws_nist_800_53_rev_5_sc_7_a - - id: aws_nist_800_53_rev_5_sc_7_b - - id: aws_nist_800_53_rev_5_sc_7_c +- id: aws_nist_800_53_rev_5_sc_7_2 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_3 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_4 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_5 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_7 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_9 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_11 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_12 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_16 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_20 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_21 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_24 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_25 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_26 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_27 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_28 + type: "" +- id: aws_nist_800_53_rev_5_sc_7_a + type: "" +- id: aws_nist_800_53_rev_5_sc_7_b + type: "" +- id: aws_nist_800_53_rev_5_sc_7_c + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml index 24fb27415..5f0ec92fc 100755 
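Review bot: The `description` carried onto the new side reads like the Rev 4 wording of SC-7 ("The information system: a. Monitors and controls ... c. Connects to external networks or information systems ... organizational security architecture"), whereas, as far as I recall, Rev 5 rephrases it as imperatives, refers to managed interfaces in (a) and to a "security and privacy architecture" in (c); since this is the `nist_800_53_rev_5` framework, the text should be checked against the Rev 5 catalog before the flattened file is merged. Separately, all nineteen child references receive `type: ""`; an explicit `type: control-group` (or omitting the key) would let a schema check reject a broken reference instead of passing an empty string through.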
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml 
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_11 - title: SC-7(11) Restrict Incoming communications Traffic - description: "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]." - section-code: "11" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_11 +title: SC-7(11) Restrict Incoming communications Traffic +description: "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]." 
+section-code: "11" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml index 02a0da7f7..0f3eafcc5 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml 
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_12 - title: SC-7(12) Host-Based Protection - description: "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]." - section-code: "12" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_12 +title: SC-7(12) Host-Based Protection +description: "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]." 
+section-code: "12" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml index 1bc6f078b..d4ec4e491 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml 
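Review bot: `aws_acm_certificate_expires_30_days` is mapped under SC-7(12) Host-Based Protection, but certificate expiry is a TLS-hygiene check and does not implement a host-based boundary protection mechanism, so it should probably be removed from this list (it is absent from the otherwise identical SC-7(11) list). Conversely SC-7(11) includes `aws_s3_public_access_block_bucket` while this file stops at `aws_s3_public_access_block_account`; if the omission is deliberate, a one-line `#` comment saying so would stop the next reformat from "fixing" it. The mapping is inherited, but the new side is what now gets loaded.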
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_16 - title: SC-7(16) Prevent Discovery Of System Components - description: Prevent the discovery of specific system components that represent a managed interface. - section-code: "16" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_16 +title: SC-7(16) Prevent Discovery Of System Components +description: Prevent the discovery of specific system components that represent a managed interface. 
+section-code: "16" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_acm_certificate_expires_30_days +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml index 2d090e027..e68371c26 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml 
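Review bot: SC-7(16) Prevent Discovery of System Components again lists `aws_acm_certificate_expires_30_days`, which has no bearing on whether a managed interface can be discovered; an expiring certificate neither hides nor exposes a component. The rest of the list (no public IPs, VPC placement, public-access blocks, restrictive security groups) is reasonable evidence for this enhancement, so removing the ACM entry tightens the mapping without losing coverage.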
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_2 - title: SC-7(2) Public Access - description: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_2 +title: SC-7(2) Public Access +description: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." 
+section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml index 551b115aa..875c79ec2 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml 
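Review bot: The title `SC-7(2) Public Access` does not match the `description` "Provide the capability to dynamically isolate [...] from other system components", which, if I recall the Rev 5 catalog correctly, is the text of SC-7(20) Dynamic Isolation and Segregation; SC-7(2) itself was withdrawn into the base SC-7 control in Rev 5. Either this file should mark SC-7(2) as withdrawn (and its mapped controls move to SC-7 or SC-7(11)), or its title should become `title: SC-7(20) Dynamic Isolation And Segregation` with the id and `section-code: "2"` corrected to match. Please verify against the Rev 5 text before merging the flattened version.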
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_20 - title: SC-7(20) Prevent Discovery Of System Components - description: Prevent the discovery of specific system components that represent a managed interface. - section-code: "20" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_20 +title: SC-7(20) Prevent Discovery Of System Components +description: Prevent the discovery of specific system components that represent a managed interface. 
+section-code: "20" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml index 76f32ac0a..134588a71 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml 
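Review bot: This file's title and description ("SC-7(20) Prevent Discovery Of System Components" / "Prevent the discovery of specific system components that represent a managed interface") duplicate SC-7(16) word for word, so SC-7(16) and SC-7(20) now report identical evidence for the same requirement. In Rev 5, SC-7(20) is Dynamic Isolation and Segregation ("Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components"), which is the description currently attached to the sc_7_2 file; the two appear to have been swapped. Suggest `title: SC-7(20) Dynamic Isolation And Segregation` with the matching description here, and re-evaluating the controls list against isolation rather than discovery.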
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_21 - title: SC-7(21) Isolation Of System Components - description: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." - section-code: "21" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_21 +title: SC-7(21) Isolation Of System Components +description: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." 
+section-code: "21" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml index 99e0fd3e0..22915b3f7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_sc_7_24 +title: SC-7(24) Personally Identifiable Information +description: "For systems that process personally identifiable information: a.\u2003Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b.\u2003Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c.\u2003Document each processing exception; and d.\u2003Review and remove exceptions that are no longer supported." +section-code: "24" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_sc_7_24 - title: SC-7(24) Personally Identifiable Information - description: "For systems that process personally identifiable information: a.\u2003Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b.\u2003Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c.\u2003Document each processing exception; and d.\u2003Review and remove exceptions that are no longer supported." - section-code: "24" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_sc_7_24_b +- id: aws_nist_800_53_rev_5_sc_7_24_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml index eabf8b3b6..b0e7548c7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml 
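Review bot: The `description` string is missing the separator before item b — `processing rules];b.\u2003Monitor` — which renders as `...rules];b.` in reports, unlike the `; c.` and `; and d.` items in the same string; `processing rules]; b.\u2003Monitor` would be consistent. The single child reference also carries `type: ""`, which should be `control-group` or omitted so that a schema check can validate the reference kind instead of accepting an empty placeholder.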
@@ -1,38 +1,38 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_24_b - title: SC-7(24)(b) - description: "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_24_b +title: SC-7(24)(b) +description: "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system." 
+section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml index 315b1c062..699d2e04f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_25 - title: SC-7(25) Unclassified National Security System Connections - description: "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." - section-code: "25" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_25 +title: SC-7(25) Unclassified National Security System Connections +description: "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+section-code: "25" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml index 7d776e9c6..423f9bf97 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_26 - title: SC-7(26) Classified National Security System Connections - description: "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." - section-code: "26" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_26 +title: SC-7(26) Classified National Security System Connections +description: "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+section-code: "26" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml index f61920075..9ffe507b4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_27 - title: SC-7(27) Unclassified Non-National Security System Connections - description: "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." - section-code: "27" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_27 +title: SC-7(27) Unclassified Non-National Security System Connections +description: "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+section-code: "27" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml index 179583098..322a7d0e4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_28 - title: SC-7(28) Connections To Public Networks - description: "Prohibit the direct connection of [Assignment: organization-defined system] to a public network." - section-code: "28" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_28 +title: SC-7(28) Connections To Public Networks +description: "Prohibit the direct connection of [Assignment: organization-defined system] to a public network." 
+section-code: "28" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml index bc41bc5c4..e4472abfe 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_3 - title: SC-7(3) Access Points - description: Limit the number of external network connections to the system. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_3 +title: SC-7(3) Access Points +description: Limit the number of external network connections to the system. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml index 16d8e7da7..d40da3cda 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_sc_7_4 +title: SC-7(4) External Telecommunications Services +description: "a.\u2003Implement a managed interface for each external telecommunication service; b.\u2003Establish a traffic flow policy for each managed interface; c.\u2003Protect the confidentiality and integrity of the information being transmitted across each interface; d.\u2003Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e.\u2003Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f.\u2003Prevent unauthorized exchange of control plane traffic with external networks; g.\u2003Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h.\u2003Filter unauthorized control plane traffic from external networks." +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_sc_7_4 - title: SC-7(4) External Telecommunications Services - description: "a.\u2003Implement a managed interface for each external telecommunication service; b.\u2003Establish a traffic flow policy for each managed interface; c.\u2003Protect the confidentiality and integrity of the information being transmitted across each interface; d.\u2003Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e.\u2003Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f.\u2003Prevent unauthorized exchange of control plane traffic with external networks; g.\u2003Publish information to enable remote networks to 
detect unauthorized control plane traffic from internal networks; and h.\u2003Filter unauthorized control plane traffic from external networks." - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_sc_7_4_b - - id: aws_nist_800_53_rev_5_sc_7_4_g +- id: aws_nist_800_53_rev_5_sc_7_4_b + type: "" +- id: aws_nist_800_53_rev_5_sc_7_4_g + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml index 02497a493..2f17669a4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_4_b - title: SC-7(4)(b) - description: Establish a traffic flow policy for each managed interface. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_nist_800_53_rev_5_sc_7_4_b +title: SC-7(4)(b) +description: Establish a traffic flow policy for each managed interface. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml index f2629d980..2dd5600ee 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_4_g - title: SC-7(4)(g) - description: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks. - section-code: g - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_nist_800_53_rev_5_sc_7_4_g +title: SC-7(4)(g) +description: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks. +section-code: g +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml index 96e8d2747..f8d051b1e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_5 - title: SC-7(5) Deny By Default — Allow By Exception - description: "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]." - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all +id: aws_nist_800_53_rev_5_sc_7_5 +title: SC-7(5) Deny By Default — Allow By Exception +description: "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]." +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_elb_classic_lb_use_ssl_certificate +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml index 806d763f6..f1fb27b1a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: aws_nist_800_53_rev_5_sc_7_7 - title: SC-7(7) Split Tunneling For Remote Devices - description: "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]." - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_nist_800_53_rev_5_sc_7_7 +title: SC-7(7) Split Tunneling For Remote Devices +description: "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]." 
+section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_emr_cluster_master_nodes_no_public_ip +- aws_lambda_function_restrict_public_access +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_s3_public_access_block_bucket +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml index 0b1a8e698..d19ee78f8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml 
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_sc_7_9
+title: SC-7(9) Restrict Threatening Outgoing Communications Traffic
+description: a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. Audit the identity of internal users associated with denied communications.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_7_9
- title: SC-7(9) Restrict Threatening Outgoing Communications Traffic
- description: a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. Audit the identity of internal users associated with denied communications.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_7_9_a
- - id: aws_nist_800_53_rev_5_sc_7_9_b
+- id: aws_nist_800_53_rev_5_sc_7_9_a
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_7_9_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
index 20e599a3d..68244d11d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
@@ -1,34 +1,34 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_7_9_a
- title: SC-7(9)(a)
- description: Detect and deny outgoing communications traffic posing a threat to external systems.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_sc_7_9_a
+title: SC-7(9)(a)
+description: Detect and deny outgoing communications traffic posing a threat to external systems.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
index 199813a4e..ec86b05fe 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
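Review bot: The `controls` list kept for SC-7(9)(a) is made up entirely of inbound-exposure and VPC-placement checks (public-access prohibitions, public-IP and in-VPC checks), while the requirement the file's own `description` states is to detect and deny outgoing traffic; nothing in the list evaluates egress rules or outbound traffic logging. This mapping is carried over unchanged, but since the commit rewrites the file it is the natural place to either narrow the list to controls that bear on egress or record why these checks are accepted as evidence, e.g. a comment above `controls:` such as `# Mapped to ingress/exposure controls pending egress-specific checks; see SC-7(9)(b) for audit coverage`. Whether the catalog has an egress-focused control to add cannot be told from this diff.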
@@ -1,27 +1,27 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_7_9_b
- title: SC-7(9)(b)
- description: Audit the identity of internal users associated with denied communications.
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_sc_7_9_b
+title: SC-7(9)(b)
+description: Audit the identity of internal users associated with denied communications.
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
index 688c09461..0068209a5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_7_a
- title: SC-7(a)
- description: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_sc_7_a
+title: SC-7(a)
+description: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
index 4a2a099c3..f96c29c83 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
@@ -1,35 +1,35 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_7_b
- title: SC-7(b)
- description: "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_sc_7_b
+title: SC-7(b)
+description: "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_enhanced_vpc_routing_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
index 1fe2bc8a5..3813bc95a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_7_c
- title: SC-7(c)
- description: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
- section-code: c
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_nist_800_53_rev_5_sc_7_c
+title: SC-7(c)
+description: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+section-code: c
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_account
+- aws_s3_public_access_block_bucket
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
index 5a9e96f36..a2277c104 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
@@ -1,30 +1,35 @@
+id: aws_nist_800_53_rev_5_sc_8
+title: Transmission Confidentiality And Integrity (SC-8)
+description: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_sc_8
- title: Transmission Confidentiality And Integrity (SC-8)
- description: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_sc_8_1
- - id: aws_nist_800_53_rev_5_sc_8_2
- - id: aws_nist_800_53_rev_5_sc_8_3
- - id: aws_nist_800_53_rev_5_sc_8_4
- - id: aws_nist_800_53_rev_5_sc_8_5
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+- id: aws_nist_800_53_rev_5_sc_8_1
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_8_2
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_8_3
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_8_4
+ type: ""
+- id: aws_nist_800_53_rev_5_sc_8_5
+ type: ""
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
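Review bot: The parent SC-8 `controls` list rewritten here omits `aws_elb_application_network_lb_use_ssl_certificate`, which the SC-8(1) enhancement in the next hunk does include, while otherwise matching SC-8(1)'s list line for line; a reader cannot tell whether the parent is meant to aggregate its enhancements or to be intentionally narrower. If the parent is meant to cover the same transmission-protection evidence, adding `- aws_elb_application_network_lb_use_ssl_certificate` after `- aws_elb_application_lb_redirect_http_request_to_https` keeps the two consistent; if the omission is deliberate, a one-line comment above `controls:` saying so would stop it being "fixed" later. This is carried over from the old file rather than introduced by the commit.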
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
index 7a9633945..7551663e2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_8_1
- title: SC-8(1) Cryptographic Protection
- description: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_sc_8_1
+title: SC-8(1) Cryptographic Protection
+description: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
index 2a229b569..dfeb93e81 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_8_2
- title: SC-8(2) Pre- And Post-Transmission Handling
- description: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_sc_8_2
+title: SC-8(2) Pre- And Post-Transmission Handling
+description: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml
index ea37471bc..2aebadb0a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml 
@@ -1,42 +1,42 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_8_3
- title: SC-8(3) Cryptographic Protection For Message Externals
- description: "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_5_sc_8_3
+title: SC-8(3) Cryptographic Protection For Message Externals
+description: "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
index c94948ae6..e04b671b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
@@ -1,42 +1,42 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_8_4
- title: SC-8(4) Conceal Or Ramdomize Communications
- description: "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
+id: aws_nist_800_53_rev_5_sc_8_4
+title: SC-8(4) Conceal Or Ramdomize Communications
+description: "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
index ad4af6442..282c46c8c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
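Review bot: The rewritten `title` for SC-8(4) still reads "Conceal Or Ramdomize Communications"; the typo is carried over from the old line rather than introduced here, but since the whole file is being regenerated this is the moment to correct it to `title: SC-8(4) Conceal Or Randomize Communications`, which also matches the wording the file's own `description` uses. Titles in these framework files are presumably what reports and dashboards display, so the misspelling is user-visible.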
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_sc_8_5
- title: SC-8(5) Protected Distribution System
- description: "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_nist_800_53_rev_5_sc_8_5
+title: SC-8(5) Protected Distribution System
+description: "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
index a2dd5e0e3..e666e71b2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
@@ -1,27 +1,37 @@
+id: aws_nist_800_53_rev_5_si
+title: System and Information integrity (SI)
+description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+section-code: si
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_si
- title: System and Information integrity (SI)
- description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
- section-code: si
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_si_1
- - id: aws_nist_800_53_rev_5_si_2
- - id: aws_nist_800_53_rev_5_si_3
- - id: aws_nist_800_53_rev_5_si_4
- - id: aws_nist_800_53_rev_5_si_5
- - id: aws_nist_800_53_rev_5_si_7
- - id: aws_nist_800_53_rev_5_si_10
- - id: aws_nist_800_53_rev_5_si_12
- - id: aws_nist_800_53_rev_5_si_13
- - id: aws_nist_800_53_rev_5_si_19
+- id: aws_nist_800_53_rev_5_si_1
+ type: ""
+- id: aws_nist_800_53_rev_5_si_2
+ type: ""
+- id: aws_nist_800_53_rev_5_si_3
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4
+ type: ""
+- id: aws_nist_800_53_rev_5_si_5
+ type: ""
+- id: aws_nist_800_53_rev_5_si_7
+ type: ""
+- id: aws_nist_800_53_rev_5_si_10
+ type: ""
+- id: aws_nist_800_53_rev_5_si_12
+ type: ""
+- id: aws_nist_800_53_rev_5_si_13
+ type: ""
+- id: aws_nist_800_53_rev_5_si_19
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
index 35770e78d..da837523f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
@@ -1,20 +1,23 @@ +id: aws_nist_800_53_rev_5_si_1 +title: Policy And Procedures (SI-1) +description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c.\u2003Review and update the current system and information integrity: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." 
+section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_1 - title: Policy And Procedures (SI-1) - description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c.\u2003Review and update the current system and information integrity: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_1_1_c - - id: aws_nist_800_53_rev_5_si_1_a_2 - - id: aws_nist_800_53_rev_5_si_1_c_2 +- id: aws_nist_800_53_rev_5_si_1_1_c + type: "" +- id: aws_nist_800_53_rev_5_si_1_a_2 + type: "" +- id: aws_nist_800_53_rev_5_si_1_c_2 + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml index 4c9a03e3f..f6777cfb4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml @@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_si_10 +title: Information Input Validation (SI-10) +description: "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]." +section-code: "10" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_10 - title: Information Input Validation (SI-10) - description: "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]." - section-code: "10" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_10_1 +- id: aws_nist_800_53_rev_5_si_10_1 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml index 0fd19ad9a..ab4e5a66c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_si_10_1 +title: SI-10(1) Manual Override Capability +description: "a.\u2003Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b.\u2003Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c.\u2003Audit the use of the manual override capability." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_10_1 - title: SI-10(1) Manual Override Capability - description: "a.\u2003Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b.\u2003Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c.\u2003Audit the use of the manual override capability." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_10_1_c +- id: aws_nist_800_53_rev_5_si_10_1_c + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml index afc8b774b..ce86ff067 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_si_10_1_c - title: SI-10(1)(c) - description: Audit the use of the manual override capability. - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled +id: aws_nist_800_53_rev_5_si_10_1_c +title: SI-10(1)(c) +description: Audit the use of the manual override capability. +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml index be0173e5e..30d7dd216 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_12 - title: Information Management and Retention (SI-12) - description: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. - section-code: "12" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark - controls: - - aws_cloudwatch_log_group_retention_period_365 +id: aws_nist_800_53_rev_5_si_12 +title: Information Management and Retention (SI-12) +description: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. +section-code: "12" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark +controls: +- aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml index af388b279..6c442e432 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml 
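Review bot: The `service:` tag is `AWS/CloudWatch` here while every other group in this diff tags `AWS`, and the restructure kept that difference without comment. If the tag is meant to reflect the single CloudWatch control in the list it is fine, but a grouping that is filtered by service tag will then treat SI-12 differently from its siblings; either align it to `- AWS` or note why it is service-specific.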
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_si_13 +title: Predictable Failure Prevention (SI-13) +description: "a.\u2003Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b.\u2003Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]." +section-code: "13" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_13 - title: Predictable Failure Prevention (SI-13) - description: "a.\u2003Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b.\u2003Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]." - section-code: "13" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_13_5 +- id: aws_nist_800_53_rev_5_si_13_5 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml index 8c1f858e2..1b8c0690d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml 
@@ -1,32 +1,32 @@ -control-group: - id: aws_nist_800_53_rev_5_si_13_5 - title: SI-13(5) Failover Capability - description: "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system." - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up +id: aws_nist_800_53_rev_5_si_13_5 +title: SI-13(5) Failover Capability +description: "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system." 
+section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_ebs_volume_in_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_deletion_protection_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml index 3925b8082..fa82cd082 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml 
@@ -1,18 +1,19 @@ +id: aws_nist_800_53_rev_5_si_19 +title: De-Identification (SI-19) +description: "a.\u2003Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b.\u2003Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification." +section-code: "19" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_19 - title: De-Identification (SI-19) - description: "a.\u2003Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b.\u2003Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification." - section-code: "19" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_19_4 +- id: aws_nist_800_53_rev_5_si_19_4 + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml index 2ec808f35..6aa06a84b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: aws_nist_800_53_rev_5_si_19_4 - title: SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers - description: Remove, mask, encrypt, hash, or replace direct identifiers in a dataset. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_encrypted_with_kms - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_default_encryption_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk +id: aws_nist_800_53_rev_5_si_19_4 +title: SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers +description: Remove, mask, encrypt, hash, or replace direct identifiers in a dataset. 
+section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dynamodb_table_encrypted_with_kms +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_es_domain_encryption_at_rest_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_logging_enabled +- aws_redshift_cluster_kms_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_default_encryption_enabled +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_secretsmanager_secret_encrypted_with_kms_cmk diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml index b66f1dcb5..b2870bd2e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml 
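Review bot: The new `controls:` list carries both `aws_s3_bucket_default_encryption_enabled_kms` and `aws_s3_bucket_default_encryption_enabled`, so a bucket using SSE-S3 will be scored once as ok and once as alarm for the same property under one section. If the intent is to require KMS for this control, keep only the `_kms` variant; if SSE-S3 is acceptable, keep only the generic one. The list is also no longer in alphabetical order at that pair, which makes such duplicates harder to spot in review.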
@@ -1,24 +1,24 @@ -control-group: - id: aws_nist_800_53_rev_5_si_1_1_c - title: SI-1(1)(c) - description: Audit the use of the manual override capability. - section-code: 1_c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled +id: aws_nist_800_53_rev_5_si_1_1_c +title: SI-1(1)(c) +description: Audit the use of the manual override capability. +section-code: 1_c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml index e628f6357..ed5ce4e18 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml 
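Review bot: The title `SI-1(1)(c)` is paired with the description `Audit the use of the manual override capability.` and the same seven logging controls as `aws_nist_800_53_rev_5_si_10_1_c` in the hunk above, which reads like a copy of the SI-10(1)(c) group under the wrong id. As far as I know SI-1 has no enhancement (1) in Rev 5, so this group probably should not exist or should carry SI-1 text; the restructure preserved it verbatim. Worth confirming against the source control catalogue before the new layout is frozen.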
@@ -1,26 +1,26 @@ -control-group: - id: aws_nist_800_53_rev_5_si_1_a_2 - title: SI-1(a)(2) - description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;." - section-code: a_2 - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_si_1_a_2 +title: SI-1(a)(2) +description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;." +section-code: a_2 +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_cloudtrail_trail_validation_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_versioning_enabled 
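Review bot: The description ends with `controls;.` — a stray semicolon before the period, carried over unchanged; the fix is `...system and information integrity controls.`. Separately, the nine controls listed here (TLS listeners, SSL certificates, S3 SSL enforcement, versioning) are identical to the si_1_c_2 list in the next hunk, and neither SI-1(a)(2) "procedures" nor SI-1(c)(2) "review and update procedures" is obviously evidenced by transport-encryption checks; a short comment stating the intended rationale for the mapping would help, or the list should be revisited.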
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml index 4c2ddf70f..5eb1c5175 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: aws_nist_800_53_rev_5_si_1_c_2 - title: SI-1(c)(2) - description: "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." - section-code: c_2 - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled +id: aws_nist_800_53_rev_5_si_1_c_2 +title: SI-1(c)(2) +description: "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." +section-code: c_2 +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_apigateway_rest_api_stage_use_ssl_certificate +- aws_cloudtrail_trail_validation_enabled +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl +- aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml index 0f1f9817b..5cfc256ed 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml 
@@ -1,22 +1,27 @@ +id: aws_nist_800_53_rev_5_si_2 +title: Flaw Remediation (SI-2) +description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_2 - title: Flaw Remediation (SI-2) - description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_2_2 - - id: aws_nist_800_53_rev_5_si_2_5 - - id: aws_nist_800_53_rev_5_si_2_a - - id: aws_nist_800_53_rev_5_si_2_c - - id: aws_nist_800_53_rev_5_si_2_d +- id: aws_nist_800_53_rev_5_si_2_2 + type: "" +- id: aws_nist_800_53_rev_5_si_2_5 + type: "" +- id: aws_nist_800_53_rev_5_si_2_a + type: "" +- id: aws_nist_800_53_rev_5_si_2_c + type: "" +- id: aws_nist_800_53_rev_5_si_2_d + type: "" 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml index fbc08d533..29f89dddb 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml @@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_si_2_2 - title: SI-2(2) Automated Flaw Remediation Status - description: "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_nist_800_53_rev_5_si_2_2 +title: SI-2(2) Automated Flaw Remediation Status +description: "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml index c190dc106..32136ddc2 100755 
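Review bot: `aws_elastic_beanstalk_enhanced_health_reporting_enabled` appears in this SI-2(2) list and again in the si_2_5, si_2_c and si_2_d hunks below, where the control text is about security-relevant update status and installation windows; enhanced health reporting is a monitoring feature, and I cannot see from these files that it evidences patch state. If the intended evidence is Beanstalk managed platform updates, the mapping should point at that control instead (assuming one exists in the catalogue). The remaining two controls (Redshift maintenance settings, SSM patch compliance) fit the SI-2 text as written.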
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml @@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_si_2_5 - title: SI-2(5) Automatic Software And Firmware Updated - description: "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]." - section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_nist_800_53_rev_5_si_2_5 +title: SI-2(5) Automatic Software And Firmware Updated +description: "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]." +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml index 15edab495..2cefd9aeb 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml 
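Review bot: The title `SI-2(5) Automatic Software And Firmware Updated` misnames the enhancement; the Rev 5 title is "Automatic Software and Firmware Updates", so the line should read `title: SI-2(5) Automatic Software And Firmware Updates`. The typo predates this commit but the restructure rewrites the line anyway, which is the cheapest moment to fix it.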
@@ -1,22 +1,22 @@ -control-group: - id: aws_nist_800_53_rev_5_si_2_a - title: SI-2(a) - description: Identify, report, and correct system flaws. - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudwatch_alarm_action_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +id: aws_nist_800_53_rev_5_si_2_a +title: SI-2(a) +description: Identify, report, and correct system flaws. +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_cloudwatch_alarm_action_enabled +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_lambda_function_dead_letter_queue_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml index b60be9c4b..5badcff4d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: aws_nist_800_53_rev_5_si_2_c - title: SI-2(c) - description: "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates." - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_nist_800_53_rev_5_si_2_c +title: SI-2(c) +description: "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates." +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml index 9026066e6..b58b3409e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml 
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_2_d
- title: SI-2(d)
- description: Incorporate flaw remediation into the organizational configuration management process.
- section-code: d
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_53_rev_5_si_2_d
+title: SI-2(d)
+description: Incorporate flaw remediation into the organizational configuration management process.
+section-code: d
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_elastic_beanstalk_enhanced_health_reporting_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml
index b6135e652..dcf69daba 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_si_3
+title: Malicious Code Protection (SI-3)
+description: "a.\u2003Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b.\u2003Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c.\u2003Configure malicious code protection mechanisms to: 1.\u2003Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2.\u2003[Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d.\u2003Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_si_3
- title: Malicious Code Protection (SI-3)
- description: "a.\u2003Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b.\u2003Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c.\u2003Configure malicious code protection mechanisms to: 1.\u2003Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2.\u2003[Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d.\u2003Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_si_3_8
- - id: aws_nist_800_53_rev_5_si_3_c_2
+- id: aws_nist_800_53_rev_5_si_3_8
+ type: ""
+- id: aws_nist_800_53_rev_5_si_3_c_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml
index 0ce7641da..f98a29f0c 100755
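Review bot: The child references added under `control-group` at the end of this hunk carry `type: ""` while the top-level node gets `type: control-group`; an empty-string type looks like a serializer default leaking into the checked-in file rather than a chosen value, and a loader that presumably dispatches on `type` will see these references differently from the files they point at. Either drop the key from the references or give it the real value, e.g. `- id: aws_nist_800_53_rev_5_si_3_8` followed by `  type: control-group`. The same `type: ""` pattern appears in the si_3_8, si_4 and si_4_13 hunks.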
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml
@@ -1,19 +1,21 @@
+id: aws_nist_800_53_rev_5_si_3_8
+title: SI-3(8) Detect Unauthorized Commands
+description: "a.\u2003Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b.\u2003[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_si_3_8
- title: SI-3(8) Detect Unauthorized Commands
- description: "a.\u2003Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b.\u2003[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
- section-code: "8"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_si_3_8_a
- - id: aws_nist_800_53_rev_5_si_3_8_b
+- id: aws_nist_800_53_rev_5_si_3_8_a
+ type: ""
+- id: aws_nist_800_53_rev_5_si_3_8_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml
index c3e4147ce..201324a87 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_3_8_a
- title: SI-3(8)(a)
- description: "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]."
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_3_8_a
+title: SI-3(8)(a)
+description: "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]."
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml
index 970d5208b..1d33107fd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_3_8_b
- title: SI-3(8)(b)
- description: "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
- section-code: b
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_nist_800_53_rev_5_si_3_8_b
+title: SI-3(8)(b)
+description: "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
+section-code: b
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml
index b88b2479b..b23ffb590 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_3_c_2
- title: SI-3(c)(2)
- description: "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection."
- section-code: c_2
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_nist_800_53_rev_5_si_3_c_2
+title: SI-3(c)(2)
+description: "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection."
+section-code: c_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml
index 427eb6574..f59139fac 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml
@@ -1,33 +1,49 @@
+id: aws_nist_800_53_rev_5_si_4
+title: System Monitoring (SI-4)
+description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_si_4
- title: System Monitoring (SI-4)
- description: "The organization: a.Monitors the information system to detect: 1. 
Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." 
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_si_4_1
- - id: aws_nist_800_53_rev_5_si_4_2
- - id: aws_nist_800_53_rev_5_si_4_3
- - id: aws_nist_800_53_rev_5_si_4_4
- - id: aws_nist_800_53_rev_5_si_4_10
- - id: aws_nist_800_53_rev_5_si_4_12
- - id: aws_nist_800_53_rev_5_si_4_13
- - id: aws_nist_800_53_rev_5_si_4_14
- - id: aws_nist_800_53_rev_5_si_4_17
- - id: aws_nist_800_53_rev_5_si_4_20
- - id: aws_nist_800_53_rev_5_si_4_23
- - id: aws_nist_800_53_rev_5_si_4_25
- - id: aws_nist_800_53_rev_5_si_4_a
- - id: aws_nist_800_53_rev_5_si_4_b
- - id: aws_nist_800_53_rev_5_si_4_c
- - id: aws_nist_800_53_rev_5_si_4_d
+- id: aws_nist_800_53_rev_5_si_4_1
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_2
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_3
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_4
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_10
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_12
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_13
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_14
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_17
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_20
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_23
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_25
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_a
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_b
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_c
+ type: ""
+- id: aws_nist_800_53_rev_5_si_4_d
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml
index 5ede28072..2d1e178d1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml
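Review bot: The added `description` for SI-4 (the third line of this hunk) keeps two spacing defects from the old text, `a.Monitors` and `2.Unauthorized`, and its `The organization: ... Monitors ... Identifies` phrasing reads like the Rev 4 catalog wording rather than the imperative Rev 5 text the sibling files use (`Implement ...`, `Detect ...` in the si_3 hunks); worth checking against the Rev 5 source before this lands, since this text is what ends up on the compliance report. At minimum the spacing should read `a. Monitors the information system to detect: 1. Attacks ...` and `2. Unauthorized local, network, and remote connections`. The description also appears split across two physical lines in this view; if that is not only a rendering artifact, the YAML scalar has a stray line break as well.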
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_1
- title: SI-4(1) System-Wide Intrusion Detection System
- description: Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_4_1
+title: SI-4(1) System-Wide Intrusion Detection System
+description: Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml
index c26caf6a4..ba84ea572 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_10
- title: SI-4(10) Visibility Of Encrypted Communications
- description: "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]."
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_4_10
+title: SI-4(10) Visibility Of Encrypted Communications
+description: "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]."
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml
index cea2d7388..5c9fe9c9c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_12
- title: SI-4(12) Automated Organization-Generated Alerts
- description: "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
- controls:
- - aws_cloudwatch_alarm_action_enabled
+id: aws_nist_800_53_rev_5_si_4_12
+title: SI-4(12) Automated Organization-Generated Alerts
+description: "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+controls:
+- aws_cloudwatch_alarm_action_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
index 7af85f744..cead5d312 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
@@ -1,18 +1,19 @@
+id: aws_nist_800_53_rev_5_si_4_13
+title: SI-4(13) Analyze Traffic And Event Patterns
+description: a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices.
+section-code: "13"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
 control-group:
- id: aws_nist_800_53_rev_5_si_4_13
- title: SI-4(13) Analyze Traffic And Event Patterns
- description: a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices.
- section-code: "13"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- control-group:
- - id: aws_nist_800_53_rev_5_si_4_13_a
+- id: aws_nist_800_53_rev_5_si_4_13_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
index ef38fccd1..57611bed8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_13_a
- title: SI-4(13)(a)
- description: Analyze communications traffic and event patterns for the system.
- section-code: a
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_4_13_a
+title: SI-4(13)(a)
+description: Analyze communications traffic and event patterns for the system.
+section-code: a
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
index 345f42b06..d3333daff 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
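Review bot: The `service` tag written here is `AWS` although the file's only control is `aws_guardduty_enabled`, while the sibling files in this series whose only control is the same one (si_4_1, si_4_10, si_4_14, si_4_23, si_4_3) tag it `AWS/GuardDuty`; si_3_8_a and si_4_25 have the same mismatch. Since the restructure rewrites every tag block anyway, aligning these to `- AWS/GuardDuty` would keep service-based filtering of the framework consistent. This is inferred only from the hunks visible in this view.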
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_14
- title: SI-4(14) Wireless Intrusion Detection
- description: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
- section-code: "14"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_4_14
+title: SI-4(14) Wireless Intrusion Detection
+description: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
+section-code: "14"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
index 400b9c0f4..6587399f1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_17
- title: SI-4(17) Integrated Situational Awareness
- description: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
- section-code: "17"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_nist_800_53_rev_5_si_4_17
+title: SI-4(17) Integrated Situational Awareness
+description: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
+section-code: "17"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
index 2943f2593..48afb5baa 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_2
- title: SI-4(2) Automated Tools For Real-Time Analysis
- description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events."
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_nist_800_53_rev_5_si_4_2
+title: SI-4(2) Automated Tools For Real-Time Analysis
+description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_guardduty_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
index d7aa8549c..37ae3b1fe 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
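Review bot: The added `description` for SI-4(2) opens with `Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].`, which is exactly the sentence the si_4_20 hunk uses for SI-4(20); the Rev 5 text for SI-4(2) appears to be only the second sentence, so this reads like a copy-paste carried over from the old file rather than the control's own wording. Suggest `description: Employ automated tools and mechanisms to support near real-time analysis of events.` and a check against the source catalog, since the description is what auditors see next to the control results.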
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_20
- title: SI-4(20) Privileged Users
- description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]."
- section-code: "20"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_nist_800_53_rev_5_si_4_20
+title: SI-4(20) Privileged Users
+description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]."
+section-code: "20"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
index 9d4758774..783393fc1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_nist_800_53_rev_5_si_4_23
- title: SI-4(23) Host-Based Devices
- description: "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]."
- section-code: "23"
- tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
- controls:
- - aws_guardduty_enabled
+id: aws_nist_800_53_rev_5_si_4_23
+title: SI-4(23) Host-Based Devices
+description: "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]."
+section-code: "23"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
index c5e54d229..b1a3663ac 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_25 - title: SI-4(25) Optimize Network Traffic Analysis - description: Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. - section-code: "25" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_25 +title: SI-4(25) Optimize Network Traffic Analysis +description: Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. +section-code: "25" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml index 8a12c387e..35d03d4aa 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_3 - title: SI-4(3) Automated Tools And Mechanism Integration - description: Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_3 +title: SI-4(3) Automated Tools And Mechanism Integration +description: Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml index 87495f9e9..ffc476548 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml 
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_si_4_4 +title: SI-4(4) Inbound and Outbound Communications Traffic +description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions. +section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_4_4 - title: SI-4(4) Inbound and Outbound Communications Traffic - description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions. - section-code: "4" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_4_4_a - - id: aws_nist_800_53_rev_5_si_4_4_b +- id: aws_nist_800_53_rev_5_si_4_4_a + type: "" +- id: aws_nist_800_53_rev_5_si_4_4_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml index 497eda938..c5751f8a3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml 
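Review bot: The two child references added under `control-group:` carry `type: ""` while the file itself now declares `type: control-group`, so `aws_nist_800_53_rev_5_si_4_4_a` and `aws_nist_800_53_rev_5_si_4_4_b` are typed as an empty string. If the loader dispatches on `type`, an empty value is likely to be rejected or silently treated as unknown, which would drop both sub-controls from the benchmark without an error; I would write `type: control-group` on each entry, or omit the key entirely if the referenced file's own `type` is authoritative. The same empty-type pattern appears in the other parent files touched by this change.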
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_4_a - title: SI-4(4)(a) - description: Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic. - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_4_a +title: SI-4(4)(a) +description: Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic. +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml index 14c789f6a..dfacadf99 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_4_b - title: SI-4(4)(b) - description: "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_4_b +title: SI-4(4)(b) +description: "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml index 5a82e97b4..b3bf6a16a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml 
@@ -1,21 +1,23 @@ +id: aws_nist_800_53_rev_5_si_4_a +title: SI-4(a) +description: "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_4_a - title: SI-4(a) - description: "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_4_a_1 - - id: aws_nist_800_53_rev_5_si_4_a_2 - controls: - - aws_guardduty_enabled +- id: aws_nist_800_53_rev_5_si_4_a_1 + type: "" +- id: aws_nist_800_53_rev_5_si_4_a_2 + type: "" +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml index d85fabd3b..3f521b4e8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_a_1 - title: SI-4(a)(1) - description: "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_a_1 +title: SI-4(a)(1) +description: "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml index 431fdc41e..6bbad19dd 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_a_2 - title: SI-4(a)(2) - description: "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections." - section-code: "2" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_a_2 +title: SI-4(a)(2) +description: "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections." +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml index dd9657e5a..9b37f0928 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_b - title: SI-4(b) - description: "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]." - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_b +title: SI-4(b) +description: "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]." +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml index 4bc4b229d..b5119c651 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_c - title: SI-4(c) - description: "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization." - section-code: c - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_4_c +title: SI-4(c) +description: "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization." +section-code: c +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark +controls: +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml index 51bbdaab5..8a3377176 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_4_d - title: SI-4(d) - description: Analyze detected events and anomalies. - section-code: d - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_53_rev_5_si_4_d +title: SI-4(d) +description: Analyze detected events and anomalies. +section-code: d +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml index a36bf9c63..d789e794f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml 
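Review bot: SI-4(d), "Analyze detected events and anomalies", is satisfied here only by `aws_cloudtrail_trail_validation_enabled`, which checks that CloudTrail log-file integrity validation is switched on; that is a tamper-evidence control, not event analysis. A control that actually analyses events would fit the statement better, for example `aws_guardduty_enabled`, which the sibling SI-4(a)–(c) files already use, or `aws_cloudwatch_alarm_action_enabled` from SI-5(1), while the validation check is already mapped where it belongs under SI-7. The mapping predates this commit, but since every line of the file is rewritten anyway this is a cheap moment to fix it: `controls:`, `- aws_guardduty_enabled`, `- aws_cloudtrail_trail_validation_enabled`.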
@@ -1,19 +1,21 @@ +id: aws_nist_800_53_rev_5_si_5 +title: Secuity Alerts, Advisories, And Directives (SI-5) +description: "a.\u2003Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b.\u2003Generate internal security alerts, advisories, and directives as deemed necessary; c.\u2003Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d.\u2003Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." +section-code: "5" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_5 - title: Secuity Alerts, Advisories, And Directives (SI-5) - description: "a.\u2003Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b.\u2003Generate internal security alerts, advisories, and directives as deemed necessary; c.\u2003Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d.\u2003Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." 
- section-code: "5" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_5_1 - - id: aws_nist_800_53_rev_5_si_5_b +- id: aws_nist_800_53_rev_5_si_5_1 + type: "" +- id: aws_nist_800_53_rev_5_si_5_b + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml index 30c14b2f5..826a7c70a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_si_5_1 - title: SI-5(1) Automated Alerts And Advisories - description: "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_5_1 +title: SI-5(1) Automated Alerts And Advisories +description: "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudwatch_alarm_action_enabled +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml index 4d74cfe97..78cbf5e57 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml 
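Review bot: The rewritten title still reads `Secuity Alerts, Advisories, And Directives (SI-5)`; since the commit rewrites every line of this file, correct it to `Security Alerts, Advisories, And Directives (SI-5)` here rather than in a follow-up. The two child references `aws_nist_800_53_rev_5_si_5_1` and `aws_nist_800_53_rev_5_si_5_b` also carry `type: ""` whereas the parent declares `type: control-group`; set them to `type: control-group` or omit the key so the loader never sees an empty type.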
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml @@ -1,19 +1,19 @@ -control-group: - id: aws_nist_800_53_rev_5_si_5_b - title: SI-5(b) - description: Generate internal security alerts, advisories, and directives as deemed necessary. - section-code: b - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled +id: aws_nist_800_53_rev_5_si_5_b +title: SI-5(b) +description: Generate internal security alerts, advisories, and directives as deemed necessary. +section-code: b +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudwatch_alarm_action_enabled +- aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml index daf1a5400..0748779ca 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml 
@@ -1,22 +1,27 @@ +id: aws_nist_800_53_rev_5_si_7 +title: Software, Firmware, and Information Integrity (SI-7) +description: "a.\u2003Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b.\u2003Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]." +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark control-group: - id: aws_nist_800_53_rev_5_si_7 - title: Software, Firmware, and Information Integrity (SI-7) - description: "a.\u2003Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b.\u2003Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]." - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - control-group: - - id: aws_nist_800_53_rev_5_si_7_1 - - id: aws_nist_800_53_rev_5_si_7_3 - - id: aws_nist_800_53_rev_5_si_7_7 - - id: aws_nist_800_53_rev_5_si_7_8 - - id: aws_nist_800_53_rev_5_si_7_a +- id: aws_nist_800_53_rev_5_si_7_1 + type: "" +- id: aws_nist_800_53_rev_5_si_7_3 + type: "" +- id: aws_nist_800_53_rev_5_si_7_7 + type: "" +- id: aws_nist_800_53_rev_5_si_7_8 + type: "" +- id: aws_nist_800_53_rev_5_si_7_a + type: "" diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml index bf7b0af77..282606704 100755 
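Review bot: The SI-7 description covers both part a (integrity verification) and part b (actions on detected change), but the child list only references `aws_nist_800_53_rev_5_si_7_a` alongside enhancements 1, 3, 7 and 8; there is no `si_7_b` entry, unlike SI-5 in this same change which lists `si_5_b`. If no AWS control maps to SI-7(b) that is defensible, but it is worth a one-line comment above the list, e.g. `# SI-7(b) has no automated AWS control mapping; assessed manually`, so the omission is not read as an oversight. The five child references also carry `type: ""` while the parent declares `type: control-group`; use `type: control-group` or drop the key.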
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml @@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_7_1 - title: SI-7(1) Integrity Checks - description: "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." - section-code: "1" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_53_rev_5_si_7_1 +title: SI-7(1) Integrity Checks +description: "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." +section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml index eb3ec2e80..f78375895 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_7_3 - title: SI-7(3) Centrally Managed Integrity Tools - description: Employ centrally managed integrity verification tools. - section-code: "3" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_53_rev_5_si_7_3 +title: SI-7(3) Centrally Managed Integrity Tools +description: Employ centrally managed integrity verification tools. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml index 284b494d7..9f82d2700 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_7_7 - title: SI-7(7) Integration Of Detection And Response - description: "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]." - section-code: "7" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_53_rev_5_si_7_7 +title: SI-7(7) Integration Of Detection And Response +description: "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]." +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml index 99d8f203e..fc3e4cdce 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_nist_800_53_rev_5_si_7_8 - title: SI-7(8) Auditing Capability For Significant Events - description: "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." - section-code: "8" - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_wafv2_web_acl_logging_enabled - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled +id: aws_nist_800_53_rev_5_si_7_8 +title: SI-7(8) Auditing Capability For Significant Events +description: "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." 
+section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark +controls: +- aws_cloudtrail_multi_region_trail_enabled +- aws_wafv2_web_acl_logging_enabled +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_s3_data_events_enabled +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_logging_enabled +- aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml index f2beb49ba..920bde269 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml 
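Review bot: SI-7(8) asks for the capability to audit an integrity violation and to "alert current user; alert [personnel or roles]", yet the control list contains only log-enablement checks and nothing that detects an integrity violation or raises an alert. The sibling SI-7 files all map `aws_cloudtrail_trail_validation_enabled` (the integrity-detection half), and SI-5(1) in this same change maps `aws_cloudwatch_alarm_action_enabled` (the alerting half); adding both here would make the mapping match the control statement: `- aws_cloudtrail_trail_validation_enabled`, `- aws_cloudwatch_alarm_action_enabled`. The mapping predates the commit, but the restructure touches every line of the file so it is the natural place to fix it.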
@@ -1,18 +1,18 @@ -control-group: - id: aws_nist_800_53_rev_5_si_7_a - title: SI-7(a) - description: "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]." - section-code: a - tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled +id: aws_nist_800_53_rev_5_si_7_a +title: SI-7(a) +description: "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]." +section-code: a +type: control-group +tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark +controls: +- aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_csf.yaml b/compliance/frameworks/aws/aws_nist_csf.yaml index e5c03be3f..bb0aa4164 100644 --- a/compliance/frameworks/aws/aws_nist_csf.yaml +++ b/compliance/frameworks/aws/aws_nist_csf.yaml 
@@ -1,33 +1,49 @@ -framework: - id: aws_nist_csf - title: NIST Cybersecurity Framework (CSF) v1.1 - description: NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. - section-code: aws_nist_csf +id: aws_nist_csf +title: NIST Cybersecurity Framework (CSF) v1.1 +description: NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that help an organization improve its cybersecurity measures. +section-code: aws_nist_csf +type: framework +tags: + category: + - Compliance + nist_csf: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Frameworks + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: true + tracks-drift-events: false +control-group: +- id: aws_nist_csf_de + title: Detect (DE) + description: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. + section-code: de tags: category: - Compliance nist_csf: - "true" - platform_benchmark_type: - - compliance - platform_category: - - Frameworks - - Best Practices plugin: - aws service: - AWS type: - Benchmark - defaults: - is-baseline: false - enabled: true - tracks-drift-events: false control-group: - - id: aws_nist_csf_de - title: Detect (DE) - description: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. - section-code: de + - id: aws_nist_csf_de_ae + title: Anomalies and Events (DE.AE) + description: Anomalous activity is detected and the potential impact of events is understood. + section-code: ae tags: category: - Compliance 
@@ -40,10 +56,10 @@ framework: type: - Benchmark control-group: - - id: aws_nist_csf_de_ae - title: Anomalies and Events (DE.AE) - description: Anomalous activity is detected and the potential impact of events is understood. - section-code: ae + - id: aws_nist_csf_de_ae_1 + title: DE.AE-1 + description: A baseline of network operations and expected data flows for users and systems is established and managed. + section-code: "1" tags: category: - Compliance 
@@ -55,164 +71,50 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_de_ae_1 - title: DE.AE-1 - description: A baseline of network operations and expected data flows for users and systems is established and managed. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_apigateway_stage_use_waf_web_acl - - aws_cloudfront_distribution_logging_enabled - - aws_cloudfront_distribution_sni_enabled - - aws_cloudfront_distribution_waf_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_codebuild_project_logging_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_ec2_instance_not_use_multiple_enis - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled - - aws_ecs_cluster_container_insights_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_lambda_function_concurrent_execution_limit_configured - - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets - - aws_networkfirewall_firewall_policy_rule_group_not_empty - - aws_networkfirewall_stateless_rule_group_not_empty - - aws_opensearch_domain_audit_logging_enabled - - aws_opensearch_domain_logs_to_cloudwatch - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_event_notifications_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_flow_logs_enabled - - aws_vpc_network_acl_remote_administration - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - 
aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_web_acl_logging_enabled - - aws_waf_web_acl_rule_attached - - aws_wafv2_web_acl_logging_enabled - - id: aws_nist_csf_de_ae_2 - title: DE.AE-2 - description: Detected events are analyzed to understand attack targets and methods. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled - - id: aws_nist_csf_de_ae_3 - title: DE.AE-3 - description: Event data are collected and correlated from multiple sources and sensors. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_log_group_retention_period_365 - - aws_codebuild_project_logging_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_guardduty_enabled - - aws_opensearch_domain_audit_logging_enabled - - aws_opensearch_domain_logs_to_cloudwatch - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_nist_csf_de_ae_4 - title: DE.AE-4 - description: Impact of events is determined. 
- section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - id: aws_nist_csf_de_ae_5 - title: DE.AE-5 - description: Incident alert thresholds are established. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudwatch_alarm_action_enabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_lambda_function_dead_letter_queue_configured - - id: aws_nist_csf_de_cm - title: Security Continuous Monitoring (DE.CM) - description: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. 
- section-code: cm + controls: + - aws_apigateway_stage_logging_enabled + - aws_apigateway_stage_use_waf_web_acl + - aws_cloudfront_distribution_logging_enabled + - aws_cloudfront_distribution_sni_enabled + - aws_cloudfront_distribution_waf_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_codebuild_project_logging_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_ec2_instance_not_use_multiple_enis + - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled + - aws_ecs_cluster_container_insights_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_es_domain_logs_to_cloudwatch + - aws_lambda_function_concurrent_execution_limit_configured + - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets + - aws_networkfirewall_firewall_policy_rule_group_not_empty + - aws_networkfirewall_stateless_rule_group_not_empty + - aws_opensearch_domain_audit_logging_enabled + - aws_opensearch_domain_logs_to_cloudwatch + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_event_notifications_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_flow_logs_enabled + - aws_vpc_network_acl_remote_administration + - aws_vpc_route_table_restrict_public_access_to_igw + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_waf_regional_rule_condition_attached + - aws_waf_regional_rule_group_rule_attached + - aws_waf_web_acl_logging_enabled + - aws_waf_web_acl_rule_attached + - aws_wafv2_web_acl_logging_enabled + - id: aws_nist_csf_de_ae_2 + title: DE.AE-2 + description: Detected events are analyzed to understand attack targets 
and methods. + section-code: "2" tags: category: - Compliance 
@@ -224,193 +126,14 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_de_cm_1 - title: DE.CM-1 - description: The network is monitored to detect potential cybersecurity events. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_s3_bucket_event_notifications_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_de_cm_2 - title: DE.CM-2 - description: The physical environment is monitored to detect potential cybersecurity events. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - 
aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_de_cm_3 - title: DE.CM-3 - description: Personnel activity is monitored to detect potential cybersecurity events. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_guardduty_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - id: aws_nist_csf_de_cm_4 - title: DE.CM-4 - description: Malicious code is detected. - section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled - - id: aws_nist_csf_de_cm_5 - title: DE.CM-5 - description: Unauthorized mobile code is detected. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elb_application_lb_waf_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_nist_csf_de_cm_6 - title: DE.CM-6 - description: External service provider activity is monitored to detect potential cybersecurity events. 
- section-code: "6" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_guardduty_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - id: aws_nist_csf_de_cm_7 - title: DE.CM-7 - description: Monitoring for unauthorized personnel, connections, devices, and software is performed. - section-code: "7" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_de_dp - title: Detection Processes (DE.DP) - description: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. - section-code: dp + controls: + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled + - id: aws_nist_csf_de_ae_3 + title: DE.AE-3 + description: Event data are collected and correlated from multiple sources and sensors. + section-code: "3" tags: category: - Compliance 
@@ -422,57 +145,350 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_de_dp_4 - title: DE.DP-4 - description: Event detection information is communicated. - section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudformation_stack_notifications_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_alarm_action_enabled_check - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elb_application_lb_waf_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_s3_bucket_event_notifications_enabled - - aws_securityhub_enabled - - aws_sns_topic_notification_delivery_status_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_nist_csf_de_dp_5 - title: DE.DP-5 - description: Detection processes are continuously improved. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/EC2 - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - id: aws_nist_csf_id - title: Identify (ID) - description: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 
- section-code: id + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_log_group_retention_period_365 + - aws_codebuild_project_logging_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_es_domain_logs_to_cloudwatch + - aws_guardduty_enabled + - aws_opensearch_domain_audit_logging_enabled + - aws_opensearch_domain_logs_to_cloudwatch + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_nist_csf_de_ae_4 + title: DE.AE-4 + description: Impact of events is determined. + section-code: "4" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - id: aws_nist_csf_de_ae_5 + title: DE.AE-5 + description: Incident alert thresholds are established. 
+ section-code: "5" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_alarm_action_enabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_lambda_function_dead_letter_queue_configured + - id: aws_nist_csf_de_cm + title: Security Continuous Monitoring (DE.CM) + description: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. + section-code: cm + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_de_cm_1 + title: DE.CM-1 + description: The network is monitored to detect potential cybersecurity events. + section-code: "1" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_s3_bucket_event_notifications_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_de_cm_2 + title: DE.CM-2 + description: The physical environment is monitored to detect potential cybersecurity events. 
+ section-code: "2" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_de_cm_3 + title: DE.CM-3 + description: Personnel activity is monitored to detect potential cybersecurity events. + section-code: "3" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_guardduty_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - id: aws_nist_csf_de_cm_4 + title: DE.CM-4 + description: Malicious code is detected. 
+ section-code: "4" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled + - id: aws_nist_csf_de_cm_5 + title: DE.CM-5 + description: Unauthorized mobile code is detected. + section-code: "5" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elb_application_lb_waf_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_nist_csf_de_cm_6 + title: DE.CM-6 + description: External service provider activity is monitored to detect potential cybersecurity events. + section-code: "6" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_guardduty_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - id: aws_nist_csf_de_cm_7 + title: DE.CM-7 + description: Monitoring for unauthorized personnel, connections, devices, and software is performed. 
+ section-code: "7" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_de_dp + title: Detection Processes (DE.DP) + description: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. + section-code: dp + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_de_dp_4 + title: DE.DP-4 + description: Event detection information is communicated. + section-code: "4" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudformation_stack_notifications_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_alarm_action_enabled_check + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elb_application_lb_waf_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_s3_bucket_event_notifications_enabled + - aws_securityhub_enabled + - aws_sns_topic_notification_delivery_status_enabled + - aws_wafv2_web_acl_logging_enabled + - id: aws_nist_csf_de_dp_5 + title: DE.DP-5 + description: Detection processes are continuously improved. 
+ section-code: "5" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/EC2 + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_ec2_instance_detailed_monitoring_enabled +- id: aws_nist_csf_id + title: Identify (ID) + description: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. + section-code: id + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_id_am + title: Asset Management (ID.AM) + description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance. + section-code: am tags: category: - Compliance @@ -485,10 +501,10 @@ framework: type: - Benchmark control-group: - - id: aws_nist_csf_id_am - title: Asset Management (ID.AM) - description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance. - section-code: am + - id: aws_nist_csf_id_am_1 + title: ID.AM-1 + description: Physical devices and systems within the organization are inventoried. + section-code: "1" tags: category: - Compliance 
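Review bot: In the DE.DP-5 group (`id: aws_nist_csf_de_dp_5`) the new side keeps `service:` as `- AWS/EC2` while every sibling group in this hunk uses `- AWS`, and its `controls` list is the only one not in alphabetical order (`aws_guardduty_enabled` precedes `aws_ec2_instance_detailed_monitoring_enabled`). Both are carried over from the removed side rather than introduced here, but since the whole tree is being re-laid out this is the natural place to normalise them; if the narrower service tag is intentional (only one of the two controls is EC2-scoped, so it looks accidental), a short `# service scoped to EC2 on purpose` comment above it would make that explicit. The same `service` inconsistency appears for ID.AM-6 (`- AWS/IAM`) in the hunk at `@@ -817,55 +578,30 @@`. Suggested change: `service:` / `- AWS`, and swap the two control entries so `- aws_ec2_instance_detailed_monitoring_enabled` comes first.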
@@ -500,108 +516,13 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_id_am_1 - title: ID.AM-1 - description: Physical devices and systems within the organization are inventoried. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions - - aws_ec2_instance_ssm_managed - - id: aws_nist_csf_id_am_2 - title: ID.AM-2 - description: Software platforms and applications within the organization are inventoried. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated - - aws_vpc_network_acl_unused - - id: aws_nist_csf_id_am_3 - title: ID.AM-3 - description: Organizational communication and data flows are mapped. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_id_am_5 - title: ID.AM-5 - description: Resources are prioritized based on their classification, criticality, and business value. 
- section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_dynamodb_table_auto_scaling_enabled - - id: aws_nist_csf_id_am_6 - title: ID.AM-6 - description: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established. - section-code: "6" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_user_in_group - - id: aws_nist_csf_id_be - title: Business Environment (ID.BE) - description: The organization's mission, objectives, stakeholders, and activities are understood and prioritized. - section-code: be + controls: + - aws_config_enabled_all_regions + - aws_ec2_instance_ssm_managed + - id: aws_nist_csf_id_am_2 + title: ID.AM-2 + description: Software platforms and applications within the organization are inventoried. + section-code: "2" tags: category: - Compliance 
@@ -613,57 +534,16 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_id_be_5 - title: ID.BE-5 - description: Resilience requirements for critical services are established. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_multiple_az_configured - - aws_autoscaling_group_with_lb_use_health_check - - aws_autoscaling_use_multiple_instance_types_in_multiple_az - - aws_cloudfront_distribution_configured_with_origin_failover - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_gateway_network_lb_multiple_az_configured - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_multiple_az_configured - - aws_lambda_function_multiple_az_configured - - aws_rds_db_cluster_aurora_backtracking_enabled - - aws_rds_db_cluster_deletion_protection_enabled - - aws_rds_db_cluster_multiple_az_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_lifecycle_policy_enabled - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_versioning_and_lifecycle_policy_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up - - id: aws_nist_csf_id_ra - title: Risk Assessment (ID.RA) - description: The organization understands the cybersecurity risk to organizational operations and assets. 
- section-code: ra + controls: + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_eip_associated + - aws_vpc_network_acl_unused + - id: aws_nist_csf_id_am_3 + title: ID.AM-3 + description: Organizational communication and data flows are mapped. + section-code: "3" tags: category: - Compliance 
@@ -675,137 +555,18 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_id_ra_1 - title: ID.RA-1 - description: Asset vulnerabilities are identified and documented. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_ecr_repository_image_scan_on_push_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_ssm_managed_instance_compliance_patch_compliant - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_id_ra_2 - title: ID.RA-2 - description: Cyber threat intelligence is received from information sharing forums and sources. 
- section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled - - id: aws_nist_csf_id_ra_3 - title: ID.RA-3 - description: Threats, both internal and external, are identified and documented. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_guardduty_enabled - - aws_securityhub_enabled - - id: aws_nist_csf_id_ra_5 - title: ID.RA-5 - description: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - id: 
aws_nist_csf_id_sc - title: Supply Chain Risk Management (ID.SC) - description: The organization uses processes to identify, assess and manage supply chain risks. - section-code: sc + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_trail_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_id_am_5 + title: ID.AM-5 + description: Resources are prioritized based on their classification, criticality, and business value. + section-code: "5" tags: category: - Compliance 
@@ -817,55 +578,30 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_id_sc_4 - title: ID.SC-4 - description: Suppliers and third-party partners are routinely assessed to confirm they meet obligations. - section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_pr - title: Protect (PR) - description: Develop and implement safeguards to ensure delivery of critical services. - section-code: pr + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_dynamodb_table_auto_scaling_enabled + - id: aws_nist_csf_id_am_6 + title: ID.AM-6 + description: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established. 
+ section-code: "6" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_user_in_group + - id: aws_nist_csf_id_be + title: Business Environment (ID.BE) + description: The organization's mission, objectives, stakeholders, and activities are understood and prioritized. + section-code: be tags: category: - Compliance @@ -878,10 +614,10 @@ framework: type: - Benchmark control-group: - - id: aws_nist_csf_pr_ac - title: Identity Management and Access Control (PR.AC) - description: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. - section-code: ac + - id: aws_nist_csf_id_be_5 + title: ID.BE-5 + description: Resilience requirements for critical services are established. + section-code: "5" tags: category: - Compliance 
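Review bot: The new side of this hunk drops the ID.SC-4 group and the whole `aws_nist_csf_pr` (Protect) control-group header, and the hunks ending at L6264, L6270 and L6276 likewise remove the PR.AC, PR.DS, PR.IP, PR.MA and PR.PT groups, which carried the root/user MFA, public-access, encryption-at-rest/in-transit, backup and audit-logging controls; nothing in the visible new side re-references them. If these groups were moved to an earlier part of the file the change is only a reorder, but if they were intentionally cut the benchmark no longer exercises the Protect function at all, and the commit description should state which it is. Either way a quick check that every control id referenced on the old side is still referenced somewhere in the new file (the lists are flat YAML, so a set difference is enough) would catch silent coverage loss; `aws_iam_root_user_mfa_enabled` and `aws_s3_bucket_default_encryption_enabled` are good canaries. The `@@ -817` hunk also begins inside the `aws_nist_csf_id_ra_5` control list, whose start is outside this hunk.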
@@ -893,278 +629,57 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_pr_ac_1 - title: PR.AC-1 - description: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_no_amazon_key_pair - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_opensearch_domain_fine_grained_access_enabled - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day - - id: aws_nist_csf_pr_ac_3 - title: PR.AC-3 - description: Remote access is managed. 
- section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudfront_distribution_waf_enabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets - - aws_networkfirewall_firewall_policy_rule_group_not_empty - - aws_networkfirewall_stateless_rule_group_not_empty - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_network_acl_remote_administration - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - 
aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_web_acl_rule_attached - - id: aws_nist_csf_pr_ac_4 - title: PR.AC-4 - description: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. - section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_user_for_host_mode_check - - aws_efs_access_point_enforce_root_directory - - aws_efs_access_point_enforce_user_identity - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_fine_grained_access_enabled - - aws_opensearch_domain_in_vpc - - 
aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_subnet_auto_assign_public_ip_disabled - - id: aws_nist_csf_pr_ac_5 - title: PR.AC-5 - description: Network integrity is protected (e.g., network segregation, network segmentation). - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudfront_distribution_default_root_object_configured - - aws_cloudfront_distribution_waf_enabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets - - aws_networkfirewall_firewall_policy_rule_group_not_empty - - aws_networkfirewall_stateless_rule_group_not_empty - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - 
aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_network_acl_remote_administration - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_web_acl_rule_attached - - id: aws_nist_csf_pr_ac_6 - title: PR.AC-6 - description: Identities are proofed and bound to credentials and asserted in interactions. - section-code: "6" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_emr_cluster_kerberos_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - id: aws_nist_csf_pr_ac_7 - title: PR.AC-7 - description: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction. 
- section-code: "7" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - id: aws_nist_csf_pr_ds - title: Data Security (PR.DS) - description: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. - section-code: ds + controls: + - aws_autoscaling_group_multiple_az_configured + - aws_autoscaling_group_with_lb_use_health_check + - aws_autoscaling_use_multiple_instance_types_in_multiple_az + - aws_cloudfront_distribution_configured_with_origin_failover + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_gateway_network_lb_multiple_az_configured + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_elb_classic_lb_multiple_az_configured + - aws_lambda_function_multiple_az_configured + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_deletion_protection_enabled + - aws_rds_db_cluster_multiple_az_enabled + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_deletion_protection_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_lifecycle_policy_enabled + - aws_s3_bucket_object_lock_enabled + - 
aws_s3_bucket_versioning_and_lifecycle_policy_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up + - id: aws_nist_csf_id_ra + title: Risk Assessment (ID.RA) + description: The organization understands the cybersecurity risk to organizational operations and assets. + section-code: ra + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_id_ra_1 + title: ID.RA-1 + description: Asset vulnerabilities are identified and documented. + section-code: "1" tags: category: - Compliance 
@@ -1176,255 +691,41 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_pr_ds_1 - title: PR.DS-1 - description: Data-at-rest is protected. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_codebuild_project_artifact_encryption_enabled - - aws_codebuild_project_s3_logs_encryption_enabled - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_es_domain_encryption_at_rest_enabled - - aws_kinesis_stream_server_side_encryption_enabled - - aws_kms_key_not_pending_deletion - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_object_lock_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - id: aws_nist_csf_pr_ds_2 - title: PR.DS-2 - description: Data-in-transit is protected. 
- section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_cloudfront_distribution_use_custom_ssl_certificate - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - id: aws_nist_csf_pr_ds_3 - title: PR.DS-3 - description: Assets are formally managed throughout removal, transfers, and disposition. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated - - id: aws_nist_csf_pr_ds_4 - title: PR.DS-4 - description: Adequate capacity to ensure availability is maintained. 
- section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_multiple_az_configured - - aws_autoscaling_group_with_lb_use_health_check - - aws_autoscaling_use_multiple_instance_types_in_multiple_az - - aws_cloudfront_distribution_configured_with_origin_failover - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_gateway_network_lb_multiple_az_configured - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_multiple_az_configured - - aws_lambda_function_multiple_az_configured - - aws_rds_db_cluster_deletion_protection_enabled - - aws_rds_db_cluster_multiple_az_enabled - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_lifecycle_policy_enabled - - aws_s3_bucket_versioning_and_lifecycle_policy_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up - - id: aws_nist_csf_pr_ds_5 - title: PR.DS-5 - description: Protections against data leaks are implemented. 
- section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ecs_task_definition_container_environment_no_secret - - aws_eks_cluster_endpoint_restrict_public_access - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_in_vpc - - aws_guardduty_enabled - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_event_notifications_enabled - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_securityhub_enabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_flow_logs_enabled - - id: aws_nist_csf_pr_ds_6 - title: PR.DS-6 - description: Integrity checking mechanisms are used to verify software, firmware, and information integrity. 
- section-code: "6" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_trail_validation_enabled - - aws_s3_bucket_versioning_enabled - - id: aws_nist_csf_pr_ds_7 - title: PR.DS-7 - description: The development and testing environment(s) are separate from the production environment. - section-code: "7" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_cloudtrail_security_trail_enabled - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_common_ports_all - - id: aws_nist_csf_pr_ds_8 - title: PR.DS-8 - description: Integrity checking mechanisms are used to verify hardware integrity. - section-code: "8" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_instance_ssm_managed - - aws_securityhub_enabled - - id: aws_nist_csf_pr_ip - title: Information Protection Processes and Procedures (PR.IP) - description: Security policies (addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. 
- section-code: ip + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_ecr_repository_image_scan_on_push_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_ssm_managed_instance_compliance_patch_compliant + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_id_ra_2 + title: ID.RA-2 + description: Cyber threat intelligence is received from information sharing forums and sources. + section-code: "2" tags: category: - Compliance 
@@ -1436,239 +737,13 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_pr_ip_1 - title: PR.IP-1 - description: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality). - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_account_part_of_organizations - - aws_autoscaling_launch_config_hop_limit - - aws_autoscaling_launch_config_requires_imdsv2 - - aws_cloudformation_stack_drift_detection_check - - aws_cloudfront_distribution_origin_access_identity_enabled - - aws_cloudtrail_security_trail_enabled - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_instance_virtualization_type_no_paravirtual - - aws_ec2_stopped_instance_30_days - - aws_ecr_repository_lifecycle_policy_configured - - aws_ecr_repository_tag_immutability_enabled - - aws_ecs_service_fargate_using_latest_platform_version - - aws_ecs_task_definition_container_environment_no_secret - - aws_ecs_task_definition_no_host_pid_mode - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elb_application_lb_desync_mitigation_mode - - aws_lambda_function_use_latest_runtime - - aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets - - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets - - aws_networkfirewall_firewall_policy_rule_group_not_empty - - aws_rds_db_cluster_no_default_admin_name - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_rds_db_instance_no_default_admin_name - - aws_redshift_cluster_maintenance_settings_check - - aws_redshift_cluster_no_default_admin_name - - aws_redshift_cluster_no_default_database_name - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_ssm_managed_instance_compliance_association_compliant - - 
aws_waf_regional_web_acl_rule_attached - - aws_waf_rule_condition_attached - - aws_waf_rule_group_rule_attached - - aws_waf_web_acl_resource_associated - - id: aws_nist_csf_pr_ip_2 - title: PR.IP-2 - description: A System Development Life Cycle to manage systems is implemented. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_ssm_managed - - id: aws_nist_csf_pr_ip_3 - title: PR.IP-3 - description: Configuration change control processes are in place. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/ELB - type: - - Benchmark - controls: - - aws_elb_application_lb_deletion_protection_enabled - - aws_rds_db_cluster_deletion_protection_enabled - - aws_rds_db_instance_deletion_protection_enabled - - id: aws_nist_csf_pr_ip_4 - title: PR.IP-4 - description: Backups of information are conducted, maintained, and tested periodically. 
- section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_cluster_aurora_backtracking_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_lifecycle_policy_enabled - - aws_s3_bucket_versioning_and_lifecycle_policy_enabled - - aws_s3_bucket_versioning_enabled - - id: aws_nist_csf_pr_ip_7 - title: PR.IP-7 - description: Protection processes are improved. - section-code: "7" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/EC2 - type: - - Benchmark - controls: - - aws_ec2_instance_ebs_optimized - - id: aws_nist_csf_pr_ip_8 - title: PR.IP-8 - description: Effectiveness of protection technologies is shared. 
- section-code: "8" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled - - id: aws_nist_csf_pr_ip_9 - title: PR.IP-9 - description: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. 
- section-code: "9" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up - - id: aws_nist_csf_pr_ip_12 - title: PR.IP-12 - description: A vulnerability management plan is developed and implemented. 
- section-code: "12" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_config_enabled_all_regions - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant - - id: aws_nist_csf_pr_ma - title: Maintenance (PR.MA) - description: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. - section-code: ma + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled + - id: aws_nist_csf_id_ra_3 + title: ID.RA-3 + description: Threats, both internal and external, are identified and documented. + section-code: "3" tags: category: - Compliance @@ -1680,30 +755,13 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_pr_ma_2 - title: PR.MA-2 - description: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark - controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_redshift_cluster_audit_logging_enabled - - id: aws_nist_csf_pr_pt - title: Protective Technology (PR.PT) - description: Technical security solutions are managed to ensure the security and resilience of systems and assets. - section-code: pt + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled + - id: aws_nist_csf_id_ra_5 + title: ID.RA-5 + description: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. + section-code: "5" tags: category: - Compliance 
@@ -1715,201 +773,39 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_pr_pt_1 - title: PR.PT-1 - description: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_log_group_retention_period_365 - - aws_codebuild_project_logging_enabled - - aws_ecs_cluster_container_insights_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_opensearch_domain_audit_logging_enabled - - aws_opensearch_domain_logs_to_cloudwatch - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_event_notifications_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled - - id: aws_nist_csf_pr_pt_3 - title: PR.PT-3 - description: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. 
- section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled - - aws_ecs_task_definition_user_for_host_mode_check - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_fine_grained_access_enabled - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_subnet_auto_assign_public_ip_disabled - - id: aws_nist_csf_pr_pt_4 - title: PR.PT-4 - description: Communications and control networks are protected. 
- section-code: "4" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_cloudfront_distribution_default_root_object_configured - - aws_cloudfront_distribution_waf_enabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets - - aws_networkfirewall_firewall_policy_rule_group_not_empty - - aws_networkfirewall_stateless_rule_group_not_empty - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_network_acl_remote_administration - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_web_acl_rule_attached - - id: aws_nist_csf_pr_pt_5 - title: PR.PT-5 - 
description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations. - section-code: "5" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_multiple_az_configured - - aws_autoscaling_group_with_lb_use_health_check - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_gateway_network_lb_multiple_az_configured - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_multiple_az_configured - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_multiple_az_configured - - aws_rds_db_cluster_deletion_protection_enabled - - aws_rds_db_cluster_multiple_az_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_lifecycle_policy_enabled - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_versioning_and_lifecycle_policy_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up - - id: aws_nist_csf_rc - title: Recover (RC) - description: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or 
services that were impaired due to a cybersecurity incident. - section-code: rc + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_id_sc + title: Supply Chain Risk Management (ID.SC) + description: The organization uses processes to identify, assess and manage supply chain risks. + section-code: sc tags: category: - Compliance @@ -1922,10 +818,10 @@ framework: type: - Benchmark control-group: - - id: aws_nist_csf_rc_rp - title: Recovery Planning (RC.RP) - description: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. - section-code: rp + - id: aws_nist_csf_id_sc_4 + title: ID.SC-4 + description: Suppliers and third-party partners are routinely assessed to confirm they meet obligations. + section-code: "4" tags: category: - Compliance 
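Review bot: The 28-entry `controls:` list added under ID.RA-5 here is repeated byte-for-byte under ID.SC-4 in the `@@ -1937,64 +833,55 @@` hunk, although the two subcategories describe different outcomes (using threats and vulnerabilities to determine risk versus routinely assessing suppliers and third-party partners). A set of CloudTrail, Config, GuardDuty and CloudWatch metric-filter checks is a defensible evidence source for ID.RA-5, but for ID.SC-4 it exercises nothing supplier-facing; `aws_codebuild_project_source_repo_oauth_configured`, which this file already maps under PR.DS-5 and PR.IP-2, looks closer to that intent, though that is the mapping owner's call. Whatever is decided, the duplication deserves a one-line `# ID.SC-4: reuses the ID.RA-5 evidence set until supplier-specific controls exist` comment above the second list so the next editor knows it was deliberate rather than a copy-paste slip. The `- id: aws_nist_csf_id_ra_5` entry this list belongs to is opened in the preceding hunk, outside this one.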
@@ -1937,64 +833,55 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_rc_rp_1 - title: RC.RP-1 - description: Recovery plan is executed during or after a cybersecurity incident. - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_autoscaling_group_multiple_az_configured - - aws_autoscaling_use_multiple_instance_types_in_multiple_az - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_cloudfront_distribution_configured_with_origin_failover - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_lambda_function_multiple_az_configured - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_cluster_deletion_protection_enabled - - aws_rds_db_cluster_multiple_az_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_lifecycle_policy_enabled - - aws_s3_bucket_object_lock_enabled - - 
aws_s3_bucket_versioning_and_lifecycle_policy_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up - - id: aws_nist_csf_rs - title: Respond (RS) - description: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. - section-code: rs + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled +- id: aws_nist_csf_pr + title: Protect (PR) + description: Develop and implement safeguards to ensure delivery of critical services. 
+ section-code: pr + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_pr_ac + title: Identity Management and Access Control (PR.AC) + description: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. + section-code: ac tags: category: - Compliance 
@@ -2007,10 +894,235 @@ framework: type: - Benchmark control-group: - - id: aws_nist_csf_rs_an - title: Analysis (RS.AN) - description: Analysis is conducted to ensure effective response and support recovery activities. - section-code: an + - id: aws_nist_csf_pr_ac_1 + title: PR.AC-1 + description: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. + section-code: "1" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ec2_instance_iam_profile_attached + - aws_ec2_instance_no_amazon_key_pair + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_user_for_host_mode_check + - aws_emr_cluster_kerberos_enabled + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_opensearch_domain_fine_grained_access_enabled + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_acls_should_prohibit_user_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day + - id: 
aws_nist_csf_pr_ac_3 + title: PR.AC-3 + description: Remote access is managed. + section-code: "3" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_use_waf_web_acl + - aws_autoscaling_launch_config_public_ip_disabled + - aws_cloudfront_distribution_waf_enabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled + - aws_eks_cluster_endpoint_restrict_public_access + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets + - aws_networkfirewall_firewall_policy_rule_group_not_empty + - aws_networkfirewall_stateless_rule_group_not_empty + - aws_opensearch_domain_in_vpc + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_enhanced_vpc_routing_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_configured_to_use_vpc_endpoints + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_igw_attached_to_authorized_vpc + - aws_vpc_network_acl_remote_administration + - aws_vpc_route_table_restrict_public_access_to_igw + - 
aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_vpc_subnet_auto_assign_public_ip_disabled + - aws_waf_regional_rule_condition_attached + - aws_waf_regional_rule_group_rule_attached + - aws_waf_web_acl_rule_attached + - id: aws_nist_csf_pr_ac_4 + title: PR.AC-4 + description: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. + section-code: "4" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_iam_profile_attached + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_uses_imdsv2 + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_user_for_host_mode_check + - aws_efs_access_point_enforce_root_directory + - aws_efs_access_point_enforce_user_identity + - aws_eks_cluster_endpoint_restrict_public_access + - aws_emr_cluster_kerberos_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_lambda_function_in_vpc + - 
aws_lambda_function_restrict_public_access + - aws_opensearch_domain_fine_grained_access_enabled + - aws_opensearch_domain_in_vpc + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_configured_to_use_vpc_endpoints + - aws_vpc_igw_attached_to_authorized_vpc + - aws_vpc_subnet_auto_assign_public_ip_disabled + - id: aws_nist_csf_pr_ac_5 + title: PR.AC-5 + description: Network integrity is protected (e.g., network segregation, network segmentation). + section-code: "5" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_apigateway_stage_use_waf_web_acl + - aws_autoscaling_launch_config_public_ip_disabled + - aws_cloudfront_distribution_default_root_object_configured + - aws_cloudfront_distribution_waf_enabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled + - aws_eks_cluster_endpoint_restrict_public_access + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets + - aws_networkfirewall_firewall_policy_rule_group_not_empty + - aws_networkfirewall_stateless_rule_group_not_empty + - 
aws_opensearch_domain_in_vpc + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_enhanced_vpc_routing_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_configured_to_use_vpc_endpoints + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_igw_attached_to_authorized_vpc + - aws_vpc_network_acl_remote_administration + - aws_vpc_route_table_restrict_public_access_to_igw + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_subnet_auto_assign_public_ip_disabled + - aws_waf_regional_rule_condition_attached + - aws_waf_regional_rule_group_rule_attached + - aws_waf_web_acl_rule_attached + - id: aws_nist_csf_pr_ac_6 + title: PR.AC-6 + description: Identities are proofed and bound to credentials and asserted in interactions. + section-code: "6" tags: category: - Compliance 
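Review bot: The new PR.AC-5 list ("Network integrity is protected") carries `aws_vpc_security_group_restrict_ingress_common_ports_all` and `aws_vpc_security_group_restrict_ingress_ssh_all` but omits `aws_vpc_security_group_restrict_ingress_tcp_udp_all`, which PR.AC-3 in the same hunk lists alongside the other two; an all-ports ingress rule is the most direct segmentation failure, so the omission looks accidental — add `- aws_vpc_security_group_restrict_ingress_tcp_udp_all` after the ssh entry. The S3 block-public-access pair is also split inconsistently: PR.AC-3 has both `aws_s3_public_access_block_account` and `aws_s3_public_access_block_bucket`, PR.AC-4 only the bucket-level check and PR.AC-5 only the account-level one, with nothing in the hunk explaining why. PR.AC-5 further includes `aws_acm_certificate_expires_30_days` and `aws_cloudfront_distribution_default_root_object_configured`, which are transport and edge hygiene rather than segmentation; if they stay, a short comment on the mapping rationale would help. The `control-group:` sequence these entries extend begins before this hunk.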
@@ -2022,28 +1134,53 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_rs_an_2 - title: RS.AN-2 - description: The impact of the incident is understood. - section-code: "2" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_finding_archived - - id: aws_nist_csf_rs_mi - title: Mitigation (RS.MI) - description: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. - section-code: mi + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_trail_enabled + - aws_emr_cluster_kerberos_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - id: aws_nist_csf_pr_ac_7 + title: PR.AC-7 + description: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction. + section-code: "7" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - id: aws_nist_csf_pr_ds + title: Data Security (PR.DS) + description: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. + section-code: ds + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_pr_ds_1 + title: PR.DS-1 + description: Data-at-rest is protected. + section-code: "1" tags: category: - Compliance 
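Review bot: PR.AC-6 ("Identities are proofed and bound to credentials and asserted in interactions") is mapped almost entirely to logging checks — `aws_cloudtrail_multi_region_trail_enabled`, `aws_cloudtrail_trail_enabled`, `aws_redshift_cluster_encryption_logging_enabled`, `aws_s3_bucket_logging_enabled` — with `aws_emr_cluster_kerberos_enabled` the only control that concerns identity binding. Trail and access logging record which identity acted but do not verify that identities were proofed or bound, so a passing scan on this group gives little assurance for the subcategory; consider a `# PR.AC-6: logging controls evidence identity assertion, not proofing` comment above the list, or narrowing it. By contrast the new PR.AC-7 group is internally consistent and its `service: - AWS/IAM` tag matches an all-IAM list, which is the pattern worth following here. The PR.DS-1 entry opened at the end of this hunk continues in the next one.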
@@ -2055,28 +1192,907 @@ framework: - AWS type: - Benchmark - control-group: - - id: aws_nist_csf_rs_mi_3 - title: RS.MI-3 - description: Newly identified vulnerabilities are mitigated or documented as accepted risks. - section-code: "3" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark - controls: - - aws_guardduty_finding_archived - - id: aws_nist_csf_rs_rp - title: Response Planning (RS.RP) - description: Response processes and procedures are executed and maintained, ensuring timely response to detected cybersecurity events. - section-code: rp + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_codebuild_project_artifact_encryption_enabled + - aws_codebuild_project_s3_logs_encryption_enabled + - aws_dax_cluster_encryption_at_rest_enabled + - aws_dynamodb_table_encrypted_with_kms + - aws_dynamodb_table_encryption_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_eks_cluster_secrets_encrypted + - aws_es_domain_encryption_at_rest_enabled + - aws_kinesis_stream_server_side_encryption_enabled + - aws_kms_key_not_pending_deletion + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_logging_enabled + - aws_redshift_cluster_kms_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_object_lock_enabled + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_secretsmanager_secret_encrypted_with_kms_cmk + - id: aws_nist_csf_pr_ds_2 + title: PR.DS-2 + description: Data-in-transit is protected. 
+ section-code: "2" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_apigateway_rest_api_stage_use_ssl_certificate + - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_cloudfront_distribution_use_custom_ssl_certificate + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_opensearch_domain_https_required + - aws_opensearch_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl + - id: aws_nist_csf_pr_ds_3 + title: PR.DS-3 + description: Assets are formally managed throughout removal, transfers, and disposition. + section-code: "3" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_eip_associated + - id: aws_nist_csf_pr_ds_4 + title: PR.DS-4 + description: Adequate capacity to ensure availability is maintained. 
+ section-code: "4" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_multiple_az_configured + - aws_autoscaling_group_with_lb_use_health_check + - aws_autoscaling_use_multiple_instance_types_in_multiple_az + - aws_cloudfront_distribution_configured_with_origin_failover + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_gateway_network_lb_multiple_az_configured + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_elb_classic_lb_multiple_az_configured + - aws_lambda_function_multiple_az_configured + - aws_rds_db_cluster_deletion_protection_enabled + - aws_rds_db_cluster_multiple_az_enabled + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_deletion_protection_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_redshift_cluster_maintenance_settings_check + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_lifecycle_policy_enabled + - aws_s3_bucket_versioning_and_lifecycle_policy_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up + - id: aws_nist_csf_pr_ds_5 + title: PR.DS-5 + description: Protections against data leaks are implemented. 
+ section-code: "5" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ecs_task_definition_container_environment_no_secret + - aws_eks_cluster_endpoint_restrict_public_access + - aws_elb_application_classic_lb_logging_enabled + - aws_es_domain_in_vpc + - aws_guardduty_enabled + - aws_lambda_function_restrict_public_access + - aws_opensearch_domain_in_vpc + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_event_notifications_enabled + - aws_s3_bucket_logging_enabled + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_securityhub_enabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_configured_to_use_vpc_endpoints + - aws_vpc_flow_logs_enabled + - id: aws_nist_csf_pr_ds_6 + title: PR.DS-6 + description: Integrity checking mechanisms are used to verify software, firmware, and information integrity. 
+ section-code: "6" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled + - aws_s3_bucket_versioning_enabled + - id: aws_nist_csf_pr_ds_7 + title: PR.DS-7 + description: The development and testing environment(s) are separate from the production environment. + section-code: "7" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_security_trail_enabled + - aws_ebs_volume_unused + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_common_ports_all + - id: aws_nist_csf_pr_ds_8 + title: PR.DS-8 + description: Integrity checking mechanisms are used to verify hardware integrity. + section-code: "8" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_securityhub_enabled + - id: aws_nist_csf_pr_ip + title: Information Protection Processes and Procedures (PR.IP) + description: Security policies (addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. + section-code: ip + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_csf_pr_ip_1 + title: PR.IP-1 + description: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality). 
+ section-code: "1"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_autoscaling_launch_config_hop_limit
+ - aws_autoscaling_launch_config_requires_imdsv2
+ - aws_cloudformation_stack_drift_detection_check
+ - aws_cloudfront_distribution_origin_access_identity_enabled
+ - aws_cloudtrail_security_trail_enabled
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_instance_virtualization_type_no_paravirtual
+ - aws_ec2_stopped_instance_30_days
+ - aws_ecr_repository_lifecycle_policy_configured
+ - aws_ecr_repository_tag_immutability_enabled
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_ecs_task_definition_container_environment_no_secret
+ - aws_ecs_task_definition_no_host_pid_mode
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elb_application_lb_desync_mitigation_mode
+ - aws_lambda_function_use_latest_runtime
+ - aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets
+ - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
+ - aws_networkfirewall_firewall_policy_rule_group_not_empty
+ - aws_rds_db_cluster_no_default_admin_name
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_rds_db_instance_no_default_admin_name
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_redshift_cluster_no_default_admin_name
+ - aws_redshift_cluster_no_default_database_name
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_waf_regional_web_acl_rule_attached
+ - aws_waf_rule_condition_attached
+ - aws_waf_rule_group_rule_attached
+ - aws_waf_web_acl_resource_associated
+ - id: aws_nist_csf_pr_ip_2
+ title: PR.IP-2
+ description: A System Development Life Cycle to manage systems is implemented.
+ section-code: "2"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_ssm_managed
+ - id: aws_nist_csf_pr_ip_3
+ title: PR.IP-3
+ description: Configuration change control processes are in place.
+ section-code: "3"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/ELB
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_rds_db_cluster_deletion_protection_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - id: aws_nist_csf_pr_ip_4
+ title: PR.IP-4
+ description: Backups of information are conducted, maintained, and tested periodically.
+ section-code: "4"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_enabled
+ - id: aws_nist_csf_pr_ip_7
+ title: PR.IP-7
+ description: Protection processes are improved.
+ section-code: "7"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/EC2
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ebs_optimized
+ - id: aws_nist_csf_pr_ip_8
+ title: PR.IP-8
+ description: Effectiveness of protection technologies is shared.
+ section-code: "8"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - id: aws_nist_csf_pr_ip_9
+ title: PR.IP-9
+ description: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
+ section-code: "9"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
+ - id: aws_nist_csf_pr_ip_12
+ title: PR.IP-12
+ description: A vulnerability management plan is developed and implemented.
+ section-code: "12"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - id: aws_nist_csf_pr_ma
+ title: Maintenance (PR.MA)
+ description: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
+ section-code: ma
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_pr_ma_2
+ title: PR.MA-2
+ description: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
+ section-code: "2"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_redshift_cluster_audit_logging_enabled
+ - id: aws_nist_csf_pr_pt
+ title: Protective Technology (PR.PT)
+ description: Technical security solutions are managed to ensure the security and resilience of systems and assets.
+ section-code: pt
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_pr_pt_1
+ title: PR.PT-1
+ description: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
+ section-code: "1"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudfront_distribution_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_codebuild_project_logging_enabled
+ - aws_ecs_cluster_container_insights_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_event_notifications_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
+ - id: aws_nist_csf_pr_pt_3
+ title: PR.PT-3
+ description: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.
+ section-code: "3"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_no_inline_attached_policies
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_acls_should_prohibit_user_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_configured_to_use_vpc_endpoints
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - id: aws_nist_csf_pr_pt_4
+ title: PR.PT-4
+ description: Communications and control networks are protected.
+ section-code: "4"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudfront_distribution_default_root_object_configured
+ - aws_cloudfront_distribution_waf_enabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
+ - aws_networkfirewall_firewall_policy_rule_group_not_empty
+ - aws_networkfirewall_stateless_rule_group_not_empty
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_configured_to_use_vpc_endpoints
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_network_acl_remote_administration
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_waf_regional_rule_condition_attached
+ - aws_waf_regional_rule_group_rule_attached
+ - aws_waf_web_acl_rule_attached
+ - id: aws_nist_csf_pr_pt_5
+ title: PR.PT-5
+
description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
+ section-code: "5"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_multiple_az_configured
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_gateway_network_lb_multiple_az_configured
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_elb_classic_lb_multiple_az_configured
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_multiple_az_configured
+ - aws_rds_db_cluster_deletion_protection_enabled
+ - aws_rds_db_cluster_multiple_az_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
+- id: aws_nist_csf_rc
+ title: Recover (RC)
+ description: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or
services that were impaired due to a cybersecurity incident.
+ section-code: rc
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rc_rp
+ title: Recovery Planning (RC.RP)
+ description: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
+ section-code: rp
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rc_rp_1
+ title: RC.RP-1
+ description: Recovery plan is executed during or after a cybersecurity incident.
+ section-code: "1"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_multiple_az_configured
+ - aws_autoscaling_use_multiple_instance_types_in_multiple_az
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_cloudfront_distribution_configured_with_origin_failover
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_lambda_function_multiple_az_configured
+ -
aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_cluster_deletion_protection_enabled
+ - aws_rds_db_cluster_multiple_az_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
+- id: aws_nist_csf_rs
+ title: Respond (RS)
+ description: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
+ section-code: rs
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rs_an
+ title: Analysis (RS.AN)
+ description: Analysis is conducted to ensure effective response and support recovery activities.
+ section-code: an
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rs_an_2
+ title: RS.AN-2
+ description: The impact of the incident is understood.
+ section-code: "2"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_finding_archived
+ - id: aws_nist_csf_rs_mi
+ title: Mitigation (RS.MI)
+ description: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
+ section-code: mi
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rs_mi_3
+ title: RS.MI-3
+ description: Newly identified vulnerabilities are mitigated or documented as accepted risks.
+ section-code: "3"
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_finding_archived
+ - id: aws_nist_csf_rs_rp
+ title: Response Planning (RS.RP)
+ description: Response processes and procedures are executed and maintained, ensuring timely response to detected cybersecurity events.
+ section-code: rp
+ tags:
+ category:
+ - Compliance
+ nist_csf:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_csf_rs_rp_1
+ title: RS.RP-1
+ description: Response plan is executed during or after an incident.
+ section-code: "1"
tags:
category:
- Compliance
@@ -2088,46 +2104,30 @@ framework:
- AWS
type:
- Benchmark
- control-group:
- - id: aws_nist_csf_rs_rp_1
- title: RS.RP-1
- description: Response plan is executed during or after an incident.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_csf:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ -
aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml
index 4523dd382..a5e37abfe 100644
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml
@@ -1,20 +1,20 @@
-framework:
- id: aws_pci_dss_v321
- title: PCI DSS v3.2.1
- description: The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data.
- section-code: aws_pci_dss_v321
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_pci_dss_v321_requirement_1
- - id: aws_pci_dss_v321_requirement_2
- - id: aws_pci_dss_v321_requirement_3
- - id: aws_pci_dss_v321_requirement_4
- - id: aws_pci_dss_v321_requirement_5
- - id: aws_pci_dss_v321_requirement_6
- - id: aws_pci_dss_v321_requirement_7
- - id: aws_pci_dss_v321_requirement_8
- - id: aws_pci_dss_v321_requirement_10
- - id: aws_pci_dss_v321_requirement_11
+id: aws_pci_dss_v321
+title: PCI DSS v3.2.1
+description: The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data.
+section-code: aws_pci_dss_v321
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_pci_dss_v321_requirement_1
+- id: aws_pci_dss_v321_requirement_2
+- id: aws_pci_dss_v321_requirement_3
+- id: aws_pci_dss_v321_requirement_4
+- id: aws_pci_dss_v321_requirement_5
+- id: aws_pci_dss_v321_requirement_6
+- id: aws_pci_dss_v321_requirement_7
+- id: aws_pci_dss_v321_requirement_8
+- id: aws_pci_dss_v321_requirement_10
+- id: aws_pci_dss_v321_requirement_11
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
index c5de03c31..02e45300a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
@@ -1,9 +1,12 @@
+id: aws_pci_dss_v321_requirement_1
+title: "Requirement 1: Install and maintain a firewall configuration to protect cardholder data"
+description: A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks.
+section-code: requirement_1
+type: control-group
control-group:
- id: aws_pci_dss_v321_requirement_1
- title: "Requirement 1: Install and maintain a firewall configuration to protect cardholder data"
- description: A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks.
- section-code: requirement_1
- control-group:
- - id: aws_pci_dss_v321_requirement_1_1
- - id: aws_pci_dss_v321_requirement_1_2
- - id: aws_pci_dss_v321_requirement_1_3
+- id: aws_pci_dss_v321_requirement_1_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml
index c1fc076d9..41c1c7348 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml
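Review bot: Each child reference added under `control-group:` carries `type: ""`, an empty string rather than either a real value or an absent key. If the loader validates `type` against the values this commit uses elsewhere (`framework`, `control-group`, `control`), an empty string will presumably be rejected or silently treated as untyped, and the parent framework file in the preceding hunk lists the same kind of reference with no `type` key at all, so the two shapes already disagree within one commit. This reads like a serializer artifact (a struct field written without an omit-empty option) rather than intent; either drop the key or fill it with the type the referenced file declares, e.g. `- id: aws_pci_dss_v321_requirement_1_1` followed by `  type: control-group` (the requirement_10_1 and requirement_10_2 files in this commit declare `type: control-group`, so the sub-requirement files likely do too — confirm). The same `type: ""` entries appear in the requirement_10 and requirement_10_2 hunks below.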
@@ -1,12 +1,18 @@
+id: aws_pci_dss_v321_requirement_10
+title: "Requirement 10: Track and monitor all access to network resources and cardholder data"
+description: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong.
+section-code: requirement_10
+type: control-group
control-group:
- id: aws_pci_dss_v321_requirement_10
- title: "Requirement 10: Track and monitor all access to network resources and cardholder data"
- description: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong.
- section-code: requirement_10
- control-group:
- - id: aws_pci_dss_v321_requirement_10_1
- - id: aws_pci_dss_v321_requirement_10_2
- - id: aws_pci_dss_v321_requirement_10_3
- - id: aws_pci_dss_v321_requirement_10_5
- - id: aws_pci_dss_v321_requirement_10_7
- - id: aws_pci_dss_v321_requirement_10_8
+- id: aws_pci_dss_v321_requirement_10_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_7
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_8
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml
index 7beded389..b9616e12f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_1
- title: Implement audit trails to link all access to system components to each individual user
- description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users."
- section-code: "1"
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_pci_dss_v321_requirement_10_1
+title: Implement audit trails to link all access to system components to each individual user
+description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users."
+section-code: "1"
+type: control-group
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_alarm_action_enabled_check
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml
index 9a9fc87b7..9fcf894ca 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml
@@ -1,18 +1,25 @@
+id: aws_pci_dss_v321_requirement_10_2
+title: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings
+description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_2
- title: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings
- description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_2_1
- - id: aws_pci_dss_v321_requirement_10_2_2
- - id: aws_pci_dss_v321_requirement_10_2_3
- - id: aws_pci_dss_v321_requirement_10_2_4
- - id: aws_pci_dss_v321_requirement_10_2_5
- - id: aws_pci_dss_v321_requirement_10_2_6
- - id: aws_pci_dss_v321_requirement_10_2_7
- controls:
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_redshift_cluster_audit_logging_enabled
+- id: aws_pci_dss_v321_requirement_10_2_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_6
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_2_7
+ type: ""
+controls:
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
+- aws_redshift_cluster_audit_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml
index b6930a575..ccb2c127f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml
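Review bot: Every nested group reference under `control-group:` is written with `type: ""`, so the loader gets an empty discriminator for the seven children while the parent itself declares `type: control-group`. I cannot see the loader from this hunk, but an empty string is the kind of value a strict schema rejects or a lenient one maps to an unknown type, so either `type: control-group` on each child or omitting the key (if a default applies) is the safer choice. Separately, the `title` is the PCI DSS testing-procedure wording ("Through interviews of responsible personnel…") rather than the requirement, and the `description` is copied verbatim from 10.1; as I recall the v3.2.1 requirement text, something like `title: Implement automated audit trails for all system components to reconstruct the following events` would describe what the child groups 10.2.1–10.2.7 actually check.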
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_1
- title: 2.1 All individual user accesses to cardholder data
- description: Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused. This control verifies all individual access to cardholder data is loggedVerify all individual access to cardholder data is logged.
- section-code: "1"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_1
+title: 2.1 All individual user accesses to cardholder data
+description: Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused. This control verifies all individual access to cardholder data is loggedVerify all individual access to cardholder data is logged.
+section-code: "1"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
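Review bot: The new `description:` line still carries a fused duplicate sentence, `...is loggedVerify all individual access to cardholder data is logged.`, which reads as a copy-paste artefact and ends up verbatim in every report for this requirement. Ending the value at `This control verifies all individual access to cardholder data is logged.` says the same thing once. The rest of the hunk is the same restructuring applied to its siblings.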
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
index bdf5b2ce7..19d6152a6 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_2
- title: 2.2 All actions taken by any individual with root or administrative privileges
- description: Accounts with increased privileges, such as the “administrator” or “root” account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual. This control verifies all actions taken by any individual with root or administrative privileges are logged.
- section-code: "2"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_2
+title: 2.2 All actions taken by any individual with root or administrative privileges
+description: Accounts with increased privileges, such as the “administrator” or “root” account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual. This control verifies all actions taken by any individual with root or administrative privileges are logged.
+section-code: "2"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml
index d11d22724..0af81a402 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_3
- title: 2.3 Access to all audit trails
- description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged.
- section-code: "3"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_3
+title: 2.3 Access to all audit trails
+description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged.
+section-code: "3"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml
index 5ade6fe28..ccaf6495f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_4
- title: 2.4 Invalid logical access attempts
- description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged.
- section-code: "4"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_4
+title: 2.4 Invalid logical access attempts
+description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged.
+section-code: "4"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
index 0aae409fa..c94c1219b 100755
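Review bot: The `description:` on the new side does not match the title `2.4 Invalid logical access attempts`; it is the 10.2.3 text about access to audit trails and even closes with `This control verifies access to all audit trails is logged.`, so a reader of the 10.2.4 report is given the wrong rationale. As I recall PCI DSS v3.2.1, 10.2.4 is about failed access attempts as an indicator of brute-force or password guessing, so the value should say something like `description: Multiple invalid logical access attempts may indicate an unauthorized user attempting to brute-force or guess credentials. This control verifies invalid logical access attempts are logged.` The control list itself looks plausible, since CloudTrail records denied API calls, but that is inferred from CloudTrail's behaviour rather than from anything in this hunk.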
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_10_2_5
+title: 2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
+description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_2_5
- title: 2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
- description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_2_5_a
+- id: aws_pci_dss_v321_requirement_10_2_5_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
index bfca0d246..61793acd9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_5_a
- title: 2.5.a Verify use of identification and authentication mechanisms is logged
- description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
- section-code: a
- controls:
- - aws_cloudtrail_trail_enabled
+id: aws_pci_dss_v321_requirement_10_2_5_a
+title: 2.5.a Verify use of identification and authentication mechanisms is logged
+description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
+section-code: a
+type: control-group
+controls:
+- aws_cloudtrail_trail_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
index 9bfd9caf5..89153df10 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
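Review bot: This group backs "use of identification and authentication mechanisms is logged" with only `aws_cloudtrail_trail_enabled`, a weaker set than every sibling group in this series. As I recall, console sign-in, IAM and STS events are global-service events that a single-region trail without global-service events never receives, so a trail merely existing may not capture the authentication activity this requirement is about. Adding `- aws_cloudtrail_multi_region_trail_enabled`, which 10.2.1–10.2.7 already list, would tighten that, subject to confirming what that control actually checks in this repository.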
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_6
- title: 2.6 Initialization, stopping, or pausing of the audit logs
- description: "Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions. This control verifies the following are logged: initialization of audit logs, stopping or pausing of audit logs."
- section-code: "6"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_6
+title: 2.6 Initialization, stopping, or pausing of the audit logs
+description: "Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions. This control verifies the following are logged: initialization of audit logs, stopping or pausing of audit logs."
+section-code: "6"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
index ca7d5a970..388c7abb2 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_2_7
- title: 2.7 Creation and deletion of system- level objects
- description: Malicious software, such as malware, often creates or replaces system level objects on the target system in order to control a particular function or operation on that system. By logging when system-level objects, such as database tables or stored procedures, are created or deleted, it will be easier to determine whether such modifications were authorized. This control verifies creation and deletion of system level objects are logged.
- section-code: "7"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_2_7
+title: 2.7 Creation and deletion of system- level objects
+description: Malicious software, such as malware, often creates or replaces system level objects on the target system in order to control a particular function or operation on that system. By logging when system-level objects, such as database tables or stored procedures, are created or deleted, it will be easier to determine whether such modifications were authorized. This control verifies creation and deletion of system level objects are logged.
+section-code: "7"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
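Review bot: The new `title:` line has a stray space in `system- level objects`, while the description directly below spells it `system-level`; `title: 2.7 Creation and deletion of system-level objects` keeps the two consistent and stops the broken hyphenation showing up in report headings. Everything else in the hunk is the same restructuring applied to its siblings.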
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
index 8c437b997..198b20847 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
@@ -1,20 +1,26 @@
+id: aws_pci_dss_v321_requirement_10_3
+title: Record at least the following audit trail entries for all system components for each event
+description: "By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:"
+section-code: "3"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_3
- title: Record at least the following audit trail entries for all system components for each event
- description: "By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:"
- section-code: "3"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_3_1
- - id: aws_pci_dss_v321_requirement_10_3_2
- - id: aws_pci_dss_v321_requirement_10_3_3
- - id: aws_pci_dss_v321_requirement_10_3_4
- - id: aws_pci_dss_v321_requirement_10_3_5
- - id: aws_pci_dss_v321_requirement_10_3_6
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+- id: aws_pci_dss_v321_requirement_10_3_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_3_6
+ type: ""
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- 
aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
index dd6e0878a..3e76832ba 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_1
- title: 3.1 User identification
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies user identification is included in log entries.
- section-code: "1"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_1
+title: 3.1 User identification
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies user identification is included in log entries.
+section-code: "1"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
index 6e1800f37..ac18d061c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_2
- title: 3.2 Type of event
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies event is included in log entries.
- section-code: "2"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_2
+title: 3.2 Type of event
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies event is included in log entries.
+section-code: "2"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
index 9715bd860..a893ecf21 100755
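Review bot: The `description:` on the new side ends with `This control verifies event is included in log entries.`, dropping the noun the title names, so the sentence no longer says what is being checked. `This control verifies the type of event is included in log entries.` matches the title `3.2 Type of event` and the wording pattern of the other 10.3.x groups.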
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_3
- title: 3.3 Date and time
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This verifies date and time stamp is included in log entries.
- section-code: "3"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_3
+title: 3.3 Date and time
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This verifies date and time stamp is included in log entries.
+section-code: "3"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
index a32742626..526ae5493 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_4
- title: 3.4 Success or failure indication
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies success or failure indication is included in log entries.
- section-code: "4"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_4
+title: 3.4 Success or failure indication
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies success or failure indication is included in log entries.
+section-code: "4"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
index 5e9b41ad8..2c79f9a57 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_5
- title: 3.5 Origination of event
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies origination of event is included in log entries.
- section-code: "5"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_5
+title: 3.5 Origination of event
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies origination of event is included in log entries.
+section-code: "5"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
index d4195df9e..74162f16a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_3_6
- title: 3.6 Identity or name of affected data, system component, or resource
- description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies identity or name of affected data, system component, or resources is included in log entries.
- section-code: "6"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_3_6
+title: 3.6 Identity or name of affected data, system component, or resource
+description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies identity or name of affected data, system component, or resources is included in log entries.
+section-code: "6"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml
index a79c98c1f..9645f5183 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml
@@ -1,18 +1,22 @@
+id: aws_pci_dss_v321_requirement_10_5
+title: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered
+description: Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. This control checks secure audit trails so they cannot be altered.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_5
- title: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered
- description: Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. This control checks secure audit trails so they cannot be altered.
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_5_2
- - id: aws_pci_dss_v321_requirement_10_5_3
- - id: aws_pci_dss_v321_requirement_10_5_4
- - id: aws_pci_dss_v321_requirement_10_5_5
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+- id: aws_pci_dss_v321_requirement_10_5_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_5_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_5_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_5_5
+ type: ""
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
index 7bc73f025..33deaefab 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
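Review bot: Each child reference added under `control-group:` in this hunk carries `type: ""`, an empty string, while the parent record itself now declares `type: control-group`; an empty type value conveys nothing and, depending on how strictly the loader validates the field, is either silently ignored or rejected. It looks like the output of a serializer emitting a zero-valued field rather than a deliberate choice. Either drop the key from the child entries if the type is resolved from the referenced file, or give it the real value, e.g. `type: control-group`, so the file is self-describing. The same `type: ""` entries appear in the 10_7, 10_8, 10_8_1, 11 and 11_4 hunks.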
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_5_2
- title: 5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation
- description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Protect audit trail files from unauthorized modifications.
- section-code: "2"
- controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_config_enabled_all_regions
- - aws_s3_bucket_versioning_enabled
+id: aws_pci_dss_v321_requirement_10_5_2
+title: 5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation
+description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Protect audit trail files from unauthorized modifications.
+section-code: "2"
+type: control-group
+controls:
+- aws_cloudtrail_trail_validation_enabled
+- aws_config_enabled_all_regions
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
index e8487bd65..1329abe71 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_5_3
- title: 5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter
- description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
- section-code: "3"
- controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_pci_dss_v321_requirement_10_5_3
+title: 5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter
+description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
+section-code: "3"
+type: control-group
+controls:
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
index ab3899458..e5d8af41f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_5_4
- title: 5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media
- description: By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network. Logs may be written directly, or offloaded or copied from external systems, to the secure internal system or media.
- section-code: "4"
- controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
+id: aws_pci_dss_v321_requirement_10_5_4
+title: 5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media
+description: By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network. Logs may be written directly, or offloaded or copied from external systems, to the secure internal system or media.
+section-code: "4"
+type: control-group
+controls:
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
index 33f69c32e..4a7fb10e9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_5_5
- title: 5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs
- description: File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file- integrity monitoring purposes, an entity usually monitors files that don't regularly change, but when changed indicate a possible compromise.
- section-code: "5"
- controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_pci_dss_v321_requirement_10_5_5
+title: 5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs
+description: File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file- integrity monitoring purposes, an entity usually monitors files that don't regularly change, but when changed indicate a possible compromise.
+section-code: "5"
+type: control-group
+controls:
+- aws_cloudtrail_trail_validation_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
index 5db0bf4f4..ce4d8577d 100755
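Review bot: The rewritten `description:` line of the 10_5_5 hunk still carries the broken hyphenation `For file- integrity monitoring purposes`, which is rendered verbatim in any report built from this file. Since the commit rewrites the line anyway, it is the natural moment to correct it to `For file-integrity monitoring purposes`, matching the spelling already used in the `title:` and at the start of the same sentence pair.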
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
@@ -1,11 +1,14 @@
+id: aws_pci_dss_v321_requirement_10_7
+title: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
+description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+section-code: "7"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_7
- title: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
- description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
- section-code: "7"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_7_a
- - id: aws_pci_dss_v321_requirement_10_7_b
- - id: aws_pci_dss_v321_requirement_10_7_c
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+- id: aws_pci_dss_v321_requirement_10_7_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_7_b
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_7_c
+ type: ""
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
index 853870e07..e3bd12548 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_7_a
- title: 7.a Examine security policies and procedures to verify that they define audit log retention policies and procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online
- description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
- section-code: a
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+id: aws_pci_dss_v321_requirement_10_7_a
+title: 7.a Examine security policies and procedures to verify that they define audit log retention policies and procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online
+description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.
Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+section-code: a
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_s3_bucket_lifecycle_policy_enabled
+- aws_s3_bucket_versioning_and_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
index 1b96a3c97..f76bc344b 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
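Review bot: The controls carried onto the new side of the 10_7_a hunk do not evidence the retention period the group's own `title:` states: `aws_backup_plan_min_retention_35_days` and `aws_backup_recovery_point_min_retention_35_days` check a 35-day floor, while the requirement is at least one year of audit-log retention with three months immediately available. A consumer reading a passing result for this group would reasonably conclude the one-year retention had been verified, which these checks cannot establish. The sibling 10_7_b hunk already maps `aws_cloudwatch_log_group_retention_period_365` for the same requirement, so either add a 365-day control here as well or state in the `description:` that the 35-day backup checks are a partial evidence set for this item. This is pre-existing mapping that the commit re-emits rather than something it introduces.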
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_7_b
- title: 7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year
- description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
- section-code: b
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_pci_dss_v321_requirement_10_7_b
+title: 7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year
+description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+section-code: b
+type: control-group
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
index e7189e7e6..bb019758a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_7_c
- title: 7.c Interview personnel and observe processes to verify that at least the last three months' logs are immediately available for analysis
- description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
- section-code: c
- controls:
- - aws_cloudwatch_log_group_retention_period_365
+id: aws_pci_dss_v321_requirement_10_7_c
+title: 7.c Interview personnel and observe processes to verify that at least the last three months' logs are immediately available for analysis
+description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+section-code: c
+type: control-group
+controls:
+- aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
index 62799e07d..406d3bb0d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
@@ -1,8 +1,10 @@
+id: aws_pci_dss_v321_requirement_10_8
+title: Additional requirement for service providers only to implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms and segmentation controls
+description: "Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
+section-code: "8"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_8
- title: Additional requirement for service providers only to implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms and segmentation controls
- description: "Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use.
Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
- section-code: "8"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_8_1
- - id: aws_pci_dss_v321_requirement_10_8_b
+- id: aws_pci_dss_v321_requirement_10_8_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_10_8_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
index a9ad147a4..fd337f4ce 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_10_8_1
+title: "8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner"
+description: "Processes for responding to failures in security controls must include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_10_8_1
- title: "8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner"
- description: "Processes for responding to failures in security controls must include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_10_8_1_a
+- id: aws_pci_dss_v321_requirement_10_8_1_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml
index 6e019eaf0..768b72668 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml 
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_8_1_a
- title: 8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure
- description: "This include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
- section-code: a
- controls:
- - aws_cloudwatch_alarm_action_enabled_check
+id: aws_pci_dss_v321_requirement_10_8_1_a
+title: 8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure
+description: "This include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
+section-code: a
+type: control-group
+controls:
+- aws_cloudwatch_alarm_action_enabled_check
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml
index 58875d351..aab5b9437 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml
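Review bot: The `description:` re-emitted on the new side of the 10_8_1_a hunk opens with `This include restoring security functions`, a subject-verb mismatch that reads as an unfinished sentence in generated reports. The same commit rewrites the line, so it is the right moment to change the opening to `This includes restoring security functions` (or `Response processes include restoring security functions`, which also says what "this" refers to, since the title describes an examination step rather than the process itself).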
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml 
@@ -1,13 +1,13 @@
-control-group:
- id: aws_pci_dss_v321_requirement_10_8_b
- title: 8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls
- description: "The failure of a critical security control results in the generation of an alert.10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
- section-code: b
- controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_redshift_cluster_audit_logging_enabled
- - aws_sns_topic_notification_delivery_status_enabled
+id: aws_pci_dss_v321_requirement_10_8_b
+title: 8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls
+description: "The failure of a critical security control results in the generation of an alert.10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
+section-code: b
+type: control-group
+controls:
+- aws_cloudtrail_trail_enabled
+- aws_cloudwatch_alarm_action_enabled_check
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_audit_logging_enabled
+- aws_opensearch_domain_logs_to_cloudwatch
+- aws_redshift_cluster_audit_logging_enabled
+- aws_sns_topic_notification_delivery_status_enabled
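Review bot: The `description:` carried onto the new side of the 10_8_b hunk has the testing-procedure text fused onto the requirement sentence with no separator, `generation of an alert.10.8.b Examine detection and alerting processes …`, and that fused clause then repeats the `title:` almost word for word. This looks like two source fields concatenated during import rather than intended wording. Since the commit rewrites the line, consider trimming the description to start at `The failure of a critical security control results in the generation of an alert. Note: This requirement applies only …`, leaving the examination step to the title where it already lives.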
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
index ad3b38955..1a87b43d5 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
@@ -1,8 +1,10 @@
+id: aws_pci_dss_v321_requirement_11
+title: "Requirement 11: Regularly test security systems and processes"
+description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
+section-code: requirement_11
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_11
- title: "Requirement 11: Regularly test security systems and processes"
- description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
- section-code: requirement_11
- control-group:
- - id: aws_pci_dss_v321_requirement_11_4
- - id: aws_pci_dss_v321_requirement_11_5
+- id: aws_pci_dss_v321_requirement_11_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_11_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
index dc02452d9..e933f6775 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
@@ -1,11 +1,14 @@
+id: aws_pci_dss_v321_requirement_11_4
+title: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network
+description: Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_11_4
- title: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network
- description: Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_11_4_a
- - id: aws_pci_dss_v321_requirement_11_4_b
- - id: aws_pci_dss_v321_requirement_11_4_c
- controls:
- - aws_guardduty_enabled
+- id: aws_pci_dss_v321_requirement_11_4_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_11_4_b
+ type: ""
+- id: aws_pci_dss_v321_requirement_11_4_c
+ type: ""
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
index 6692d835e..05eaadc99 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_11_4_a
- title: 4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic at the perimeter of the cardholder data environment and at critical points in the cardholder data environment
- description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
- section-code: a
- controls:
- - aws_guardduty_enabled
+id: aws_pci_dss_v321_requirement_11_4_a
+title: 4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic at the perimeter of the cardholder data environment and at critical points in the cardholder data environment
+description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+section-code: a
+type: control-group
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
index b78fa9b5c..1b9bbef20 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_11_4_b
- title: 4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises
- description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
- section-code: b
- controls:
- - aws_guardduty_enabled
+id: aws_pci_dss_v321_requirement_11_4_b
+title: 4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises
+description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+section-code: b
+type: control-group
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
index 258b631d4..36afc1f2c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_11_4_c
- title: 4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection
- description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
- section-code: c
- controls:
- - aws_guardduty_enabled
+id: aws_pci_dss_v321_requirement_11_4_c
+title: 4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection
+description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+section-code: c
+type: control-group
+controls:
+- aws_guardduty_enabled
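Review bot: The rewritten `title` keeps the broken hyphenation "intrusion- prevention" from the old file; since the whole line is being re-emitted anyway, this is the moment to fix it so the title matches the wording used in the sibling 11.4.a and 11.4.b titles. The line should read `title: 4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection`. Framework titles are shown in reports, so the stray space is user-visible.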
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
index 52a825f6a..211da993c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
@@ -1,10 +1,12 @@
+id: aws_pci_dss_v321_requirement_11_5
+title: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
+description: Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_11_5
- title: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
- description: Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_11_5_a
- - id: aws_pci_dss_v321_requirement_11_5_b
- controls:
- - aws_config_enabled_all_regions
+- id: aws_pci_dss_v321_requirement_11_5_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_11_5_b
+ type: ""
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
index b702435bb..588478d84 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_11_5_a
- title: 5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities
- description: Examples of files that should be monitored are system executables, application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files and additional critical files determined by entity (for example, through risk assessment or other means). Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
- section-code: a
- controls:
- - aws_config_enabled_all_regions
+id: aws_pci_dss_v321_requirement_11_5_a
+title: 5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities
+description: Examples of files that should be monitored are system executables, application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files and additional critical files determined by entity (for example, through risk assessment or other means). Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
+section-code: a
+type: control-group
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
index b164fb4c7..a216ace8d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_11_5_b
- title: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
- description: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
- section-code: b
- controls:
- - aws_config_enabled_all_regions
+id: aws_pci_dss_v321_requirement_11_5_b
+title: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
+description: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
+section-code: b
+type: control-group
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
index e50af0137..5e31fe3f4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
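Review bot: The re-emitted `description` for 11.5.b is a verbatim copy of its `title`, so the field adds no information and reads like a placeholder that was never filled in; every sibling in this diff (11.5 and 11.5.a) carries the change-detection guidance text instead. Since the commit rewrites the line anyway, the description should be replaced with guidance of the same kind as the 11.5.a description, or at minimum the duplicated title text removed. As written, a reader of the report sees the same sentence twice with no explanation of what the alerting and weekly-comparison expectation means in practice.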
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_1_1
+title: Establish and implement firewall and router configuration standards
+description: Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Configuration standards and procedures will help to ensure that the organization's first line of defense in the protection of its data remains strong.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_1
- title: Establish and implement firewall and router configuration standards
- description: Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Configuration standards and procedures will help to ensure that the organization's first line of defense in the protection of its data remains strong.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_1_4
+- id: aws_pci_dss_v321_requirement_1_1_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
index c06ffda69..bad8fa0f7 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_1_1_4
+title: 1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
+description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_1_4
- title: 1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
- description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_1_4_c
+- id: aws_pci_dss_v321_requirement_1_1_4_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
index 511f69173..92b7cdc1d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_1_4_c
- title: 1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams
- description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
- section-code: c
- controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_elb_application_lb_waf_enabled
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_1_4_c
+title: 1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams
+description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
+section-code: c
+type: control-group
+controls:
+- aws_apigateway_stage_use_waf_web_acl
+- aws_elb_application_lb_waf_enabled
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
index 2a05f19c1..633e55a58 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
@@ -1,9 +1,12 @@
+id: aws_pci_dss_v321_requirement_1_2
+title: Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment
+description: It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity's ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software. For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity's network.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_2
- title: Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment
- description: It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity's ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software. For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity's network.
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_2_1
- - id: aws_pci_dss_v321_requirement_1_2_2
- - id: aws_pci_dss_v321_requirement_1_2_3
+- id: aws_pci_dss_v321_requirement_1_2_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_2_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_2_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
index 81e18e632..874936e78 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
@@ -1,9 +1,12 @@
+id: aws_pci_dss_v321_requirement_1_2_1
+title: 2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
+description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_2_1
- title: 2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
- description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_2_1_a
- - id: aws_pci_dss_v321_requirement_1_2_1_b
- - id: aws_pci_dss_v321_requirement_1_2_1_c
+- id: aws_pci_dss_v321_requirement_1_2_1_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_2_1_b
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_2_1_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
index 5335480d8..a3ac5d6f0 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_2_1_a
- title: 2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
- description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
- section-code: a
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_2_1_a
+title: 2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
+description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+section-code: a
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
index 05f3fac68..650ff33ac 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_2_1_b
- title: 2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment
- description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
- section-code: b
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_2_1_b
+title: 2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment
+description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+section-code: b
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
index 539188730..2375155fb 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_2_1_c
- title: 2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement
- description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
- section-code: c
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_2_1_c
+title: 2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement
+description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+section-code: c
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
index 811bc8368..58b5db269 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_1_2_2
+title: 2.2 Secure and synchronize router configuration files
+description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_2_2
- title: 2.2 Secure and synchronize router configuration files
- description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_2_2_b
+- id: aws_pci_dss_v321_requirement_1_2_2_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
index 3cbe6d975..b7dd3bcc4 100755
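Review bot: The child reference added under `control-group:` carries `type: ""`, while every node that defines itself in this commit is tagged `type: control-group`; the same empty value appears in the 1_2_3 and 1_3 hunks below. From the hunk alone it is not clear whether the loader treats an empty type as "default to control-group" or as an invalid node, and an empty string is the kind of value that passes a presence check while failing a later dispatch on type. If the reference form is meant to carry no type, dropping the key and keeping just `- id: aws_pci_dss_v321_requirement_1_2_2_b` would be unambiguous; if the key is required, `type: control-group` matches the referenced file's own declaration. Either way a short comment next to the first such entry stating what `""` means to the loader would spare the next person the same question.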
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_2_2_b
- title: 2.2.b Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)
- description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
- section-code: b
- controls:
- - aws_cloudformation_stack_drift_detection_check
+id: aws_pci_dss_v321_requirement_1_2_2_b
+title: 2.2.b Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)
+description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
+section-code: b
+type: control-group
+controls:
+- aws_cloudformation_stack_drift_detection_check
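Review bot: The rewritten `description:` line keeps two hyphenation artifacts from the source document, "start- up files" and "re- started", even though the same sentence later spells them "start-up" and "re-starts"; the 1_2_2 hunk above carries the identical text. Since this commit already rewrites every line of the file, it is the natural place to normalise them to `start-up files` and `re-started`. This is wording only and does not affect which controls the group evaluates.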
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
index ae00da149..7adbb6534 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_1_2_3
+title: 2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
+description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
+section-code: "3"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_2_3
- title: 2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
- description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
- section-code: "3"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_2_3_b
+- id: aws_pci_dss_v321_requirement_1_2_3_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
index 9f4a70e01..942d7e657 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_2_3_b
- title: 2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
- description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
- section-code: b
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_2_3_b
+title: 2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
+description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
+section-code: b
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
index d6a8d151c..b059959ac 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
@@ -1,30 +1,36 @@
+id: aws_pci_dss_v321_requirement_1_3
+title: Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the following to determine that there is no direct access between the Internet and system components in the internal cardholder network segment
+description: While there may be legitimate reasons for untrusted connections to be permitted to DMZ systems (e.g., to allow public access to a web server), such connections should never be granted to systems in the internal network. A firewall's intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.
+section-code: "3"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_1_3
- title: Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the following to determine that there is no direct access between the Internet and system components in the internal cardholder network segment
- description: While there may be legitimate reasons for untrusted connections to be permitted to DMZ systems (e.g., to allow public access to a web server), such connections should never be granted to systems in the internal network. A firewall's intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.
- section-code: "3"
- control-group:
- - id: aws_pci_dss_v321_requirement_1_3_1
- - id: aws_pci_dss_v321_requirement_1_3_2
- - id: aws_pci_dss_v321_requirement_1_3_3
- - id: aws_pci_dss_v321_requirement_1_3_4
- - id: aws_pci_dss_v321_requirement_1_3_5
- - id: aws_pci_dss_v321_requirement_1_3_6
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_configured_to_use_vpc_endpoints
- - aws_vpc_igw_attached_to_authorized_vpc
+- id: aws_pci_dss_v321_requirement_1_3_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_1_3_6
+ type: ""
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_configured_to_use_vpc_endpoints
+- aws_vpc_igw_attached_to_authorized_vpc
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
index 2896112a6..e1cce6dbd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_1
- title: 3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
- description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
- section-code: "1"
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_pci_dss_v321_requirement_1_3_1
+title: 3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
+description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
+section-code: "1"
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
index 13cf01277..8f72b9664 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_2
- title: 3.2 Limit inbound Internet traffic to IP addresses within the DMZ
- description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will limit inbound Internet traffic to IP addresses within the DMZ.
- section-code: "2"
- controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_3_2
+title: 3.2 Limit inbound Internet traffic to IP addresses within the DMZ
+description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will limit inbound Internet traffic to IP addresses within the DMZ.
+section-code: "2"
+type: control-group
+controls:
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_network_acl_remote_administration
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
index 6ae27de82..b365124b3 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_3
- title: 3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ
- description: Normally a packet contains the IP address of the computer that originally sent it so other computers in the network know where the packet came from. Malicious individuals will often try to spoof (or imitate) the sending IP address so that the target system believes the packet is from a trusted source. Filtering packets coming into the network helps to, among other things, ensure packets are not “spoofed” to look like they are coming from an organization's own internal network.
- section-code: "3"
- controls:
- - aws_autoscaling_launch_config_requires_imdsv2
+id: aws_pci_dss_v321_requirement_1_3_3
+title: 3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ
+description: Normally a packet contains the IP address of the computer that originally sent it so other computers in the network know where the packet came from. Malicious individuals will often try to spoof (or imitate) the sending IP address so that the target system believes the packet is from a trusted source. Filtering packets coming into the network helps to, among other things, ensure packets are not “spoofed” to look like they are coming from an organization's own internal network.
+section-code: "3"
+type: control-group
+controls:
+- aws_autoscaling_launch_config_requires_imdsv2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
index 02648bb0e..c2f924858 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_4
- title: 3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
- description: All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content). The set of controls will examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
- section-code: "4"
- controls:
- - aws_autoscaling_launch_config_requires_imdsv2
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+id: aws_pci_dss_v321_requirement_1_3_4
+title: 3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
+description: All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content). The set of controls will examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
+section-code: "4"
+type: control-group
+controls:
+- aws_autoscaling_launch_config_requires_imdsv2
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
index 55c79891a..6ec94e3b9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_5
- title: 3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session
- description: A firewall that maintains the `state` (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection's status) or is malicious traffic trying to trick the firewall into allowing the connection.
- section-code: "5"
- controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_pci_dss_v321_requirement_1_3_5
+title: 3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session
+description: A firewall that maintains the `state` (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection's status) or is malicious traffic trying to trick the firewall into allowing the connection.
+section-code: "5"
+type: control-group
+controls:
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml
index 6d54a2480..4810fbfcd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml
@@ -1,14 +1,14 @@
-control-group:
- id: aws_pci_dss_v321_requirement_1_3_6
- title: 3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks
- description: If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data (such as a database) in an internal network zone that is segregated from the DMZ and other untrusted networks by a firewall can prevent unauthorized network traffic from reaching the system component.
- section-code: "6"
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+id: aws_pci_dss_v321_requirement_1_3_6
+title: 3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks
+description: If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data (such as a database) in an internal network zone that is segregated from the DMZ and other untrusted networks by a firewall can prevent unauthorized network traffic from reaching the system component.
+section-code: "6"
+type: control-group
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_es_domain_in_vpc
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
index 526d15618..bfe06da72 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
@@ -1,10 +1,14 @@
+id: aws_pci_dss_v321_requirement_2
+title: "Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters"
+description: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
+section-code: requirement_2
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_2
- title: "Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters"
- description: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
- section-code: requirement_2
- control-group:
- - id: aws_pci_dss_v321_requirement_2_1
- - id: aws_pci_dss_v321_requirement_2_2
- - id: aws_pci_dss_v321_requirement_2_3
- - id: aws_pci_dss_v321_requirement_2_4
+- id: aws_pci_dss_v321_requirement_2_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml
index b13590254..2a169dc45 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml
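Review bot: The child references added under `control-group:` carry `type: ""`, an empty string, while the file itself is given `type: control-group`; if the loader dispatches on `type` to tell a control from a control-group reference, an empty value will either be rejected or fall into a default branch that is not visible here. I would expect each entry to read `- id: aws_pci_dss_v321_requirement_2_1` followed by `  type: control-group`, or to omit the key entirely if it is optional on references. The same empty `type: ""` appears in the hunks for aws_pci_dss_v321_requirement_2_1, aws_pci_dss_v321_requirement_2_2 and aws_pci_dss_v321_requirement_2_2_5. These files define the PCI DSS control tree, so a reference the loader silently skipped would drop every control beneath it from the assessment without any error surfacing.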
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_2_1
+title: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network
+description: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_2_1
- title: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network
- description: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_2_1_b
+- id: aws_pci_dss_v321_requirement_2_1_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml
index 212dcf6bd..5a82b4509 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_1_b
- title: 1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled
- description: Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
- section-code: b
- controls:
- - aws_rds_db_cluster_no_default_admin_name
- - aws_rds_db_instance_no_default_admin_name
- - aws_redshift_cluster_no_default_admin_name
+id: aws_pci_dss_v321_requirement_2_1_b
+title: 1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled
+description: Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
+section-code: b
+type: control-group
+controls:
+- aws_rds_db_cluster_no_default_admin_name
+- aws_rds_db_instance_no_default_admin_name
+- aws_redshift_cluster_no_default_admin_name
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml
index e8f9135d2..f58f6b357 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml
@@ -1,15 +1,20 @@
+id: aws_pci_dss_v321_requirement_2_2
+title: Develop configuration standards for all system components
+description: "Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute and National Institute of Standards Technology (NIST). There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_2_2
- title: Develop configuration standards for all system components
- description: "Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute and National Institute of Standards Technology (NIST). There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_2_2_2
- - id: aws_pci_dss_v321_requirement_2_2_4
- - id: aws_pci_dss_v321_requirement_2_2_5
- - id: aws_pci_dss_v321_requirement_2_2_a
- - id: aws_pci_dss_v321_requirement_2_2_d
- controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_iam_root_user_no_access_keys
- - aws_s3_bucket_cross_region_replication_enabled
+- id: aws_pci_dss_v321_requirement_2_2_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_2_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_2_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_2_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_2_2_d
+ type: ""
+controls:
+- aws_autoscaling_group_with_lb_use_health_check
+- aws_iam_root_user_no_access_keys
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml
index dc38e5e22..45ba557ae 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_2_2
- title: 2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system
- description: As stated in Requirement 1.1.6, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. Including this requirement as part of an organization's configuration standards and related processes ensures that only the necessary services and protocols are enabled.
- section-code: "2"
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_configured_to_use_vpc_endpoints
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_pci_dss_v321_requirement_2_2_2
+title: 2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system
+description: As stated in Requirement 1.1.6, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. Including this requirement as part of an organization's configuration standards and related processes ensures that only the necessary services and protocols are enabled.
+section-code: "2"
+type: control-group
+controls:
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_eks_cluster_endpoint_restrict_public_access
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_in_vpc
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_public_access_block_account
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_vpc_configured_to_use_vpc_endpoints
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml
index bf5e4538e..8c456dc37 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_2_4
- title: 2.4 Configure system security parameters to prevent misuse
- description: System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use. In order for systems to be configured securely, personnel responsible for configuration and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system.
- section-code: "4"
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_pci_dss_v321_requirement_2_2_4
+title: 2.4 Configure system security parameters to prevent misuse
+description: System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use. In order for systems to be configured securely, personnel responsible for configuration and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system.
+section-code: "4"
+type: control-group
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml
index 55983a7ab..7677068b8 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_2_2_5
+title: 2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers
+description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions).
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_2_2_5
- title: 2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers
- description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions).
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_2_2_5_b
+- id: aws_pci_dss_v321_requirement_2_2_5_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml
index bb9d77620..b16b97049 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_2_5_b
- title: 2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration
- description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions).
- section-code: b
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_pci_dss_v321_requirement_2_2_5_b
+title: 2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration
+description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions).
+section-code: b
+type: control-group
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml
index 31d0aca58..687603d03 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_2_a
- title: 2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards
- description: "There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network."
- section-code: a
- controls:
- - aws_autoscaling_launch_config_requires_imdsv2
- - aws_cloudformation_stack_drift_detection_check
- - aws_rds_db_cluster_no_default_admin_name
- - aws_rds_db_instance_no_default_admin_name
- - aws_redshift_cluster_no_default_admin_name
+id: aws_pci_dss_v321_requirement_2_2_a
+title: 2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards
+description: "There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network."
+section-code: a
+type: control-group
+controls:
+- aws_autoscaling_launch_config_requires_imdsv2
+- aws_cloudformation_stack_drift_detection_check
+- aws_rds_db_cluster_no_default_admin_name
+- aws_rds_db_instance_no_default_admin_name
+- aws_redshift_cluster_no_default_admin_name
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml
index 7020bba1e..877198af9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml
@@ -1,11 +1,11 @@ -control-group: - id: aws_pci_dss_v321_requirement_2_2_d - title: 2.d Verify that system configuration standards include the procedures like changing of all vendor-supplied defaults and elimination of unnecessary default accounts etc. for all types of system components - description: "System configuration standards include the following procedures for all types of system components: changing of all vendor-supplied defaults and elimination of unnecessary default accounts, implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server, enabling only necessary services, protocols, daemons, etc., as required for the function of the system, implementing additional security features for any required services, protocols or daemons that are considered to be insecure, configuring system security parameters to prevent misuse and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network." 
- section-code: d - controls: - - aws_autoscaling_launch_config_requires_imdsv2 - - aws_cloudformation_stack_drift_detection_check - - aws_rds_db_cluster_no_default_admin_name - - aws_rds_db_instance_no_default_admin_name - - aws_redshift_cluster_no_default_admin_name +id: aws_pci_dss_v321_requirement_2_2_d +title: 2.d Verify that system configuration standards include the procedures like changing of all vendor-supplied defaults and elimination of unnecessary default accounts etc. for all types of system components +description: "System configuration standards include the following procedures for all types of system components: changing of all vendor-supplied defaults and elimination of unnecessary default accounts, implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server, enabling only necessary services, protocols, daemons, etc., as required for the function of the system, implementing additional security features for any required services, protocols or daemons that are considered to be insecure, configuring system security parameters to prevent misuse and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. 
System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network." +section-code: d +type: control-group +controls: +- aws_autoscaling_launch_config_requires_imdsv2 +- aws_cloudformation_stack_drift_detection_check +- aws_rds_db_cluster_no_default_admin_name +- aws_rds_db_instance_no_default_admin_name +- aws_redshift_cluster_no_default_admin_name diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml index a89442b16..64d51e2f1 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml 
@@ -1,15 +1,15 @@ -control-group: - id: aws_pci_dss_v321_requirement_2_3 - title: Encrypt all non-console administrative access using strong cryptography - description: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information. Select a sample of system components and verify that non-console administrative access is encrypted. - section-code: "3" - controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_redshift_cluster_encryption_in_transit_enabled +id: aws_pci_dss_v321_requirement_2_3 +title: Encrypt all non-console administrative access using strong cryptography +description: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information. 
Select a sample of system components and verify that non-console administrative access is encrypted. +section-code: "3" +type: control-group +controls: +- aws_acm_certificate_expires_30_days +- aws_cloudfront_distribution_encryption_in_transit_enabled +- aws_cloudfront_distribution_no_deprecated_ssl_protocol +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_application_network_lb_use_ssl_certificate +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_redshift_cluster_encryption_in_transit_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml index 4398cb7a6..2d2eb5e9c 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml 
@@ -1,12 +1,13 @@
+id: aws_pci_dss_v321_requirement_2_4
+title: Maintain an inventory of system components that are in scope for PCI DSS
+description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_2_4
- title: Maintain an inventory of system components that are in scope for PCI DSS
- description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_2_4_a
- controls:
- - aws_config_enabled_all_regions
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_eip_associated
+- id: aws_pci_dss_v321_requirement_2_4_a
+ type: ""
+controls:
+- aws_config_enabled_all_regions
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_vpc_eip_associated
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml
index a67c74bbc..ed30c9270 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml
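Review bot: On the new side `aws_config_enabled_all_regions` is listed directly under this group's `controls:` and is also the only control of the child group `aws_pci_dss_v321_requirement_2_4_a` referenced two lines above, so any rollup that unions a parent's direct controls with its child groups will count that control twice for requirement 2.4. The original nesting is not recoverable from the collapsed whitespace here, so whether the four controls previously hung off 2.4.a or off 2.4 is inferred; either way the parent list should drop `aws_config_enabled_all_regions` or the child reference should go. The child reference also carries `type: ""` while the referenced file declares `type: control-group`; if the loader dispatches on `type`, an empty string is ambiguous and should be `type: control-group` or omitted, and the same pattern recurs in the requirement_3, 3_1 and 3_2 hunks below.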
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_2_4_a
- title: 4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each
- description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
- section-code: a
- controls:
- - aws_config_enabled_all_regions
+id: aws_pci_dss_v321_requirement_2_4_a
+title: 4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each
+description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
+section-code: a
+type: control-group
+controls:
+- aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
index 045fe95a2..b75e520ce 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
@@ -1,11 +1,16 @@
+id: aws_pci_dss_v321_requirement_3
+title: "Requirement 3: Protect stored cardholder data"
+description: Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
+section-code: requirement_3
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3
- title: "Requirement 3: Protect stored cardholder data"
- description: Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
- section-code: requirement_3
- control-group:
- - id: aws_pci_dss_v321_requirement_3_1
- - id: aws_pci_dss_v321_requirement_3_2
- - id: aws_pci_dss_v321_requirement_3_4
- - id: aws_pci_dss_v321_requirement_3_5
- - id: aws_pci_dss_v321_requirement_3_6
+- id: aws_pci_dss_v321_requirement_3_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_6
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
index 752e21e82..82e074800 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
@@ -1,8 +1,10 @@ +id: aws_pci_dss_v321_requirement_3_1 +title: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes +description: "Procedures and processes should include at least the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific retention requirements for cardholder data, processes for secure deletion of data when no longer needed, a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!" +section-code: "1" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_3_1 - title: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes - description: "Procedures and processes should include at least the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific retention requirements for cardholder data, processes for secure deletion of data when no longer needed, a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. 
Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!" - section-code: "1" - control-group: - - id: aws_pci_dss_v321_requirement_3_1_a - - id: aws_pci_dss_v321_requirement_3_1_c +- id: aws_pci_dss_v321_requirement_3_1_a + type: "" +- id: aws_pci_dss_v321_requirement_3_1_c + type: "" diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml index 3e06a1f3d..8cb7f42df 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml 
@@ -1,7 +1,7 @@ -control-group: - id: aws_pci_dss_v321_requirement_3_1_a - title: 1.a Examine the data retention and disposal policies, procedures and processes to verify they satisfy all the requirements for cardholder data (CHD) storage - description: "procedures and processes should they include the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons), processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons and a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!" 
- section-code: a - controls: - - aws_s3_bucket_lifecycle_policy_enabled +id: aws_pci_dss_v321_requirement_3_1_a +title: 1.a Examine the data retention and disposal policies, procedures and processes to verify they satisfy all the requirements for cardholder data (CHD) storage +description: "procedures and processes should they include the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons), processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons and a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!" +section-code: a +type: control-group +controls: +- aws_s3_bucket_lifecycle_policy_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml index edcd4a162..9c0eda643 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: aws_pci_dss_v321_requirement_3_1_c - title: 1.c For a sample of system components that store cardholder data examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy and observe the deletion mechanism to verify data is deleted securely - description: Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it! - section-code: c - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled +id: aws_pci_dss_v321_requirement_3_1_c +title: 
1.c For a sample of system components that store cardholder data examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy and observe the deletion mechanism to verify data is deleted securely +description: Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it! +section-code: c +type: control-group +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_encryption_enabled +- aws_backup_recovery_point_manual_deletion_disabled +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_in_backup_plan +- aws_dynamodb_table_point_in_time_recovery_enabled +- aws_dynamodb_table_protected_by_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ebs_volume_protected_by_backup_plan +- aws_ec2_instance_ebs_optimized +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_efs_file_system_protected_by_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_rds_db_instance_protected_by_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled +- aws_s3_bucket_versioning_enabled 
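Review bot: The list under `controls:` evidences the opposite of what 3.1.c asks for: `aws_backup_plan_min_retention_35_days`, `aws_backup_recovery_point_min_retention_35_days`, `aws_backup_recovery_point_manual_deletion_disabled`, `aws_s3_bucket_versioning_enabled` and `aws_s3_bucket_cross_region_replication_enabled` all pass when data is kept longer or copied more widely, whereas the test procedure is that stored CHD does not exceed the retention policy and is securely deleted. `aws_ec2_instance_ebs_optimized` is an I/O throughput setting with no bearing on retention at all. These mappings predate this commit, but since every line of the file is rewritten here it is the moment to either move the backup and replication controls to an availability requirement, or add a comment above `controls:` such as `# NOTE: backup/replication controls only show which media is in scope for the retention review; they do not evidence deletion` so a green result is not read as 3.1.c compliance.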
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
index f8787c4d2..7d31c0537 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
@@ -1,8 +1,10 @@ +id: aws_pci_dss_v321_requirement_3_2 +title: Do not store sensitive authentication data after authorization (even if encrypted) +description: If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3. Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements. 
+section-code: "2" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_3_2 - title: Do not store sensitive authentication data after authorization (even if encrypted) - description: If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3. Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements. - section-code: "2" - control-group: - - id: aws_pci_dss_v321_requirement_3_2_3 - - id: aws_pci_dss_v321_requirement_3_2_c +- id: aws_pci_dss_v321_requirement_3_2_3 + type: "" +- id: aws_pci_dss_v321_requirement_3_2_c + type: "" 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
index d99bba0b8..0b9f4f3e4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
@@ -1,14 +1,14 @@ -control-group: - id: aws_pci_dss_v321_requirement_3_2_3 - title: 2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization - description: "These values should be known only to the card owner or bank that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based debit transactions (for example, ATM withdrawals). For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization: incoming transaction data, all logs (for example, transaction, history, debugging, error), history files, trace files, several database schemas, database contents" - section-code: "3" - controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled +id: aws_pci_dss_v321_requirement_3_2_3 +title: 2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization +description: "These values should be known only to the card owner or bank that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based debit transactions (for example, ATM withdrawals). 
For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization: incoming transaction data, all logs (for example, transaction, history, debugging, error), history files, trace files, several database schemas, database contents" +section-code: "3" +type: control-group +controls: +- aws_apigateway_stage_logging_enabled +- aws_cloudtrail_multi_region_trail_enabled +- aws_cloudtrail_trail_enabled +- aws_cloudtrail_trail_integrated_with_logs +- aws_elb_application_classic_lb_logging_enabled +- aws_rds_db_instance_logging_enabled +- aws_waf_web_acl_logging_enabled +- aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml index c8dccab26..a6bec4d8e 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml 
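Review bot: All eight controls under `controls:` pass when logging is enabled (`aws_cloudtrail_trail_enabled`, `aws_rds_db_instance_logging_enabled`, `aws_wafv2_web_acl_logging_enabled` and so on), but 3.2.3 is verified by examining logs, trace files and database contents for PINs and encrypted PIN blocks; a green result here says nothing about PIN data being absent, and every additional enabled log sink is one more place it could land. If these stay mapped, I would add a comment above `controls:` such as `# NOTE: these enumerate the log sources an assessor must sample for PIN data; they do not verify PIN/PIN-block absence` so the group is not read as automated compliance. Whether the framework offers a manual-verification control type that would fit better is not visible from this diff.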
@@ -1,7 +1,7 @@ -control-group: - id: aws_pci_dss_v321_requirement_3_2_c - title: 2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization - description: Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements. - section-code: c - controls: - - aws_s3_bucket_lifecycle_policy_enabled +id: aws_pci_dss_v321_requirement_3_2_c +title: 2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization +description: Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! 
This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements. +section-code: c +type: control-group +controls: +- aws_s3_bucket_lifecycle_policy_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml index 1922135de..8c9ada0ab 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml 
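Review bot: The single control `aws_s3_bucket_lifecycle_policy_enabled` evidences eventual expiry of objects, not that sensitive authentication data is rendered unrecoverable on completion of authorization as 3.2.c requires; a lifecycle rule that expires objects after a year would pass this group while track data, card validation codes and PIN data sit in the bucket for that year. The same control is a fair fit for 3.1.a (retention policy) but here it needs a comment above `controls:` such as `# NOTE: a lifecycle rule does not satisfy post-authorization deletion of SAD; manual verification of the expiry window is still required`, or the group should use a manual-verification type if the framework supports one.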
@@ -1,30 +1,34 @@
+id: aws_pci_dss_v321_requirement_3_4
+title: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches like one-way hashes based on strong cryptography, truncation etc
+description: "The following approaches should be used to render PAN unreadable anywhere it is stored: One-way hashes based on strong cryptography, (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored) and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored.
An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3_4
- title: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches like one-way hashes based on strong cryptography, truncation etc
- description: "The following approaches should be used to render PAN unreadable anywhere it is stored: One-way hashes based on strong cryptography, (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored) and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable." 
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_3_4_1
- - id: aws_pci_dss_v321_requirement_3_4_a
- - id: aws_pci_dss_v321_requirement_3_4_b
- - id: aws_pci_dss_v321_requirement_3_4_d
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+- id: aws_pci_dss_v321_requirement_3_4_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_4_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_4_b
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_4_d
+ type: ""
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+-
aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
index 721049a33..dd81dd115 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
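Review bot: The four child references under `control-group:` each carry `type: ""` while this file's own `type:` is `control-group` and the referenced files in this same diff (e.g. `aws_pci_dss_v321_requirement_3_4_1.yaml`) declare `type: control-group`; if the loader dispatches on `type`, an empty string is either silently ignored or rejected depending on how strict it is, so either fill it in (`type: control-group`) or drop the field from the references. Separately, this parent's `controls:` list omits `aws_backup_recovery_point_encryption_enabled` and `aws_opensearch_domain_encryption_at_rest_enabled`, which its children 3.4.a and 3.4.b later in this diff do include, even though the title here names backup media explicitly; a parent group should not score narrower than its children. The `type: ""` pattern looks like serializer output, so the fix presumably belongs in whatever generates these files rather than in hand edits.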
@@ -1,28 +1,30 @@
+id: aws_pci_dss_v321_requirement_3_4_1
+title: 4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)
+description: "Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key- management requirements. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys.
By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3_4_1
- title: 4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)
- description: "Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key- management requirements. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_3_4_1_a
- - id: aws_pci_dss_v321_requirement_3_4_1_c
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+- id: aws_pci_dss_v321_requirement_3_4_1_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_3_4_1_c
+ type: ""
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+-
aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
index d587b5db4..61af463ec 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
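Review bot: The two child references under `control-group:` (`..._3_4_1_a` and `..._3_4_1_c`) are written with `type: ""`, whereas both referenced files later in this diff declare `type: control-group` and this file's own top-level `type:` is filled in; an empty string here is most likely a zero-value from the serializer rather than a deliberate marker. If `type` on a reference is meaningful to the loader it should be `type: control-group`; if it is not, the field should be omitted so the reference is just `- id: ...`. Either way it should match what the parent file `aws_pci_dss_v321_requirement_3_4.yaml` ends up doing, since the same pattern appears there.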
@@ -1,25 +1,25 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_4_1_a
- title: 4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism (for example, not using local user account databases or general network login credentials)
- description: "The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session. Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
- section-code: a
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_pci_dss_v321_requirement_3_4_1_a
+title: 4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism (for example, not using local user account databases or general network login credentials)
+description: "The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session.
Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
+section-code: a
+type: control-group
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
index ce5f7cfe3..3640e0b8a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
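Review bot: Test 4.1.a asks the assessor to verify that logical access to encrypted file systems uses a mechanism separate from native OS authentication, but every entry in the new `controls:` list is an "encryption is enabled" check and none of them evidences how access to the decryption key is authenticated, which is the whole point of the description's "cannot: 1) ... 2) ..." list. In AWS that separation is presumably provided by KMS key policies and IAM rather than by instance or OS credentials, but that is an inference about the platform, not something these controls test. Consider a comment above the list such as `# Evidence of encryption at rest only; separation of key access from OS/network credentials must be shown via KMS key policy and IAM review` (or, if the corpus has a KMS key-policy control, adding it) so the hunk does not imply full automated coverage.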
@@ -1,25 +1,25 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_4_1_c
- title: 4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored
- description: "Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method. The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session. Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
- section-code: c
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_pci_dss_v321_requirement_3_4_1_c
+title: 4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored
+description: "Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method. The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session.
Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
+section-code: c
+type: control-group
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
index 6911a3c12..eccfe47c4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
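Review bot: The new `controls:` list for 4.1.c (cardholder data on removable media) omits `aws_backup_recovery_point_encryption_enabled`, which the sibling groups 3.4.a and 3.4.b later in this diff do include; of all the at-rest checks in the corpus, backup recovery points and snapshots are the closest AWS analogue to removable or backup media, so this is the list where that control matters most. Adding the single line `- aws_backup_recovery_point_encryption_enabled` after the API Gateway entry keeps the sibling lists consistent. Several remaining entries (DAX, SNS, API Gateway cache) have no removable-media counterpart at all, so a short comment stating that the mapping is by analogy to exported and backup copies of data would help an assessor read the results correctly.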
@@ -1,27 +1,27 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_4_a
- title: 4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using methods like truncation,one-way hashes based on strong cryptography etc
- description: "Verify documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using any of the following methods: One-way hashes based on strong cryptography, truncation, index tokens and pads with the pads being securely stored, strong cryptography, with associated key-management processes and procedures. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
- section-code: a
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_pci_dss_v321_requirement_3_4_a
+title: 4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using methods like truncation,one-way hashes based on strong cryptography etc
+description: "Verify documentation about the system used to protect the PAN, including the vendor, type of
system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using any of the following methods: One-way hashes based on strong cryptography, truncation, index tokens and pads with the pads being securely stored, strong cryptography, with associated key-management processes and procedures. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. 
Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable." +section-code: a +type: control-group +controls: +- aws_apigateway_stage_cache_encryption_at_rest_enabled +- aws_backup_recovery_point_encryption_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_eks_cluster_secrets_encrypted +- aws_es_domain_encryption_at_rest_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_opensearch_domain_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml index 5ed28d048..c93aa5c7a 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml 
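Review bot: The new `title:` line keeps `truncation,one-way` with no space after the comma (carried over from the removed line), and since titles are what get rendered in reports this should become `truncation, one-way`. The description on the new side likewise still carries PDF-extraction artifacts such as `pre- computed`, which also appear in the sibling files in this diff, so a single cleanup pass over the generator's source text would fix them all at once. 4.a is a documentation-examination test, so the 21 encryption controls listed here are supporting evidence rather than the test itself; a one-line comment above `controls:` saying so would set expectations for whoever reads the scored output.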
@@ -1,27 +1,27 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_4_b
- title: 4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text)
- description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
- section-code: b
- controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
+id: aws_pci_dss_v321_requirement_3_4_b
+title: 4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text)
+description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values.
The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
+section-code: b
+type: control-group
+controls:
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_backup_recovery_point_encryption_enabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dax_cluster_encryption_at_rest_enabled
+- aws_dynamodb_table_encrypted_with_kms
+- aws_dynamodb_table_encryption_enabled
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ec2_ebs_default_encryption_enabled
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_eks_cluster_secrets_encrypted
+- aws_es_domain_encryption_at_rest_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_opensearch_domain_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- 
aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
index a488e9bfc..c0e143a88 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_4_d
- title: 4.d Examine a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs
- description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or 'home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
- section-code: d
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_elb_application_classic_lb_logging_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_pci_dss_v321_requirement_3_4_d
+title: 4.d Examine a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs
+description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or 'home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
+section-code: d
+type: control-group
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_elb_application_classic_lb_logging_enabled
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_logging_enabled
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_waf_web_acl_logging_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml
index 931e1bc3b..a354efc89 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml
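Review bot: The new `description` for requirement 3.4.d carries mismatched quoting around the phrase `'home-grown`` (an apostrophe opening and a backtick closing), while the sibling 3.4.b file in this same commit writes it as `home- grown` in backticks; since the description is rendered to users, the two should agree. Suggest `'home-grown'` in both files. The commit reproduces the text verbatim from the old side, so this is pre-existing, but the rewrite of every line is the natural place to fix it.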
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_3_5
+title: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse
+description: "Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key- encrypting keys must be at least as strong as the data-encrypting key. Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data. Key-encrypting keys, if used, must be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key- encrypting key may grant access to many data- encrypting keys, the key-encrypting keys require strong protection measures."
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3_5
- title: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse
- description: "Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key- encrypting keys must be at least as strong as the data-encrypting key. Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data. Key-encrypting keys, if used, must be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys.
Because one key- encrypting key may grant access to many data- encrypting keys, the key-encrypting keys require strong protection measures."
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_3_5_2
+- id: aws_pci_dss_v321_requirement_3_5_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml
index 88d9f95c8..0b5a6cbcd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_5_2
- title: 5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary
- description: There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities.
- section-code: "2"
- controls:
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
+id: aws_pci_dss_v321_requirement_3_5_2
+title: 5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary
+description: There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities.
+section-code: "2"
+type: control-group
+controls:
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml
index 43850137a..47f2b548f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml
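Review bot: The child reference added at the end of the 3.5 hunk, `- id: aws_pci_dss_v321_requirement_3_5_2` followed by `type: ""`, gives the nested group an empty type while every top-level entry in this commit is typed `control-group`. If the loader dispatches on `type`, an empty string is likely either rejected or treated as an unknown kind, so the child would be silently dropped from the framework tree; presumably the intent is `type: control-group`, or to omit the key and let the referenced file's own `type` apply. The same `type: ""` appears in the 3.6, 3.6.4, requirement 4 and 4.1 hunks below and should be settled the same way in all of them.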
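Review bot: The new `description` for 3.5.2 keeps the typo `rending cardholder data visible`; it should read `rendering cardholder data visible`. This is user-facing framework text, so it is worth correcting while the line is being rewritten anyway.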
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml 
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_3_6
+title: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
+description: "Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov. The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key- management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8. Providing guidance to customers on how to securely transmit, store and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities. This requirement applies to keys used to encrypt stored cardholder data, and any respective key- encrypting keys. Note: Testing Procedure 3.6.a is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: "6"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3_6
- title: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
- description: "Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov. The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key- management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8. Providing guidance to customers on how to securely transmit, store and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities.
This requirement applies to keys used to encrypt stored cardholder data, and any respective key- encrypting keys. Note: Testing Procedure 3.6.a is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: "6"
- control-group:
- - id: aws_pci_dss_v321_requirement_3_6_4
+- id: aws_pci_dss_v321_requirement_3_6_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml
index 6dad766dd..3fa6224e0 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml
@@ -1,10 +1,11 @@
+id: aws_pci_dss_v321_requirement_3_6_4
+title: 6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines
+description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone's obtaining the encryption keys, and using them to decrypt data.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_3_6_4
- title: 6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines
- description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone's obtaining the encryption keys, and using them to decrypt data.
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_3_6_4_a
- controls:
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
+- id: aws_pci_dss_v321_requirement_3_6_4_a
+ type: ""
+controls:
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml
index 9cd26cbaf..1d4758aa1 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml
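Review bot: The new 3.6.4 file lists `aws_iam_policy_custom_no_blocked_kms_actions` and `aws_iam_policy_inline_no_blocked_kms_actions` directly under `controls:` while also nesting `aws_pci_dss_v321_requirement_3_6_4_a`, whose own `controls:` (next hunk) is exactly those two ids. If the evaluator aggregates a group's direct controls together with its child groups, each finding is presumably reported twice under 3.6.4, and a single non-compliant policy would be double-weighted in any pass/fail percentage. The old side had the same shape, so the commit does not introduce this, but the flattening is a good moment to decide whether the parent should carry the list or only the reference; the 4.1 file below (direct `controls:` plus five child references) looks like the same pattern.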
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_3_6_4_a
- title: 6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s)
- description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone’s obtaining the encryption keys, and using them to decrypt data.
- section-code: a
- controls:
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
+id: aws_pci_dss_v321_requirement_3_6_4_a
+title: 6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s)
+description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone’s obtaining the encryption keys, and using them to decrypt data.
+section-code: a
+type: control-group
+controls:
+- aws_iam_policy_custom_no_blocked_kms_actions
+- aws_iam_policy_inline_no_blocked_kms_actions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml
index ed08cb194..b79913b04 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_4
+title: "Requirement 4: Encrypt transmission of cardholder data across open, public networks"
+description: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
+section-code: requirement_4
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_4
- title: "Requirement 4: Encrypt transmission of cardholder data across open, public networks"
- description: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
- section-code: requirement_4
- control-group:
- - id: aws_pci_dss_v321_requirement_4_1
+- id: aws_pci_dss_v321_requirement_4_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml
index 5219ac5a2..0bb8f61e9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml 
@@ -1,21 +1,26 @@
+id: aws_pci_dss_v321_requirement_4_1
+title: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks
+description: "Following should be used to safeguard sensitive cardholder data during transmission over open, public networks: only trusted keys and certificates are accepted, the protocol in use only supports secure versions or configurations and the encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to the Internet, wireless technologies, including 802.11 and Bluetooth, cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA), general Packet Radio Service (GPRS) and satellite communications. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection.
Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2."
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_4_1
- title: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks
- description: "Following should be used to safeguard sensitive cardholder data during transmission over open, public networks: only trusted keys and certificates are accepted, the protocol in use only supports secure versions or configurations and the encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to the Internet, wireless technologies, including 802.11 and Bluetooth, cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA), general Packet Radio Service (GPRS) and satellite communications. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit.
Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." 
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_4_1_a
- - id: aws_pci_dss_v321_requirement_4_1_d
- - id: aws_pci_dss_v321_requirement_4_1_e
- - id: aws_pci_dss_v321_requirement_4_1_f
- - id: aws_pci_dss_v321_requirement_4_1_g
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+- id: aws_pci_dss_v321_requirement_4_1_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_4_1_d
+ type: ""
+- id: aws_pci_dss_v321_requirement_4_1_e
+ type: ""
+- id: aws_pci_dss_v321_requirement_4_1_f
+ type: ""
+- id: aws_pci_dss_v321_requirement_4_1_g
+ type: ""
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml
index 2389cfd4f..c43a540c7 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml
@@ -1,20 +1,20 @@ -control-group: - id: aws_pci_dss_v321_requirement_4_1_a - title: 1.a Identify all locations where cardholder data is transmitted or received over open, public networks - description: "Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. 
Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." - section-code: a - controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_kinesis_stream_server_side_encryption_enabled - - aws_opensearch_domain_https_required - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_pci_dss_v321_requirement_4_1_a +title: 1.a Identify all locations where cardholder data is transmitted or received over open, public networks +description: "Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. 
Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." 
+section-code: a
+type: control-group
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_kinesis_stream_server_side_encryption_enabled
+- aws_opensearch_domain_https_required
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml
index 14a1cf218..2169316b6 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml
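Review bot: `aws_kinesis_stream_server_side_encryption_enabled` in the new `controls:` list is, going by its name, an at-rest (server-side) encryption check, so it does not evidence what 4.1.a asks — whether cardholder data is protected while transmitted over open, public networks — and an account with SSE on but plaintext producer/consumer traffic would still report ok under this sub-requirement. It is also the only entry that neither the 4.1.g file nor the parent 4.1 list in the preceding hunk carries, which suggests it was mapped by accident. Unless a transit-specific Kinesis control exists, I would drop the line `- aws_kinesis_stream_server_side_encryption_enabled` from this file. The parent 4.1 `controls:` list also lacks `aws_cloudfront_distribution_no_deprecated_ssl_protocol` and `aws_opensearch_domain_https_required`, among others, that this child carries — the two lists should be reconciled in the same change so the roll-up and the sub-requirement do not disagree.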
@@ -1,8 +1,8 @@ -control-group: - id: aws_pci_dss_v321_requirement_4_1_d - title: 1.d Examine keys and certificates to verify that only trusted keys and/or certificates are accepted - description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." - section-code: d - controls: - - aws_acm_certificate_expires_30_days - - aws_elb_classic_lb_use_ssl_certificate +id: aws_pci_dss_v321_requirement_4_1_d +title: 1.d Examine keys and certificates to verify that only trusted keys and/or certificates are accepted +description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2."
+section-code: d
+type: control-group
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_elb_classic_lb_use_ssl_certificate
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml
index 65beb5068..6df476b4b 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml
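Review bot: The `controls:` list for 4.1.d (only trusted keys/certificates accepted) examines certificate expiry and Classic Load Balancer listeners only; `aws_elb_application_network_lb_use_ssl_certificate`, which the sibling 4.1.a and 4.1.g files in this same change already reference, is missing, so ALB/NLB listeners are never checked under this sub-requirement. Adding `- aws_elb_application_network_lb_use_ssl_certificate` after the ACM line closes that gap without inventing a new control. Note also that `aws_acm_certificate_expires_30_days` speaks to expiry, not to whether a certificate was issued by a trusted source, so the "trusted source" half of 4.1.d remains a manual check even with both controls passing — worth a one-line comment above `controls:` so the partial coverage is visible.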
@@ -1,8 +1,8 @@ -control-group: - id: aws_pci_dss_v321_requirement_4_1_e - title: 1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations - description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." - section-code: e - controls: - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_vpc_flow_logs_enabled +id: aws_pci_dss_v321_requirement_4_1_e +title: 1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations +description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2."
+section-code: e
+type: control-group
+controls:
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml
index 776313738..c3a478ac2 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml
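Review bot: `aws_vpc_flow_logs_enabled` does not belong under 4.1.e: by its name it only checks that flow logging is switched on, and flow logs capture connection metadata rather than the TLS versions or cipher configurations this sub-requirement asks assessors to verify, so an account with flow logs enabled and listeners still accepting TLS 1.0 would evaluate as ok. The controls that do look at protocol configuration, `aws_elb_classic_lb_use_tls_https_listeners` and `aws_opensearch_domain_https_required`, are already referenced by the 4.1.a file in this same change and fit here far better. I would replace the flow-logs line with those two; if flow logs are kept as supporting telemetry, say so in a comment rather than presenting them as evidence of secure protocol configuration.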
@@ -1,8 +1,8 @@ -control-group: - id: aws_pci_dss_v321_requirement_4_1_f - title: 1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use - description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." - section-code: f - controls: - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_vpc_flow_logs_enabled +id: aws_pci_dss_v321_requirement_4_1_f +title: 1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use +description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2."
+section-code: f
+type: control-group
+controls:
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml
index 5d94dac20..3ed7f1271 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml
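Review bot: After this change 4.1.e and 4.1.f carry identical `controls:` lists although they test different properties — 4.1.f is about encryption strength (key sizes, cipher suites) — and neither `aws_cloudfront_distribution_no_deprecated_ssl_protocol` nor `aws_vpc_flow_logs_enabled` evaluates that; a load balancer whose security policy still permits weak ciphers gets an ok here. Flow logs in particular are telemetry, not a configuration check, and carry no strength information at all. Until a control that inspects listener security policies exists, I would keep only the CloudFront protocol control in this file and add a `# TODO: cipher/key-strength verification for ELB/ALB listeners is not automated; verify manually` comment above `controls:`, so the gap is visible to whoever reads the framework output rather than hidden behind a green result.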
@@ -1,18 +1,18 @@ -control-group: - id: aws_pci_dss_v321_requirement_4_1_g - title: 1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received - description: "For example, for browser-based implementations “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and cardholder data is only requested if “HTTPS” appears as part of the URL. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. 
Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." - section-code: g - controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +id: aws_pci_dss_v321_requirement_4_1_g +title: 1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received +description: "For example, for browser-based implementations “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and cardholder data is only requested if “HTTPS” appears as part of the URL. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. 
Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." 
+section-code: g
+type: control-group
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+- aws_cloudfront_distribution_encryption_in_transit_enabled
+- aws_cloudfront_distribution_no_deprecated_ssl_protocol
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml
index 8f1f51de8..bd242bb8b 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml
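Review bot: 4.1.g asks whether TLS is enabled wherever cardholder data is transmitted or received, yet the new `controls:` list omits `aws_opensearch_domain_https_required`, which this same commit maps to 4.1.a and which is exactly a "TLS required on the endpoint" check; add `- aws_opensearch_domain_https_required` after the `aws_es_domain_node_to_node_encryption_enabled` line to keep the list alphabetical. Conversely `aws_acm_certificate_expires_30_days` measures certificate lifetime rather than whether TLS is on, so it belongs with 4.1.d rather than here; keeping it is not wrong, but it inflates the apparent coverage of this sub-requirement. The parent 4.1 list in the earlier hunk, 4.1.a and this file currently each carry a different set of in-transit controls — pick one canonical set for the encryption-in-transit checks and derive the others from it.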
@@ -1,8 +1,10 @@
+id: aws_pci_dss_v321_requirement_5
+title: "Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs"
+description: Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many businessapproved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats
+section-code: requirement_5
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_5
- title: "Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs"
- description: Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many businessapproved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats
- section-code: requirement_5
- control-group:
- - id: aws_pci_dss_v321_requirement_5_1
- - id: aws_pci_dss_v321_requirement_5_2
+- id: aws_pci_dss_v321_requirement_5_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_5_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
index b7dca4f1d..d182bd44e 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
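Review bot: The child references under `control-group:` are written as `type: ""` while the node itself declares `type: control-group`; if the loader dispatches on `type` (inferred from the new top-level key, the loader is not visible here), an empty string is an unknown kind rather than a control-group and could silently drop 5.1 and 5.2 from the tree or fail validation later. Either omit the key on references or write `type: control-group` for `aws_pci_dss_v321_requirement_5_1` and `aws_pci_dss_v321_requirement_5_2`, matching what those files declare for themselves. Separately, the description carries the pre-existing typo `businessapproved` (should be `business-approved`), and this restructuring was the cheap moment to fix it on the new side.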
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_5_1
- title: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists
- description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to compromise of data.
- section-code: "1"
- controls:
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_pci_dss_v321_requirement_5_1
+title: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists
+description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to compromise of data.
+section-code: "1"
+type: control-group
+controls:
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
index c86d906ec..d9939d7fb 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
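Review bot: `aws_ssm_managed_instance_compliance_association_compliant` as the sole evidence for 5.1 is weak: from its name it reports whether SSM-managed instances are compliant with whatever State Manager associations target them, so an account with no anti-malware association at all, or with EC2 instances never enrolled in SSM, still reports ok for "anti-virus software is deployed". That limitation should be stated so an assessor does not read ok as proof of AV deployment; I would append to `description:` a sentence such as `Automated evidence covers only SSM-managed instances and only what the targeted association enforces; confirm that the association installs and validates anti-malware.` The `zero day` in backticks also looks like a quoting artifact of the conversion — the PCI text uses plain quotation marks.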
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_5_2
+title: Ensure that all anti-virus mechanisms are maintained
+description: "Anti-virus mechanisms should be maintained as follows: are kept current, perform periodic scans and generate audit logs which are retained per PCI DSS Requirement 10.7. Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_5_2
- title: Ensure that all anti-virus mechanisms are maintained
- description: "Anti-virus mechanisms should be maintained as follows: are kept current, perform periodic scans and generate audit logs which are retained per PCI DSS Requirement 10.7. Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_5_2_c
+- id: aws_pci_dss_v321_requirement_5_2_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
index 396e0f60f..8f16bc564 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_5_2_c
- title: 2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed
- description: Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.
- section-code: c
- controls:
- - aws_ssm_managed_instance_compliance_association_compliant
+id: aws_pci_dss_v321_requirement_5_2_c
+title: 2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed
+description: Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.
+section-code: c
+type: control-group
+controls:
+- aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
index 2f9d5b920..575bebba6 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
@@ -1,11 +1,16 @@
+id: aws_pci_dss_v321_requirement_6
+title: "Requirement 6: Develop and maintain secure systems and applications"
+description: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendorprovided security patches, which must be installed by the entities that manage the systems.
+section-code: requirement_6
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_6
- title: "Requirement 6: Develop and maintain secure systems and applications"
- description: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendorprovided security patches, which must be installed by the entities that manage the systems.
- section-code: requirement_6
- control-group:
- - id: aws_pci_dss_v321_requirement_6_1
- - id: aws_pci_dss_v321_requirement_6_2
- - id: aws_pci_dss_v321_requirement_6_3
- - id: aws_pci_dss_v321_requirement_6_5
- - id: aws_pci_dss_v321_requirement_6_6
+- id: aws_pci_dss_v321_requirement_6_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_6
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
index a488d3f31..d3d7ebfee 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_6_1
+title: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities
+description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_6_1
- title: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities
- description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds.
Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_6_1_b
+- id: aws_pci_dss_v321_requirement_6_1_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml
index 130c4555c..86ecb04fd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_1_b
- title: 1.b Interview responsible personnel and observe processes to verify that new security vulnerabilities are identified, a risk ranking is assigned to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities and processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information
- description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.
- section-code: b
- controls:
- - aws_guardduty_finding_archived
+id: aws_pci_dss_v321_requirement_6_1_b
+title: 1.b Interview responsible personnel and observe processes to verify that new security vulnerabilities are identified, a risk ranking is assigned to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities and processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information
+description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.
+section-code: b
+type: control-group
+controls:
+- aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml
index 31a6c45f4..1be19df50 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml
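Review bot: The only evidence attached to 6.1.b on the new side is `aws_guardduty_finding_archived`, a control that, by its name, measures whether GuardDuty findings have been archived; that is a finding-handling signal and does not show that a vulnerability risk-ranking process exists, which is what the title of this group describes. The mapping is carried over from the old side, so the restructure does not change it, but it leaves the group scoring on something orthogonal to its text. If nothing better is available, a short comment above `controls:` noting that this is a proxy (`# proxy: no automated check for a risk-ranking process; GuardDuty triage used as evidence`) would stop readers from taking the result as direct evidence.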
@@ -1,10 +1,11 @@
+id: aws_pci_dss_v321_requirement_6_2
+title: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches
+description: "Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not)."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_6_2
- title: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches
- description: "Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems.
If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not)."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_6_2_b
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_patch_compliant
+- id: aws_pci_dss_v321_requirement_6_2_b
+ type: ""
+controls:
+- aws_ec2_instance_ssm_managed
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml
index 5c8a8bd88..11e915818 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_2_b
- title: 2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify that the applicable critical vendor-supplied security patches are installed within one month of release, all applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months)
- description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
- section-code: b
- controls:
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_pci_dss_v321_requirement_6_2_b
+title: 2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify that the applicable critical vendor-supplied security patches are installed within one month of release, all applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months)
+description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).
+section-code: b
+type: control-group
+controls:
+- aws_eks_cluster_with_latest_kubernetes_version
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_ssm_managed_instance_compliance_patch_compliant
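Review bot: `aws_ssm_managed_instance_compliance_patch_compliant` is attached both here, under 6.2.b, and directly under `controls:` of the parent requirement_6_2 group in the preceding hunk, which on the new side mixes a `control-group:` child list with its own `controls:` list. If the framework rolls results up over descendants, that one control is evaluated and counted twice for 6.2 and its per-resource failures will double in the parent's totals; I cannot tell from the diff whether the aggregator de-duplicates by control id. Keeping the control only on the leaf group (here) and leaving the parent with the child reference plus `aws_ec2_instance_ssm_managed` would remove the ambiguity; if the duplication is deliberate, a one-line comment at the parent saying so would help.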
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml
index 53a08fbbc..d7905487d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml
@@ -1,11 +1,16 @@
+id: aws_pci_dss_v321_requirement_6_3
+title: Develop internal and external software applications (including web-based administrative access to applications) securely
+description: "Develop internal and external software application securely as follows: in accordance with PCI DSS (for example, secure authentication and logging), based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected."
+section-code: "3"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_6_3
- title: Develop internal and external software applications (including web-based administrative access to applications) securely
- description: "Develop internal and external software application securely as follows: in accordance with PCI DSS (for example, secure authentication and logging), based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment.
Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected."
- section-code: "3"
- control-group:
- - id: aws_pci_dss_v321_requirement_6_3_1
- - id: aws_pci_dss_v321_requirement_6_3_2
- - id: aws_pci_dss_v321_requirement_6_3_a
- - id: aws_pci_dss_v321_requirement_6_3_b
- - id: aws_pci_dss_v321_requirement_6_3_c
+- id: aws_pci_dss_v321_requirement_6_3_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_3_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_3_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_3_b
+ type: ""
+- id: aws_pci_dss_v321_requirement_6_3_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml
index 649888eca..c08ea1ab6 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_3_1
- title: 3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers
- description: Development, test and/or custom application accounts, user IDs, and passwords should be removed from production code before the application becomes active or is released to customers, since these items may give away information about the functioning of the application. Possession of such information could facilitate compromise of the application and related cardholder data.
- section-code: "1"
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
+id: aws_pci_dss_v321_requirement_6_3_1
+title: 3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers
+description: Development, test and/or custom application accounts, user IDs, and passwords should be removed from production code before the application becomes active or is released to customers, since these items may give away information about the functioning of the application. Possession of such information could facilitate compromise of the application and related cardholder data.
+section-code: "1"
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml
index 180b499b5..068504422 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_6_3_2
+title: 3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes)
+description: "Custom code prior to release to production should include the following: code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices, code reviews ensure code is developed according to secure coding guidelines, appropriate corrections are implemented prior to release, code-review results are reviewed and approved by management prior to release and security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_6_3_2
- title: 3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes)
- description: "Custom code prior to release to production should include the following: code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices, code reviews ensure code is developed according to secure coding guidelines, appropriate corrections are implemented prior to release, code-review results are reviewed and approved by management prior to release and security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_6_3_2_b
+- id: aws_pci_dss_v321_requirement_6_3_2_b
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml
index 91bdcf59f..98dd2f1b5 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml
@@ -1,5 +1,5 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_3_2_b
- title: 3.2.b Select a sample of recent custom application changes and verify that custom application code is reviewed according to 6.3.2.a, above
- description: Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.
- section-code: b
+id: aws_pci_dss_v321_requirement_6_3_2_b
+title: 3.2.b Select a sample of recent custom application changes and verify that custom application code is reviewed according to 6.3.2.a, above
+description: Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review.
Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.
+section-code: b
+type: control-group
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml
index a377c9c50..e2d9c2cdc 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml
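Review bot: The new 6.3.2.b file is tagged `type: control-group` but, unlike every sibling in this diff, carries neither a `controls:` list nor a `control-group:` child list, so the group has nothing to evaluate. Depending on how the loader scores an empty group this will either be omitted from reports or show as trivially passing, and neither tells an assessor that code-review sampling is unverified here; the old side was equally empty, so the restructure does not introduce this, but it is the moment to decide. If the gap is intentional because no automated check exists, a comment such as `# no automated evidence for review sampling; manual assessment required` under `type:` would make that explicit, otherwise an empty `controls: []` at least states the shape the loader should expect.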
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_3_a
- title: 3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices
- description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
- section-code: a
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
+id: aws_pci_dss_v321_requirement_6_3_a
+title: 3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices
+description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
+section-code: a
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml
index f777b7272..b0522af9f 100755
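Review bot: The three controls carried forward under `controls:` — `aws_codebuild_project_environment_privileged_mode_disabled`, `aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values` and `aws_codebuild_project_source_repo_oauth_configured` — are CodeBuild pipeline-hygiene checks and give no evidence for what the title asks, namely that written software-development processes are based on industry standards; the identical trio is also mapped to 6.3.b and 6.3.c in the next two hunks, so three distinct testing procedures currently pass or fail on the same pipeline settings. If that is a deliberate "best available automated proxy" mapping, say so on the group, e.g. a `# NOTE: automated proxy only; the written-process review itself is manual` comment above `controls:`, otherwise an empty `controls:` list would be the more honest representation. The mapping predates this commit.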
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_3_b
- title: 3.b Examine written software-development processes to verify that information security is included throughout the life cycle
- description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
- section-code: b
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
+id: aws_pci_dss_v321_requirement_6_3_b
+title: 3.b Examine written software-development processes to verify that information security is included throughout the life cycle
+description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
+section-code: b
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml
index 5ecc91170..37a09cd15 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_6_3_c
- title: 3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS
- description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
- section-code: c
- controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
+id: aws_pci_dss_v321_requirement_6_3_c
+title: 3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS
+description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
+section-code: c
+type: control-group
+controls:
+- aws_codebuild_project_environment_privileged_mode_disabled
+- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+- aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml
index 0a71d4ea2..2e134eed3 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml 
@@ -1,7 +1,8 @@ +id: aws_pci_dss_v321_requirement_6_5 +title: Address common coding vulnerabilities in software-development processes like train developers at least annually in up-to-date secure coding techniques etc +description: "Common coding vulnerabilities in software-development processes as follows: train developers at least annually in up- to-date secure coding techniques, including how to avoid common coding vulnerabilities, develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. The application layer is high-risk and may be targeted by both internal and external threats. Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment. Application developers should be properly trained to identify and resolve issues related to these (and other) common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable for technology used. As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise be updated to address new threats—for example, memory scraping attacks. The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. 
It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices." +section-code: "5" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_6_5 - title: Address common coding vulnerabilities in software-development processes like train developers at least annually in up-to-date secure coding techniques etc - description: "Common coding vulnerabilities in software-development processes as follows: train developers at least annually in up- to-date secure coding techniques, including how to avoid common coding vulnerabilities, develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. The application layer is high-risk and may be targeted by both internal and external threats. Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment. Application developers should be properly trained to identify and resolve issues related to these (and other) common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable for technology used. As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise be updated to address new threats—for example, memory scraping attacks. 
The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices." - section-code: "5" - control-group: - - id: aws_pci_dss_v321_requirement_6_5_8 +- id: aws_pci_dss_v321_requirement_6_5_8 + type: "" diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml index f05457720..e3410e7fb 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml 
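Review bot: The child reference `- id: aws_pci_dss_v321_requirement_6_5_8` is given `type: ""` while the group itself gets `type: control-group`; an empty string is a placeholder rather than a type, and whatever consumer reads `type` will presumably either reject it or silently treat the child as untyped. Give it the child's real kind — `type: control-group`, which 6_5_8 declares for itself later in this diff — or drop the key if child references are typed by lookup. The same `type: ""` placeholder appears on every flattened parent group in this diff. Note also that the description covers 6.5.1 through 6.5.10 while only 6_5_8 is listed under `control-group:`; if the other sub-requirements were left out because nothing in the catalog maps to them, a one-line comment to that effect would stop the next reader from treating it as an omission.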
@@ -1,7 +1,7 @@ -control-group: - id: aws_pci_dss_v321_requirement_6_5_8 - title: 5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control—such as insecure direct object references, failure to restrict URL access, and directory traversal—is addressed by coding technique - description: "Directory traversal—is addressed by coding technique should include: proper authentication of users, sanitizing input, not exposing internal object references to users and user interfaces that do not permit access to unauthorized functions. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Consistently enforce access control in presentation layer and business logic for all URLs. Frequently, the only way an application protects sensitive functionality is by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. An attacker may be able to enumerate and navigate the directory structure of a website (directory traversal) thus gaining access to unauthorized information as well as gaining further insight into the workings of the site for later exploitation. If user interfaces permit access to unauthorized functions, this access could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. Limiting access to data resources will help prevent cardholder data from being presented to unauthorized resources." 
- section-code: "8" - controls: - - aws_codebuild_project_environment_privileged_mode_disabled +id: aws_pci_dss_v321_requirement_6_5_8 +title: 5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control—such as insecure direct object references, failure to restrict URL access, and directory traversal—is addressed by coding technique +description: "Directory traversal—is addressed by coding technique should include: proper authentication of users, sanitizing input, not exposing internal object references to users and user interfaces that do not permit access to unauthorized functions. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Consistently enforce access control in presentation layer and business logic for all URLs. Frequently, the only way an application protects sensitive functionality is by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. An attacker may be able to enumerate and navigate the directory structure of a website (directory traversal) thus gaining access to unauthorized information as well as gaining further insight into the workings of the site for later exploitation. If user interfaces permit access to unauthorized functions, this access could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. Limiting access to data resources will help prevent cardholder data from being presented to unauthorized resources." 
+section-code: "8" +type: control-group +controls: +- aws_codebuild_project_environment_privileged_mode_disabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml index 0f646e4d4..0bb1bb962 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml 
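Review bot: The new-side `description` starts mid-sentence — `Directory traversal—is addressed by coding technique should include:` — which reads as a truncated copy of the PCI testing procedure; it should open with its subject, e.g. `Coding techniques that address improper access control should include: proper authentication of users, sanitizing input, ...`, so the colon list that follows has something to attach to. Separately, the only mapped control, `aws_codebuild_project_environment_privileged_mode_disabled`, concerns the build container's privileged mode and gives no evidence about insecure direct object references, URL access restriction or directory traversal in application code; unless the catalog has a control closer to this requirement, an empty `controls:` list (manual verification) would be a more honest mapping. The mapping predates this commit but is carried forward unchanged.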
@@ -1,17 +1,17 @@ -control-group: - id: aws_pci_dss_v321_requirement_6_6 - title: For public-facing web applications, ensure that either one of the requirements are in place - description: "Verify following methods is in place as follows: examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows: - At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections. Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices. Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities, web-application firewalls filter and block non- essential traffic at the application layer. 
Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks. Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2., Installing an automated technical solution that detects and prevents web- based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic." 
- section-code: "6" - controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_elb_application_lb_desync_mitigation_mode - - aws_elb_application_lb_waf_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_regional_web_acl_rule_attached - - aws_waf_rule_condition_attached - - aws_waf_rule_group_rule_attached - - aws_waf_web_acl_resource_associated - - aws_waf_web_acl_rule_attached +id: aws_pci_dss_v321_requirement_6_6 +title: For public-facing web applications, ensure that either one of the requirements are in place +description: "Verify following methods is in place as follows: examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows: - At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections. Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. 
The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices. Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities, web-application firewalls filter and block non- essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks. Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2., Installing an automated technical solution that detects and prevents web- based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic." 
+section-code: "6" +type: control-group +controls: +- aws_apigateway_stage_use_waf_web_acl +- aws_elb_application_lb_desync_mitigation_mode +- aws_elb_application_lb_waf_enabled +- aws_elb_classic_lb_desync_mitigation_mode +- aws_waf_regional_rule_condition_attached +- aws_waf_regional_rule_group_rule_attached +- aws_waf_regional_web_acl_rule_attached +- aws_waf_rule_condition_attached +- aws_waf_rule_group_rule_attached +- aws_waf_web_acl_resource_associated +- aws_waf_web_acl_rule_attached diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml index 56f69a55e..cfc00049c 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml @@ -1,8 +1,10 @@ +id: aws_pci_dss_v321_requirement_7 +title: "Requirement 7: Restrict access to cardholder data by business need to know" +description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. +section-code: requirement_7 +type: control-group control-group: - id: aws_pci_dss_v321_requirement_7 - title: "Requirement 7: Restrict access to cardholder data by business need to know" - description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. - section-code: requirement_7 - control-group: - - id: aws_pci_dss_v321_requirement_7_1 - - id: aws_pci_dss_v321_requirement_7_2 +- id: aws_pci_dss_v321_requirement_7_1 + type: "" +- id: aws_pci_dss_v321_requirement_7_2 + type: "" 
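Review bot: Requirement 6.6's WAF option, as this group's own description spells out, requires the solution to be actively running and up to date, `Is generating audit logs`, and configured to block or to alert; yet every WAF control mapped under `controls:` checks only structure — conditions and rules attached to rule groups and web ACLs, and ACLs associated with resources — so a web ACL with no logging destination and rules set to count rather than block would still pass the whole group. If the catalog has a web ACL logging control it belongs in this list; if not, the description should say that logging and blocking behaviour are verified manually so an auditor does not read a green result as full 6.6 coverage. The description also runs two sentences together at `immediately investigated.Public-facing` — a missing space after the period.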
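Review bot: Each child of the flattened group, `- id: aws_pci_dss_v321_requirement_7_1` and `- id: aws_pci_dss_v321_requirement_7_2`, carries `type: ""`, an empty placeholder rather than a type, while the group itself gets `type: control-group`; the 7_1, 7_1_2 and 7_2 hunks below repeat the pattern. Either give the child references their real kind — `type: control-group` — or omit the key so the loader resolves it from the referenced file; an empty string is the one value that is neither a type nor an absence, and presumably the hardest for a schema check to accept.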
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
index a62a648f6..e86911c75 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_7_1
+title: Limit access to system components and cardholder data to only those individuals whose job requires such access
+description: The more people who have access to cardholder data, the more risk there is that a user's account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_7_1
- title: Limit access to system components and cardholder data to only those individuals whose job requires such access
- description: The more people who have access to cardholder data, the more risk there is that a user's account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_7_1_2
+- id: aws_pci_dss_v321_requirement_7_1_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
index 9a2f985a9..723cce3df 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_7_1_2
+title: 1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
+description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_7_1_2
- title: 1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
- description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_7_1_2_a
+- id: aws_pci_dss_v321_requirement_7_1_2_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
index ab77bc996..0bec5211d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_7_1_2_a
- title: 1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is assigned only to roles that specifically require such privileged access and restricted to least privileges necessary to perform job responsibilities
- description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
- section-code: a
- controls:
- - aws_efs_access_point_enforce_user_identity
- - aws_iam_all_policy_no_service_wild_card
- - aws_opensearch_domain_fine_grained_access_enabled
+id: aws_pci_dss_v321_requirement_7_1_2_a
+title: 1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is assigned only to roles that specifically require such privileged access and restricted to least privileges necessary to perform job responsibilities
+description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
+section-code: a
+type: control-group
+controls:
+- aws_efs_access_point_enforce_user_identity
+- aws_iam_all_policy_no_service_wild_card
+- aws_opensearch_domain_fine_grained_access_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
index 482e8f1bb..8d89b5547 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_7_2
+title: Examine system settings and vendor documentation to verify that an access control system(s)
+description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it."
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_7_2
- title: Examine system settings and vendor documentation to verify that an access control system(s)
- description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it."
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_7_2_1
+- id: aws_pci_dss_v321_requirement_7_2_1
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml index 58e4fc428..df65a72ad 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml 
@@ -1,25 +1,25 @@ -control-group: - id: aws_pci_dss_v321_requirement_7_2_1 - title: 2.1 Confirm that access control systems are in place on all system components - description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it." - section-code: "1" - controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_log_metric_filter_root_login - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_igw_attached_to_authorized_vpc +id: aws_pci_dss_v321_requirement_7_2_1 +title: 2.1 Confirm that access control systems are in place on all system components +description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. 
Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it." +section-code: "1" +type: control-group +controls: +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_not_publicly_accessible +- aws_eks_cluster_endpoint_restrict_public_access +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_policy_no_star_star +- aws_iam_root_user_no_access_keys +- aws_iam_user_no_inline_attached_policies +- aws_lambda_function_restrict_public_access +- aws_log_metric_filter_root_login +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_account +- aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_vpc_igw_attached_to_authorized_vpc diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml index 2177dd33e..0563fe2ef 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml 
@@ -1,12 +1,18 @@
+id: aws_pci_dss_v321_requirement_8
+title: "Requirement 8: Identify and authenticate access to system components"
+description: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
+section-code: requirement_8
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8
- title: "Requirement 8: Identify and authenticate access to system components"
- description: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
- section-code: requirement_8
- control-group:
- - id: aws_pci_dss_v321_requirement_8_1
- - id: aws_pci_dss_v321_requirement_8_2
- - id: aws_pci_dss_v321_requirement_8_3
- - id: aws_pci_dss_v321_requirement_8_5
- - id: aws_pci_dss_v321_requirement_8_6
- - id: aws_pci_dss_v321_requirement_8_7
+- id: aws_pci_dss_v321_requirement_8_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_3
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_5
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_6
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_7
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml
index cc20d873a..803b04b89 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml
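Review bot: The six child references added at the bottom of this hunk carry `type: ""`, while every referenced file in the same change declares `type: control-group` for itself; an empty string is neither the child's declared value nor an omitted key, so how the reference is resolved depends on how the loader treats an empty type, and if it treats unknown or empty types as unresolvable the sub-groups 8.1 through 8.7 would silently drop out of the framework tree and their controls would never be evaluated. Either write the value the child files declare, `- id: aws_pci_dss_v321_requirement_8_1` followed by `  type: control-group`, or leave `type` off the reference entirely and let the loader take it from the target file. A one-line comment above the list stating which of the two is the convention would stop the next editor from copying the empty string. The same pattern appears in the other parent files in this change (7_2, 8_1, 8_1_5, 8_2, 8_2_1, 8_2_3).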
@@ -1,9 +1,12 @@
+id: aws_pci_dss_v321_requirement_8_1
+title: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators
+description: By ensuring each user is uniquely identified— instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_1
- title: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators
- description: By ensuring each user is uniquely identified— instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_1_2
- - id: aws_pci_dss_v321_requirement_8_1_4
- - id: aws_pci_dss_v321_requirement_8_1_5
+- id: aws_pci_dss_v321_requirement_8_1_2
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_1_4
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_1_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml
index 97af53fcd..ceff46e87 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_1_2
- title: 1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
- description: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones.
- section-code: "2"
- controls:
- - aws_log_metric_filter_iam_policy
+id: aws_pci_dss_v321_requirement_8_1_2
+title: 1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
+description: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones.
+section-code: "2"
+type: control-group
+controls:
+- aws_log_metric_filter_iam_policy
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml
index 6df4e2fbd..c24e54d63 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml
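Review bot: The only control under 8.1.2 on the new side, `aws_log_metric_filter_iam_policy`, alerts on IAM policy changes, whereas the requirement text in this hunk is about controlling addition, deletion and modification of user IDs and credentials; policy-change alerting says nothing about user creation and deletion or access-key creation and rotation. If the control library has a metric-filter or IAM control that covers user and access-key lifecycle events, it belongs in this `controls:` list; if it does not, recording the gap in a comment above the list keeps a passing 8.1.2 from being read as evidence that credential changes are monitored. The mapping predates this commit, which only flattens the file, but the flattened file is the natural place to correct it.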
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_1_4
- title: 1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled
- description: Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.
- section-code: "4"
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_unused_credentials_90
+id: aws_pci_dss_v321_requirement_8_1_4
+title: 1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled
+description: Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data.
+section-code: "4"
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml
index 695d95192..14d218f0a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml
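Review bot: `aws_iam_account_password_policy_strong_min_reuse_24` in the 8.1.4 `controls:` list checks password complexity and reuse, which has no bearing on whether accounts inactive for more than 90 days are removed or disabled; the only control here that tests what the title states is `aws_iam_user_unused_credentials_90`. With both listed, a failing password policy lowers the 8.1.4 result and a passing one inflates it, and neither outcome reflects inactive-account hygiene. I would drop the password-policy entry from this list (the same change already maps it under 8.2 and 8.2.3, where it fits) or, if it is kept deliberately, add a comment above it explaining why. The mapping is pre-existing; the commit only flattens the YAML.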
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_8_1_5
+title: 1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access by enabling only during the time period needed and disabled when not in use
+description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_1_5
- title: 1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access by enabling only during the time period needed and disabled when not in use
- description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames.
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_1_5_a
+- id: aws_pci_dss_v321_requirement_8_1_5_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml
index 8799ee56e..c814f5df4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml
@@ -1,7 +1,7 @@ -control-group: - id: aws_pci_dss_v321_requirement_8_1_5_a - title: 1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are disabled when not in use, enabled only when needed by the third party and disabled when not in use - description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. - section-code: a - controls: - - aws_cloudtrail_trail_enabled +id: aws_pci_dss_v321_requirement_8_1_5_a +title: 1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are disabled when not in use, enabled only when needed by the third party and disabled when not in use +description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. 
+section-code: a
+type: control-group
+controls:
+- aws_cloudtrail_trail_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml
index 88c16dff2..17c4abb6c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml
@@ -1,12 +1,16 @@ +id: aws_pci_dss_v321_requirement_8_2 +title: To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment perform the methods like examine documentation describing the authentication method(s) used etc +description: "Verify users are authenticated using unique ID, perform the following: examine documentation describing the authentication method(s) used, for each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). These authentication methods, when used in addition to unique IDs, help protect users' IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used). Note that a digital certificate is a valid option for “something you have” as long as it is unique for a particular user. Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for authentication management." +section-code: "2" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_8_2 - title: To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment perform the methods like examine documentation describing the authentication method(s) used etc - description: "Verify users are authenticated using unique ID, perform the following: examine documentation describing the authentication method(s) used, for each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). 
These authentication methods, when used in addition to unique IDs, help protect users' IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used). Note that a digital certificate is a valid option for “something you have” as long as it is unique for a particular user. Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for authentication management." - section-code: "2" - control-group: - - id: aws_pci_dss_v321_requirement_8_2_1 - - id: aws_pci_dss_v321_requirement_8_2_3 - - id: aws_pci_dss_v321_requirement_8_2_4 - - id: aws_pci_dss_v321_requirement_8_2_5 - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +- id: aws_pci_dss_v321_requirement_8_2_1 + type: "" +- id: aws_pci_dss_v321_requirement_8_2_3 + type: "" +- id: aws_pci_dss_v321_requirement_8_2_4 + type: "" +- id: aws_pci_dss_v321_requirement_8_2_5 + type: "" +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml index ad87fbcbe..9997c5bb1 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml 
@@ -1,20 +1,23 @@ +id: aws_pci_dss_v321_requirement_8_2_1 +title: 2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components +description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." +section-code: "1" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_8_2_1 - title: 2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components - description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." 
- section-code: "1" - control-group: - - id: aws_pci_dss_v321_requirement_8_2_1_a - - id: aws_pci_dss_v321_requirement_8_2_1_b - - id: aws_pci_dss_v321_requirement_8_2_1_c - controls: - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl +- id: aws_pci_dss_v321_requirement_8_2_1_a + type: "" +- id: aws_pci_dss_v321_requirement_8_2_1_b + type: "" +- id: aws_pci_dss_v321_requirement_8_2_1_c + type: "" +controls: +- aws_cloudfront_distribution_encryption_in_transit_enabled +- aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values +- aws_codebuild_project_source_repo_oauth_configured +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_node_to_node_encryption_enabled +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml index 43a73eadb..0213a27cb 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml 
@@ -1,32 +1,32 @@ -control-group: - id: aws_pci_dss_v321_requirement_8_2_1_a - title: 2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage - description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." - section-code: a - controls: - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - 
aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest +id: aws_pci_dss_v321_requirement_8_2_1_a +title: 2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage +description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." +section-code: a +type: control-group +controls: +- aws_cloudfront_distribution_encryption_in_transit_enabled +- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk +- aws_dax_cluster_encryption_at_rest_enabled +- aws_dynamodb_table_encrypted_with_kms +- aws_dynamodb_table_encryption_enabled +- aws_ebs_attached_volume_encryption_enabled +- aws_ec2_ebs_default_encryption_enabled +- aws_efs_file_system_encrypt_data_at_rest +- aws_eks_cluster_secrets_encrypted +- aws_elb_application_lb_drop_http_headers +- aws_elb_application_lb_redirect_http_request_to_https +- aws_elb_classic_lb_use_ssl_certificate +- aws_elb_classic_lb_use_tls_https_listeners +- aws_es_domain_encryption_at_rest_enabled +- aws_es_domain_node_to_node_encryption_enabled +- aws_log_group_encryption_at_rest_enabled +- aws_rds_db_instance_encryption_at_rest_enabled +- aws_rds_db_snapshot_encrypted_at_rest +- aws_redshift_cluster_encryption_in_transit_enabled +- aws_redshift_cluster_encryption_logging_enabled +- aws_s3_bucket_default_encryption_enabled +- aws_s3_bucket_default_encryption_enabled_kms +- aws_s3_bucket_enforces_ssl +- 
aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled +- aws_sagemaker_notebook_instance_encryption_at_rest_enabled +- aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml index ed8e58aab..86012c668 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml 
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_1_b
- title: 2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage
- description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider."
- section-code: b
- controls:
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
+id: aws_pci_dss_v321_requirement_8_2_1_b
+title: 2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage
+description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider."
+section-code: b
+type: control-group
+controls:
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml
index 5a7084961..01b0fc1d1 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_1_c
- title: 2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission
- description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider."
- section-code: c
- controls:
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
+id: aws_pci_dss_v321_requirement_8_2_1_c
+title: 2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission
+description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider."
+section-code: c
+type: control-group
+controls:
+- aws_secretsmanager_secret_encrypted_with_kms_cmk
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml
index 250790780..7b7359a1a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml
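Review bot: 8.2.1.c is the in-transit procedure (the title in this hunk reads "examine data transmissions to verify that passwords are unreadable during transmission"), yet its single control, `aws_secretsmanager_secret_encrypted_with_kms_cmk`, verifies encryption at rest and is the same control the storage procedure 8.2.1.b already uses. The transport evidence this file should carry is what the parent 8.2.1 and 8.2.1.a lists in this same change already map — e.g. `aws_s3_bucket_enforces_ssl`, `aws_elb_classic_lb_use_tls_https_listeners`, `aws_elb_application_lb_redirect_http_request_to_https`, `aws_redshift_cluster_encryption_in_transit_enabled` — so the `controls:` list here should draw from those rather than the Secrets Manager KMS check. As written, an account with every load balancer listening on plain HTTP but one KMS-encrypted secret passes 8.2.1.c. The mapping predates this commit, which only flattens the YAML.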
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml 
@@ -1,10 +1,12 @@ +id: aws_pci_dss_v321_requirement_8_2_3 +title: 2.3 Passwords/passphrases require a minimum length of at least seven characters, contain both numeric and alphabetic characters +description: "The passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider." +section-code: "3" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_8_2_3 - title: 2.3 Passwords/passphrases require a minimum length of at least seven characters, contain both numeric and alphabetic characters - description: "The passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. 
If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider." - section-code: "3" - control-group: - - id: aws_pci_dss_v321_requirement_8_2_3_a - - id: aws_pci_dss_v321_requirement_8_2_3_b - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 +- id: aws_pci_dss_v321_requirement_8_2_3_a + type: "" +- id: aws_pci_dss_v321_requirement_8_2_3_b + type: "" +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml index c24e3b4cf..60d1c82d9 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml 
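Review bot: The child references added under `control-group:` carry `type: ""`, an empty string, while each file's own node gets `type: control-group`; an empty type reads as an unfilled placeholder rather than a meaningful value, and a loader that validates `type` will presumably reject or silently skip these children. If the reference type is meant to mirror the referenced file, write `type: control-group`; if the loader resolves the type from the referenced id, drop the key entirely. The same `type: ""` entries appear in the 8_2_4, 8_2_5, 8_3, 8_3_1 and 8_3_2 hunks below. Separately, every file in this run is mode 100755 per the `index` lines; YAML data files should not carry the executable bit.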
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_3_a
- title: 2.3.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
- description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: a
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_pci_dss_v321_requirement_8_2_3_a
+title: 2.3.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
+description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: a
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml
index 0cae20d02..1e12b1f07 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_3_b
- title: 2.3.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
- description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: b
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_pci_dss_v321_requirement_8_2_3_b
+title: 2.3.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
+description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: b
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
index 70935a4b9..04f7b8509 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
@@ -1,10 +1,12 @@
+id: aws_pci_dss_v321_requirement_8_2_4
+title: 2.4 Change user passwords/passphrases at least once every 90 days
+description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: "4"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_2_4
- title: 2.4 Change user passwords/passphrases at least once every 90 days
- description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: "4"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_2_4_a
- - id: aws_pci_dss_v321_requirement_8_2_4_b
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+- id: aws_pci_dss_v321_requirement_8_2_4_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_2_4_b
+ type: ""
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
index ed0d6e124..0bb514839 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
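Review bot: The parent group `aws_pci_dss_v321_requirement_8_2_4` (change passwords at least every 90 days) lists only `aws_iam_account_password_policy_strong_min_reuse_24` under `controls:`, while its child 8_2_4_a in the next hunk additionally lists `aws_secretsmanager_secret_last_changed_90_day`. Judging by the names alone, the last-changed-age check is the one that actually speaks to the 90-day rotation requirement, so if a group's `controls:` list is evaluated on its own, `- aws_secretsmanager_secret_last_changed_90_day` should be added here as well; if the parent only aggregates its children, the gap is harmless but deserves a comment. The sibling 8_2_3 and 8_2_5 groups list exactly the controls their children list, so this looks like an omission rather than a convention.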
@@ -1,8 +1,8 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_4_a
- title: 2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days
- description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: a
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_secretsmanager_secret_last_changed_90_day
+id: aws_pci_dss_v321_requirement_8_2_4_a
+title: 2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days
+description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: a
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_secretsmanager_secret_last_changed_90_day
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
index 4987f3486..0ee0df3b6 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_4_b
- title: "2.4.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer user passwords/passphrases are required to change periodically; and non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change"
- description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: b
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_pci_dss_v321_requirement_8_2_4_b
+title: "2.4.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer user passwords/passphrases are required to change periodically; and non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change"
+description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: b
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
index 86a4f4784..962e790ca 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
@@ -1,10 +1,12 @@
+id: aws_pci_dss_v321_requirement_8_2_5
+title: 2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
+description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_2_5
- title: 2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
- description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_2_5_a
- - id: aws_pci_dss_v321_requirement_8_2_5_b
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+- id: aws_pci_dss_v321_requirement_8_2_5_a
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_2_5_b
+ type: ""
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
index 6f0f2009f..6b732dedf 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_5_a
- title: 2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases
- description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: a
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_pci_dss_v321_requirement_8_2_5_a
+title: 2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases
+description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: a
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
index 08d515ed8..6e122f352 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_2_5_b
- title: 2.5.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrase cannot be the same as the previous four passwords
- description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
- section-code: b
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_pci_dss_v321_requirement_8_2_5_b
+title: 2.5.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrase cannot be the same as the previous four passwords
+description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+section-code: b
+type: control-group
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
index 11faf1379..206a6eeb0 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
@@ -1,8 +1,10 @@
+id: aws_pci_dss_v321_requirement_8_3
+title: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
+description: "Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2), before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. Multi-factor authentication is not required at both the system-level and application-level for a particular system component. Multi-factor authentication can be performed either upon authentication to the particular network or to the system component. Examples of multi-factor technologies include but are not limited to remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate multi- factor authentication."
+section-code: "3"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_3
- title: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
- description: "Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2), before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. Multi-factor authentication is not required at both the system-level and application-level for a particular system component. Multi-factor authentication can be performed either upon authentication to the particular network or to the system component. Examples of multi-factor technologies include but are not limited to remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate multi- factor authentication."
- section-code: "3"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_3_1
- - id: aws_pci_dss_v321_requirement_8_3_2
+- id: aws_pci_dss_v321_requirement_8_3_1
+ type: ""
+- id: aws_pci_dss_v321_requirement_8_3_2
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
index db05bb9cb..f1006e3ba 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
@@ -1,11 +1,12 @@
+id: aws_pci_dss_v321_requirement_8_3_1
+title: 3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
+description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
+section-code: "1"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_3_1
- title: 3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
- description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
- section-code: "1"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_3_1_a
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+- id: aws_pci_dss_v321_requirement_8_3_1_a
+ type: ""
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
index b5d053dfe..e20277a8a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_3_1_a
- title: 3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE
- description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity's network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
- section-code: a
- controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
+id: aws_pci_dss_v321_requirement_8_3_1_a
+title: 3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE
+description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity's network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
+section-code: a
+type: control-group
+controls:
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
index ad3e70396..494923274 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_8_3_2
+title: 3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network
+description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
+section-code: "2"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_3_2
- title: 3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network
- description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
- section-code: "2"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_3_2_a
+- id: aws_pci_dss_v321_requirement_8_3_2_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
index 53539374a..ae7129626 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
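Review bot: The child reference on the new side is written as `- id: aws_pci_dss_v321_requirement_8_3_2_a` followed by `type: ""`, an empty string, while every leaf file in this diff declares `type: control-group`; an empty `type` is likely to be treated by the loader as unknown, or as a value distinct from an absent key, so the reference should either carry `type: control-group` or omit the key. The same empty `type: ""` is emitted for the child references in the 8_5, 8_6 and 8_7 hunks (the last one four times). If the loader resolves the type from the referenced file and ignores this field, a comment on the `control-group:` list saying so would settle the question before the next schema change.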
@@ -1,9 +1,9 @@ -control-group: - id: aws_pci_dss_v321_requirement_8_3_2_a - title: 3.2.a Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for all remote access by personnel, both user and administrator, and all third-party/vendor remote access (including access to applications and system components for support or maintenance purposes) - description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks. - section-code: a - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_pci_dss_v321_requirement_8_3_2_a +title: 3.2.a Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for all remote access by personnel, both user and administrator, and all third-party/vendor remote access (including access to applications and system components for support or maintenance purposes) +description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. 
If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks. +section-code: a +type: control-group +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml index f07594262..4ffb98bab 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml 
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_8_5
+title: Do not use group, shared, or generic IDs, passwords, or other authentication methods
+description: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
+section-code: "5"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_5
- title: Do not use group, shared, or generic IDs, passwords, or other authentication methods
- description: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
- section-code: "5"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_5_a
+- id: aws_pci_dss_v321_requirement_8_5_a
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
index 3c0ecdfa6..9cb865928 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
@@ -1,7 +1,7 @@ -control-group: - id: aws_pci_dss_v321_requirement_8_5_a - title: 5.a For a sample of system components, examine user ID lists to verify that generic user IDs are disabled or removed, shared user IDs for system administration activities and other critical functions do not exist or are shared, and generic user IDs are not used to administer any system components - description: Generic user IDs are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials. - section-code: a - controls: - - aws_iam_root_user_no_access_keys +id: aws_pci_dss_v321_requirement_8_5_a +title: 5.a For a sample of system components, examine user ID lists to verify that generic user IDs are disabled or removed, shared user IDs for system administration activities and other critical functions do not exist or are shared, and generic user IDs are not used to administer any system components +description: Generic user IDs are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. 
This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials. +section-code: a +type: control-group +controls: +- aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml index 8453c4f01..96f6252ce 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml 
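Review bot: The new `title` line states that shared user IDs for system administration activities "do not exist or are shared", which contradicts the `description` on the following line ("do not exist") and the intent of the requirement; the title most likely means `do not exist or are disabled`. The title is what appears in reports, so the restructure is the moment to correct it rather than carry the typo into the new layout. The hunk is complete in this view.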
@@ -1,7 +1,8 @@
+id: aws_pci_dss_v321_requirement_8_6
+title: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account and not shared among multiple accounts, physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
+description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
+section-code: "6"
+type: control-group
 control-group:
- id: aws_pci_dss_v321_requirement_8_6
- title: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account and not shared among multiple accounts, physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
- description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
- section-code: "6"
- control-group:
- - id: aws_pci_dss_v321_requirement_8_6_c
+- id: aws_pci_dss_v321_requirement_8_6_c
+ type: ""
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
index f9e5f9702..0d8a4d22e 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
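Review bot: The new `title` line contains the garbled run `use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account`, which repeats "must be assigned" and drops the clause break; it should read `use of these mechanisms must be assigned as follows: authentication mechanisms must be assigned to an individual account and not shared among multiple accounts, and physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access`. The text is carried verbatim from the removed line, so the commit does not introduce it, but the restructure rewrites every line of this file and is the right moment to fix it.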
@@ -1,9 +1,9 @@ -control-group: - id: aws_pci_dss_v321_requirement_8_6_c - title: 6.c Examine system configuration settings and/or physical controls, as applicable, to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access - description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism. - section-code: c - controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled +id: aws_pci_dss_v321_requirement_8_6_c +title: 6.c Examine system configuration settings and/or physical controls, as applicable, to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access +description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism. +section-code: c +type: control-group +controls: +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml index eece5df18..7b4db1137 100755 
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml 
@@ -1,10 +1,14 @@ +id: aws_pci_dss_v321_requirement_8_7 +title: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted +description: "Access to any database containing cardholder data is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties)." +section-code: "7" +type: control-group control-group: - id: aws_pci_dss_v321_requirement_8_7 - title: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted - description: "Access to any database containing cardholder data is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). 
Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties)." - section-code: "7" - control-group: - - id: aws_pci_dss_v321_requirement_8_7_a - - id: aws_pci_dss_v321_requirement_8_7_b - - id: aws_pci_dss_v321_requirement_8_7_c - - id: aws_pci_dss_v321_requirement_8_7_d +- id: aws_pci_dss_v321_requirement_8_7_a + type: "" +- id: aws_pci_dss_v321_requirement_8_7_b + type: "" +- id: aws_pci_dss_v321_requirement_8_7_c + type: "" +- id: aws_pci_dss_v321_requirement_8_7_d + type: "" diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml index 3837c64e4..f557bb4bf 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml 
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_7_a
- title: 7.a Review database and application configuration settings and verify that all users are authenticated prior to access
- description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
- section-code: a
- controls:
- - aws_rds_db_instance_iam_authentication_enabled
+id: aws_pci_dss_v321_requirement_8_7_a
+title: 7.a Review database and application configuration settings and verify that all users are authenticated prior to access
+description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+section-code: a
+type: control-group
+controls:
+- aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
index a50448442..93ea23f47 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
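Review bot: Sub-requirements 8.7.a through 8.7.d (this hunk and the 8_7_b, 8_7_c and 8_7_d hunks that follow) each map to the single control `aws_rds_db_instance_iam_authentication_enabled`, yet only 8.7.a (users authenticated prior to access) is plausibly evidenced by IAM database authentication; 8.7.b (access through programmatic methods only), 8.7.c (direct access restricted to DBAs) and 8.7.d (application IDs not usable by individuals) do not appear, from the control's name, to be something it can observe. Unless the mapping is deliberately approximate, a YAML comment above each `controls:` list, e.g. `# partial coverage: IAM DB auth evidences authentication, not the DBA-only or programmatic-access restriction`, would keep a passing check from being read as full compliance with the sub-requirement.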
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_7_b
- title: 7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures)
- description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
- section-code: b
- controls:
- - aws_rds_db_instance_iam_authentication_enabled
+id: aws_pci_dss_v321_requirement_8_7_b
+title: 7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures)
+description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+section-code: b
+type: control-group
+controls:
+- aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
index bdf06389a..0cf592452 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_7_c
- title: 7.c Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators
- description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
- section-code: c
- controls:
- - aws_rds_db_instance_iam_authentication_enabled
+id: aws_pci_dss_v321_requirement_8_7_c
+title: 7.c Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators
+description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+section-code: c
+type: control-group
+controls:
+- aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
index 645a72274..052f17e70 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_pci_dss_v321_requirement_8_7_d
- title: 7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes)
- description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
- section-code: d
- controls:
- - aws_rds_db_instance_iam_authentication_enabled
+id: aws_pci_dss_v321_requirement_8_7_d
+title: 7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes)
+description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+section-code: d
+type: control-group
+controls:
+- aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml
index 1100f0e05..cd8c29827 100644
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml
@@ -1,34 +1,34 @@ -framework: - id: aws_rbi_cyber_security - title: RBI Cyber Security Framework - description: The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks. - section-code: aws_rbi_cyber_security - tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Laws & Regulations - plugin: - - aws - rbi_cyber_security: - - "true" - service: - - AWS - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: aws_rbi_cyber_security_annex_i_1_1 - - id: aws_rbi_cyber_security_annex_i_1_3 - - id: aws_rbi_cyber_security_annex_i_5_1 - - id: aws_rbi_cyber_security_annex_i_6 - - id: aws_rbi_cyber_security_annex_i_7_1 - - id: aws_rbi_cyber_security_annex_i_7_2 - - id: aws_rbi_cyber_security_annex_i_7_3 - - id: aws_rbi_cyber_security_annex_i_7_4 - - id: aws_rbi_cyber_security_annex_i_12 +id: aws_rbi_cyber_security +title: RBI Cyber Security Framework +description: The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. 
The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks. +section-code: aws_rbi_cyber_security +type: framework +tags: + category: + - Compliance + platform_benchmark_type: + - compliance + platform_category: + - Laws & Regulations + plugin: + - aws + rbi_cyber_security: + - "true" + service: + - AWS + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_rbi_cyber_security_annex_i_1_1 +- id: aws_rbi_cyber_security_annex_i_1_3 +- id: aws_rbi_cyber_security_annex_i_5_1 +- id: aws_rbi_cyber_security_annex_i_6 +- id: aws_rbi_cyber_security_annex_i_7_1 +- id: aws_rbi_cyber_security_annex_i_7_2 +- id: aws_rbi_cyber_security_annex_i_7_3 +- id: aws_rbi_cyber_security_annex_i_7_4 +- id: aws_rbi_cyber_security_annex_i_12 diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml index 73338d9ee..d64a68610 100755 --- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml +++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml 
@@ -1,29 +1,29 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_12
- title: Annex I (12)
- description: Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).
- section-code: annex_i_12
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_12
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
+id: aws_rbi_cyber_security_annex_i_12
+title: Annex I (12)
+description: Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).
+section-code: annex_i_12
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_12
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
index 22129ca0d..68a3be4d1 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_1_1
- title: Annex I (1.1)
- description: "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low)."
- section-code: annex_i_1_1
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_1_1
- service:
- - AWS/EC2
- type:
- - Benchmark
- controls:
- - aws_ec2_instance_ssm_managed
+id: aws_rbi_cyber_security_annex_i_1_1
+title: Annex I (1.1)
+description: "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low)."
+section-code: annex_i_1_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_1_1
+ service:
+ - AWS/EC2
+ type:
+ - Benchmark
+controls:
+- aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
index d670990a9..5221f1ea0 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
@@ -1,68 +1,68 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_1_3
- title: Annex I (1.3)
- description: Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.
- section-code: annex_i_1_3
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_1_3
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
+id: aws_rbi_cyber_security_annex_i_1_3
+title: Annex I (1.3)
+description: Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.
+section-code: annex_i_1_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_1_3
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_apigateway_stage_cache_encryption_at_rest_enabled
+- aws_autoscaling_launch_config_public_ip_disabled
+- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+- aws_dms_replication_instance_not_publicly_accessible
+- aws_dynamodb_table_encrypted_with_kms
+- aws_ebs_attached_volume_encryption_enabled
+- aws_ebs_snapshot_not_publicly_restorable
+- aws_ebs_volume_encryption_at_rest_enabled
+- aws_ec2_instance_in_vpc
+- aws_ec2_instance_not_publicly_accessible
+- aws_efs_file_system_encrypt_data_at_rest
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_emr_cluster_master_nodes_no_public_ip
+- aws_es_domain_encryption_at_rest_enabled
+- aws_es_domain_in_vpc
+- aws_es_domain_node_to_node_encryption_enabled
+- aws_kms_cmk_rotation_enabled
+- aws_kms_key_not_pending_deletion
+- aws_lambda_function_in_vpc
+- aws_lambda_function_restrict_public_access
+- aws_log_group_encryption_at_rest_enabled
+- aws_rds_db_instance_encryption_at_rest_enabled
+- aws_rds_db_instance_prohibit_public_access
+- aws_rds_db_snapshot_encrypted_at_rest
+- aws_rds_db_snapshot_prohibit_public_access
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_redshift_cluster_kms_enabled
+- aws_redshift_cluster_prohibit_public_access
+- aws_s3_bucket_default_encryption_enabled_kms
+- aws_s3_bucket_default_encryption_enabled
+- aws_s3_bucket_enforces_ssl
+- aws_s3_bucket_restrict_public_read_access
+- aws_s3_bucket_restrict_public_write_access
+- aws_s3_public_access_block_bucket_account
+- aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+- aws_sagemaker_notebook_instance_direct_internet_access_disabled
+- aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+- aws_sns_topic_encrypted_at_rest
+- aws_vpc_igw_attached_to_authorized_vpc
+- aws_vpc_route_table_restrict_public_access_to_igw
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
index 4c64b47a1..9536483a8 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_5_1
- title: Annex I (5.1)
- description: The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.
- section-code: annex_i_5_1
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_5_1
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_elb_application_lb_waf_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+id: aws_rbi_cyber_security_annex_i_5_1
+title: Annex I (5.1)
+description: The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.
+section-code: annex_i_5_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_5_1
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_use_waf_web_acl
+- aws_elb_application_lb_waf_enabled
+- aws_vpc_default_security_group_restricts_all_traffic
+- aws_vpc_security_group_restrict_ingress_common_ports_all
+- aws_vpc_security_group_restrict_ingress_ssh_all
+- aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
index a2b4e42f5..7ddb37f93 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_6
- title: Annex I (6)
- description: Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.
- section-code: annex_i_6
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_6
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_guardduty_finding_archived
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_rbi_cyber_security_annex_i_6
+title: Annex I (6)
+description: Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.
+section-code: annex_i_6
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_6
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_guardduty_finding_archived
+- aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+- aws_redshift_cluster_maintenance_settings_check
+- aws_ssm_managed_instance_compliance_association_compliant
+- aws_ssm_managed_instance_compliance_patch_compliant
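Review bot: The `description` for Annex I (6) states two requirements — patch tracking and antivirus/endpoint protection — but the five entries under `controls:` on the new side all concern patch or maintenance state (`aws_ssm_managed_instance_compliance_patch_compliant`, `aws_rds_db_instance_automatic_minor_version_upgrade_enabled`, `aws_redshift_cluster_maintenance_settings_check`, …), and `aws_guardduty_finding_archived` is a finding-hygiene check rather than an endpoint-protection one. Nothing in this group evidences the antivirus half, so a passing result could be read as fuller coverage than it is. If the catalogue has no control for it, a comment above `controls:` such as `# antivirus/endpoint-protection requirement is not covered by automated controls; manual evidence required` would make the gap explicit for auditors. The mapping predates this commit, which only restructures the file.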
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
index 43335d459..89df35f94 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_7_1
- title: Annex I (7.1)
- description: Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.
- section-code: annex_i_7_1
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_1
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
+id: aws_rbi_cyber_security_annex_i_7_1
+title: Annex I (7.1)
+description: Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.
+section-code: annex_i_7_1
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_1
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
index 5a58f0ec9..791421a64 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_7_2
- title: Annex I (7.2)
- description: Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.
- section-code: annex_i_7_2
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_2
- service:
- - AWS/IAM
- type:
- - Benchmark
- controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
+id: aws_rbi_cyber_security_annex_i_7_2
+title: Annex I (7.2)
+description: Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.
+section-code: annex_i_7_2
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_2
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+controls:
+- aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
index fe1dcb05e..a433f2f79 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_7_3
- title: Annex I (7.3)
- description: Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.
- section-code: annex_i_7_3
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_3
- service:
- - AWS/VPC
- type:
- - Benchmark
- controls:
- - aws_vpc_security_group_restrict_ingress_ssh_all
+id: aws_rbi_cyber_security_annex_i_7_3
+title: Annex I (7.3)
+description: Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.
+section-code: annex_i_7_3
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_3
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+controls:
+- aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
index 67eea4479..836fb030d 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
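Review bot: Annex I (7.3) is about Remote Desktop Protocol being disabled and logged, yet the only entry under `controls:` on the new side is `aws_vpc_security_group_restrict_ingress_ssh_all`, which by its name evaluates SSH ingress rather than RDP. The requirement also asks that remote-access logs be enabled and monitored, and no logging control (for example `aws_vpc_flow_logs_enabled`, which this diff maps under annex_i_7_4) appears here. If the catalogue has an RDP-specific ingress control it belongs in this list; otherwise `aws_vpc_security_group_restrict_ingress_common_ports_all`, already used by annex_i_5_1 and annex_i_1_3 in this diff, is the closer match, assuming its port set includes RDP. The mapping predates this commit, which only restructures the file, so this is a coverage gap the change does not address.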
@@ -1,33 +1,33 @@
-control-group:
- id: aws_rbi_cyber_security_annex_i_7_4
- title: Annex I (7.4)
- description: Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)
- section-code: annex_i_7_4
- tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_4
- service:
- - AWS
- type:
- - Benchmark
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_rbi_cyber_security_annex_i_7_4
+title: Annex I (7.4)
+description: Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)
+section-code: annex_i_7_4
+type: control-group
+tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_4
+ service:
+ - AWS
+ type:
+ - Benchmark
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_securityhub_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml
index 3618d87f0..e640702ea 100644
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml
@@ -1,14 +1,14 @@
-framework:
- id: aws_rbi_itf_nbfc
- title: Reserve Bank of India - Information Technology Framework for Non-Banking Financial Companies (RBI ITF-NBFC)
- description: The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.
- section-code: aws_rbi_itf_nbfc
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: aws_rbi_itf_nbfc_3
- - id: aws_rbi_itf_nbfc_4
- - id: aws_rbi_itf_nbfc_6
- - id: aws_rbi_itf_nbfc_8
+id: aws_rbi_itf_nbfc
+title: Reserve Bank of India - Information Technology Framework for Non-Banking Financial Companies (RBI ITF-NBFC)
+description: The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.
+section-code: aws_rbi_itf_nbfc
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_rbi_itf_nbfc_3
+- id: aws_rbi_itf_nbfc_4
+- id: aws_rbi_itf_nbfc_6
+- id: aws_rbi_itf_nbfc_8
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
index 6f17bd415..25563bd19 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
@@ -1,9 +1,12 @@
+id: aws_rbi_itf_nbfc_3
+title: Information Security
+description: "Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a board approved IS Policy with the following basic tenets: a. Confidentiality - Ensuring access to sensitive data to authorized users only, b. Integrity - Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization, c. Availability - Ensuring that uninterrupted data is available to users when it is needed, d. Authenticity - For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine."
+section-code: "3"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_3
- title: Information Security
- description: "Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a board approved IS Policy with the following basic tenets: a. Confidentiality - Ensuring access to sensitive data to authorized users only, b. Integrity - Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization, c. Availability - Ensuring that uninterrupted data is available to users when it is needed, d. Authenticity - For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine."
- section-code: "3"
- control-group:
- - id: aws_rbi_itf_nbfc_3_1
- - id: aws_rbi_itf_nbfc_3_3
- - id: aws_rbi_itf_nbfc_3_5
+- id: aws_rbi_itf_nbfc_3_1
+ type: ""
+- id: aws_rbi_itf_nbfc_3_3
+ type: ""
+- id: aws_rbi_itf_nbfc_3_5
+ type: ""
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
index 2828d6c3e..8dab0fb10 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
@@ -1,11 +1,16 @@
+id: aws_rbi_itf_nbfc_3_1
+title: Information Security Policy
+description: "The IS Policy must provide for a IS framework with the following basic tenets: a. Identification and Classification of Information Assets, b. Segregation of functions, c. Role based Access Control, d. Personnel Security, e. Physical Security, f. Maker-checker, g. Incident Management, h. Trails, i. Public Key Infrastructure (PKI)."
+section-code: "1"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_3_1
- title: Information Security Policy
- description: "The IS Policy must provide for a IS framework with the following basic tenets: a. Identification and Classification of Information Assets, b. Segregation of functions, c. Role based Access Control, d. Personnel Security, e. Physical Security, f. Maker-checker, g. Incident Management, h. Trails, i. Public Key Infrastructure (PKI)."
- section-code: "1"
- control-group:
- - id: aws_rbi_itf_nbfc_3_1_a
- - id: aws_rbi_itf_nbfc_3_1_c
- - id: aws_rbi_itf_nbfc_3_1_g
- - id: aws_rbi_itf_nbfc_3_1_h
- - id: aws_rbi_itf_nbfc_3_1_i
+- id: aws_rbi_itf_nbfc_3_1_a
+ type: ""
+- id: aws_rbi_itf_nbfc_3_1_c
+ type: ""
+- id: aws_rbi_itf_nbfc_3_1_g
+ type: ""
+- id: aws_rbi_itf_nbfc_3_1_h
+ type: ""
+- id: aws_rbi_itf_nbfc_3_1_i
+ type: ""
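Review bot: The child references added on the new side of this hunk, and of the `aws_rbi_itf_nbfc_3_1.yaml` hunk that follows, carry `type: ""`, whereas the `control-group:` entries in `aws_rbi_itf_nbfc.yaml` in the previous hunk get no `type` key at all and the referenced files themselves declare `type: control-group`. An empty string looks like a serializer default that leaked into the committed file rather than a deliberate value, and a loader that dispatches on `type` will either treat `""` as unknown or silently fall back, which is not visible from here. Either drop the key on these references or set it to the value the target file declares, e.g. `- id: aws_rbi_itf_nbfc_3_1` followed by `  type: control-group`, so the two files agree; confirm with the loader whether an absent key and `""` are treated alike before normalising.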
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
index 00ccd02af..b62526130 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: aws_rbi_itf_nbfc_3_1_a
- title: 1.a Identification and Classification of Information Assets
- description: NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
- section-code: a
- controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_ecr_repository_tag_immutability_enabled
+id: aws_rbi_itf_nbfc_3_1_a
+title: 1.a Identification and Classification of Information Assets
+description: NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
+section-code: a
+type: control-group
+controls:
+- aws_ebs_volume_unused
+- aws_ec2_instance_ssm_managed
+- aws_ec2_stopped_instance_30_days
+- aws_ecr_repository_tag_immutability_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
index 7fa95c21b..739f01248 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: aws_rbi_itf_nbfc_3_1_c
- title: 1.c Role based Access Control
- description: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
- section-code: c
- controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
+id: aws_rbi_itf_nbfc_3_1_c
+title: 1.c Role based Access Control
+description: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
+section-code: c
+type: control-group
+controls:
+- aws_ec2_instance_iam_profile_attached
+- aws_efs_access_point_enforce_root_directory
+- aws_efs_access_point_enforce_user_identity
+- aws_emr_cluster_kerberos_enabled
+- aws_iam_account_password_policy_strong_min_reuse_24
+- aws_iam_all_policy_no_service_wild_card
+- aws_iam_group_not_empty
+- aws_iam_group_user_role_no_inline_policies
+- aws_iam_policy_no_star_star
+- aws_iam_root_user_hardware_mfa_enabled
+- aws_iam_root_user_mfa_enabled
+- aws_iam_root_user_no_access_keys
+- aws_iam_user_access_key_age_90
+- aws_iam_user_console_access_mfa_enabled
+- aws_iam_user_in_group
+- aws_iam_user_mfa_enabled
+- aws_iam_user_no_inline_attached_policies
+- aws_iam_user_unused_credentials_90
+- aws_secretsmanager_secret_automatic_rotation_enabled
+- aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
index 2fc1b2831..f048788e7 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: aws_rbi_itf_nbfc_3_1_g
- title: 1.g Incident Management
- description: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
- section-code: g
- controls:
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
+id: aws_rbi_itf_nbfc_3_1_g
+title: 1.g Incident Management
+description: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
+section-code: g
+type: control-group
+controls:
+- aws_elb_application_lb_waf_enabled
+- aws_guardduty_enabled
+- aws_guardduty_finding_archived
+- aws_securityhub_enabled
+- aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
index bc8e6776f..47136fd25 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: aws_rbi_itf_nbfc_3_1_h
- title: 1.h Trails
- description: NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
- section-code: h
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_codebuild_project_logging_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
+id: aws_rbi_itf_nbfc_3_1_h
+title: 1.h Trails
+description: NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
+section-code: h
+type: control-group
+controls:
+- aws_apigateway_stage_logging_enabled
+- aws_cloudtrail_multi_region_trail_enabled
+- aws_cloudtrail_s3_data_events_enabled
+- aws_cloudtrail_trail_enabled
+- aws_cloudtrail_trail_integrated_with_logs
+- aws_cloudwatch_log_group_retention_period_365
+- aws_codebuild_project_logging_enabled
+- aws_elb_application_classic_lb_logging_enabled
+- aws_es_domain_logs_to_cloudwatch
+- aws_opensearch_domain_logs_to_cloudwatch
+- aws_rds_db_instance_logging_enabled
+- aws_redshift_cluster_audit_logging_enabled
+- aws_redshift_cluster_encryption_logging_enabled
+- aws_s3_bucket_logging_enabled
+- aws_vpc_flow_logs_enabled
+- aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
index 2c723f827..3f41fd9ca 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: aws_rbi_itf_nbfc_3_1_i
- title: 1.i Public Key Infrastructure (PKI)
- description: NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.
- section-code: i
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_opensearch_domain_https_required
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
+id: aws_rbi_itf_nbfc_3_1_i
+title: 1.i Public Key Infrastructure (PKI)
+description: NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.
+section-code: i
+type: control-group
+controls:
+- aws_acm_certificate_expires_30_days
+- aws_apigateway_rest_api_stage_use_ssl_certificate
+- aws_elb_application_lb_drop_http_headers
+- aws_elb_application_lb_redirect_http_request_to_https
+- aws_elb_application_network_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_ssl_certificate
+- aws_elb_classic_lb_use_tls_https_listeners
+- aws_opensearch_domain_https_required
+- aws_redshift_cluster_encryption_in_transit_enabled
+- aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
index 2a4e739fa..246866e19 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
@@ -1,12 +1,12 @@ -control-group: - id: aws_rbi_itf_nbfc_3_3 - title: Vulnerability Management - description: A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy. - section-code: "3" - controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_finding_archived - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_rbi_itf_nbfc_3_3 +title: Vulnerability Management +description: A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy. 
+section-code: "3" +type: control-group +controls: +- aws_ec2_instance_ssm_managed +- aws_guardduty_finding_archived +- aws_rds_db_instance_automatic_minor_version_upgrade_enabled +- aws_redshift_cluster_maintenance_settings_check +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml index 36121ffd0..c56db43a9 100755 --- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml +++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml 
@@ -1,11 +1,11 @@ -control-group: - id: aws_rbi_itf_nbfc_3_5 - title: Cyber Crisis Management Plan - description: "A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc." - section-code: "5" - controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant +id: aws_rbi_itf_nbfc_3_5 +title: Cyber Crisis Management Plan +description: "A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. 
NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc." +section-code: "5" +type: control-group +controls: +- aws_ec2_instance_ssm_managed +- aws_guardduty_enabled +- aws_guardduty_finding_archived +- aws_ssm_managed_instance_compliance_association_compliant +- aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml index f2fbc0132..4103ef4f1 100755 --- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml +++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml 
@@ -1,7 +1,8 @@
+id: aws_rbi_itf_nbfc_4
+title: IT Operations
+description: IT Operations should support processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance and then establish and monitor policies for risk management.
+section-code: "4"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_4
- title: IT Operations
- description: IT Operations should support processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance and then establish and monitor policies for risk management.
- section-code: "4"
- control-group:
- - id: aws_rbi_itf_nbfc_4_4
+- id: aws_rbi_itf_nbfc_4_4
+ type: ""
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
index 85f81d1a4..398ffff90 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
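Review bot: The child reference added on the new side carries an empty type, `- id: aws_rbi_itf_nbfc_4_4` followed by `  type: ""`, while the file that id points to declares `type: control-group`; if the loader now dispatches on `type`, an empty string is either silently ignored or makes the referenced group fail to resolve, and in the latter case the whole 4.x subtree drops out of evaluation without any control reporting a failure — a coverage gap that looks like a clean run. I would either omit the key on references or set it to the target's value, `  type: control-group`, and have the loader reject an empty `type` rather than tolerate it. The same pattern appears in the aws_rbi_itf_nbfc_4_4, aws_rbi_itf_nbfc_6 and aws_rbi_itf_nbfc_8 hunks. The loader is not visible in this diff, so how it treats the empty string is inferred.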
@@ -1,9 +1,12 @@
+id: aws_rbi_itf_nbfc_4_4
+title: Management Information System (MIS)
+description: NBFCs may put in place MIS that assist the Top Management as well as the business heads in decision making and also to maintain an oversight over operations of various business verticals. With robust IT systems in place, NBFCs may have the following as part of an effective system generated MIS (indicative list).
+section-code: "4"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_4_4
- title: Management Information System (MIS)
- description: NBFCs may put in place MIS that assist the Top Management as well as the business heads in decision making and also to maintain an oversight over operations of various business verticals. With robust IT systems in place, NBFCs may have the following as part of an effective system generated MIS (indicative list).
- section-code: "4"
- control-group:
- - id: aws_rbi_itf_nbfc_4_4_g
- - id: aws_rbi_itf_nbfc_4_4_h
- - id: aws_rbi_itf_nbfc_4_4_i
+- id: aws_rbi_itf_nbfc_4_4_g
+ type: ""
+- id: aws_rbi_itf_nbfc_4_4_h
+ type: ""
+- id: aws_rbi_itf_nbfc_4_4_i
+ type: ""
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
index e9750feb7..9f6f25c98 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_rbi_itf_nbfc_4_4_g
- title: 4.g Fraud analysis
- description: Suspicious transaction analysis, embezzlement, theft or suspected money-laundering, misappropriation of assets, manipulation of financial records etc. The regulatory requirement of reporting fraud to RBI should be system driven.
- section-code: g
- controls:
- - aws_guardduty_enabled
+id: aws_rbi_itf_nbfc_4_4_g
+title: 4.g Fraud analysis
+description: Suspicious transaction analysis, embezzlement, theft or suspected money-laundering, misappropriation of assets, manipulation of financial records etc. The regulatory requirement of reporting fraud to RBI should be system driven.
+section-code: g
+type: control-group
+controls:
+- aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
index b17e19d05..d526e5d2a 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
@@ -1,25 +1,25 @@ -control-group: - id: aws_rbi_itf_nbfc_4_4_h - title: 4.h Capacity and performance analysis - description: Capacity and performance analysis of IT security systems. - section-code: h - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_dynamodb_table_auto_scaling_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_ec2_instance_ebs_optimized - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_gateway_network_lb_multiple_az_configured - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_multiple_az_configured - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_lambda_function_multiple_az_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_s3_bucket_object_lock_enabled - - aws_securityhub_enabled - - aws_vpc_vpn_tunnel_up +id: aws_rbi_itf_nbfc_4_4_h +title: 4.h Capacity and performance analysis +description: Capacity and performance analysis of IT security systems. 
+section-code: h +type: control-group +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_dynamodb_table_auto_scaling_enabled +- aws_ec2_instance_detailed_monitoring_enabled +- aws_ec2_instance_ebs_optimized +- aws_elastic_beanstalk_enhanced_health_reporting_enabled +- aws_elb_application_gateway_network_lb_multiple_az_configured +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_elb_classic_lb_multiple_az_configured +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_dead_letter_queue_configured +- aws_lambda_function_multiple_az_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_deletion_protection_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_s3_bucket_object_lock_enabled +- aws_securityhub_enabled +- aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml index a79f437ed..80745f5af 100755 --- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml +++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml @@ -1,8 +1,8 @@ -control-group: - id: aws_rbi_itf_nbfc_4_4_i - title: 4.i Incident reporting - description: Incident reporting, their impact and steps taken for non-recurrence of such events in the future. - section-code: i - controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived +id: aws_rbi_itf_nbfc_4_4_i +title: 4.i Incident reporting +description: Incident reporting, their impact and steps taken for non-recurrence of such events in the future. +section-code: i +type: control-group +controls: +- aws_guardduty_enabled +- aws_guardduty_finding_archived 
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
index b7bbee9ae..5e5779f58 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
@@ -1,7 +1,8 @@
+id: aws_rbi_itf_nbfc_6
+title: Business Continuity Planning (BCP) and Disaster Recovery
+description: BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness.
+section-code: "6"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_6
- title: Business Continuity Planning (BCP) and Disaster Recovery
- description: BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness.
- section-code: "6"
- control-group:
- - id: aws_rbi_itf_nbfc_6_3
+- id: aws_rbi_itf_nbfc_6_3
+ type: ""
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml
index fe0f22b58..b51d00665 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml
@@ -1,21 +1,21 @@ -control-group: - id: aws_rbi_itf_nbfc_6_3 - title: Backup and Recovery - description: NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. - section-code: "3" - controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_kms_cmk_rotation_enabled - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled +id: aws_rbi_itf_nbfc_6_3 +title: Backup and Recovery +description: NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers. +section-code: "3" +type: control-group +controls: +- aws_backup_plan_min_retention_35_days +- aws_backup_recovery_point_min_retention_35_days +- aws_dynamodb_table_auto_scaling_enabled +- aws_dynamodb_table_in_backup_plan +- aws_ebs_volume_in_backup_plan +- aws_ec2_instance_protected_by_backup_plan +- aws_efs_file_system_in_backup_plan +- aws_elasticache_redis_cluster_automatic_backup_retention_15_days +- aws_fsx_file_system_protected_by_backup_plan +- aws_kms_cmk_rotation_enabled +- aws_rds_db_cluster_aurora_protected_by_backup_plan +- aws_rds_db_instance_backup_enabled +- aws_rds_db_instance_in_backup_plan +- aws_redshift_cluster_automatic_snapshots_min_7_days +- aws_s3_bucket_cross_region_replication_enabled 
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
index b13894660..36a4ef02d 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
@@ -1,11 +1,16 @@
+id: aws_rbi_itf_nbfc_8
+title: Recommendations for NBFCs with asset size below ₹ 500 crore
+description: It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below ₹ 500 crore shall have a Board approved Information Technology policy/Information system policy.
+section-code: "8"
+type: control-group
 control-group:
- id: aws_rbi_itf_nbfc_8
- title: Recommendations for NBFCs with asset size below ₹ 500 crore
- description: It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below ₹ 500 crore shall have a Board approved Information Technology policy/Information system policy.
- section-code: "8"
- control-group:
- - id: aws_rbi_itf_nbfc_8_1
- - id: aws_rbi_itf_nbfc_8_I
- - id: aws_rbi_itf_nbfc_8_II
- - id: aws_rbi_itf_nbfc_8_III
- - id: aws_rbi_itf_nbfc_8_IX
+- id: aws_rbi_itf_nbfc_8_1
+ type: ""
+- id: aws_rbi_itf_nbfc_8_I
+ type: ""
+- id: aws_rbi_itf_nbfc_8_II
+ type: ""
+- id: aws_rbi_itf_nbfc_8_III
+ type: ""
+- id: aws_rbi_itf_nbfc_8_IX
+ type: ""
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
index 2cd4b6984..d8982fcc3 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
@@ -1,21 +1,21 @@ -control-group: - id: aws_rbi_itf_nbfc_8_1 - title: IT Systems - description: IT Systems should be progressively scaled up as the size and complexity of NBFC's operations increases. - section-code: "1" - controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_dynamodb_table_auto_scaling_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elb_application_gateway_network_lb_multiple_az_configured - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_elb_classic_lb_multiple_az_configured - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_multiple_az_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_securityhub_enabled - - aws_vpc_vpn_tunnel_up +id: aws_rbi_itf_nbfc_8_1 +title: IT Systems +description: IT Systems should be progressively scaled up as the size and complexity of NBFC's operations increases. +section-code: "1" +type: control-group +controls: +- aws_autoscaling_group_with_lb_use_health_check +- aws_dynamodb_table_auto_scaling_enabled +- aws_ec2_instance_detailed_monitoring_enabled +- aws_elb_application_gateway_network_lb_multiple_az_configured +- aws_elb_application_lb_deletion_protection_enabled +- aws_elb_classic_lb_cross_zone_load_balancing_enabled +- aws_elb_classic_lb_multiple_az_configured +- aws_guardduty_enabled +- aws_lambda_function_concurrent_execution_limit_configured +- aws_lambda_function_multiple_az_configured +- aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled +- aws_rds_db_instance_deletion_protection_enabled +- aws_rds_db_instance_multiple_az_enabled +- aws_securityhub_enabled +- aws_vpc_vpn_tunnel_up 
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
index dcbd314e6..b13f59e9e 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
@@ -1,52 +1,52 @@ -control-group: - id: aws_rbi_itf_nbfc_8_I - title: I Basic Security Aspects - description: Basic security aspects such as physical/ logical access controls and well defined password policy. - section-code: I - controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_efs_access_point_enforce_root_directory - - aws_efs_access_point_enforce_user_identity - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_ssm_document_prohibit_public_access - - 
aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled +id: aws_rbi_itf_nbfc_8_I +title: I Basic Security Aspects +description: Basic security aspects such as physical/ logical access controls and well defined password policy. +section-code: I +type: control-group +controls: +- aws_autoscaling_launch_config_public_ip_disabled +- aws_dms_replication_instance_not_publicly_accessible +- aws_ebs_snapshot_not_publicly_restorable +- aws_ec2_instance_iam_profile_attached +- aws_ec2_instance_in_vpc +- aws_ec2_instance_not_publicly_accessible +- aws_efs_access_point_enforce_root_directory +- aws_efs_access_point_enforce_user_identity +- aws_emr_cluster_kerberos_enabled +- aws_emr_cluster_master_nodes_no_public_ip +- aws_es_domain_in_vpc +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_all_policy_no_service_wild_card +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_root_user_hardware_mfa_enabled +- aws_iam_root_user_mfa_enabled +- aws_iam_root_user_no_access_keys +- aws_iam_user_access_key_age_90 +- aws_iam_user_console_access_mfa_enabled +- aws_iam_user_in_group +- aws_iam_user_mfa_enabled +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 +- aws_lambda_function_in_vpc +- aws_lambda_function_restrict_public_access +- aws_opensearch_domain_in_vpc +- aws_rds_db_instance_prohibit_public_access +- aws_rds_db_snapshot_prohibit_public_access +- aws_redshift_cluster_prohibit_public_access +- aws_s3_bucket_acls_should_prohibit_user_access +- aws_s3_bucket_policy_restrict_public_access +- aws_s3_bucket_restrict_public_read_access +- aws_s3_bucket_restrict_public_write_access +- aws_s3_public_access_block_bucket +- 
aws_sagemaker_notebook_instance_direct_internet_access_disabled +- aws_secretsmanager_secret_automatic_rotation_enabled +- aws_secretsmanager_secret_rotated_as_scheduled +- aws_ssm_document_prohibit_public_access +- aws_vpc_default_security_group_restricts_all_traffic +- aws_vpc_igw_attached_to_authorized_vpc +- aws_vpc_security_group_restrict_ingress_common_ports_all +- aws_vpc_security_group_restrict_ingress_ssh_all +- aws_vpc_security_group_restrict_ingress_tcp_udp_all +- aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml index 0aeb4a093..cf319e341 100755 --- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml +++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml @@ -1,13 +1,13 @@ -control-group: - id: aws_rbi_itf_nbfc_8_II - title: II User Role - description: A well-defined user role. - section-code: II - controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 +id: aws_rbi_itf_nbfc_8_II +title: II User Role +description: A well-defined user role. +section-code: II +type: control-group +controls: +- aws_iam_account_password_policy_strong_min_reuse_24 +- aws_iam_group_not_empty +- aws_iam_group_user_role_no_inline_policies +- aws_iam_policy_no_star_star +- aws_iam_user_in_group +- aws_iam_user_no_inline_attached_policies +- aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml index 3f76e5912..7e323616a 100755 --- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml 
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: aws_rbi_itf_nbfc_8_III
- title: III Maker-Checker Concept
- description: A Maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information.
- section-code: III
- controls:
- - aws_s3_bucket_versioning_enabled
+id: aws_rbi_itf_nbfc_8_III
+title: III Maker-Checker Concept
+description: A Maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information.
+section-code: III
+type: control-group
+controls:
+- aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
index 9a3503454..5c141bfb0 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: aws_rbi_itf_nbfc_8_IX
- title: IX Backup and Recovery
- description: Arrangement for backup of data with periodic testing.
- section-code: IX
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
+id: aws_rbi_itf_nbfc_8_IX
+title: IX Backup and Recovery
+description: Arrangement for backup of data with periodic testing.
+section-code: IX
+type: control-group
+controls:
+- aws_backup_plan_min_retention_35_days
+- aws_backup_recovery_point_manual_deletion_disabled
+- aws_backup_recovery_point_min_retention_35_days
+- aws_dynamodb_table_in_backup_plan
+- aws_dynamodb_table_point_in_time_recovery_enabled
+- aws_ebs_volume_in_backup_plan
+- aws_efs_file_system_in_backup_plan
+- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+- aws_rds_db_instance_backup_enabled
+- aws_rds_db_instance_in_backup_plan
+- aws_redshift_cluster_automatic_snapshots_min_7_days
+- aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_rego_test.yaml b/compliance/frameworks/aws/aws_rego_test.yaml
index 1142c6a56..6a900d47d 100644
--- a/compliance/frameworks/aws/aws_rego_test.yaml
+++ b/compliance/frameworks/aws/aws_rego_test.yaml
@@ -1,49 +1,49 @@ -framework: - id: aws_rego_test - title: Rego Test - description: Rego test - section-code: aws_rego_test - tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Certifications and Attestations - - Best Practices - plugin: - - aws - service: - - AWS - soc_2: - - "true" - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false +id: aws_rego_test +title: Rego Test +description: Rego test +section-code: aws_rego_test +type: framework +tags: + category: + - Compliance + platform_benchmark_type: + - compliance + platform_category: + - Certifications and Attestations + - Best Practices + plugin: + - aws + service: + - AWS + soc_2: + - "true" + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: aws_rego_test_c + title: C1 + description: c1 + section-code: c_1 control-group: - - id: aws_rego_test_c - title: C1 - description: c1 - section-code: c_1 - control-group: - - id: aws_rego_test_c_1 - title: "1" - description: "1" - section-code: "1" - tags: - category: - - Compliance - nist_csf: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_ec2_classic_lb_connection_draining_enabled_rego - - aws_ec2_ami_not_older_than_90_days_rego + - id: aws_rego_test_c_1 + title: "1" + description: "1" + section-code: "1" + tags: + category: + - Compliance + nist_csf: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_classic_lb_connection_draining_enabled_rego + - aws_ec2_ami_not_older_than_90_days_rego diff --git a/compliance/frameworks/aws/aws_soc_2.yaml b/compliance/frameworks/aws/aws_soc_2.yaml index 39c659325..5bd469baf 100644 --- a/compliance/frameworks/aws/aws_soc_2.yaml +++ b/compliance/frameworks/aws/aws_soc_2.yaml 
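Review bot: The two inline nested groups, `- id: aws_rego_test_c` and `- id: aws_rego_test_c_1`, are left without a `type` key, although the same commit adds `type: framework` at the top of this file and `type: control-group` to every standalone group file, and gives even bare id references in the aws_rbi_itf_nbfc files a `type` entry. If `type` is what the loader now keys on, these inline groups are the only untyped nodes in the tree and an inline definition and a file reference would be handled by different rules. For consistency I would add `  type: control-group` under each inline group's `id`, indented to match its siblings. Whether the loader tolerates a missing `type` is inferred; it is not visible in this diff.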
@@ -1,461 +1,461 @@
-framework:
- id: aws_soc_2
- title: SOC 2
- description: System and Organization Controls (SOC) 2 is an auditing procedure that ensures a company's data is securely managed. AWS Audit Manager provides a prebuilt framework that supports SOC 2 to assist you with your audit preparation.
- section-code: aws_soc_2
- tags:
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- soc_2:
- - "true"
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
+id: aws_soc_2
+title: SOC 2
+description: System and Organization Controls (SOC) 2 is an auditing procedure that ensures a company's data is securely managed. AWS Audit Manager provides a prebuilt framework that supports SOC 2 to assist you with your audit preparation.
+section-code: aws_soc_2
+type: framework
+tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ soc_2:
+ - "true"
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: aws_soc_2_cc_1
+ title: CC1 Common Criteria Related to Control Environment
+ description: The criteria relevant to how the entity demonstrates commitment to integrity and ethical values, exercises oversight responsibility, establishes structure, authority and responsibility, demonstrates commitment to competence, and enforces accountability.
+ section-code: cc_1
 control-group:
- - id: aws_soc_2_cc_1
- title: CC1 Common Criteria Related to Control Environment
- description: The criteria relevant to how the entity demonstrates commitment to integrity and ethical values, exercises oversight responsibility, establishes structure, authority and responsibility, demonstrates commitment to competence, and enforces accountability.
- section-code: cc_1
- control-group:
- - id: aws_soc_2_cc_1_3
- title: "CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives"
- section-code: "3"
- controls:
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_rds_db_instance_iam_authentication_enabled
- - id: aws_soc_2_cc_2
- title: CC2 Common Criteria Related to Communication and Information
- description: The criteria relevant to how the entity (i) uses relevant information, (ii) communicates internally, and (iii) communicates externally.
- section-code: cc_2
- control-group:
- - id: aws_soc_2_cc_2_1
- title: "CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control"
- section-code: "1"
- controls:
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_security_trail_enabled
- - aws_config_enabled_all_regions
- - id: aws_soc_2_cc_3
- title: CC3 Common Criteria Related to Risk Assessment
- description: The criteria relevant to how the entity (i) specifies suitable objectives, (ii) identifies and analyzes risk, and (iii) assess fraud risk.
- section-code: cc_3
- control-group:
- - id: aws_soc_2_cc_3_1
- title: CC3.1 COSO Principle 6...
- section-code: "1"
- controls:
- - aws_config_enabled_all_regions
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - id: aws_soc_2_cc_3_2
- title: CC3.2 COSO Principle 7...
- section-code: "2"
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_iam_user_console_access_mfa_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - id: aws_soc_2_cc_3_4
- title: CC3.4 COSO Principle 9...
- section-code: "4"
- controls:
- - aws_config_enabled_all_regions
- - id: aws_soc_2_cc_4
- title: CC4 Monitoring Activities
- description: The criteria relevant to how the entity (i) conducts ongoing and/or separate evaluations...
- section-code: cc_4
- control-group:
- - id: aws_soc_2_cc_4_2
- title: CC4.2 COSO Principle 17...
- section-code: "2"
- controls:
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - id: aws_soc_2_cc_6
- title: CC6 Logical and Physical Access
- description: The criteria relevant to how an entity restricts logical and physical access...
- section-code: cc_6
- control-group:
- - id: aws_soc_2_cc_6_1
- title: CC6.1 The entity implements logical access security software...
- section-code: "1"
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_ssm_managed
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_sns_topic_encrypted_at_rest
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_eip_associated
- - aws_vpc_security_group_associated_to_eni
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - id: aws_soc_2_cc_6_2
- title: CC6.2 Prior to issuing system credentials...
- section-code: "2"
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_ssm_managed
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_sns_topic_encrypted_at_rest
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_eip_associated
- - aws_vpc_security_group_associated_to_eni
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - id: aws_soc_2_cc_6_3
- title: CC6.3 The entity authorizes, modifies, or removes access...
- section-code: "3"
- controls:
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_s3_bucket_policy_restrict_public_access
- - id: aws_soc_2_cc_6_6
- title: CC6.6 The entity implements logical access security measures...
- section-code: "6"
- controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_waf_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_guardduty_enabled
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_securityhub_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - id: aws_soc_2_cc_6_7
- title: CC6.7 The entity restricts the transmission...
- section-code: "7"
- controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - id: aws_soc_2_cc_6_8
- title: CC6.8 The entity implements controls to prevent or detect unauthorized or malicious software...
- section-code: "8"
- controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - id: aws_soc_2_cc_7
- title: CC7 System Operations
- description: The criteria relevant to how an entity manages the operation of system(s)...
- section-code: cc_7
- control-group:
- - id: aws_soc_2_cc_7_1
- title: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures...
- section-code: "1"
- controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - id: aws_soc_2_cc_7_2
- title: CC7.2 The entity monitors system components...
- section-code: "2"
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
- - id: aws_soc_2_cc_7_3
- title: CC7.3 The entity evaluates security events...
- section-code: "3"
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_lambda_function_dead_letter_queue_configured
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_audit_logging_enabled
- - aws_s3_bucket_event_notifications_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - id: aws_soc_2_cc_7_4
- title: CC7.4 The entity responds to identified security incidents...
- section-code: "4"
- controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_cloudwatch_alarm_action_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_securityhub_enabled
- - id: aws_soc_2_cc_8
- title: CC8 Change Management
- description: The criteria relevant to how an entity identifies the need for changes...
- section-code: cc_8
- control-group:
- - id: aws_soc_2_cc_8_1
- title: CC8.1 The entity authorizes, designs...
- section-code: "1"
- controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_config_enabled_all_regions
- - id: aws_soc_2_a_1
- title: A1 Additional Criterial for Availability
- description: The availability category refers to the accessibility of information...
- section-code: a_1
- control-group:
- - id: aws_soc_2_a_1_2
- title: A1.2 The entity authorizes...
- section-code: "2"
- controls:
- - aws_apigateway_stage_logging_enabled
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_classic_lb_logging_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
- - id: aws_soc_2_c_1
- title: C1 Additional Criterial for Confidentiality
- description: The Confidentiality category refers that all confidential material and information should be sufficiently protected...
- section-code: c_1
- control-group:
- - id: aws_soc_2_c_1_1
- title: C1.1 The entity identifies and maintains confidential information...
- section-code: "1"
- controls:
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
- - id: aws_soc_2_c_1_2
- title: C1.2 The entity disposes of confidential information...
- section-code: "2"
- controls:
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_enabled
+ - id: aws_soc_2_cc_1_3
+ title: "CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives"
+ section-code: "3"
+ controls:
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_rds_db_instance_iam_authentication_enabled
+- id: aws_soc_2_cc_2
+ title: CC2 Common Criteria Related to Communication and Information
+ description: The criteria relevant to how the entity (i) uses relevant information, (ii) communicates internally, and (iii) communicates externally.
+ section-code: cc_2
+ control-group:
+ - id: aws_soc_2_cc_2_1
+ title: "CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control"
+ section-code: "1"
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_security_trail_enabled
+ - aws_config_enabled_all_regions
+- id: aws_soc_2_cc_3
+ title: CC3 Common Criteria Related to Risk Assessment
+ description: The criteria relevant to how the entity (i) specifies suitable objectives, (ii) identifies and analyzes risk, and (iii) assess fraud risk.
+ section-code: cc_3
+ control-group:
+ - id: aws_soc_2_cc_3_1
+ title: CC3.1 COSO Principle 6...
+ section-code: "1"
+ controls:
+ - aws_config_enabled_all_regions
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - id: aws_soc_2_cc_3_2
+ title: CC3.2 COSO Principle 7...
+ section-code: "2"
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - id: aws_soc_2_cc_3_4
+ title: CC3.4 COSO Principle 9...
+ section-code: "4"
+ controls:
+ - aws_config_enabled_all_regions
+- id: aws_soc_2_cc_4
+ title: CC4 Monitoring Activities
+ description: The criteria relevant to how the entity (i) conducts ongoing and/or separate evaluations...
+ section-code: cc_4
+ control-group:
+ - id: aws_soc_2_cc_4_2
+ title: CC4.2 COSO Principle 17...
+ section-code: "2"
+ controls:
+ - aws_cloudwatch_alarm_action_enabled_check
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+- id: aws_soc_2_cc_6
+ title: CC6 Logical and Physical Access
+ description: The criteria relevant to how an entity restricts logical and physical access...
+ section-code: cc_6
+ control-group:
+ - id: aws_soc_2_cc_6_1
+ title: CC6.1 The entity implements logical access security software...
+ section-code: "1"
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_ssm_managed
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_key_not_pending_deletion
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_eip_associated
+ - aws_vpc_security_group_associated_to_eni
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - id: aws_soc_2_cc_6_2
+ title: CC6.2 Prior to issuing system credentials...
+ section-code: "2"
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_ssm_managed
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_key_not_pending_deletion
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_eip_associated
+ - aws_vpc_security_group_associated_to_eni
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - id: aws_soc_2_cc_6_3
+ title: CC6.3 The entity authorizes, modifies, or removes access...
+ section-code: "3"
+ controls:
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_s3_bucket_policy_restrict_public_access
+ - id: aws_soc_2_cc_6_6
+ title: CC6.6 The entity implements logical access security measures...
+ section-code: "6"
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_waf_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_guardduty_enabled
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_securityhub_enabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - id: aws_soc_2_cc_6_7
+ title: CC6.7 The entity restricts the transmission...
+ section-code: "7"
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - id: aws_soc_2_cc_6_8
+ title: CC6.8 The entity implements controls to prevent or detect unauthorized or malicious software...
+ section-code: "8"
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+- id: aws_soc_2_cc_7
+ title: CC7 System Operations
+ description: The criteria relevant to how an entity manages the operation of system(s)...
+ section-code: cc_7
+ control-group:
+ - id: aws_soc_2_cc_7_1
+ title: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures...
+ section-code: "1"
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - id: aws_soc_2_cc_7_2
+ title: CC7.2 The entity monitors system components...
+ section-code: "2"
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
+ - id: aws_soc_2_cc_7_3
+ title: CC7.3 The entity evaluates security events...
+ section-code: "3" + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_log_group_retention_period_365 + - aws_elb_application_classic_lb_logging_enabled + - aws_es_domain_logs_to_cloudwatch + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_lambda_function_dead_letter_queue_configured + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_audit_logging_enabled + - aws_opensearch_domain_logs_to_cloudwatch + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_audit_logging_enabled + - aws_s3_bucket_event_notifications_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - id: aws_soc_2_cc_7_4 + title: CC7.4 The entity responds to identified security incidents... + section-code: "4" + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_cloudwatch_alarm_action_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - 
aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_securityhub_enabled +- id: aws_soc_2_cc_8 + title: CC8 Change Management + description: The criteria relevant to how an entity identifies the need for changes... + section-code: cc_8 + control-group: + - id: aws_soc_2_cc_8_1 + title: CC8.1 The entity authorizes, designs... + section-code: "1" + controls: + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_config_enabled_all_regions +- id: aws_soc_2_a_1 + title: A1 Additional Criterial for Availability + description: The availability category refers to the accessibility of information... + section-code: a_1 + control-group: + - id: aws_soc_2_a_1_2 + title: A1.2 The entity authorizes... + section-code: "2" + controls: + - aws_apigateway_stage_logging_enabled + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_classic_lb_logging_enabled + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - 
aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_logging_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled +- id: aws_soc_2_c_1 + title: C1 Additional Criterial for Confidentiality + description: The Confidentiality category refers that all confidential material and information should be sufficiently protected... + section-code: c_1 + control-group: + - id: aws_soc_2_c_1_1 + title: C1.1 The entity identifies and maintains confidential information... + section-code: "1" + controls: + - aws_rds_db_instance_deletion_protection_enabled + - aws_s3_bucket_object_lock_enabled + - aws_s3_bucket_versioning_and_lifecycle_policy_enabled + - id: aws_soc_2_c_1_2 + title: C1.2 The entity disposes of confidential information... + section-code: "2" + controls: + - aws_s3_bucket_lifecycle_policy_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml index 5f5a96656..1238c4f48 100644 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml 
@@ -1,55 +1,55 @@
-framework:
- id: azure_all_controls
- title: All Controls
- description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
- section-code: azure_all_controls
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_all_controls_activedirectory
- - id: azure_all_controls_apimanagement
- - id: azure_all_controls_appconfiguration
- - id: azure_all_controls_appservice
- - id: azure_all_controls_automation
- - id: azure_all_controls_batch
- - id: azure_all_controls_cognitivesearch
- - id: azure_all_controls_cognitiveservice
- - id: azure_all_controls_compute
- - id: azure_all_controls_containerinstance
- - id: azure_all_controls_containerregistry
- - id: azure_all_controls_cosmosdb
- - id: azure_all_controls_databoxedge
- - id: azure_all_controls_datafactory
- - id: azure_all_controls_datalakeanalytics
- - id: azure_all_controls_datalakestore
- - id: azure_all_controls_eventgrid
- - id: azure_all_controls_eventhub
- - id: azure_all_controls_frontdoor
- - id: azure_all_controls_hdinsight
- - id: azure_all_controls_healthcare
- - id: azure_all_controls_hpccache
- - id: azure_all_controls_iothub
- - id: azure_all_controls_keyvault
- - id: azure_all_controls_kubernetes
- - id: azure_all_controls_kusto
- - id: azure_all_controls_logic
- - id: azure_all_controls_machinelearning
- - id: azure_all_controls_mariadb
- - id: azure_all_controls_monitor
- - id: azure_all_controls_mysql
- - id: azure_all_controls_network
- - id: azure_all_controls_postgres
- - id: azure_all_controls_recoveryservice
- - id: azure_all_controls_redis
- - id: azure_all_controls_securitycenter
- - id: azure_all_controls_servicebus
- - id: azure_all_controls_servicefabric
- - id: azure_all_controls_signalr
- - id: azure_all_controls_springcloud
- - id: azure_all_controls_sql
- - id: azure_all_controls_storage
- - id: azure_all_controls_storagesync
- - id: azure_all_controls_streamanalytics
- - id: azure_all_controls_synapse
+id: azure_all_controls
+title: All Controls
+description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
+section-code: azure_all_controls
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_all_controls_activedirectory
+- id: azure_all_controls_apimanagement
+- id: azure_all_controls_appconfiguration
+- id: azure_all_controls_appservice
+- id: azure_all_controls_automation
+- id: azure_all_controls_batch
+- id: azure_all_controls_cognitivesearch
+- id: azure_all_controls_cognitiveservice
+- id: azure_all_controls_compute
+- id: azure_all_controls_containerinstance
+- id: azure_all_controls_containerregistry
+- id: azure_all_controls_cosmosdb
+- id: azure_all_controls_databoxedge
+- id: azure_all_controls_datafactory
+- id: azure_all_controls_datalakeanalytics
+- id: azure_all_controls_datalakestore
+- id: azure_all_controls_eventgrid
+- id: azure_all_controls_eventhub
+- id: azure_all_controls_frontdoor
+- id: azure_all_controls_hdinsight
+- id: azure_all_controls_healthcare
+- id: azure_all_controls_hpccache
+- id: azure_all_controls_iothub
+- id: azure_all_controls_keyvault
+- id: azure_all_controls_kubernetes
+- id: azure_all_controls_kusto
+- id: azure_all_controls_logic
+- id: azure_all_controls_machinelearning
+- id: azure_all_controls_mariadb
+- id: azure_all_controls_monitor
+- id: azure_all_controls_mysql
+- id: azure_all_controls_network
+- id: azure_all_controls_postgres
+- id: azure_all_controls_recoveryservice
+- id: azure_all_controls_redis
+- id: azure_all_controls_securitycenter
+- id: azure_all_controls_servicebus
+- id: azure_all_controls_servicefabric
+- id: azure_all_controls_signalr
+- id: azure_all_controls_springcloud
+- id: azure_all_controls_sql
+- id: azure_all_controls_storage
+- id: azure_all_controls_storagesync
+- id: azure_all_controls_streamanalytics
+- id: azure_all_controls_synapse
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
index 841317107..3ba231572 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
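Review bot: With the `framework:` wrapper key removed, `type: framework` (and `type: control-group` in the per-service files that follow) is now the only thing that distinguishes document kinds, and nothing in this diff shows the loader rejecting a document whose `type` is missing or misspelled. A file that fails that check should be a load error rather than being silently skipped, otherwise an entire benchmark can drop out of evaluation without anyone noticing. Consider a schema or CI check that every YAML under the frameworks tree carries a `type` drawn from the kinds the loader knows, and that each `- id:` under `control-group:` resolves to a defined group. The loader is outside this diff, so this is a request to confirm rather than a defect observed in the hunk.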
@@ -1,22 +1,22 @@
-control-group:
- id: azure_all_controls_activedirectory
- title: Active Directory
- description: This section contains recommendations for configuring Active Directory resources.
- section-code: activedirectory
- controls:
- - azure_ad_guest_user_reviewed_monthly
- - azure_iam_conditional_access_mfa_enabled
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_no_custom_subscription_owner_roles_created
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
- - azure_iam_subscriptions_with_custom_roles_no_overly_permissive
- - azure_iam_user_no_built_in_contributor_role
- - azure_iam_user_not_allowed_to_create_security_group
- - azure_iam_user_not_allowed_to_create_tenants
- - azure_iam_user_not_allowed_to_register_application
+id: azure_all_controls_activedirectory
+title: Active Directory
+description: This section contains recommendations for configuring Active Directory resources.
+section-code: activedirectory
+type: control-group
+controls:
+- azure_ad_guest_user_reviewed_monthly
+- azure_iam_conditional_access_mfa_enabled
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_no_custom_subscription_owner_roles_created
+- azure_iam_subscription_owner_max_3
+- azure_iam_subscription_owner_more_than_1
+- azure_iam_subscriptions_with_custom_roles_no_overly_permissive
+- azure_iam_user_no_built_in_contributor_role
+- azure_iam_user_not_allowed_to_create_security_group
+- azure_iam_user_not_allowed_to_create_tenants
+- azure_iam_user_not_allowed_to_register_application
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
index 952e28f98..3b50e455c 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_all_controls_apimanagement
- title: API Management
- description: This section contains recommendations for configuring API Management resources.
- section-code: apimanagement
- controls:
- - azure_apimanagement_service_client_certificate_enabled
- - azure_apimanagement_service_with_virtual_network
+id: azure_all_controls_apimanagement
+title: API Management
+description: This section contains recommendations for configuring API Management resources.
+section-code: apimanagement
+type: control-group
+controls:
+- azure_apimanagement_service_client_certificate_enabled
+- azure_apimanagement_service_with_virtual_network
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
index 4e27583c3..b652df0f7 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_all_controls_appconfiguration
- title: App Configuration
- description: This section contains recommendations for configuring App Configuration resources.
- section-code: appconfiguration
- controls:
- - azure_app_configuration_encryption_enabled
- - azure_app_configuration_private_link_used
- - azure_app_configuration_sku_standard
+id: azure_all_controls_appconfiguration
+title: App Configuration
+description: This section contains recommendations for configuring App Configuration resources.
+section-code: appconfiguration
+type: control-group
+controls:
+- azure_app_configuration_encryption_enabled
+- azure_app_configuration_private_link_used
+- azure_app_configuration_sku_standard
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
index 5fc842721..dc805fd68 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
@@ -1,50 +1,50 @@ -control-group: - id: azure_all_controls_appservice - title: App Service - description: This section contains recommendations for configuring App Service resources. - section-code: appservice - controls: - - azure_app_service_environment_internal_encryption_enabled - - azure_appservice_api_app_client_certificates_on - - azure_appservice_api_app_cors_no_star - - azure_appservice_api_app_ftps_enabled - - azure_appservice_api_app_latest_tls_version - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_api_app_use_https - - azure_appservice_api_app_uses_managed_identity - - azure_appservice_authentication_enabled - - azure_appservice_ftp_deployment_disabled - - azure_appservice_function_app_authentication_on - - azure_appservice_function_app_client_certificates_on - - azure_appservice_function_app_cors_no_star - - azure_appservice_function_app_ftps_enabled - - azure_appservice_function_app_latest_http_version - - azure_appservice_function_app_latest_java_version - - azure_appservice_function_app_latest_python_version - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible - - azure_appservice_function_app_restrict_public_acces - - azure_appservice_function_app_remote_debugging_disabled - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_plan_minimum_sku - - azure_appservice_web_app_always_on - - azure_appservice_web_app_client_certificates_on - - azure_appservice_web_app_cors_no_star - - azure_appservice_web_app_diagnostic_logs_enabled - - azure_appservice_web_app_failed_request_tracing_enabled - - azure_appservice_web_app_ftps_enabled - - azure_appservice_web_app_health_check_enabled - - azure_appservice_web_app_http_logs_enabled - - azure_appservice_web_app_incoming_client_cert_on - - azure_appservice_web_app_latest_dotnet_framework_version - - azure_appservice_web_app_latest_http_version - - azure_appservice_web_app_latest_java_version - - 
azure_appservice_web_app_latest_php_version - - azure_appservice_web_app_latest_python_version - - azure_appservice_web_app_latest_tls_version - - azure_appservice_web_app_register_with_active_directory_enabled - - azure_appservice_web_app_remote_debugging_disabled - - azure_appservice_web_app_slot_use_https - - azure_appservice_web_app_use_https - - azure_appservice_web_app_use_virtual_service_endpoint - - azure_appservice_web_app_uses_managed_identity +id: azure_all_controls_appservice +title: App Service +description: This section contains recommendations for configuring App Service resources. +section-code: appservice +type: control-group +controls: +- azure_app_service_environment_internal_encryption_enabled +- azure_appservice_api_app_client_certificates_on +- azure_appservice_api_app_cors_no_star +- azure_appservice_api_app_ftps_enabled +- azure_appservice_api_app_latest_tls_version +- azure_appservice_api_app_remote_debugging_disabled +- azure_appservice_api_app_use_https +- azure_appservice_api_app_uses_managed_identity +- azure_appservice_authentication_enabled +- azure_appservice_ftp_deployment_disabled +- azure_appservice_function_app_authentication_on +- azure_appservice_function_app_client_certificates_on +- azure_appservice_function_app_cors_no_star +- azure_appservice_function_app_ftps_enabled +- azure_appservice_function_app_latest_http_version +- azure_appservice_function_app_latest_java_version +- azure_appservice_function_app_latest_python_version +- azure_appservice_function_app_latest_tls_version +- azure_appservice_function_app_only_https_accessible +- azure_appservice_function_app_restrict_public_acces +- azure_appservice_function_app_remote_debugging_disabled +- azure_appservice_function_app_uses_managed_identity +- azure_appservice_plan_minimum_sku +- azure_appservice_web_app_always_on +- azure_appservice_web_app_client_certificates_on +- azure_appservice_web_app_cors_no_star +- azure_appservice_web_app_diagnostic_logs_enabled +- 
azure_appservice_web_app_failed_request_tracing_enabled +- azure_appservice_web_app_ftps_enabled +- azure_appservice_web_app_health_check_enabled +- azure_appservice_web_app_http_logs_enabled +- azure_appservice_web_app_incoming_client_cert_on +- azure_appservice_web_app_latest_dotnet_framework_version +- azure_appservice_web_app_latest_http_version +- azure_appservice_web_app_latest_java_version +- azure_appservice_web_app_latest_php_version +- azure_appservice_web_app_latest_python_version +- azure_appservice_web_app_latest_tls_version +- azure_appservice_web_app_register_with_active_directory_enabled +- azure_appservice_web_app_remote_debugging_disabled +- azure_appservice_web_app_slot_use_https +- azure_appservice_web_app_use_https +- azure_appservice_web_app_use_virtual_service_endpoint +- azure_appservice_web_app_uses_managed_identity diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml index 7fd6c8cb2..8efd3b731 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml @@ -1,7 +1,7 @@ -control-group: - id: azure_all_controls_automation - title: Automation - description: This section contains recommendations for configuring Automation resources. - section-code: automation - controls: - - azure_automation_account_variable_encryption_enabled +id: azure_all_controls_automation +title: Automation +description: This section contains recommendations for configuring Automation resources. +section-code: automation +type: control-group +controls: +- azure_automation_account_variable_encryption_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml index 627ce09a7..71095b213 100755 
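Review bot: `azure_appservice_function_app_restrict_public_acces` on the new side of the App Service hunk looks misspelled (`acces`), as do `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` and `azure_compute_vm_restrict_previous_24_passwords_resuse_windows` in the Compute hunk; the same spellings appear on the removed side, so they are probably the real control ids and should only be changed together with the control definitions they name. The more useful check is that every entry under `controls:` resolves to an existing control definition, because a dangling reference in a framework quietly removes that check from the benchmark instead of failing loudly. A CI step that loads each framework file and errors on unresolved ids would catch both typos of this kind and stale references left behind by renames.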
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_all_controls_batch
- title: Batch
- description: This section contains recommendations for configuring Batch resources.
- section-code: batch
- controls:
- - azure_batch_account_encrypted_with_cmk
- - azure_batch_account_identity_provider_enabled
- - azure_batch_account_logging_enabled
+id: azure_all_controls_batch
+title: Batch
+description: This section contains recommendations for configuring Batch resources.
+section-code: batch
+type: control-group
+controls:
+- azure_batch_account_encrypted_with_cmk
+- azure_batch_account_identity_provider_enabled
+- azure_batch_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
index 4e7fd2dd9..fd1737daa 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_all_controls_cognitivesearch
- title: Cognitive Search
- description: This section contains recommendations for configuring Cognitive Search resources.
- section-code: cognitivesearch
- controls:
- - azure_search_service_logging_enabled
- - azure_search_service_public_network_access_disabled
- - azure_search_service_replica_count_3
- - azure_search_service_uses_managed_identity
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
+id: azure_all_controls_cognitivesearch
+title: Cognitive Search
+description: This section contains recommendations for configuring Cognitive Search resources.
+section-code: cognitivesearch
+type: control-group
+controls:
+- azure_search_service_logging_enabled
+- azure_search_service_public_network_access_disabled
+- azure_search_service_replica_count_3
+- azure_search_service_uses_managed_identity
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
index 2c807c5c6..a5a274532 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_all_controls_cognitiveservice
- title: Cognitive Services
- description: This section contains recommendations for configuring Cognitive Services resources.
- section-code: cognitiveservice
- controls:
- - azure_cognitive_account_encrypted_with_cmk
- - azure_cognitive_account_private_link_used
- - azure_cognitive_account_public_network_access_disabled
- - azure_cognitive_account_restrict_public_access
- - azure_cognitive_service_local_auth_disabled
+id: azure_all_controls_cognitiveservice
+title: Cognitive Services
+description: This section contains recommendations for configuring Cognitive Services resources.
+section-code: cognitiveservice
+type: control-group
+controls:
+- azure_cognitive_account_encrypted_with_cmk
+- azure_cognitive_account_private_link_used
+- azure_cognitive_account_public_network_access_disabled
+- azure_cognitive_account_restrict_public_access
+- azure_cognitive_service_local_auth_disabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
index f5d67a3fe..8139f5ad9 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
@@ -1,56 +1,56 @@ -control-group: - id: azure_all_controls_compute - title: Compute - description: This section contains recommendations for configuring Compute resources. - section-code: compute - controls: - - azure_arc_compute_machine_linux_log_analytics_agent_installed - - azure_arc_compute_machine_windows_log_analytics_agent_installed - - azure_compute_disk_access_uses_private_link - - azure_compute_disk_unattached_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed - - azure_compute_unattached_disk_encrypted_with_cmk - - azure_compute_vm_account_with_password_linux - - azure_compute_vm_and_sacle_set_encryption_at_host_enabled - - azure_compute_vm_attached_with_network - - azure_compute_vm_data_and_os_disk_uses_managed_disk - - azure_compute_vm_disaster_recovery_enabled - - azure_compute_vm_guest_configuration_installed - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_jit_access_protected - - azure_compute_vm_log_analytics_agent_installed - - azure_compute_vm_log_analytics_agent_installed_windows - - azure_compute_vm_malware_agent_automatic_upgrade_enabled - - azure_compute_vm_malware_agent_installed - - azure_compute_vm_max_password_age_70_days_windows - - azure_compute_vm_meet_security_baseline_requirements_linux - - azure_compute_vm_meet_security_baseline_requirements_windows - - azure_compute_vm_min_password_age_1_day_windows - - azure_compute_vm_min_password_length_14_windows - - azure_compute_vm_network_traffic_data_collection_linux_agent_installed - - azure_compute_vm_network_traffic_data_collection_windows_agent_installed - - 
azure_compute_vm_password_complexity_setting_enabled_windows - - azure_compute_vm_passwords_stored_using_reversible_encryption_windows - - azure_compute_vm_remote_access_restricted_all_ports - - azure_compute_vm_restrict_previous_24_passwords_resuse_windows - - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux - - azure_compute_vm_scale_set_automatic_upgrade_enabled - - azure_compute_vm_scale_set_boot_diagnostics_enabled - - azure_compute_vm_scale_set_log_analytics_agent_installed - - azure_compute_vm_scale_set_logging_enabled - - azure_compute_vm_scale_set_uses_managed_disks - - azure_compute_vm_scale_set_ssh_key_authentication_linux - - azure_compute_vm_secure_communication_protocols_configured - - azure_compute_vm_ssh_key_authentication_linux - - azure_compute_vm_system_updates_installed - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_compute_vm_uses_azure_resource_manager - - azure_compute_vm_utilizing_managed_disk - - azure_compute_vm_vulnerability_assessment_solution_enabled - - azure_compute_vm_windows_defender_exploit_guard_enabled - - azure_network_interface_ip_forwarding_disabled +id: azure_all_controls_compute +title: Compute +description: This section contains recommendations for configuring Compute resources. 
+section-code: compute +type: control-group +controls: +- azure_arc_compute_machine_linux_log_analytics_agent_installed +- azure_arc_compute_machine_windows_log_analytics_agent_installed +- azure_compute_disk_access_uses_private_link +- azure_compute_disk_unattached_encrypted_with_cmk +- azure_compute_os_and_data_disk_encrypted_with_cmk +- azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed +- azure_compute_unattached_disk_encrypted_with_cmk +- azure_compute_vm_account_with_password_linux +- azure_compute_vm_and_sacle_set_encryption_at_host_enabled +- azure_compute_vm_attached_with_network +- azure_compute_vm_data_and_os_disk_uses_managed_disk +- azure_compute_vm_disaster_recovery_enabled +- azure_compute_vm_guest_configuration_installed +- azure_compute_vm_guest_configuration_installed_linux +- azure_compute_vm_guest_configuration_installed_windows +- azure_compute_vm_guest_configuration_with_no_managed_identity +- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity +- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity +- azure_compute_vm_jit_access_protected +- azure_compute_vm_log_analytics_agent_installed +- azure_compute_vm_log_analytics_agent_installed_windows +- azure_compute_vm_malware_agent_automatic_upgrade_enabled +- azure_compute_vm_malware_agent_installed +- azure_compute_vm_max_password_age_70_days_windows +- azure_compute_vm_meet_security_baseline_requirements_linux +- azure_compute_vm_meet_security_baseline_requirements_windows +- azure_compute_vm_min_password_age_1_day_windows +- azure_compute_vm_min_password_length_14_windows +- azure_compute_vm_network_traffic_data_collection_linux_agent_installed +- azure_compute_vm_network_traffic_data_collection_windows_agent_installed +- azure_compute_vm_password_complexity_setting_enabled_windows +- azure_compute_vm_passwords_stored_using_reversible_encryption_windows +- azure_compute_vm_remote_access_restricted_all_ports +- 
azure_compute_vm_restrict_previous_24_passwords_resuse_windows +- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux +- azure_compute_vm_scale_set_automatic_upgrade_enabled +- azure_compute_vm_scale_set_boot_diagnostics_enabled +- azure_compute_vm_scale_set_log_analytics_agent_installed +- azure_compute_vm_scale_set_logging_enabled +- azure_compute_vm_scale_set_uses_managed_disks +- azure_compute_vm_scale_set_ssh_key_authentication_linux +- azure_compute_vm_secure_communication_protocols_configured +- azure_compute_vm_ssh_key_authentication_linux +- azure_compute_vm_system_updates_installed +- azure_compute_vm_tcp_udp_access_restricted_internet +- azure_compute_vm_uses_azure_resource_manager +- azure_compute_vm_utilizing_managed_disk +- azure_compute_vm_vulnerability_assessment_solution_enabled +- azure_compute_vm_windows_defender_exploit_guard_enabled +- azure_network_interface_ip_forwarding_disabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml index 66588bf90..d768efb8f 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml 
@@ -1,10 +1,10 @@
-control-group:
- id: azure_all_controls_containerinstance
- title: Container Instance
- description: This section contains recommendations for configuring Container Instance resources.
- section-code: containerinstance
- controls:
- - azure_container_instance_container_group_encrypted_using_cmk
- - azure_container_instance_container_group_identity_provider_enabled
- - azure_container_instance_container_group_in_virtual_network
- - azure_container_instance_container_group_secured_environment_variable
+id: azure_all_controls_containerinstance
+title: Container Instance
+description: This section contains recommendations for configuring Container Instance resources.
+section-code: containerinstance
+type: control-group
+controls:
+- azure_container_instance_container_group_encrypted_using_cmk
+- azure_container_instance_container_group_identity_provider_enabled
+- azure_container_instance_container_group_in_virtual_network
+- azure_container_instance_container_group_secured_environment_variable
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
index 18afc7022..088253e4e 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
@@ -1,16 +1,16 @@
-control-group:
- id: azure_all_controls_containerregistry
- title: Container Registry
- description: This section contains recommendations for configuring Container Registry resources.
- section-code: containerregistry
- controls:
- - azure_container_registry_admin_user_disabled
- - azure_container_registry_encrypted_with_cmk
- - azure_container_registry_geo_replication_enabled
- - azure_container_registry_public_network_access_disabled
- - azure_container_registry_quarantine_policy_enabled
- - azure_container_registry_restrict_public_access
- - azure_container_registry_retention_policy_enabled
- - azure_container_registry_trust_policy_enabled
- - azure_container_registry_use_virtual_service_endpoint
- - azure_container_registry_uses_private_link
+id: azure_all_controls_containerregistry
+title: Container Registry
+description: This section contains recommendations for configuring Container Registry resources.
+section-code: containerregistry
+type: control-group
+controls:
+- azure_container_registry_admin_user_disabled
+- azure_container_registry_encrypted_with_cmk
+- azure_container_registry_geo_replication_enabled
+- azure_container_registry_public_network_access_disabled
+- azure_container_registry_quarantine_policy_enabled
+- azure_container_registry_restrict_public_access
+- azure_container_registry_retention_policy_enabled
+- azure_container_registry_trust_policy_enabled
+- azure_container_registry_use_virtual_service_endpoint
+- azure_container_registry_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
index 86b29ef12..e2198d986 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
@@ -1,13 +1,13 @@
-control-group:
- id: azure_all_controls_cosmosdb
- title: Cosmos DB
- description: This section contains recommendations for configuring CosmosDB resources.
- section-code: cosmosdb
- controls:
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_cosmosdb_account_key_based_metadata_write_access_disabled
- - azure_cosmosdb_account_uses_aad_and_rbac
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_virtual_network_filter_enabled
- - azure_cosmosdb_account_with_firewall_rules
- - azure_cosmosdb_use_virtual_service_endpoint
+id: azure_all_controls_cosmosdb
+title: Cosmos DB
+description: This section contains recommendations for configuring CosmosDB resources.
+section-code: cosmosdb
+type: control-group
+controls:
+- azure_cosmosdb_account_encryption_at_rest_using_cmk
+- azure_cosmosdb_account_key_based_metadata_write_access_disabled
+- azure_cosmosdb_account_uses_aad_and_rbac
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_virtual_network_filter_enabled
+- azure_cosmosdb_account_with_firewall_rules
+- azure_cosmosdb_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
index 7db72d7d4..df3d62e9a 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_databoxedge
- title: Data Box
- description: This section contains recommendations for configuring Data Box resources.
- section-code: databoxedge
- controls:
- - azure_databox_edge_device_double_encryption_enabled
+id: azure_all_controls_databoxedge
+title: Data Box
+description: This section contains recommendations for configuring Data Box resources.
+section-code: databoxedge
+type: control-group
+controls:
+- azure_databox_edge_device_double_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
index 0b324de3b..5a53033cf 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_all_controls_datafactory
- title: Data Factory
- description: This section contains recommendations for configuring Data Factory resources.
- section-code: datafactory
- controls:
- - azure_data_factory_encrypted_with_cmk
- - azure_data_factory_public_network_access_disabled
- - azure_data_factory_uses_git_repository
- - azure_data_factory_uses_private_link
+id: azure_all_controls_datafactory
+title: Data Factory
+description: This section contains recommendations for configuring Data Factory resources.
+section-code: datafactory
+type: control-group
+controls:
+- azure_data_factory_encrypted_with_cmk
+- azure_data_factory_public_network_access_disabled
+- azure_data_factory_uses_git_repository
+- azure_data_factory_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
index e0a659402..84c288ac0 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_datalakeanalytics
- title: Data Lake Analytics
- description: This section contains recommendations for configuring Data Lake Analytics resources.
- section-code: datalakeanalytics
- controls:
- - azure_datalake_analytics_account_logging_enabled
+id: azure_all_controls_datalakeanalytics
+title: Data Lake Analytics
+description: This section contains recommendations for configuring Data Lake Analytics resources.
+section-code: datalakeanalytics
+type: control-group
+controls:
+- azure_datalake_analytics_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
index 68a1ca6a6..6a7378dc3 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_all_controls_datalakestore
- title: Data Lake Storage
- description: This section contains recommendations for configuring Data Lake Storage resources.
- section-code: datalakestore
- controls:
- - azure_datalake_store_account_encryption_enabled
- - azure_datalake_store_account_logging_enabled
+id: azure_all_controls_datalakestore
+title: Data Lake Storage
+description: This section contains recommendations for configuring Data Lake Storage resources.
+section-code: datalakestore
+type: control-group
+controls:
+- azure_datalake_store_account_encryption_enabled
+- azure_datalake_store_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
index 3407db825..f453f69b8 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_all_controls_eventgrid
- title: Event Grid
- description: This section contains recommendations for configuring Event Grid resources.
- section-code: eventgrid
- controls:
- - azure_eventgrid_domain_identity_provider_enabled
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_domain_restrict_public_access
- - azure_eventgrid_topic_identity_provider_enabled
- - azure_eventgrid_topic_local_auth_enabled
- - azure_eventgrid_topic_private_link_used
+id: azure_all_controls_eventgrid
+title: Event Grid
+description: This section contains recommendations for configuring Event Grid resources.
+section-code: eventgrid
+type: control-group
+controls:
+- azure_eventgrid_domain_identity_provider_enabled
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_domain_restrict_public_access
+- azure_eventgrid_topic_identity_provider_enabled
+- azure_eventgrid_topic_local_auth_enabled
+- azure_eventgrid_topic_private_link_used
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
index 6699bc61e..a1ea6ec51 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_all_controls_eventhub
- title: Event Hub
- description: This section contains recommendations for configuring Event Hub resources.
- section-code: eventhub
- controls:
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_eventhub_namespace_private_link_used
- - azure_eventhub_namespace_use_virtual_service_endpoint
+id: azure_all_controls_eventhub
+title: Event Hub
+description: This section contains recommendations for configuring Event Hub resources.
+section-code: eventhub
+type: control-group
+controls:
+- azure_eventhub_namespace_cmk_encryption_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_eventhub_namespace_private_link_used
+- azure_eventhub_namespace_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
index a356a3b30..cdcc55aed 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_frontdoor
- title: Front Door
- description: This section contains recommendations for configuring Front Door resources.
- section-code: frontdoor
- controls:
- - azure_frontdoor_waf_enabled
+id: azure_all_controls_frontdoor
+title: Front Door
+description: This section contains recommendations for configuring Front Door resources.
+section-code: frontdoor
+type: control-group
+controls:
+- azure_frontdoor_waf_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
index 96ea758fd..5f9d68bb5 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_all_controls_hdinsight
- title: HDInsight
- description: This section contains recommendations for configuring HDInsight resources.
- section-code: hdinsight
- controls:
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_hdinsight_cluster_encryption_in_transit_enabled
+id: azure_all_controls_hdinsight
+title: HDInsight
+description: This section contains recommendations for configuring HDInsight resources.
+section-code: hdinsight
+type: control-group
+controls:
+- azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+- azure_hdinsight_cluster_encryption_at_host_enabled
+- azure_hdinsight_cluster_encryption_in_transit_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
index e0c267b99..f89e20c22 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_all_controls_healthcare
- title: HealthcareAPIs
- description: This section contains recommendations for configuring HealthcareAPIs resources.
- section-code: healthcare
- controls:
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_healthcare_fhir_uses_private_link
+id: azure_all_controls_healthcare
+title: HealthcareAPIs
+description: This section contains recommendations for configuring HealthcareAPIs resources.
+section-code: healthcare
+type: control-group
+controls:
+- azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+- azure_healthcare_fhir_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
index 1390cdc08..3033b5aca 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_hpccache
- title: HPC Cache
- description: This section contains recommendations for configuring HPC Cache resources.
- section-code: hpccache
- controls:
- - azure_hpc_cache_encrypted_with_cmk
+id: azure_all_controls_hpccache
+title: HPC Cache
+description: This section contains recommendations for configuring HPC Cache resources.
+section-code: hpccache
+type: control-group
+controls:
+- azure_hpc_cache_encrypted_with_cmk
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
index 424efcc4f..46618423c 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_iothub
- title: IoT Hub
- description: This section contains recommendations for configuring IoT Hub resources.
- section-code: iothub
- controls:
- - azure_iot_hub_logging_enabled
+id: azure_all_controls_iothub
+title: IoT Hub
+description: This section contains recommendations for configuring IoT Hub resources.
+section-code: iothub
+type: control-group
+controls:
+- azure_iot_hub_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml
index a4fa0918b..f4823aaa7 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml 
@@ -1,23 +1,23 @@
-control-group:
- id: azure_all_controls_keyvault
- title: Key Vault
- description: This section contains recommendations for configuring Key Vault resources.
- section-code: keyvault
- controls:
- - azure_keyvault_firewall_enabled
- - azure_keyvault_key_expiration_set
- - azure_keyvault_logging_enabled
- - azure_keyvault_managed_hms_logging_enabled
- - azure_keyvault_managed_hms_purge_protection_enabled
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_rbac_enabled
- - azure_keyvault_secret_expiration_set
- - azure_keyvault_soft_delete_enabled
- - azure_keyvault_vault_private_link_used
- - azure_keyvault_vault_public_network_access_disabled
- - azure_keyvault_vault_recoverable
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_keyvault_with_non_rbac_key_expiration_set
- - azure_keyvault_with_non_rbac_secret_expiration_set
- - azure_keyvault_with_rbac_key_expiration_set
- - azure_keyvault_with_rbac_secret_expiration_set
+id: azure_all_controls_keyvault
+title: Key Vault
+description: This section contains recommendations for configuring Key Vault resources.
+section-code: keyvault
+type: control-group
+controls:
+- azure_keyvault_firewall_enabled
+- azure_keyvault_key_expiration_set
+- azure_keyvault_logging_enabled
+- azure_keyvault_managed_hms_logging_enabled
+- azure_keyvault_managed_hms_purge_protection_enabled
+- azure_keyvault_purge_protection_enabled
+- azure_keyvault_rbac_enabled
+- azure_keyvault_secret_expiration_set
+- azure_keyvault_soft_delete_enabled
+- azure_keyvault_vault_private_link_used
+- azure_keyvault_vault_public_network_access_disabled
+- azure_keyvault_vault_recoverable
+- azure_keyvault_vault_use_virtual_service_endpoint
+- azure_keyvault_with_non_rbac_key_expiration_set
+- azure_keyvault_with_non_rbac_secret_expiration_set
+- azure_keyvault_with_rbac_key_expiration_set
+- azure_keyvault_with_rbac_secret_expiration_set
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
index 1846a5532..eb5ff8fc3 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: azure_all_controls_kubernetes
- title: Kubernetes Service
- description: This section contains recommendations for configuring Kubernetes Service resources.
- section-code: kubernetes
- controls:
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
- - azure_kubernetes_cluster_addon_azure_policy_enabled
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_kubernetes_cluster_http_application_routing_disabled
- - azure_kubernetes_cluster_key_vault_secret_rotation_enabled
- - azure_kubernetes_cluster_logging_enabled
- - azure_kubernetes_cluster_max_pod_50
- - azure_kubernetes_cluster_network_plugin_azure
- - azure_kubernetes_cluster_network_policy_enabled
- - azure_kubernetes_cluster_node_restrict_public_access
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kubernetes_cluster_restrict_public_access
- - azure_kubernetes_cluster_sku_standard
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kubernetes_cluster_upgrade_channel
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_kubernetes_instance_rbac_enabled
+id: azure_all_controls_kubernetes
+title: Kubernetes Service
+description: This section contains recommendations for configuring Kubernetes Service resources.
+section-code: kubernetes
+type: control-group
+controls:
+- azure_kubernetes_cluster_add_on_azure_policy_enabled
+- azure_kubernetes_cluster_addon_azure_policy_enabled
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_kubernetes_cluster_http_application_routing_disabled
+- azure_kubernetes_cluster_key_vault_secret_rotation_enabled
+- azure_kubernetes_cluster_logging_enabled
+- azure_kubernetes_cluster_max_pod_50
+- azure_kubernetes_cluster_network_plugin_azure
+- azure_kubernetes_cluster_network_policy_enabled
+- azure_kubernetes_cluster_node_restrict_public_access
+- azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+- azure_kubernetes_cluster_restrict_public_access
+- azure_kubernetes_cluster_sku_standard
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kubernetes_cluster_upgrade_channel
+- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+- azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
index 2888d7193..512ba027d 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
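Review bot: The new `controls:` list keeps both `azure_kubernetes_cluster_add_on_azure_policy_enabled` and `azure_kubernetes_cluster_addon_azure_policy_enabled`, two ids that differ only by `add_on` versus `addon`. If they resolve to a single control definition under two spellings, the Azure Policy add-on check is presumably counted twice in this group's compliance score, and an id that no longer matches any control may fail to resolve when the framework is loaded; if they are genuinely distinct controls, a one-line comment above the pair saying what each one checks would spare the next reader the same question. The control definitions are not visible from this hunk, so this needs confirmation against the control files. Note that this group's `controls:` list starts on the previous physical line of the same hunk.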
@@ -1,10 +1,10 @@
-control-group:
- id: azure_all_controls_kusto
- title: Data Explorer
- description: This section contains recommendations for configuring Data Explorer resources.
- section-code: kusto
- controls:
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_kusto_cluster_sku_with_sla
+id: azure_all_controls_kusto
+title: Data Explorer
+description: This section contains recommendations for configuring Data Explorer resources.
+section-code: kusto
+type: control-group
+controls:
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_kusto_cluster_encrypted_at_rest_with_cmk
+- azure_kusto_cluster_sku_with_sla
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
index 3f9454615..89a19f378 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_logic
- title: Logic
- description: This section contains recommendations for configuring Logic resources.
- section-code: logic
- controls:
- - azure_logic_app_workflow_logging_enabled
+id: azure_all_controls_logic
+title: Logic
+description: This section contains recommendations for configuring Logic resources.
+section-code: logic
+type: control-group
+controls:
+- azure_logic_app_workflow_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
index 3bb7d1250..07db647ca 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_all_controls_machinelearning
- title: Machine Learning
- description: This section contains recommendations for configuring Machine Learning resources.
- section-code: machinelearning
- controls:
- - azure_machine_learning_workspace_encrypted_with_cmk
+id: azure_all_controls_machinelearning
+title: Machine Learning
+description: This section contains recommendations for configuring Machine Learning resources.
+section-code: machinelearning
+type: control-group
+controls:
+- azure_machine_learning_workspace_encrypted_with_cmk
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
index 3d01dfcbe..99af319ae 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_all_controls_mariadb
- title: MariaDB
- description: This section contains recommendations for configuring MariaDB resources.
- section-code: mariadb
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mariadb_server_public_network_access_disabled
- - azure_mariadb_server_ssl_enabled
+id: azure_all_controls_mariadb
+title: MariaDB
+description: This section contains recommendations for configuring MariaDB resources.
+section-code: mariadb
+type: control-group
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mariadb_server_public_network_access_disabled
+- azure_mariadb_server_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
index ebbe1be54..3a2885f69 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: azure_all_controls_monitor
- title: Monitor
- description: This section contains recommendations for configuring Monitor resources.
- section-code: monitor
- controls:
- - azure_application_insights_block_log_ingestion_and_querying_from_public
- - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
- - azure_log_analytics_workspace_block_non_azure_ingestion
- - azure_log_profile_enabled_for_all_subscription
- - azure_monitor_diagnostic_settings_captures_proper_categories
- - azure_monitor_log_alert_create_policy_assignment
- - azure_monitor_log_alert_create_update_nsg
- - azure_monitor_log_alert_create_update_nsg_rule
- - azure_monitor_log_alert_create_update_public_ip_address
- - azure_monitor_log_alert_create_update_security_solution
- - azure_monitor_log_alert_create_update_sql_servers_firewall_rule
- - azure_monitor_log_alert_delete_nsg
- - azure_monitor_log_alert_delete_nsg_rule
- - azure_monitor_log_alert_delete_policy_assignment
- - azure_monitor_log_alert_delete_public_ip_address
- - azure_monitor_log_alert_delete_security_solution
- - azure_monitor_log_alert_delete_sql_servers_firewall_rule
- - azure_monitor_log_alert_for_administrative_operations
- - azure_monitor_log_alert_sql_firewall_rule
- - azure_monitor_log_profile_enabled_for_all_categories
- - azure_monitor_log_profile_enabled_for_all_regions
- - azure_monitor_log_profile_retention_365_days
- - azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible
- - azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible
+id: azure_all_controls_monitor
+title: Monitor
+description: This section contains recommendations for configuring Monitor resources.
+section-code: monitor
+type: control-group
+controls:
+- azure_application_insights_block_log_ingestion_and_querying_from_public
+- azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
+- azure_log_analytics_workspace_block_non_azure_ingestion
+- azure_log_profile_enabled_for_all_subscription
+- azure_monitor_diagnostic_settings_captures_proper_categories
+- azure_monitor_log_alert_create_policy_assignment
+- azure_monitor_log_alert_create_update_nsg
+- azure_monitor_log_alert_create_update_nsg_rule
+- azure_monitor_log_alert_create_update_public_ip_address
+- azure_monitor_log_alert_create_update_security_solution
+- azure_monitor_log_alert_create_update_sql_servers_firewall_rule
+- azure_monitor_log_alert_delete_nsg
+- azure_monitor_log_alert_delete_nsg_rule
+- azure_monitor_log_alert_delete_policy_assignment
+- azure_monitor_log_alert_delete_public_ip_address
+- azure_monitor_log_alert_delete_security_solution
+- azure_monitor_log_alert_delete_sql_servers_firewall_rule
+- azure_monitor_log_alert_for_administrative_operations
+- azure_monitor_log_alert_sql_firewall_rule
+- azure_monitor_log_profile_enabled_for_all_categories
+- azure_monitor_log_profile_enabled_for_all_regions
+- azure_monitor_log_profile_retention_365_days
+- azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible
+- azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
index 732f3f567..fbea8c05a 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_all_controls_mysql
- title: MySQL
- description: This section contains recommendations for configuring MySQL resources.
- section-code: mysql
- controls:
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_mysql_server_audit_logging_enabled
- - azure_mysql_server_audit_logging_events_connection_set
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_mysql_server_min_tls_1_2
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_mysql_ssl_enabled
+id: azure_all_controls_mysql
+title: MySQL
+description: This section contains recommendations for configuring MySQL resources.
+section-code: mysql
+type: control-group
+controls:
+- azure_mssql_managed_instance_encryption_at_rest_using_cmk
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_mysql_server_audit_logging_enabled
+- azure_mysql_server_audit_logging_events_connection_set
+- azure_mysql_server_encrypted_at_rest_using_cmk
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_mysql_server_min_tls_1_2
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_mysql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
index 659c2e393..05a1d486f 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
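Review bot: `azure_mssql_managed_instance_encryption_at_rest_using_cmk` and `azure_mssql_managed_instance_vulnerability_assessment_enabled` are carried unchanged into the MySQL group's new `controls:` list, yet their `mssql_managed_instance` prefix indicates they target Azure SQL Managed Instance rather than MySQL. As placed, a MySQL-scoped compliance report would presumably be asserting CMK encryption and vulnerability assessment on a different service, and whichever SQL group exists elsewhere (not visible in this chunk) may be missing those two checks. If they belong to a SQL/MSSQL group, move the two lines there; if keeping them here is deliberate, a comment above them such as `# SQL Managed Instance checks kept in the MySQL group until an mssql group is added` would make the intent explicit.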
@@ -1,48 +1,48 @@ -control-group: - id: azure_all_controls_network - title: Network - description: This section contains recommendations for configuring Network resources. - section-code: network - controls: - - azure_application_gateway_waf_enabled - - azure_application_gateway_waf_uses_specified_mode - - azure_network_bastion_host_min_1 - - azure_network_ddos_enabled - - azure_network_lb_no_basic_sku - - azure_network_network_peering_connected - - azure_network_public_ip_no_basic_sku - - azure_network_security_group_diagnostic_setting_deployed - - azure_network_security_group_https_access_restricted - - azure_network_security_group_not_configured_gateway_subnets - - azure_network_security_group_outbound_access_restricted - - azure_network_security_group_rdp_access_restricted - - azure_network_security_group_remote_access_restricted - - azure_network_security_group_restrict_inbound_icmp_port - - azure_network_security_group_restrict_inbound_tcp_port_135 - - azure_network_security_group_restrict_inbound_tcp_port_1433 - - azure_network_security_group_restrict_inbound_tcp_port_20 - - azure_network_security_group_restrict_inbound_tcp_port_21 - - azure_network_security_group_restrict_inbound_tcp_port_23 - - azure_network_security_group_restrict_inbound_tcp_port_25 - - azure_network_security_group_restrict_inbound_tcp_port_3306 - - azure_network_security_group_restrict_inbound_tcp_port_4333 - - azure_network_security_group_restrict_inbound_tcp_port_445 - - azure_network_security_group_restrict_inbound_tcp_port_53 - - azure_network_security_group_restrict_inbound_tcp_port_5432 - - azure_network_security_group_restrict_inbound_tcp_port_5500 - - azure_network_security_group_restrict_inbound_tcp_port_5900 - - azure_network_security_group_restrict_inbound_udp_port_137 - - azure_network_security_group_restrict_inbound_udp_port_138 - - azure_network_security_group_restrict_inbound_udp_port_1434 - - azure_network_security_group_restrict_inbound_udp_port_445 - - 
azure_network_security_group_restrict_inbound_udp_port_53 - - azure_network_security_group_ssh_access_restricted - - azure_network_security_group_subnet_associated - - azure_network_security_group_udp_service_restricted - - azure_network_sg_flowlog_enabled - - azure_network_sg_flowlog_retention_period_greater_than_90 - - azure_network_virtual_network_gateway_no_basic_sku - - azure_network_watcher_enabled - - azure_network_watcher_flow_log_enabled - - azure_network_watcher_flow_log_traffic_analytics_enabled - - azure_network_watcher_in_regions_with_virtual_network +id: azure_all_controls_network +title: Network +description: This section contains recommendations for configuring Network resources. +section-code: network +type: control-group +controls: +- azure_application_gateway_waf_enabled +- azure_application_gateway_waf_uses_specified_mode +- azure_network_bastion_host_min_1 +- azure_network_ddos_enabled +- azure_network_lb_no_basic_sku +- azure_network_network_peering_connected +- azure_network_public_ip_no_basic_sku +- azure_network_security_group_diagnostic_setting_deployed +- azure_network_security_group_https_access_restricted +- azure_network_security_group_not_configured_gateway_subnets +- azure_network_security_group_outbound_access_restricted +- azure_network_security_group_rdp_access_restricted +- azure_network_security_group_remote_access_restricted +- azure_network_security_group_restrict_inbound_icmp_port +- azure_network_security_group_restrict_inbound_tcp_port_135 +- azure_network_security_group_restrict_inbound_tcp_port_1433 +- azure_network_security_group_restrict_inbound_tcp_port_20 +- azure_network_security_group_restrict_inbound_tcp_port_21 +- azure_network_security_group_restrict_inbound_tcp_port_23 +- azure_network_security_group_restrict_inbound_tcp_port_25 +- azure_network_security_group_restrict_inbound_tcp_port_3306 +- azure_network_security_group_restrict_inbound_tcp_port_4333 +- 
azure_network_security_group_restrict_inbound_tcp_port_445 +- azure_network_security_group_restrict_inbound_tcp_port_53 +- azure_network_security_group_restrict_inbound_tcp_port_5432 +- azure_network_security_group_restrict_inbound_tcp_port_5500 +- azure_network_security_group_restrict_inbound_tcp_port_5900 +- azure_network_security_group_restrict_inbound_udp_port_137 +- azure_network_security_group_restrict_inbound_udp_port_138 +- azure_network_security_group_restrict_inbound_udp_port_1434 +- azure_network_security_group_restrict_inbound_udp_port_445 +- azure_network_security_group_restrict_inbound_udp_port_53 +- azure_network_security_group_ssh_access_restricted +- azure_network_security_group_subnet_associated +- azure_network_security_group_udp_service_restricted +- azure_network_sg_flowlog_enabled +- azure_network_sg_flowlog_retention_period_greater_than_90 +- azure_network_virtual_network_gateway_no_basic_sku +- azure_network_watcher_enabled +- azure_network_watcher_flow_log_enabled +- azure_network_watcher_flow_log_traffic_analytics_enabled +- azure_network_watcher_in_regions_with_virtual_network diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml index 3eecba3d7..f477b8f17 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: azure_all_controls_postgres - title: PostgreSQL - description: This section contains recommendations for configuring PostgreSQL resources. - section-code: postgres - controls: - - azure_postgres_db_server_allow_access_to_azure_services_disabled - - azure_postgres_db_server_connection_throttling_on - - azure_postgres_db_server_geo_redundant_backup_enabled - - azure_postgres_db_server_latest_tls_version - - azure_postgres_db_server_log_checkpoints_on - - azure_postgres_db_server_log_connections_on - - azure_postgres_db_server_log_disconnections_on - - azure_postgres_db_server_log_retention_days_3 - - azure_postgres_server_private_link_used - - azure_postgres_sql_server_encrypted_at_rest_using_cmk - - azure_postgres_sql_ssl_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_postgresql_server_public_network_access_disabled +id: azure_all_controls_postgres +title: PostgreSQL +description: This section contains recommendations for configuring PostgreSQL resources. +section-code: postgres +type: control-group +controls: +- azure_postgres_db_server_allow_access_to_azure_services_disabled +- azure_postgres_db_server_connection_throttling_on +- azure_postgres_db_server_geo_redundant_backup_enabled +- azure_postgres_db_server_latest_tls_version +- azure_postgres_db_server_log_checkpoints_on +- azure_postgres_db_server_log_connections_on +- azure_postgres_db_server_log_disconnections_on +- azure_postgres_db_server_log_retention_days_3 +- azure_postgres_server_private_link_used +- azure_postgres_sql_server_encrypted_at_rest_using_cmk +- azure_postgres_sql_ssl_enabled +- azure_postgresql_server_infrastructure_encryption_enabled +- azure_postgresql_server_public_network_access_disabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml index 1759ceb9e..3dcc20c6a 100755 
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml @@ -1,9 +1,9 @@ -control-group: - id: azure_all_controls_recoveryservice - title: Recovery Service - description: This section contains recommendations for configuring Recovery Service resources. - section-code: recoveryservice - controls: - - azure_recovery_service_vault_uses_managed_identity - - azure_recovery_service_vault_uses_private_link - - azure_recovery_service_vault_uses_private_link_for_backup +id: azure_all_controls_recoveryservice +title: Recovery Service +description: This section contains recommendations for configuring Recovery Service resources. +section-code: recoveryservice +type: control-group +controls: +- azure_recovery_service_vault_uses_managed_identity +- azure_recovery_service_vault_uses_private_link +- azure_recovery_service_vault_uses_private_link_for_backup diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml index f9f72c06a..c101c48fb 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml 
@@ -1,11 +1,11 @@ -control-group: - id: azure_all_controls_redis - title: Redis - description: This section contains recommendations for configuring Redis resources. - section-code: redis - controls: - - azure_redis_cache_ssl_enabled - - azure_redis_cache_uses_private_link - - azure_redis_cache_in_virtual_network - - azure_redis_cache_min_tls_1_2 - - azure_redis_cache_no_basic_sku +id: azure_all_controls_redis +title: Redis +description: This section contains recommendations for configuring Redis resources. +section-code: redis +type: control-group +controls: +- azure_redis_cache_ssl_enabled +- azure_redis_cache_uses_private_link +- azure_redis_cache_in_virtual_network +- azure_redis_cache_min_tls_1_2 +- azure_redis_cache_no_basic_sku diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml index af56f3199..b5d3868d2 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml 
@@ -1,30 +1,30 @@ -control-group: - id: azure_all_controls_securitycenter - title: Security Center - description: This section contains recommendations for configuring Security Center resources. - section-code: securitycenter - controls: - - azure_securitycenter_additional_email_configured - - azure_securitycenter_asc_default_setting_not_disabled - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containerregistry - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_cosmosdb - - azure_securitycenter_azure_defender_on_for_database - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_k8s - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_opensource_relational_db - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_container_image_scan_enabled - - azure_securitycenter_email_configured - - azure_securitycenter_mcas_integration - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_pricing_standard - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_securitycenter_wdatp_integration +id: azure_all_controls_securitycenter +title: Security Center +description: This section contains recommendations for configuring Security Center resources. 
+section-code: securitycenter +type: control-group +controls: +- azure_securitycenter_additional_email_configured +- azure_securitycenter_asc_default_setting_not_disabled +- azure_securitycenter_automatic_provisioning_monitoring_agent_on +- azure_securitycenter_azure_defender_on_for_appservice +- azure_securitycenter_azure_defender_on_for_containerregistry +- azure_securitycenter_azure_defender_on_for_containers +- azure_securitycenter_azure_defender_on_for_cosmosdb +- azure_securitycenter_azure_defender_on_for_database +- azure_securitycenter_azure_defender_on_for_dns +- azure_securitycenter_azure_defender_on_for_k8s +- azure_securitycenter_azure_defender_on_for_keyvault +- azure_securitycenter_azure_defender_on_for_opensource_relational_db +- azure_securitycenter_azure_defender_on_for_resource_manager +- azure_securitycenter_azure_defender_on_for_server +- azure_securitycenter_azure_defender_on_for_sqldb +- azure_securitycenter_azure_defender_on_for_sqlservervm +- azure_securitycenter_azure_defender_on_for_storage +- azure_securitycenter_container_image_scan_enabled +- azure_securitycenter_email_configured +- azure_securitycenter_mcas_integration +- azure_securitycenter_notify_alerts_configured +- azure_securitycenter_pricing_standard +- azure_securitycenter_security_alerts_to_owner_enabled +- azure_securitycenter_wdatp_integration diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml index e4d6c768d..7cc84f4e7 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml 
@@ -1,12 +1,12 @@ -control-group: - id: azure_all_controls_servicebus - title: Service Bus - description: This section contains recommendations for configuring Service Bus resources. - section-code: servicebus - controls: - - azure_servicebus_name_space_private_link_used - - azure_servicebus_namespace_logging_enabled - - azure_servicebus_namespace_azure_ad_authentication_enabled - - azure_servicebus_namespace_no_overly_permissive_network_access - - azure_servicebus_premium_namespace_cmk_encrypted - - azure_servicebus_use_virtual_service_endpoint +id: azure_all_controls_servicebus +title: Service Bus +description: This section contains recommendations for configuring Service Bus resources. +section-code: servicebus +type: control-group +controls: +- azure_servicebus_name_space_private_link_used +- azure_servicebus_namespace_logging_enabled +- azure_servicebus_namespace_azure_ad_authentication_enabled +- azure_servicebus_namespace_no_overly_permissive_network_access +- azure_servicebus_premium_namespace_cmk_encrypted +- azure_servicebus_use_virtual_service_endpoint diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml index 81f2b326e..19c5779c1 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml 
@@ -1,8 +1,8 @@ -control-group: - id: azure_all_controls_servicefabric - title: Service Fabric - description: This section contains recommendations for configuring Service Fabric resources. - section-code: servicefabric - controls: - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign +id: azure_all_controls_servicefabric +title: Service Fabric +description: This section contains recommendations for configuring Service Fabric resources. +section-code: servicefabric +type: control-group +controls: +- azure_servicefabric_cluster_active_directory_authentication_enabled +- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml index 3bc7327ac..c98a210d7 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml @@ -1,8 +1,8 @@ -control-group: - id: azure_all_controls_signalr - title: SignalR Service - description: This section contains recommendations for configuring SignalR Service resources. - section-code: signalr - controls: - - azure_signalr_service_no_free_tier_sku - - azure_signalr_service_private_link_used +id: azure_all_controls_signalr +title: SignalR Service +description: This section contains recommendations for configuring SignalR Service resources. +section-code: signalr +type: control-group +controls: +- azure_signalr_service_no_free_tier_sku +- azure_signalr_service_private_link_used diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml index 40aefb0a6..6a83ddbfc 100755 
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml @@ -1,7 +1,7 @@ -control-group: - id: azure_all_controls_springcloud - title: Spring Cloud - description: This section contains recommendations for configuring Spring Cloud resources. - section-code: springcloud - controls: - - azure_spring_cloud_service_network_injection_enabled +id: azure_all_controls_springcloud +title: Spring Cloud +description: This section contains recommendations for configuring Spring Cloud resources. +section-code: springcloud +type: control-group +controls: +- azure_spring_cloud_service_network_injection_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml index 904b69e10..1e0621431 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_all_controls_sql - title: SQL - description: This section contains recommendations for configuring SQL resources. - section-code: sql - controls: - - azure_sql_database_allow_internet_access - - azure_sql_database_long_term_geo_redundant_backup_enabled - - azure_sql_database_transparent_data_encryption_enabled - - azure_sql_database_vulnerability_findings_resolved - - azure_sql_db_active_directory_admin_configured - - azure_sql_db_public_network_access_disabled - - azure_sql_server_and_databases_va_enabled - - azure_sql_server_atp_enabled - - azure_sql_server_auditing_on - - azure_sql_server_auditing_retention_period_90 - - azure_sql_server_auditing_storage_account_destination_retention_90_days - - azure_sql_server_azure_ad_authentication_enabled - - azure_sql_server_azure_defender_enabled - - azure_sql_server_tde_protector_cmk_encrypted - - azure_sql_server_threat_detection_all_enabled - - azure_sql_server_transparent_data_encryption_enabled - - azure_sql_server_use_virtual_service_endpoint - - azure_sql_server_uses_private_link - - azure_sql_server_va_setting_periodic_scan_enabled - - azure_sql_server_va_setting_reports_notify_admins - - azure_sql_server_va_setting_scan_reports_configured +id: azure_all_controls_sql +title: SQL +description: This section contains recommendations for configuring SQL resources. 
+section-code: sql +type: control-group +controls: +- azure_sql_database_allow_internet_access +- azure_sql_database_long_term_geo_redundant_backup_enabled +- azure_sql_database_transparent_data_encryption_enabled +- azure_sql_database_vulnerability_findings_resolved +- azure_sql_db_active_directory_admin_configured +- azure_sql_db_public_network_access_disabled +- azure_sql_server_and_databases_va_enabled +- azure_sql_server_atp_enabled +- azure_sql_server_auditing_on +- azure_sql_server_auditing_retention_period_90 +- azure_sql_server_auditing_storage_account_destination_retention_90_days +- azure_sql_server_azure_ad_authentication_enabled +- azure_sql_server_azure_defender_enabled +- azure_sql_server_tde_protector_cmk_encrypted +- azure_sql_server_threat_detection_all_enabled +- azure_sql_server_transparent_data_encryption_enabled +- azure_sql_server_use_virtual_service_endpoint +- azure_sql_server_uses_private_link +- azure_sql_server_va_setting_periodic_scan_enabled +- azure_sql_server_va_setting_reports_notify_admins +- azure_sql_server_va_setting_scan_reports_configured diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml index 31b3d6fed..c6e69429e 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml 
@@ -1,26 +1,26 @@ -control-group: - id: azure_all_controls_storage - title: Storage - description: This section contains recommendations for configuring Storage resources. - section-code: storage - controls: - - azure_storage_account_blob_containers_public_access_private - - azure_storage_account_blob_service_logging_enabled - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_encryption_at_rest_using_cmk - - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk - - azure_storage_account_geo_redundant_enabled - - azure_storage_account_infrastructure_encryption_enabled - - azure_storage_account_blobs_logging_enabled - - azure_storage_account_tables_logging_enabled - - azure_storage_account_min_tls_1_2 - - azure_storage_account_queue_services_logging_enabled - - azure_storage_account_restrict_network_access - - azure_storage_account_secure_transfer_required_enabled - - azure_storage_account_soft_delete_enabled - - azure_storage_account_table_service_logging_enabled - - azure_storage_account_trusted_microsoft_services_enabled - - azure_storage_account_use_virtual_service_endpoint - - azure_storage_account_uses_azure_resource_manager - - azure_storage_account_uses_private_link +id: azure_all_controls_storage +title: Storage +description: This section contains recommendations for configuring Storage resources. 
+section-code: storage +type: control-group +controls: +- azure_storage_account_blob_containers_public_access_private +- azure_storage_account_blob_service_logging_enabled +- azure_storage_account_block_public_access +- azure_storage_account_default_network_access_rule_denied +- azure_storage_account_encryption_at_rest_using_cmk +- azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk +- azure_storage_account_geo_redundant_enabled +- azure_storage_account_infrastructure_encryption_enabled +- azure_storage_account_blobs_logging_enabled +- azure_storage_account_tables_logging_enabled +- azure_storage_account_min_tls_1_2 +- azure_storage_account_queue_services_logging_enabled +- azure_storage_account_restrict_network_access +- azure_storage_account_secure_transfer_required_enabled +- azure_storage_account_soft_delete_enabled +- azure_storage_account_table_service_logging_enabled +- azure_storage_account_trusted_microsoft_services_enabled +- azure_storage_account_use_virtual_service_endpoint +- azure_storage_account_uses_azure_resource_manager +- azure_storage_account_uses_private_link diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml index ae6e71fbb..8639ff6d6 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml 
@@ -1,7 +1,7 @@ -control-group: - id: azure_all_controls_storagesync - title: File Sync - description: This section contains recommendations for configuring FileSync resources. - section-code: storagesync - controls: - - azure_storage_sync_private_link_used +id: azure_all_controls_storagesync +title: File Sync +description: This section contains recommendations for configuring FileSync resources. +section-code: storagesync +type: control-group +controls: +- azure_storage_sync_private_link_used diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml index 3cacd5c56..97aefe381 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml @@ -1,7 +1,7 @@ -control-group: - id: azure_all_controls_streamanalytics - title: Stream Analytics - description: This section contains recommendations for configuring Stream Analytics resources. - section-code: streamanalytics - controls: - - azure_stream_analytics_job_logging_enabled +id: azure_all_controls_streamanalytics +title: Stream Analytics +description: This section contains recommendations for configuring Stream Analytics resources. +section-code: streamanalytics +type: control-group +controls: +- azure_stream_analytics_job_logging_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml index 5f87bc803..c0bb45987 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml 
@@ -1,10 +1,10 @@ -control-group: - id: azure_all_controls_synapse - title: Synapse Analytics - description: This section contains recommendations for configuring Synapse Analytics resources. - section-code: synapse - controls: - - azure_synapse_workspace_data_exfiltration_protection_enabled - - azure_synapse_workspace_encryption_at_rest_using_cmk - - azure_synapse_workspace_private_link_used - - azure_synapse_workspace_vulnerability_assessment_enabled +id: azure_all_controls_synapse +title: Synapse Analytics +description: This section contains recommendations for configuring Synapse Analytics resources. +section-code: synapse +type: control-group +controls: +- azure_synapse_workspace_data_exfiltration_protection_enabled +- azure_synapse_workspace_encryption_at_rest_using_cmk +- azure_synapse_workspace_private_link_used +- azure_synapse_workspace_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml index e9520ba96..f19034b34 100644 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml 
@@ -1,36 +1,36 @@
-framework:
- id: azure_cis_v130
- title: CIS v1.3.0
- description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
- section-code: azure_cis_v130
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.3.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_cis_v130_1
- - id: azure_cis_v130_2
- - id: azure_cis_v130_3
- - id: azure_cis_v130_4
- - id: azure_cis_v130_5
- - id: azure_cis_v130_6
- - id: azure_cis_v130_7
- - id: azure_cis_v130_8
- - id: azure_cis_v130_9
+id: azure_cis_v130
+title: CIS v1.3.0
+description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+section-code: azure_cis_v130
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.3.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_cis_v130_1
+- id: azure_cis_v130_2
+- id: azure_cis_v130_3
+- id: azure_cis_v130_4
+- id: azure_cis_v130_5
+- id: azure_cis_v130_6
+- id: azure_cis_v130_7
+- id: azure_cis_v130_8
+- id: azure_cis_v130_9
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
index e4f83813f..bf0727eac 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
@@ -1,44 +1,44 @@ -control-group: - id: azure_cis_v130_1 - title: Identity and Access Management - description: Identity and Access Management - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_cis_v130_1_1 - - azure_cis_v130_1_2 - - azure_cis_v130_1_3 - - azure_cis_v130_1_4 - - azure_cis_v130_1_5 - - azure_cis_v130_1_6 - - azure_cis_v130_1_7 - - azure_cis_v130_1_8 - - azure_cis_v130_1_9 - - azure_cis_v130_1_10 - - azure_cis_v130_1_11 - - azure_cis_v130_1_12 - - azure_cis_v130_1_13 - - azure_cis_v130_1_14 - - azure_cis_v130_1_15 - - azure_cis_v130_1_16 - - azure_cis_v130_1_17 - - azure_cis_v130_1_18 - - azure_cis_v130_1_19 - - azure_cis_v130_1_20 - - azure_cis_v130_1_21 - - azure_cis_v130_1_22 - - azure_cis_v130_1_23 +id: azure_cis_v130_1 +title: Identity and Access Management +description: Identity and Access Management +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_cis_v130_1_1 +- azure_cis_v130_1_2 +- azure_cis_v130_1_3 +- azure_cis_v130_1_4 +- azure_cis_v130_1_5 +- azure_cis_v130_1_6 +- azure_cis_v130_1_7 +- azure_cis_v130_1_8 +- azure_cis_v130_1_9 +- azure_cis_v130_1_10 +- azure_cis_v130_1_11 +- azure_cis_v130_1_12 +- azure_cis_v130_1_13 +- azure_cis_v130_1_14 +- azure_cis_v130_1_15 +- azure_cis_v130_1_16 +- azure_cis_v130_1_17 +- azure_cis_v130_1_18 +- azure_cis_v130_1_19 +- azure_cis_v130_1_20 +- azure_cis_v130_1_21 +- azure_cis_v130_1_22 +- azure_cis_v130_1_23 diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml index 2e4d44a15..07affc6fb 100755 
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml @@ -1,36 +1,36 @@ -control-group: - id: azure_cis_v130_2 - title: Security Center - description: Security Center - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v130_2_1 - - azure_cis_v130_2_2 - - azure_cis_v130_2_3 - - azure_cis_v130_2_4 - - azure_cis_v130_2_5 - - azure_cis_v130_2_6 - - azure_cis_v130_2_7 - - azure_cis_v130_2_8 - - azure_cis_v130_2_9 - - azure_cis_v130_2_10 - - azure_cis_v130_2_11 - - azure_cis_v130_2_12 - - azure_cis_v130_2_13 - - azure_cis_v130_2_14 - - azure_cis_v130_2_15 +id: azure_cis_v130_2 +title: Security Center +description: Security Center +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v130_2_1 +- azure_cis_v130_2_2 +- azure_cis_v130_2_3 +- azure_cis_v130_2_4 +- azure_cis_v130_2_5 +- azure_cis_v130_2_6 +- azure_cis_v130_2_7 +- azure_cis_v130_2_8 +- azure_cis_v130_2_9 +- azure_cis_v130_2_10 +- azure_cis_v130_2_11 +- azure_cis_v130_2_12 +- azure_cis_v130_2_13 +- azure_cis_v130_2_14 +- azure_cis_v130_2_15 diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml index 18f7735ae..8b28af0cf 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: azure_cis_v130_3 - title: Storage Accounts - description: Storage Accounts - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark - controls: - - azure_cis_v130_3_1 - - azure_cis_v130_3_2 - - azure_cis_v130_3_3 - - azure_cis_v130_3_4 - - azure_cis_v130_3_6 - - azure_cis_v130_3_7 - - azure_cis_v130_3_8 - - azure_cis_v130_3_9 - - azure_cis_v130_3_10 - - azure_cis_v130_3_11 +id: azure_cis_v130_3 +title: Storage Accounts +description: Storage Accounts +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark +controls: +- azure_cis_v130_3_1 +- azure_cis_v130_3_2 +- azure_cis_v130_3_3 +- azure_cis_v130_3_4 +- azure_cis_v130_3_6 +- azure_cis_v130_3_7 +- azure_cis_v130_3_8 +- azure_cis_v130_3_9 +- azure_cis_v130_3_10 +- azure_cis_v130_3_11 diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml index eb2beaf26..aa49dd6b2 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml 
@@ -1,26 +1,29 @@
+id: azure_cis_v130_4
+title: Database Services
+description: Database Services
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_cis_v130_4
- title: Database Services
- description: Database Services
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_cis_v130_4_1
- - id: azure_cis_v130_4_2
- - id: azure_cis_v130_4_3
- controls:
- - azure_cis_v130_4_4
+- id: azure_cis_v130_4_1
+ type: ""
+- id: azure_cis_v130_4_2
+ type: ""
+- id: azure_cis_v130_4_3
+ type: ""
+controls:
+- azure_cis_v130_4_4
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
index 820d6b484..476411330 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_cis_v130_4_1
- title: SQL Server - Auditing
- description: SQL Server - Auditing
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.1"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_cis_v130_4_1_2
+id: azure_cis_v130_4_1
+title: SQL Server - Auditing
+description: SQL Server - Auditing
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_4_1_2
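Review bot: The three child references added under `control-group:` in azure_cis_v130_4.yaml carry `type: ""`, which agrees neither with the `type: control-group` each of those groups declares at the top of its own file in this same diff nor with the framework file azure_cis_v130.yaml, whose `control-group:` entries are written as bare `- id: azure_cis_v130_4` with no `type` key. An empty-string type looks like a serializer artifact (a struct field written without omitempty) rather than an intentional value, and if the loader dispatches on `type` it may reject the reference or silently treat it as an unknown kind — I cannot tell from the YAML alone which. I would pick one shape and use it everywhere: either drop the key from references, `- id: azure_cis_v130_4_1`, or set it to `type: control-group` so references and definitions agree.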
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml index e369d4d44..b6f4c8b88 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml @@ -1,20 +1,20 @@ -control-group: - id: azure_cis_v130_4_2 - title: SQL Server - Azure Defender for SQL - description: SQL Server - Azure Defender for SQL - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.2" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +id: azure_cis_v130_4_2 +title: SQL Server - Azure Defender for SQL +description: SQL Server - Azure Defender for SQL +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.2" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml index addd58b94..89ddd6b97 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml 
@@ -1,25 +1,25 @@
-control-group:
- id: azure_cis_v130_4_3
- title: PostgreSQL Database Server
- description: PostgreSQL Database Server
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.3"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v130_4_3_1
- - azure_cis_v130_4_3_2
- - azure_cis_v130_4_3_5
- - azure_cis_v130_4_3_8
+id: azure_cis_v130_4_3
+title: PostgreSQL Database Server
+description: PostgreSQL Database Server
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.3"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_4_3_1
+- azure_cis_v130_4_3_2
+- azure_cis_v130_4_3_5
+- azure_cis_v130_4_3_8
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
index 05721e40a..24c73a434 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
@@ -1,25 +1,27 @@
+id: azure_cis_v130_5
+title: Logging and Monitoring
+description: Logging and Monitoring
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_cis_v130_5
- title: Logging and Monitoring
- description: Logging and Monitoring
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_cis_v130_5_1
- - id: azure_cis_v130_5_2
- controls:
- - azure_cis_v130_5_3
+- id: azure_cis_v130_5_1
+ type: ""
+- id: azure_cis_v130_5_2
+ type: ""
+controls:
+- azure_cis_v130_5_3
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
index bc7d62b64..10b2dabfb 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_cis_v130_5_1
- title: Configuring Diagnostic Settings
- description: Configuring Diagnostic Settings
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.1"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v130_5_1_1
- - azure_cis_v130_5_1_2
- - azure_cis_v130_5_1_3
- - azure_cis_v130_5_1_5
+id: azure_cis_v130_5_1
+title: Configuring Diagnostic Settings
+description: Configuring Diagnostic Settings
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_5_1_1
+- azure_cis_v130_5_1_2
+- azure_cis_v130_5_1_3
+- azure_cis_v130_5_1_5
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
index d380704b7..d67f9564d 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: azure_cis_v130_5_2
- title: Monitoring using Activity Log Alerts
- description: Monitoring using Activity Log Alerts
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.2"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
- controls:
- - azure_cis_v130_5_2_1
- - azure_cis_v130_5_2_2
- - azure_cis_v130_5_2_3
- - azure_cis_v130_5_2_4
- - azure_cis_v130_5_2_5
- - azure_cis_v130_5_2_6
- - azure_cis_v130_5_2_7
- - azure_cis_v130_5_2_8
- - azure_cis_v130_5_2_9
+id: azure_cis_v130_5_2
+title: Monitoring using Activity Log Alerts
+description: Monitoring using Activity Log Alerts
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.2"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_5_2_1
+- azure_cis_v130_5_2_2
+- azure_cis_v130_5_2_3
+- azure_cis_v130_5_2_4
+- azure_cis_v130_5_2_5
+- azure_cis_v130_5_2_6
+- azure_cis_v130_5_2_7
+- azure_cis_v130_5_2_8
+- azure_cis_v130_5_2_9
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
index ba9752014..cdc2e2e0a 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_cis_v130_6
- title: Networking
- description: Networking
- section-code: "6"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "6"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_cis_v130_6_1
- - azure_cis_v130_6_2
- - azure_cis_v130_6_3
- - azure_cis_v130_6_6
+id: azure_cis_v130_6
+title: Networking
+description: Networking
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "6"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_6_1
+- azure_cis_v130_6_2
+- azure_cis_v130_6_3
+- azure_cis_v130_6_6
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
index 161da5311..609712f3c 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_cis_v130_7
- title: Virtual Machines
- description: Virtual Machines
- section-code: "7"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "7"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_cis_v130_7_1
- - azure_cis_v130_7_2
- - azure_cis_v130_7_3
- - azure_cis_v130_7_4
- - azure_cis_v130_7_5
- - azure_cis_v130_7_6
- - azure_cis_v130_7_7
+id: azure_cis_v130_7
+title: Virtual Machines
+description: Virtual Machines
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "7"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_7_1
+- azure_cis_v130_7_2
+- azure_cis_v130_7_3
+- azure_cis_v130_7_4
+- azure_cis_v130_7_5
+- azure_cis_v130_7_6
+- azure_cis_v130_7_7
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
index 6173a8af8..b9fb4a307 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: azure_cis_v130_8
- title: Other Security Considerations
- description: Other Security Considerations
- section-code: "8"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "8"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v130_8_1
- - azure_cis_v130_8_2
- - azure_cis_v130_8_3
- - azure_cis_v130_8_4
- - azure_cis_v130_8_5
+id: azure_cis_v130_8
+title: Other Security Considerations
+description: Other Security Considerations
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "8"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_8_1
+- azure_cis_v130_8_2
+- azure_cis_v130_8_3
+- azure_cis_v130_8_4
+- azure_cis_v130_8_5
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
index 3aa772c46..29bc4ac01 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: azure_cis_v130_9
- title: AppService
- description: AppService
- section-code: "9"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "9"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_cis_v130_9_1
- - azure_cis_v130_9_2
- - azure_cis_v130_9_3
- - azure_cis_v130_9_4
- - azure_cis_v130_9_5
- - azure_cis_v130_9_6
- - azure_cis_v130_9_7
- - azure_cis_v130_9_8
- - azure_cis_v130_9_9
- - azure_cis_v130_9_11
+id: azure_cis_v130_9
+title: AppService
+description: AppService
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "9"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_cis_v130_9_1
+- azure_cis_v130_9_2
+- azure_cis_v130_9_3
+- azure_cis_v130_9_4
+- azure_cis_v130_9_5
+- azure_cis_v130_9_6
+- azure_cis_v130_9_7
+- azure_cis_v130_9_8
+- azure_cis_v130_9_9
+- azure_cis_v130_9_11
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml
index a66d1cd1e..05d4ed9fd 100644
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml
@@ -1,36 +1,36 @@
-framework:
- id: azure_cis_v140
- title: CIS v1.4.0
- description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
- section-code: azure_cis_v140
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.4.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_cis_v140_1
- - id: azure_cis_v140_2
- - id: azure_cis_v140_3
- - id: azure_cis_v140_4
- - id: azure_cis_v140_5
- - id: azure_cis_v140_6
- - id: azure_cis_v140_7
- - id: azure_cis_v140_8
- - id: azure_cis_v140_9
+id: azure_cis_v140
+title: CIS v1.4.0
+description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+section-code: azure_cis_v140
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.4.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_cis_v140_1
+- id: azure_cis_v140_2
+- id: azure_cis_v140_3
+- id: azure_cis_v140_4
+- id: azure_cis_v140_5
+- id: azure_cis_v140_6
+- id: azure_cis_v140_7
+- id: azure_cis_v140_8
+- id: azure_cis_v140_9
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
index 3f9e5d501..52d993a40 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
@@ -1,41 +1,41 @@
-control-group:
- id: azure_cis_v140_1
- title: Identity and Access Management
- description: Identity and Access Management
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_cis_v140_1_1
- - azure_cis_v140_1_2
- - azure_cis_v140_1_3
- - azure_cis_v140_1_4
- - azure_cis_v140_1_5
- - azure_cis_v140_1_7
- - azure_cis_v140_1_9
- - azure_cis_v140_1_10
- - azure_cis_v140_1_11
- - azure_cis_v140_1_12
- - azure_cis_v140_1_13
- - azure_cis_v140_1_14
- - azure_cis_v140_1_15
- - azure_cis_v140_1_16
- - azure_cis_v140_1_17
- - azure_cis_v140_1_18
- - azure_cis_v140_1_19
- - azure_cis_v140_1_20
- - azure_cis_v140_1_21
- - azure_cis_v140_1_22
+id: azure_cis_v140_1
+title: Identity and Access Management
+description: Identity and Access Management
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_1_1
+- azure_cis_v140_1_2
+- azure_cis_v140_1_3
+- azure_cis_v140_1_4
+- azure_cis_v140_1_5
+- azure_cis_v140_1_7
+- azure_cis_v140_1_9
+- azure_cis_v140_1_10
+- azure_cis_v140_1_11
+- azure_cis_v140_1_12
+- azure_cis_v140_1_13
+- azure_cis_v140_1_14
+- azure_cis_v140_1_15
+- azure_cis_v140_1_16
+- azure_cis_v140_1_17
+- azure_cis_v140_1_18
+- azure_cis_v140_1_19
+- azure_cis_v140_1_20
+- azure_cis_v140_1_21
+- azure_cis_v140_1_22
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
index bed9a990e..866a6b046 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: azure_cis_v140_2
- title: Microsoft Defender for Cloud
- description: Microsoft Defender for Cloud
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
- controls:
- - azure_cis_v140_2_1
- - azure_cis_v140_2_2
- - azure_cis_v140_2_3
- - azure_cis_v140_2_4
- - azure_cis_v140_2_5
- - azure_cis_v140_2_6
- - azure_cis_v140_2_7
- - azure_cis_v140_2_8
- - azure_cis_v140_2_9
- - azure_cis_v140_2_10
- - azure_cis_v140_2_11
- - azure_cis_v140_2_12
- - azure_cis_v140_2_13
- - azure_cis_v140_2_14
- - azure_cis_v140_2_15
+id: azure_cis_v140_2
+title: Microsoft Defender for Cloud
+description: Microsoft Defender for Cloud
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_2_1
+- azure_cis_v140_2_2
+- azure_cis_v140_2_3
+- azure_cis_v140_2_4
+- azure_cis_v140_2_5
+- azure_cis_v140_2_6
+- azure_cis_v140_2_7
+- azure_cis_v140_2_8
+- azure_cis_v140_2_9
+- azure_cis_v140_2_10
+- azure_cis_v140_2_11
+- azure_cis_v140_2_12
+- azure_cis_v140_2_13
+- azure_cis_v140_2_14
+- azure_cis_v140_2_15
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
index f9398b03d..79a05b76d 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
@@ -1,32 +1,32 @@
-control-group:
- id: azure_cis_v140_3
- title: Storage Accounts
- description: Storage Accounts
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
- controls:
- - azure_cis_v140_3_1
- - azure_cis_v140_3_2
- - azure_cis_v140_3_3
- - azure_cis_v140_3_4
- - azure_cis_v140_3_6
- - azure_cis_v140_3_7
- - azure_cis_v140_3_8
- - azure_cis_v140_3_9
- - azure_cis_v140_3_10
- - azure_cis_v140_3_11
- - azure_cis_v140_3_12
+id: azure_cis_v140_3
+title: Storage Accounts
+description: Storage Accounts
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_3_1
+- azure_cis_v140_3_2
+- azure_cis_v140_3_3
+- azure_cis_v140_3_4
+- azure_cis_v140_3_6
+- azure_cis_v140_3_7
+- azure_cis_v140_3_8
+- azure_cis_v140_3_9
+- azure_cis_v140_3_10
+- azure_cis_v140_3_11
+- azure_cis_v140_3_12
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
index 55b593f53..e7736b0f2 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
@@ -1,27 +1,31 @@
+id: azure_cis_v140_4
+title: Database Services
+description: Database Services
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_cis_v140_4
- title: Database Services
- description: Database Services
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_cis_v140_4_1
- - id: azure_cis_v140_4_2
- - id: azure_cis_v140_4_3
- - id: azure_cis_v140_4_4
- controls:
- - azure_cis_v140_4_5
+- id: azure_cis_v140_4_1
+ type: ""
+- id: azure_cis_v140_4_2
+ type: ""
+- id: azure_cis_v140_4_3
+ type: ""
+- id: azure_cis_v140_4_4
+ type: ""
+controls:
+- azure_cis_v140_4_5
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
index f178708a3..62ed97f1d 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_cis_v140_4_1
- title: SQL Server - Auditing
- description: SQL Server - Auditing
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_cis_v140_4_1_2
+id: azure_cis_v140_4_1
+title: SQL Server - Auditing
+description: SQL Server - Auditing
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_4_1_2
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
index 0a3475ea8..cdb270b84 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_cis_v140_4_2
- title: SQL Server - Azure Defender for SQL
- description: SQL Server - Azure Defender for SQL
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+id: azure_cis_v140_4_2
+title: SQL Server - Azure Defender for SQL
+description: SQL Server - Azure Defender for SQL
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
index 70582e761..022c24f2a 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: azure_cis_v140_4_3
- title: PostgreSQL Database Server
- description: PostgreSQL Database Server
- section-code: "3"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.3"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v140_4_3_1
- - azure_cis_v140_4_3_7
- - azure_cis_v140_4_3_8
+id: azure_cis_v140_4_3
+title: PostgreSQL Database Server
+description: PostgreSQL Database Server
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.3"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_4_3_1
+- azure_cis_v140_4_3_7
+- azure_cis_v140_4_3_8
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
index 65705e837..88867a90d 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: azure_cis_v140_4_4
- title: MySQL Database
- description: MySQL Database
- section-code: "4"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.4"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_cis_v140_4_4_1
- - azure_cis_v140_4_4_2
+id: azure_cis_v140_4_4
+title: MySQL Database
+description: MySQL Database
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.4"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_4_4_1
+- azure_cis_v140_4_4_2
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
index 984b499d3..118d8b9cb 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
@@ -1,25 +1,27 @@
+id: azure_cis_v140_5
+title: Logging and Monitoring
+description: Logging and Monitoring
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_cis_v140_5
- title: Logging and Monitoring
- description: Logging and Monitoring
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_cis_v140_5_1
- - id: azure_cis_v140_5_2
- controls:
- - azure_cis_v140_5_3
+- id: azure_cis_v140_5_1
+ type: ""
+- id: azure_cis_v140_5_2
+ type: ""
+controls:
+- azure_cis_v140_5_3
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
index 20d12c7f9..9c0db70b4 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_cis_v140_5_1
- title: Configuring Diagnostic Settings
- description: Configuring Diagnostic Settings
- section-code: "1"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v140_5_1_1
- - azure_cis_v140_5_1_2
- - azure_cis_v140_5_1_3
- - azure_cis_v140_5_1_5
+id: azure_cis_v140_5_1
+title: Configuring Diagnostic Settings
+description: Configuring Diagnostic Settings
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_5_1_1
+- azure_cis_v140_5_1_2
+- azure_cis_v140_5_1_3
+- azure_cis_v140_5_1_5
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
index fa5a2c67f..50139d0d2 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: azure_cis_v140_5_2
- title: Monitoring using Activity Log Alerts
- description: Monitoring using Activity Log Alerts
- section-code: "2"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
- controls:
- - azure_cis_v140_5_2_1
- - azure_cis_v140_5_2_2
- - azure_cis_v140_5_2_3
- - azure_cis_v140_5_2_4
- - azure_cis_v140_5_2_5
- - azure_cis_v140_5_2_6
- - azure_cis_v140_5_2_7
- - azure_cis_v140_5_2_8
- - azure_cis_v140_5_2_9
+id: azure_cis_v140_5_2
+title: Monitoring using Activity Log Alerts
+description: Monitoring using Activity Log Alerts
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_5_2_1
+- azure_cis_v140_5_2_2
+- azure_cis_v140_5_2_3
+- azure_cis_v140_5_2_4
+- azure_cis_v140_5_2_5
+- azure_cis_v140_5_2_6
+- azure_cis_v140_5_2_7
+- azure_cis_v140_5_2_8
+- azure_cis_v140_5_2_9
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
index 000acc277..acf0fbac4 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_cis_v140_6
- title: Networking
- description: Networking
- section-code: "6"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "6"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_cis_v140_6_1
- - azure_cis_v140_6_2
- - azure_cis_v140_6_3
- - azure_cis_v140_6_6
+id: azure_cis_v140_6
+title: Networking
+description: Networking
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "6"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_6_1
+- azure_cis_v140_6_2
+- azure_cis_v140_6_3
+- azure_cis_v140_6_6
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
index a91ef86d0..0e315cbaf 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_cis_v140_7
- title: Virtual Machines
- description: Virtual Machines
- section-code: "7"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "7"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_cis_v140_7_1
- - azure_cis_v140_7_2
- - azure_cis_v140_7_3
- - azure_cis_v140_7_4
- - azure_cis_v140_7_5
- - azure_cis_v140_7_6
- - azure_cis_v140_7_7
+id: azure_cis_v140_7
+title: Virtual Machines
+description: Virtual Machines
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "7"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_7_1
+- azure_cis_v140_7_2
+- azure_cis_v140_7_3
+- azure_cis_v140_7_4
+- azure_cis_v140_7_5
+- azure_cis_v140_7_6
+- azure_cis_v140_7_7
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml
index 2eba4e852..624ec416e 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_cis_v140_8
- title: Other Security Considerations
- description: Other Security Considerations
- section-code: "8"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "8"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cis_v140_8_1
- - azure_cis_v140_8_2
- - azure_cis_v140_8_3
- - azure_cis_v140_8_4
- - azure_cis_v140_8_5
- - azure_cis_v140_8_6
- - azure_cis_v140_8_7
+id: azure_cis_v140_8
+title: Other Security Considerations
+description: Other Security Considerations
+section-code: "8"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "8"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_8_1
+- azure_cis_v140_8_2
+- azure_cis_v140_8_3
+- azure_cis_v140_8_4
+- azure_cis_v140_8_5
+- azure_cis_v140_8_6
+- azure_cis_v140_8_7
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml
index 502ef1ef7..955bb6669 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: azure_cis_v140_9
- title: AppService
- description: AppService
- section-code: "9"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "9"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_cis_v140_9_1
- - azure_cis_v140_9_2
- - azure_cis_v140_9_3
- - azure_cis_v140_9_4
- - azure_cis_v140_9_5
- - azure_cis_v140_9_6
- - azure_cis_v140_9_7
- - azure_cis_v140_9_8
- - azure_cis_v140_9_9
- - azure_cis_v140_9_11
+id: azure_cis_v140_9
+title: AppService
+description: AppService
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "9"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_cis_v140_9_1
+- azure_cis_v140_9_2
+- azure_cis_v140_9_3
+- azure_cis_v140_9_4
+- azure_cis_v140_9_5
+- azure_cis_v140_9_6
+- azure_cis_v140_9_7
+- azure_cis_v140_9_8
+- azure_cis_v140_9_9
+- azure_cis_v140_9_11
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml
index 0353cdf86..642d77161 100644
--- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml
+++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml
@@ -1,37 +1,37 @@
-framework:
- id: azure_cis_v150
- title: CIS v1.5.0
- description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
- section-code: azure_cis_v150
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.5.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_cis_v150_1
- - id: azure_cis_v150_2
- - id: azure_cis_v150_3
- - id: azure_cis_v150_4
- - id: azure_cis_v150_5
- - id: azure_cis_v150_6
- - id: azure_cis_v150_7
- - id: azure_cis_v150_8
- - id: azure_cis_v150_9
- - id: azure_cis_v150_10
+id: azure_cis_v150
+title: CIS v1.5.0
+description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+section-code: azure_cis_v150
+type: framework
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.5.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_cis_v150_1
+- id: azure_cis_v150_2
+- id: azure_cis_v150_3
+- id: azure_cis_v150_4
+- id: azure_cis_v150_5
+- id: azure_cis_v150_6
+- id: azure_cis_v150_7
+- id: azure_cis_v150_8
+- id: azure_cis_v150_9
+- id: azure_cis_v150_10
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml
index 051d3866e..ce154757c 100755
--- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml
@@ -1,45 +1,47 @@ +id: azure_cis_v150_1 +title: Identity and Access Management +description: Identity and Access Management +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark control-group: - id: azure_cis_v150_1 - title: Identity and Access Management - description: Identity and Access Management - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - control-group: - - id: azure_cis_v150_1_1 - - id: azure_cis_v150_1_2 - controls: - - azure_cis_v150_1_3 - - azure_cis_v150_1_4 - - azure_cis_v150_1_5 - - azure_cis_v150_1_6 - - azure_cis_v150_1_7 - - azure_cis_v150_1_8 - - azure_cis_v150_1_9 - - azure_cis_v150_1_10 - - azure_cis_v150_1_11 - - azure_cis_v150_1_12 - - azure_cis_v150_1_14 - - azure_cis_v150_1_15 - - azure_cis_v150_1_16 - - azure_cis_v150_1_17 - - azure_cis_v150_1_19 - - azure_cis_v150_1_20 - - azure_cis_v150_1_21 - - azure_cis_v150_1_22 - - azure_cis_v150_1_23 - - azure_cis_v150_1_24 - - azure_cis_v150_1_25 +- id: azure_cis_v150_1_1 + type: "" +- id: azure_cis_v150_1_2 + type: "" +controls: +- azure_cis_v150_1_3 +- azure_cis_v150_1_4 +- azure_cis_v150_1_5 +- azure_cis_v150_1_6 +- azure_cis_v150_1_7 +- azure_cis_v150_1_8 +- azure_cis_v150_1_9 +- azure_cis_v150_1_10 +- azure_cis_v150_1_11 +- azure_cis_v150_1_12 +- azure_cis_v150_1_14 +- azure_cis_v150_1_15 +- azure_cis_v150_1_16 +- azure_cis_v150_1_17 +- azure_cis_v150_1_19 +- azure_cis_v150_1_20 +- azure_cis_v150_1_21 +- azure_cis_v150_1_22 +- azure_cis_v150_1_23 +- azure_cis_v150_1_24 +- azure_cis_v150_1_25 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml index d28628139..6c0deb4f2 100755 
--- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml @@ -1,22 +1,22 @@ -control-group: - id: azure_cis_v150_10 - title: Miscellaneous - description: Miscellaneous - section-code: "10" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "10" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v150_10_1 +id: azure_cis_v150_10 +title: Miscellaneous +description: Miscellaneous +section-code: "10" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "10" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v150_10_1 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml index b3d9b2ee9..c71229dcd 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml @@ -1,25 +1,25 @@ -control-group: - id: azure_cis_v150_1_1 - title: Security Defaults - description: Security Defaults - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_cis_v150_1_1_1 - - azure_cis_v150_1_1_2 - - azure_cis_v150_1_1_3 - - azure_cis_v150_1_1_4 +id: azure_cis_v150_1_1 +title: Security Defaults +description: Security Defaults +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_cis_v150_1_1_1 +- azure_cis_v150_1_1_2 +- azure_cis_v150_1_1_3 +- azure_cis_v150_1_1_4 
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml index 092e1edf8..fa8645131 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml @@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v150_1_2 - title: Conditional Access - description: Conditional Access - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_cis_v150_1_2_1 - - azure_cis_v150_1_2_2 - - azure_cis_v150_1_2_3 - - azure_cis_v150_1_2_4 - - azure_cis_v150_1_2_5 - - azure_cis_v150_1_2_6 +id: azure_cis_v150_1_2 +title: Conditional Access +description: Conditional Access +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_cis_v150_1_2_1 +- azure_cis_v150_1_2_2 +- azure_cis_v150_1_2_3 +- azure_cis_v150_1_2_4 +- azure_cis_v150_1_2_5 +- azure_cis_v150_1_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml index a6a4e1b27..db18c1213 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml 
@@ -1,28 +1,32 @@ +id: azure_cis_v150_2 +title: Microsoft Defender for Cloud +description: Microsoft Defender for Cloud +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark control-group: - id: azure_cis_v150_2 - title: Microsoft Defender for Cloud - description: Microsoft Defender for Cloud - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - control-group: - - id: azure_cis_v150_2_1 - - id: azure_cis_v150_2_2 - - id: azure_cis_v150_2_3 - - id: azure_cis_v150_2_4 - controls: - - azure_cis_v150_2_5 - - azure_cis_v150_2_6 +- id: azure_cis_v150_2_1 + type: "" +- id: azure_cis_v150_2_2 + type: "" +- id: azure_cis_v150_2_3 + type: "" +- id: azure_cis_v150_2_4 + type: "" +controls: +- azure_cis_v150_2_5 +- azure_cis_v150_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml index c5e44c5f6..e59fb8eb7 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: azure_cis_v150_2_1 - title: Defender Plans - description: Defender Plans - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v150_2_1_1 - - azure_cis_v150_2_1_2 - - azure_cis_v150_2_1_3 - - azure_cis_v150_2_1_4 - - azure_cis_v150_2_1_5 - - azure_cis_v150_2_1_6 - - azure_cis_v150_2_1_7 - - azure_cis_v150_2_1_8 - - azure_cis_v150_2_1_9 - - azure_cis_v150_2_1_10 - - azure_cis_v150_2_1_11 - - azure_cis_v150_2_1_12 - - azure_cis_v150_2_1_13 +id: azure_cis_v150_2_1 +title: Defender Plans +description: Defender Plans +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v150_2_1_1 +- azure_cis_v150_2_1_2 +- azure_cis_v150_2_1_3 +- azure_cis_v150_2_1_4 +- azure_cis_v150_2_1_5 +- azure_cis_v150_2_1_6 +- azure_cis_v150_2_1_7 +- azure_cis_v150_2_1_8 +- azure_cis_v150_2_1_9 +- azure_cis_v150_2_1_10 +- azure_cis_v150_2_1_11 +- azure_cis_v150_2_1_12 +- azure_cis_v150_2_1_13 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml index d49ac73e9..fbbef435f 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml 
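Review bot: `cis_section_id` in the new azure_cis_v150_2_1 block is `"2"`, which identifies the parent section rather than this subgroup, whereas the parallel subgroup files azure_cis_v150_1_1, azure_cis_v150_1_2 and azure_cis_v150_4_1 through azure_cis_v150_4_4 carry the full dotted id (`"1.1"`, `"1.2"`, `"4.1"` and so on). The same parent-only value survives in azure_cis_v150_2_2, azure_cis_v150_2_3, azure_cis_v150_2_4, azure_cis_v150_4_5, azure_cis_v150_5_1 and azure_cis_v150_5_2, and the removed lines show it predates this commit. If this tag is used to filter or group findings by CIS section, these subgroups will be reported under the parent section and be indistinguishable from it; changing the value to `"2.1"` here (and to the dotted form in the others), or documenting why the parent id is intentional, would settle it.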
@@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v150_2_2 - title: Auto Provisioning - description: Auto Provisioning - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v150_2_2_1 - - azure_cis_v150_2_2_2 - - azure_cis_v150_2_2_3 +id: azure_cis_v150_2_2 +title: Auto Provisioning +description: Auto Provisioning +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v150_2_2_1 +- azure_cis_v150_2_2_2 +- azure_cis_v150_2_2_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml index 4c3788df0..a56787e2c 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml @@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v150_2_3 - title: Email notifications - description: Email notifications - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v150_2_3_1 - - azure_cis_v150_2_3_2 - - azure_cis_v150_2_3_3 +id: azure_cis_v150_2_3 +title: Email notifications +description: Email notifications +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v150_2_3_1 +- azure_cis_v150_2_3_2 +- azure_cis_v150_2_3_3 
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml index 95f935b64..f838596c6 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml @@ -1,23 +1,23 @@ -control-group: - id: azure_cis_v150_2_4 - title: Integrations - description: Integrations - section-code: "4" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v150_2_4_1 - - azure_cis_v150_2_4_2 +id: azure_cis_v150_2_4 +title: Integrations +description: Integrations +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v150_2_4_1 +- azure_cis_v150_2_4_2 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml index b7504894c..dfddf8072 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml 
@@ -1,35 +1,35 @@ -control-group: - id: azure_cis_v150_3 - title: Storage Accounts - description: Storage Accounts - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark - controls: - - azure_cis_v150_3_1 - - azure_cis_v150_3_2 - - azure_cis_v150_3_3 - - azure_cis_v150_3_4 - - azure_cis_v150_3_5 - - azure_cis_v150_3_6 - - azure_cis_v150_3_7 - - azure_cis_v150_3_8 - - azure_cis_v150_3_9 - - azure_cis_v150_3_10 - - azure_cis_v150_3_11 - - azure_cis_v150_3_12 - - azure_cis_v150_3_14 - - azure_cis_v150_3_15 +id: azure_cis_v150_3 +title: Storage Accounts +description: Storage Accounts +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark +controls: +- azure_cis_v150_3_1 +- azure_cis_v150_3_2 +- azure_cis_v150_3_3 +- azure_cis_v150_3_4 +- azure_cis_v150_3_5 +- azure_cis_v150_3_6 +- azure_cis_v150_3_7 +- azure_cis_v150_3_8 +- azure_cis_v150_3_9 +- azure_cis_v150_3_10 +- azure_cis_v150_3_11 +- azure_cis_v150_3_12 +- azure_cis_v150_3_14 +- azure_cis_v150_3_15 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml index b3b0c2a73..bbd928b57 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml 
@@ -1,26 +1,31 @@ +id: azure_cis_v150_4 +title: Database Services +description: Database Services +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_cis_v150_4 - title: Database Services - description: Database Services - section-code: "4" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_cis_v150_4_1 - - id: azure_cis_v150_4_2 - - id: azure_cis_v150_4_3 - - id: azure_cis_v150_4_4 - - id: azure_cis_v150_4_5 +- id: azure_cis_v150_4_1 + type: "" +- id: azure_cis_v150_4_2 + type: "" +- id: azure_cis_v150_4_3 + type: "" +- id: azure_cis_v150_4_4 + type: "" +- id: azure_cis_v150_4_5 + type: "" diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml index e998c301e..f1a3aa8e7 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v150_4_1 - title: SQL Server - Auditing - description: SQL Server - Auditing - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v150_4_1_2 - - azure_cis_v150_4_1_4 - - azure_cis_v150_4_1_5 +id: azure_cis_v150_4_1 +title: SQL Server - Auditing +description: SQL Server - Auditing +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v150_4_1_2 +- azure_cis_v150_4_1_4 +- azure_cis_v150_4_1_5 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml index 2ff48f7f7..420d3206d 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml @@ -1,20 +1,20 @@ -control-group: - id: azure_cis_v150_4_2 - title: SQL Server - Microsoft Defender for SQL - description: SQL Server - Microsoft Defender for SQL - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +id: azure_cis_v150_4_2 +title: SQL Server - Microsoft Defender for SQL +description: SQL Server - Microsoft Defender for SQL +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark 
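Review bot: The new azure_cis_v150_4_2 block (the second hunk on this line) declares a control-group with neither a `controls` list nor a nested `control-group`, so the group evaluates nothing while still appearing in the framework tree under azure_cis_v150_4. The removed side was equally empty, so this is carried over rather than introduced, but after the restructuring it is the only section file in the visible diff with no children at all. Depending on how the loader treats an empty group this either reads as a fully compliant section or fails validation; if the CIS 4.2 controls are deliberately unimplemented, an explicit `controls: []` with a comment such as `# no automated controls for this section yet` would state that, and if they exist elsewhere the references are simply missing here.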
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml index ff5c16bb1..5987d5576 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml @@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v150_4_3 - title: PostgreSQL Database Server - description: PostgreSQL Database Server - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.3" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v150_4_3_1 - - azure_cis_v150_4_3_7 - - azure_cis_v150_4_3_8 +id: azure_cis_v150_4_3 +title: PostgreSQL Database Server +description: PostgreSQL Database Server +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.3" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v150_4_3_1 +- azure_cis_v150_4_3_7 +- azure_cis_v150_4_3_8 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml index dd37b94ac..b2a30d2fa 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml 
@@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v150_4_4 - title: MySQL Database - description: MySQL Database - section-code: "4" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v150_4_4_1 - - azure_cis_v150_4_4_2 - - azure_cis_v150_4_4_3 +id: azure_cis_v150_4_4 +title: MySQL Database +description: MySQL Database +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v150_4_4_1 +- azure_cis_v150_4_4_2 +- azure_cis_v150_4_4_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml index 00246bdfd..b6ba68818 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml @@ -1,23 +1,23 @@ -control-group: - id: azure_cis_v150_4_5 - title: Cosmos DB - description: Cosmos DB - section-code: "5" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v150_4_5_1 - - azure_cis_v150_4_5_2 +id: azure_cis_v150_4_5 +title: Cosmos DB +description: Cosmos DB +section-code: "5" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v150_4_5_1 +- azure_cis_v150_4_5_2 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml index 40260b9d9..30646325f 100755 
--- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml @@ -1,25 +1,27 @@ +id: azure_cis_v150_5 +title: Logging and Monitoring +description: Logging and Monitoring +section-code: "5" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_cis_v150_5 - title: Logging and Monitoring - description: Logging and Monitoring - section-code: "5" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_cis_v150_5_1 - - id: azure_cis_v150_5_2 - controls: - - azure_cis_v150_5_3 +- id: azure_cis_v150_5_1 + type: "" +- id: azure_cis_v150_5_2 + type: "" +controls: +- azure_cis_v150_5_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml index ded11697e..42d9dca36 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v150_5_1 - title: Configuring Diagnostic Settings - description: Configuring Diagnostic Settings - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v150_5_1_1 - - azure_cis_v150_5_1_2 - - azure_cis_v150_5_1_3 - - azure_cis_v150_5_1_5 - - azure_cis_v150_5_1_6 - - azure_cis_v150_5_1_7 +id: azure_cis_v150_5_1 +title: Configuring Diagnostic Settings +description: Configuring Diagnostic Settings +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v150_5_1_1 +- azure_cis_v150_5_1_2 +- azure_cis_v150_5_1_3 +- azure_cis_v150_5_1_5 +- azure_cis_v150_5_1_6 +- azure_cis_v150_5_1_7 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml index 03b32a465..a8e5fbbff 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: azure_cis_v150_5_2 - title: Monitoring using Activity Log Alerts - description: Monitoring using Activity Log Alerts - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_cis_v150_5_2_1 - - azure_cis_v150_5_2_2 - - azure_cis_v150_5_2_3 - - azure_cis_v150_5_2_4 - - azure_cis_v150_5_2_5 - - azure_cis_v150_5_2_6 - - azure_cis_v150_5_2_7 - - azure_cis_v150_5_2_8 - - azure_cis_v150_5_2_9 - - azure_cis_v150_5_2_10 +id: azure_cis_v150_5_2 +title: Monitoring using Activity Log Alerts +description: Monitoring using Activity Log Alerts +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_cis_v150_5_2_1 +- azure_cis_v150_5_2_2 +- azure_cis_v150_5_2_3 +- azure_cis_v150_5_2_4 +- azure_cis_v150_5_2_5 +- azure_cis_v150_5_2_6 +- azure_cis_v150_5_2_7 +- azure_cis_v150_5_2_8 +- azure_cis_v150_5_2_9 +- azure_cis_v150_5_2_10 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml index 5a8db085f..d28990b9d 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml 
@@ -1,25 +1,25 @@ -control-group: - id: azure_cis_v150_6 - title: Networking - description: Networking - section-code: "6" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "6" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark - controls: - - azure_cis_v150_6_1 - - azure_cis_v150_6_2 - - azure_cis_v150_6_3 - - azure_cis_v150_6_4 +id: azure_cis_v150_6 +title: Networking +description: Networking +section-code: "6" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "6" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark +controls: +- azure_cis_v150_6_1 +- azure_cis_v150_6_2 +- azure_cis_v150_6_3 +- azure_cis_v150_6_4 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml index cf3410462..e51f04684 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v150_7 - title: Virtual Machines - description: Virtual Machines - section-code: "7" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "7" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_cis_v150_7_1 - - azure_cis_v150_7_2 - - azure_cis_v150_7_3 - - azure_cis_v150_7_4 - - azure_cis_v150_7_5 - - azure_cis_v150_7_6 +id: azure_cis_v150_7 +title: Virtual Machines +description: Virtual Machines +section-code: "7" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "7" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_cis_v150_7_1 +- azure_cis_v150_7_2 +- azure_cis_v150_7_3 +- azure_cis_v150_7_4 +- azure_cis_v150_7_5 +- azure_cis_v150_7_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml index c16cef95c..e8f303076 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: azure_cis_v150_8 - title: Other Security Considerations - description: Other Security Considerations - section-code: "8" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "8" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v150_8_1 - - azure_cis_v150_8_2 - - azure_cis_v150_8_3 - - azure_cis_v150_8_4 - - azure_cis_v150_8_5 - - azure_cis_v150_8_6 - - azure_cis_v150_8_8 +id: azure_cis_v150_8 +title: Other Security Considerations +description: Other Security Considerations +section-code: "8" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "8" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v150_8_1 +- azure_cis_v150_8_2 +- azure_cis_v150_8_3 +- azure_cis_v150_8_4 +- azure_cis_v150_8_5 +- azure_cis_v150_8_6 +- azure_cis_v150_8_8 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml index 5bacd2b55..ad52cef46 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml 
@@ -1,30 +1,30 @@ -control-group: - id: azure_cis_v150_9 - title: AppService - description: AppService - section-code: "9" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "9" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark - controls: - - azure_cis_v150_9_1 - - azure_cis_v150_9_2 - - azure_cis_v150_9_4 - - azure_cis_v150_9_5 - - azure_cis_v150_9_6 - - azure_cis_v150_9_7 - - azure_cis_v150_9_8 - - azure_cis_v150_9_9 - - azure_cis_v150_9_11 +id: azure_cis_v150_9 +title: AppService +description: AppService +section-code: "9" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "9" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark +controls: +- azure_cis_v150_9_1 +- azure_cis_v150_9_2 +- azure_cis_v150_9_4 +- azure_cis_v150_9_5 +- azure_cis_v150_9_6 +- azure_cis_v150_9_7 +- azure_cis_v150_9_8 +- azure_cis_v150_9_9 +- azure_cis_v150_9_11 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml index bf0bccd71..90a8b5568 100644 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml 
@@ -1,37 +1,37 @@ -framework: - id: azure_cis_v200 - title: CIS v2.0.0 - description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. - section-code: azure_cis_v200 - tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v2.0.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - azure - service: - - Azure - type: - - Benchmark - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: azure_cis_v200_1 - - id: azure_cis_v200_2 - - id: azure_cis_v200_3 - - id: azure_cis_v200_4 - - id: azure_cis_v200_5 - - id: azure_cis_v200_6 - - id: azure_cis_v200_7 - - id: azure_cis_v200_8 - - id: azure_cis_v200_9 - - id: azure_cis_v200_10 +id: azure_cis_v200 +title: CIS v2.0.0 +description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. +section-code: azure_cis_v200 +type: framework +tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v2.0.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - azure + service: + - Azure + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: azure_cis_v200_1 +- id: azure_cis_v200_2 +- id: azure_cis_v200_3 +- id: azure_cis_v200_4 +- id: azure_cis_v200_5 +- id: azure_cis_v200_6 +- id: azure_cis_v200_7 +- id: azure_cis_v200_8 +- id: azure_cis_v200_9 +- id: azure_cis_v200_10 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml index 4cb4b718b..5810fee9d 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml 
@@ -1,46 +1,48 @@ +id: azure_cis_v200_1 +title: Identity and Access Management +description: Identity and Access Management +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark control-group: - id: azure_cis_v200_1 - title: Identity and Access Management - description: Identity and Access Management - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - control-group: - - id: azure_cis_v200_1_1 - - id: azure_cis_v200_1_2 - controls: - - azure_cis_v200_1_3 - - azure_cis_v200_1_4 - - azure_cis_v200_1_5 - - azure_cis_v200_1_6 - - azure_cis_v200_1_7 - - azure_cis_v200_1_8 - - azure_cis_v200_1_9 - - azure_cis_v200_1_10 - - azure_cis_v200_1_12 - - azure_cis_v200_1_13 - - azure_cis_v200_1_14 - - azure_cis_v200_1_15 - - azure_cis_v200_1_16 - - azure_cis_v200_1_17 - - azure_cis_v200_1_18 - - azure_cis_v200_1_19 - - azure_cis_v200_1_20 - - azure_cis_v200_1_21 - - azure_cis_v200_1_22 - - azure_cis_v200_1_23 - - azure_cis_v200_1_24 - - azure_cis_v200_1_25 +- id: azure_cis_v200_1_1 + type: "" +- id: azure_cis_v200_1_2 + type: "" +controls: +- azure_cis_v200_1_3 +- azure_cis_v200_1_4 +- azure_cis_v200_1_5 +- azure_cis_v200_1_6 +- azure_cis_v200_1_7 +- azure_cis_v200_1_8 +- azure_cis_v200_1_9 +- azure_cis_v200_1_10 +- azure_cis_v200_1_12 +- azure_cis_v200_1_13 +- azure_cis_v200_1_14 +- azure_cis_v200_1_15 +- azure_cis_v200_1_16 +- azure_cis_v200_1_17 +- azure_cis_v200_1_18 +- azure_cis_v200_1_19 +- azure_cis_v200_1_20 +- azure_cis_v200_1_21 +- azure_cis_v200_1_22 +- azure_cis_v200_1_23 +- azure_cis_v200_1_24 +- azure_cis_v200_1_25 
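Review bot: The nested group references in `azure_cis_v200_1` now carry `type: ""` (`- id: azure_cis_v200_1_1` / `  type: ""`), which looks like a serializer emitting a zero-value rather than a deliberate setting. If the loader dispatches on `type` the way the new top-level `type: control-group` suggests, an empty string may fail validation or, worse, silently drop the Security Defaults and Conditional Access subsections from the benchmark. I would either omit the key on references or set it explicitly, e.g. `- id: azure_cis_v200_1_1` followed by `  type: control-group`, and have the schema reject an empty `type`. The same empty value appears on every nested `control-group` reference in this commit.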
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml index 499eef0e7..a2512e485 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml @@ -1,22 +1,22 @@ -control-group: - id: azure_cis_v200_10 - title: Miscellaneous - description: Miscellaneous - section-code: "10" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "10" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v200_10_1 +id: azure_cis_v200_10 +title: Miscellaneous +description: Miscellaneous +section-code: "10" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "10" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v200_10_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml index fb9e1ff54..24d92e029 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml 
@@ -1,25 +1,25 @@ -control-group: - id: azure_cis_v200_1_1 - title: Security Defaults - description: Security Defaults - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_cis_v200_1_1_1 - - azure_cis_v200_1_1_2 - - azure_cis_v200_1_1_3 - - azure_cis_v200_1_1_4 +id: azure_cis_v200_1_1 +title: Security Defaults +description: Security Defaults +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_cis_v200_1_1_1 +- azure_cis_v200_1_1_2 +- azure_cis_v200_1_1_3 +- azure_cis_v200_1_1_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml index 098300780..e33cf9907 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v200_1_2 - title: Conditional Access - description: Conditional Access - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_cis_v200_1_2_1 - - azure_cis_v200_1_2_2 - - azure_cis_v200_1_2_3 - - azure_cis_v200_1_2_4 - - azure_cis_v200_1_2_5 - - azure_cis_v200_1_2_6 +id: azure_cis_v200_1_2 +title: Conditional Access +description: Conditional Access +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_cis_v200_1_2_1 +- azure_cis_v200_1_2_2 +- azure_cis_v200_1_2_3 +- azure_cis_v200_1_2_4 +- azure_cis_v200_1_2_5 +- azure_cis_v200_1_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml index 55abcc986..c7a7befae 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml 
@@ -1,24 +1,27 @@ +id: azure_cis_v200_2 +title: Microsoft Defender +description: Microsoft Defender +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark control-group: - id: azure_cis_v200_2 - title: Microsoft Defender - description: Microsoft Defender - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - control-group: - - id: azure_cis_v200_2_1 - - id: azure_cis_v200_2_2 - - id: azure_cis_v200_2_3 +- id: azure_cis_v200_2_1 + type: "" +- id: azure_cis_v200_2_2 + type: "" +- id: azure_cis_v200_2_3 + type: "" diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml index c3869ba06..88abbb181 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml 
@@ -1,42 +1,42 @@ -control-group: - id: azure_cis_v200_2_1 - title: Microsoft Defender for Cloud - description: Microsoft Defender for Cloud - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v200_2_1_1 - - azure_cis_v200_2_1_2 - - azure_cis_v200_2_1_3 - - azure_cis_v200_2_1_4 - - azure_cis_v200_2_1_5 - - azure_cis_v200_2_1_6 - - azure_cis_v200_2_1_7 - - azure_cis_v200_2_1_8 - - azure_cis_v200_2_1_9 - - azure_cis_v200_2_1_11 - - azure_cis_v200_2_1_12 - - azure_cis_v200_2_1_13 - - azure_cis_v200_2_1_14 - - azure_cis_v200_2_1_15 - - azure_cis_v200_2_1_16 - - azure_cis_v200_2_1_17 - - azure_cis_v200_2_1_18 - - azure_cis_v200_2_1_19 - - azure_cis_v200_2_1_20 - - azure_cis_v200_2_1_21 - - azure_cis_v200_2_1_22 +id: azure_cis_v200_2_1 +title: Microsoft Defender for Cloud +description: Microsoft Defender for Cloud +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v200_2_1_1 +- azure_cis_v200_2_1_2 +- azure_cis_v200_2_1_3 +- azure_cis_v200_2_1_4 +- azure_cis_v200_2_1_5 +- azure_cis_v200_2_1_6 +- azure_cis_v200_2_1_7 +- azure_cis_v200_2_1_8 +- azure_cis_v200_2_1_9 +- azure_cis_v200_2_1_11 +- azure_cis_v200_2_1_12 +- azure_cis_v200_2_1_13 +- azure_cis_v200_2_1_14 +- azure_cis_v200_2_1_15 +- azure_cis_v200_2_1_16 +- azure_cis_v200_2_1_17 +- azure_cis_v200_2_1_18 +- azure_cis_v200_2_1_19 +- azure_cis_v200_2_1_20 +- azure_cis_v200_2_1_21 +- azure_cis_v200_2_1_22 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml index ff8b43560..9be123bc9 100755 
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml @@ -1,22 +1,22 @@ -control-group: - id: azure_cis_v200_2_2 - title: Microsoft Defender for IoT - description: Microsoft Defender for IoT - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark - controls: - - azure_cis_v200_2_2_1 +id: azure_cis_v200_2_2 +title: Microsoft Defender for IoT +description: Microsoft Defender for IoT +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark +controls: +- azure_cis_v200_2_2_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml index 3de051ac2..b8c4a6797 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml @@ -1,20 +1,20 @@ -control-group: - id: azure_cis_v200_2_3 - title: Microsoft Defender for External Attack Surface Monitoring - description: Microsoft Defender for External Attack Surface Monitoring - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +id: azure_cis_v200_2_3 +title: Microsoft Defender for External Attack Surface Monitoring +description: Microsoft Defender for External Attack Surface Monitoring +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark 
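Review bot: `azure_cis_v200_2_3` (Microsoft Defender for External Attack Surface Monitoring) is declared as a `control-group` with neither a `controls:` list nor a nested `control-group:`, so after the restructure it is an empty benchmark node. If the loader treats an empty group as fully compliant, the section will read as passing although nothing is evaluated; please confirm that behaviour. If the item is a manual check, say so in the file, e.g. a `description:` sentence such as `No automated control; verify Defender EASM is enabled manually.` or, if the tag vocabulary has one, a `cis_type:` value marking it as manual. `azure_cis_v200_4_2` in this commit has the same empty shape.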
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml index eb0f55a62..e1793cf7a 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml @@ -1,34 +1,34 @@ -control-group: - id: azure_cis_v200_3 - title: Storage Accounts - description: Storage Accounts - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark - controls: - - azure_cis_v200_3_1 - - azure_cis_v200_3_2 - - azure_cis_v200_3_3 - - azure_cis_v200_3_4 - - azure_cis_v200_3_5 - - azure_cis_v200_3_6 - - azure_cis_v200_3_8 - - azure_cis_v200_3_9 - - azure_cis_v200_3_10 - - azure_cis_v200_3_11 - - azure_cis_v200_3_12 - - azure_cis_v200_3_14 - - azure_cis_v200_3_15 +id: azure_cis_v200_3 +title: Storage Accounts +description: Storage Accounts +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark +controls: +- azure_cis_v200_3_1 +- azure_cis_v200_3_2 +- azure_cis_v200_3_3 +- azure_cis_v200_3_4 +- azure_cis_v200_3_5 +- azure_cis_v200_3_6 +- azure_cis_v200_3_8 +- azure_cis_v200_3_9 +- azure_cis_v200_3_10 +- azure_cis_v200_3_11 +- azure_cis_v200_3_12 +- azure_cis_v200_3_14 +- azure_cis_v200_3_15 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml index b3df4bc4b..1006c0362 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml 
@@ -1,26 +1,31 @@ +id: azure_cis_v200_4 +title: Database Services +description: Database Services +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_cis_v200_4 - title: Database Services - description: Database Services - section-code: "4" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_cis_v200_4_1 - - id: azure_cis_v200_4_2 - - id: azure_cis_v200_4_3 - - id: azure_cis_v200_4_4 - - id: azure_cis_v200_4_5 +- id: azure_cis_v200_4_1 + type: "" +- id: azure_cis_v200_4_2 + type: "" +- id: azure_cis_v200_4_3 + type: "" +- id: azure_cis_v200_4_4 + type: "" +- id: azure_cis_v200_4_5 + type: "" diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml index 790d7a5e2..0df349823 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml 
@@ -1,23 +1,23 @@ -control-group: - id: azure_cis_v200_4_1 - title: SQL Server - Auditing - description: SQL Server - Auditing - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v200_4_1_2 - - azure_cis_v200_4_1_4 +id: azure_cis_v200_4_1 +title: SQL Server - Auditing +description: SQL Server - Auditing +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v200_4_1_2 +- azure_cis_v200_4_1_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml index e4ae6c35a..e1d201631 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml @@ -1,20 +1,20 @@ -control-group: - id: azure_cis_v200_4_2 - title: SQL Server - Microsoft Defender for SQL - description: SQL Server - Microsoft Defender for SQL - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +id: azure_cis_v200_4_2 +title: SQL Server - Microsoft Defender for SQL +description: SQL Server - Microsoft Defender for SQL +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml index ea7e8f4bc..051228377 100755 
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml @@ -1,25 +1,25 @@ -control-group: - id: azure_cis_v200_4_3 - title: PostgreSQL Database Server - description: PostgreSQL Database Server - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.3" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v200_4_3_1 - - azure_cis_v200_4_3_5 - - azure_cis_v200_4_3_7 - - azure_cis_v200_4_3_8 +id: azure_cis_v200_4_3 +title: PostgreSQL Database Server +description: PostgreSQL Database Server +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.3" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v200_4_3_1 +- azure_cis_v200_4_3_5 +- azure_cis_v200_4_3_7 +- azure_cis_v200_4_3_8 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml index 9fed51b45..4bbd070d4 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml 
@@ -1,23 +1,23 @@ -control-group: - id: azure_cis_v200_4_4 - title: MySQL Database - description: MySQL Database - section-code: "4" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v200_4_4_1 - - azure_cis_v200_4_4_2 +id: azure_cis_v200_4_4 +title: MySQL Database +description: MySQL Database +section-code: "4" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v200_4_4_1 +- azure_cis_v200_4_4_2 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml index 99392b534..4e9e8228d 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml @@ -1,24 +1,24 @@ -control-group: - id: azure_cis_v200_4_5 - title: Cosmos DB - description: Cosmos DB - section-code: "5" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_cis_v200_4_5_1 - - azure_cis_v200_4_5_2 - - azure_cis_v200_4_5_3 +id: azure_cis_v200_4_5 +title: Cosmos DB +description: Cosmos DB +section-code: "5" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_cis_v200_4_5_1 +- azure_cis_v200_4_5_2 +- azure_cis_v200_4_5_3 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml index 3e835147d..6485867ff 100755 
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml @@ -1,27 +1,31 @@ +id: azure_cis_v200_5 +title: Logging and Monitoring +description: Logging and Monitoring +section-code: "5" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_cis_v200_5 - title: Logging and Monitoring - description: Logging and Monitoring - section-code: "5" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_cis_v200_5_1 - - id: azure_cis_v200_5_2 - - id: azure_cis_v200_5_3 - - id: azure_cis_v200_5_5 - controls: - - azure_cis_v200_5_4 +- id: azure_cis_v200_5_1 + type: "" +- id: azure_cis_v200_5_2 + type: "" +- id: azure_cis_v200_5_3 + type: "" +- id: azure_cis_v200_5_5 + type: "" +controls: +- azure_cis_v200_5_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml index 37ca5f3b2..b1bf98985 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v200_5_1 - title: Configuring Diagnostic Settings - description: Configuring Diagnostic Settings - section-code: "1" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v200_5_1_1 - - azure_cis_v200_5_1_2 - - azure_cis_v200_5_1_3 - - azure_cis_v200_5_1_5 - - azure_cis_v200_5_1_6 - - azure_cis_v200_5_1_7 +id: azure_cis_v200_5_1 +title: Configuring Diagnostic Settings +description: Configuring Diagnostic Settings +section-code: "1" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v200_5_1_1 +- azure_cis_v200_5_1_2 +- azure_cis_v200_5_1_3 +- azure_cis_v200_5_1_5 +- azure_cis_v200_5_1_6 +- azure_cis_v200_5_1_7 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml index 80ab423ca..7d8588531 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: azure_cis_v200_5_2 - title: Monitoring using Activity Log Alerts - description: Monitoring using Activity Log Alerts - section-code: "2" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_cis_v200_5_2_1 - - azure_cis_v200_5_2_2 - - azure_cis_v200_5_2_3 - - azure_cis_v200_5_2_4 - - azure_cis_v200_5_2_5 - - azure_cis_v200_5_2_6 - - azure_cis_v200_5_2_7 - - azure_cis_v200_5_2_8 - - azure_cis_v200_5_2_9 - - azure_cis_v200_5_2_10 +id: azure_cis_v200_5_2 +title: Monitoring using Activity Log Alerts +description: Monitoring using Activity Log Alerts +section-code: "2" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_cis_v200_5_2_1 +- azure_cis_v200_5_2_2 +- azure_cis_v200_5_2_3 +- azure_cis_v200_5_2_4 +- azure_cis_v200_5_2_5 +- azure_cis_v200_5_2_6 +- azure_cis_v200_5_2_7 +- azure_cis_v200_5_2_8 +- azure_cis_v200_5_2_9 +- azure_cis_v200_5_2_10 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml index 35284a5ff..118f51d70 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml 
@@ -1,22 +1,22 @@ -control-group: - id: azure_cis_v200_5_3 - title: Configuring Application Insights - description: Configuring Application Insights - section-code: "3" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_cis_v200_5_3_1 +id: azure_cis_v200_5_3 +title: Configuring Application Insights +description: Configuring Application Insights +section-code: "3" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_cis_v200_5_3_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml index fe8a6b754..18741fdbd 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml 
@@ -1,29 +1,29 @@ -control-group: - id: azure_cis_v200_5_5 - title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) - description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. - section-code: "5" - tags: - category: - - Compliance - cis: - - "true" - cis_item_id: - - "5.5" - cis_level: - - "2" - cis_section_id: - - "5" - cis_type: - - automated - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Monitor - controls: - - azure_network_lb_no_basic_sku - - azure_network_public_ip_no_basic_sku - - azure_network_virtual_network_gateway_no_basic_sku - - azure_redis_cache_no_basic_sku +id: azure_cis_v200_5_5 +title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) +description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads. +section-code: "5" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_item_id: + - "5.5" + cis_level: + - "2" + cis_section_id: + - "5" + cis_type: + - automated + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Monitor +controls: +- azure_network_lb_no_basic_sku +- azure_network_public_ip_no_basic_sku +- azure_network_virtual_network_gateway_no_basic_sku +- azure_redis_cache_no_basic_sku 
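Review bot: The title and description of `azure_cis_v200_5_5` cover Basic and Consumption SKUs, but the four listed controls only check load balancers, public IPs, virtual network gateways and Redis cache; no listed control addresses a Consumption-tier artefact, so the group's result is narrower than its title claims. Consider adding a sentence to `description:` stating exactly which resource types are evaluated, or adding the missing control if one exists in the repository. The group is also tagged `cis_type:` `- automated` and `cis_item_id:` `- "5.5"` while being a `control-group` rather than a `control`; check that reporting handles item-level tags on a group node.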
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml index 7d42c7d3a..91037e5e7 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml @@ -1,26 +1,26 @@ -control-group: - id: azure_cis_v200_6 - title: Networking - description: Networking - section-code: "6" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "6" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark - controls: - - azure_cis_v200_6_1 - - azure_cis_v200_6_2 - - azure_cis_v200_6_3 - - azure_cis_v200_6_4 - - azure_cis_v200_6_7 +id: azure_cis_v200_6 +title: Networking +description: Networking +section-code: "6" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "6" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark +controls: +- azure_cis_v200_6_1 +- azure_cis_v200_6_2 +- azure_cis_v200_6_3 +- azure_cis_v200_6_4 +- azure_cis_v200_6_7 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml index c7438283f..2d998580e 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: azure_cis_v200_7 - title: Virtual Machines - description: Virtual Machines - section-code: "7" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "7" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_cis_v200_7_1 - - azure_cis_v200_7_2 - - azure_cis_v200_7_3 - - azure_cis_v200_7_4 - - azure_cis_v200_7_5 - - azure_cis_v200_7_6 - - azure_cis_v200_7_7 +id: azure_cis_v200_7 +title: Virtual Machines +description: Virtual Machines +section-code: "7" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "7" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_cis_v200_7_1 +- azure_cis_v200_7_2 +- azure_cis_v200_7_3 +- azure_cis_v200_7_4 +- azure_cis_v200_7_5 +- azure_cis_v200_7_6 +- azure_cis_v200_7_7 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml index 974149535..2c217ecd5 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml 
@@ -1,28 +1,28 @@ -control-group: - id: azure_cis_v200_8 - title: Key Vault - description: Key Vault - section-code: "8" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "8" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_cis_v200_8_1 - - azure_cis_v200_8_2 - - azure_cis_v200_8_3 - - azure_cis_v200_8_4 - - azure_cis_v200_8_5 - - azure_cis_v200_8_6 - - azure_cis_v200_8_8 +id: azure_cis_v200_8 +title: Key Vault +description: Key Vault +section-code: "8" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "8" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_cis_v200_8_1 +- azure_cis_v200_8_2 +- azure_cis_v200_8_3 +- azure_cis_v200_8_4 +- azure_cis_v200_8_5 +- azure_cis_v200_8_6 +- azure_cis_v200_8_8 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml index 91b8fcc3e..8b921fc62 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml 
@@ -1,31 +1,31 @@ -control-group: - id: azure_cis_v200_9 - title: AppService - description: AppService - section-code: "9" - tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "9" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark - controls: - - azure_cis_v200_9_1 - - azure_cis_v200_9_2 - - azure_cis_v200_9_3 - - azure_cis_v200_9_4 - - azure_cis_v200_9_5 - - azure_cis_v200_9_6 - - azure_cis_v200_9_7 - - azure_cis_v200_9_8 - - azure_cis_v200_9_9 - - azure_cis_v200_9_11 +id: azure_cis_v200_9 +title: AppService +description: AppService +section-code: "9" +type: control-group +tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "9" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark +controls: +- azure_cis_v200_9_1 +- azure_cis_v200_9_2 +- azure_cis_v200_9_3 +- azure_cis_v200_9_4 +- azure_cis_v200_9_5 +- azure_cis_v200_9_6 +- azure_cis_v200_9_7 +- azure_cis_v200_9_8 +- azure_cis_v200_9_9 +- azure_cis_v200_9_11 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml index c47206805..1d2e7fa5f 100644 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml 
@@ -1,20 +1,20 @@ -framework: - id: azure_cis_v210 - title: CIS v2.1.0 - description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. - section-code: azure_cis_v210 - defaults: - is-baseline: true - enabled: true - tracks-drift-events: false - control-group: - - id: azure_cis_v210_1 - - id: azure_cis_v210_2 - - id: azure_cis_v210_3 - - id: azure_cis_v210_4 - - id: azure_cis_v210_5 - - id: azure_cis_v210_6 - - id: azure_cis_v210_7 - - id: azure_cis_v210_8 - - id: azure_cis_v210_9 - - id: azure_cis_v210_10 +id: azure_cis_v210 +title: CIS v2.1.0 +description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. +section-code: azure_cis_v210 +type: framework +defaults: + is-baseline: true + enabled: true + tracks-drift-events: false +control-group: +- id: azure_cis_v210_1 +- id: azure_cis_v210_2 +- id: azure_cis_v210_3 +- id: azure_cis_v210_4 +- id: azure_cis_v210_5 +- id: azure_cis_v210_6 +- id: azure_cis_v210_7 +- id: azure_cis_v210_8 +- id: azure_cis_v210_9 +- id: azure_cis_v210_10 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml index c9323863f..c8467f961 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml 
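Review bot: `azure_cis_v210` is marked `is-baseline: true` and `enabled: true`, yet unlike `azure_cis_v200` in this commit it carries no `tags:` block (`plugin`, `service`, `cis_version`, `platform_benchmark_type`, `category`). Anything that filters, groups or reports benchmarks by those tags will miss the one framework that is enabled by default. If tags are intended, add a block mirroring v2.0.0 with `cis_version:` `- v2.1.0`; if the omission is deliberate, a short comment in the file would save the next reader the question.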
@@ -1,31 +1,33 @@ +id: azure_cis_v210_1 +title: Identity and Access Management +description: Identity and Access Management +section-code: "1" +type: control-group control-group: - id: azure_cis_v210_1 - title: Identity and Access Management - description: Identity and Access Management - section-code: "1" - control-group: - - id: azure_cis_v210_1_1 - - id: azure_cis_v210_1_2 - controls: - - azure_cis_v210_1_4 - - azure_cis_v210_1_5 - - azure_cis_v210_1_6 - - azure_cis_v210_1_7 - - azure_cis_v210_1_8 - - azure_cis_v210_1_9 - - azure_cis_v210_1_10 - - azure_cis_v210_1_11 - - azure_cis_v210_1_12 - - azure_cis_v210_1_13 - - azure_cis_v210_1_14 - - azure_cis_v210_1_15 - - azure_cis_v210_1_16 - - azure_cis_v210_1_17 - - azure_cis_v210_1_18 - - azure_cis_v210_1_19 - - azure_cis_v210_1_20 - - azure_cis_v210_1_21 - - azure_cis_v210_1_22 - - azure_cis_v210_1_23 - - azure_cis_v210_1_24 - - azure_cis_v210_1_25 +- id: azure_cis_v210_1_1 + type: "" +- id: azure_cis_v210_1_2 + type: "" +controls: +- azure_cis_v210_1_4 +- azure_cis_v210_1_5 +- azure_cis_v210_1_6 +- azure_cis_v210_1_7 +- azure_cis_v210_1_8 +- azure_cis_v210_1_9 +- azure_cis_v210_1_10 +- azure_cis_v210_1_11 +- azure_cis_v210_1_12 +- azure_cis_v210_1_13 +- azure_cis_v210_1_14 +- azure_cis_v210_1_15 +- azure_cis_v210_1_16 +- azure_cis_v210_1_17 +- azure_cis_v210_1_18 +- azure_cis_v210_1_19 +- azure_cis_v210_1_20 +- azure_cis_v210_1_21 +- azure_cis_v210_1_22 +- azure_cis_v210_1_23 +- azure_cis_v210_1_24 +- azure_cis_v210_1_25 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml index 0c85367eb..ce47bbfa8 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml 
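Review bot: The sub-group references added in this hunk (`- id: azure_cis_v210_1_1` / `  type: ""`) carry an empty-string `type`, while the framework file's references to groups of the same kind (`- id: azure_cis_v210_1` in azure_cis_v210.yaml, earlier in this diff) carry no `type` key at all, so one concept now has three shapes: `type: control-group` on the definition, `type: ""` on a sub-group reference, and no key on a framework-level reference. If the loader dispatches on `type`, an empty string is presumably treated as unknown rather than as a control-group; if it ignores the key on references, the key is just noise that invites drift. I would either write `- id: azure_cis_v210_1_1` followed by `  type: control-group` to match the referenced file, or drop the key on references everywhere so the target file's own `type` stays authoritative. The same `type: ""` pattern recurs in azure_cis_v210_2, _4, _5 and the FedRAMP AC groups later in this diff.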
@@ -1,7 +1,7 @@
-control-group:
- id: azure_cis_v210_10
- title: Miscellaneous
- description: Miscellaneous
- section-code: "10"
- controls:
- - azure_cis_v210_10_1
+id: azure_cis_v210_10
+title: Miscellaneous
+description: Miscellaneous
+section-code: "10"
+type: control-group
+controls:
+- azure_cis_v210_10_1
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
index 16cbf4142..1c023e913 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_cis_v210_1_1
- title: Security Defaults
- description: Security Defaults
- section-code: "1"
- controls:
- - azure_cis_v210_1_1_1
- - azure_cis_v210_1_1_2
- - azure_cis_v210_1_1_3
- - azure_cis_v210_1_1_4
+id: azure_cis_v210_1_1
+title: Security Defaults
+description: Security Defaults
+section-code: "1"
+type: control-group
+controls:
+- azure_cis_v210_1_1_1
+- azure_cis_v210_1_1_2
+- azure_cis_v210_1_1_3
+- azure_cis_v210_1_1_4
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
index bd6070081..70549d3b9 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
@@ -1,13 +1,13 @@ -control-group: - id: azure_cis_v210_1_2 - title: Conditional Access - description: Conditional Access - section-code: "2" - controls: - - azure_cis_v210_1_2_1 - - azure_cis_v210_1_2_2 - - azure_cis_v210_1_2_3 - - azure_cis_v210_1_2_4 - - azure_cis_v210_1_2_5 - - azure_cis_v210_1_2_6 - - azure_cis_v210_1_2_7 +id: azure_cis_v210_1_2 +title: Conditional Access +description: Conditional Access +section-code: "2" +type: control-group +controls: +- azure_cis_v210_1_2_1 +- azure_cis_v210_1_2_2 +- azure_cis_v210_1_2_3 +- azure_cis_v210_1_2_4 +- azure_cis_v210_1_2_5 +- azure_cis_v210_1_2_6 +- azure_cis_v210_1_2_7 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml index 02b6fd5fc..01b46bdd8 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml @@ -1,8 +1,10 @@ +id: azure_cis_v210_2 +title: Microsoft Defender +description: Microsoft Defender +section-code: "2" +type: control-group control-group: - id: azure_cis_v210_2 - title: Microsoft Defender - description: Microsoft Defender - section-code: "2" - control-group: - - id: azure_cis_v210_2_1 - - id: azure_cis_v210_2_2 +- id: azure_cis_v210_2_1 + type: "" +- id: azure_cis_v210_2_2 + type: "" diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml index 9ce0949e8..9e6ff635e 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml 
@@ -1,27 +1,27 @@ -control-group: - id: azure_cis_v210_2_1 - title: Microsoft Defender for Cloud - description: Microsoft Defender for Cloud - section-code: "1" - controls: - - azure_cis_v210_2_1_1 - - azure_cis_v210_2_1_2 - - azure_cis_v210_2_1_3 - - azure_cis_v210_2_1_4 - - azure_cis_v210_2_1_5 - - azure_cis_v210_2_1_6 - - azure_cis_v210_2_1_7 - - azure_cis_v210_2_1_8 - - azure_cis_v210_2_1_10 - - azure_cis_v210_2_1_11 - - azure_cis_v210_2_1_12 - - azure_cis_v210_2_1_13 - - azure_cis_v210_2_1_14 - - azure_cis_v210_2_1_15 - - azure_cis_v210_2_1_16 - - azure_cis_v210_2_1_17 - - azure_cis_v210_2_1_18 - - azure_cis_v210_2_1_19 - - azure_cis_v210_2_1_20 - - azure_cis_v210_2_1_21 - - azure_cis_v210_2_1_22 +id: azure_cis_v210_2_1 +title: Microsoft Defender for Cloud +description: Microsoft Defender for Cloud +section-code: "1" +type: control-group +controls: +- azure_cis_v210_2_1_1 +- azure_cis_v210_2_1_2 +- azure_cis_v210_2_1_3 +- azure_cis_v210_2_1_4 +- azure_cis_v210_2_1_5 +- azure_cis_v210_2_1_6 +- azure_cis_v210_2_1_7 +- azure_cis_v210_2_1_8 +- azure_cis_v210_2_1_10 +- azure_cis_v210_2_1_11 +- azure_cis_v210_2_1_12 +- azure_cis_v210_2_1_13 +- azure_cis_v210_2_1_14 +- azure_cis_v210_2_1_15 +- azure_cis_v210_2_1_16 +- azure_cis_v210_2_1_17 +- azure_cis_v210_2_1_18 +- azure_cis_v210_2_1_19 +- azure_cis_v210_2_1_20 +- azure_cis_v210_2_1_21 +- azure_cis_v210_2_1_22 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml index 13e8a5dd2..e9b4b967d 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml 
@@ -1,7 +1,7 @@
-control-group:
- id: azure_cis_v210_2_2
- title: Microsoft Defender for IoT
- description: Microsoft Defender for IoT
- section-code: "2"
- controls:
- - azure_cis_v210_2_2_1
+id: azure_cis_v210_2_2
+title: Microsoft Defender for IoT
+description: Microsoft Defender for IoT
+section-code: "2"
+type: control-group
+controls:
+- azure_cis_v210_2_2_1
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
index dbf5ddd4f..286795eb8 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_cis_v210_3
- title: Storage Accounts
- description: Storage Accounts
- section-code: "3"
- controls:
- - azure_cis_v210_3_1
- - azure_cis_v210_3_2
- - azure_cis_v210_3_3
- - azure_cis_v210_3_4
- - azure_cis_v210_3_5
- - azure_cis_v210_3_6
- - azure_cis_v210_3_7
- - azure_cis_v210_3_8
- - azure_cis_v210_3_9
- - azure_cis_v210_3_10
- - azure_cis_v210_3_11
- - azure_cis_v210_3_12
- - azure_cis_v210_3_13
- - azure_cis_v210_3_14
- - azure_cis_v210_3_15
- - azure_cis_v210_3_16
+id: azure_cis_v210_3
+title: Storage Accounts
+description: Storage Accounts
+section-code: "3"
+type: control-group
+controls:
+- azure_cis_v210_3_1
+- azure_cis_v210_3_2
+- azure_cis_v210_3_3
+- azure_cis_v210_3_4
+- azure_cis_v210_3_5
+- azure_cis_v210_3_6
+- azure_cis_v210_3_7
+- azure_cis_v210_3_8
+- azure_cis_v210_3_9
+- azure_cis_v210_3_10
+- azure_cis_v210_3_11
+- azure_cis_v210_3_12
+- azure_cis_v210_3_13
+- azure_cis_v210_3_14
+- azure_cis_v210_3_15
+- azure_cis_v210_3_16
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml
index 284bf4ac2..31430d95b 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml @@ -1,10 +1,14 @@ +id: azure_cis_v210_4 +title: Database Services +description: Database Services +section-code: "4" +type: control-group control-group: - id: azure_cis_v210_4 - title: Database Services - description: Database Services - section-code: "4" - control-group: - - id: azure_cis_v210_4_1 - - id: azure_cis_v210_4_3 - - id: azure_cis_v210_4_4 - - id: azure_cis_v210_4_5 +- id: azure_cis_v210_4_1 + type: "" +- id: azure_cis_v210_4_3 + type: "" +- id: azure_cis_v210_4_4 + type: "" +- id: azure_cis_v210_4_5 + type: "" diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml index 5bd2e53d1..b7bce4afe 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml @@ -1,9 +1,9 @@ -control-group: - id: azure_cis_v210_4_1 - title: SQL Server - Auditing - description: SQL Server - Auditing - section-code: "1" - controls: - - azure_cis_v210_4_1_2 - - azure_cis_v210_4_1_4 - - azure_cis_v210_4_1_5 +id: azure_cis_v210_4_1 +title: SQL Server - Auditing +description: SQL Server - Auditing +section-code: "1" +type: control-group +controls: +- azure_cis_v210_4_1_2 +- azure_cis_v210_4_1_4 +- azure_cis_v210_4_1_5 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml index 5e772f221..71c3b8326 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml 
@@ -1,9 +1,9 @@ -control-group: - id: azure_cis_v210_4_3 - title: PostgreSQL Database Server - description: PostgreSQL Database Server - section-code: "3" - controls: - - azure_cis_v210_4_3_1 - - azure_cis_v210_4_3_7 - - azure_cis_v210_4_3_8 +id: azure_cis_v210_4_3 +title: PostgreSQL Database Server +description: PostgreSQL Database Server +section-code: "3" +type: control-group +controls: +- azure_cis_v210_4_3_1 +- azure_cis_v210_4_3_7 +- azure_cis_v210_4_3_8 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml index 386e06208..bb5da5105 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml @@ -1,8 +1,8 @@ -control-group: - id: azure_cis_v210_4_4 - title: MySQL Database - description: MySQL Database - section-code: "4" - controls: - - azure_cis_v210_4_4_1 - - azure_cis_v210_4_4_2 +id: azure_cis_v210_4_4 +title: MySQL Database +description: MySQL Database +section-code: "4" +type: control-group +controls: +- azure_cis_v210_4_4_1 +- azure_cis_v210_4_4_2 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml index aed46d439..733114a7a 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml @@ -1,9 +1,9 @@ -control-group: - id: azure_cis_v210_4_5 - title: Cosmos DB - description: Cosmos DB - section-code: "5" - controls: - - azure_cis_v210_4_5_1 - - azure_cis_v210_4_5_2 - - azure_cis_v210_4_5_3 +id: azure_cis_v210_4_5 +title: Cosmos DB +description: Cosmos DB +section-code: "5" +type: control-group +controls: +- azure_cis_v210_4_5_1 +- azure_cis_v210_4_5_2 +- azure_cis_v210_4_5_3 
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml index 443f0f397..209cc5021 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml @@ -1,12 +1,16 @@ +id: azure_cis_v210_5 +title: Logging and Monitoring +description: Logging and Monitoring +section-code: "5" +type: control-group control-group: - id: azure_cis_v210_5 - title: Logging and Monitoring - description: Logging and Monitoring - section-code: "5" - control-group: - - id: azure_cis_v210_5_1 - - id: azure_cis_v210_5_2 - - id: azure_cis_v210_5_3 - - id: azure_cis_v210_5_5 - controls: - - azure_cis_v210_5_4 +- id: azure_cis_v210_5_1 + type: "" +- id: azure_cis_v210_5_2 + type: "" +- id: azure_cis_v210_5_3 + type: "" +- id: azure_cis_v210_5_5 + type: "" +controls: +- azure_cis_v210_5_4 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml index a088e84fc..12a097850 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml @@ -1,12 +1,12 @@ -control-group: - id: azure_cis_v210_5_1 - title: Configuring Diagnostic Settings - description: Configuring Diagnostic Settings - section-code: "1" - controls: - - azure_cis_v210_5_1_1 - - azure_cis_v210_5_1_2 - - azure_cis_v210_5_1_3 - - azure_cis_v210_5_1_4 - - azure_cis_v210_5_1_5 - - azure_cis_v210_5_1_6 +id: azure_cis_v210_5_1 +title: Configuring Diagnostic Settings +description: Configuring Diagnostic Settings +section-code: "1" +type: control-group +controls: +- azure_cis_v210_5_1_1 +- azure_cis_v210_5_1_2 +- azure_cis_v210_5_1_3 +- azure_cis_v210_5_1_4 +- azure_cis_v210_5_1_5 +- azure_cis_v210_5_1_6 
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml index c1991138a..a8c44694a 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml @@ -1,16 +1,16 @@ -control-group: - id: azure_cis_v210_5_2 - title: Monitoring using Activity Log Alerts - description: Monitoring using Activity Log Alerts - section-code: "2" - controls: - - azure_cis_v210_5_2_1 - - azure_cis_v210_5_2_2 - - azure_cis_v210_5_2_3 - - azure_cis_v210_5_2_4 - - azure_cis_v210_5_2_5 - - azure_cis_v210_5_2_6 - - azure_cis_v210_5_2_7 - - azure_cis_v210_5_2_8 - - azure_cis_v210_5_2_9 - - azure_cis_v210_5_2_10 +id: azure_cis_v210_5_2 +title: Monitoring using Activity Log Alerts +description: Monitoring using Activity Log Alerts +section-code: "2" +type: control-group +controls: +- azure_cis_v210_5_2_1 +- azure_cis_v210_5_2_2 +- azure_cis_v210_5_2_3 +- azure_cis_v210_5_2_4 +- azure_cis_v210_5_2_5 +- azure_cis_v210_5_2_6 +- azure_cis_v210_5_2_7 +- azure_cis_v210_5_2_8 +- azure_cis_v210_5_2_9 +- azure_cis_v210_5_2_10 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml index 4edeec7a2..998fd043b 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml @@ -1,7 +1,7 @@ -control-group: - id: azure_cis_v210_5_3 - title: Configuring Application Insights - description: Configuring Application Insights - section-code: "3" - controls: - - azure_cis_v210_5_3_1 +id: azure_cis_v210_5_3 +title: Configuring Application Insights +description: Configuring Application Insights +section-code: "3" +type: control-group +controls: +- azure_cis_v210_5_3_1 
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
index 62cdd375f..da6a0a02a 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_cis_v210_5_5
- title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
- section-code: "5"
- controls:
- - azure_network_lb_no_basic_sku
- - azure_network_public_ip_no_basic_sku
- - azure_network_virtual_network_gateway_no_basic_sku
- - azure_redis_cache_no_basic_sku
+id: azure_cis_v210_5_5
+title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
+description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
+section-code: "5"
+type: control-group
+controls:
+- azure_network_lb_no_basic_sku
+- azure_network_public_ip_no_basic_sku
+- azure_network_virtual_network_gateway_no_basic_sku
+- azure_redis_cache_no_basic_sku
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml index 4a9832fc4..ec0474317 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml @@ -1,12 +1,12 @@ -control-group: - id: azure_cis_v210_6 - title: Networking - description: Networking - section-code: "6" - controls: - - azure_cis_v210_6_1 - - azure_cis_v210_6_2 - - azure_cis_v210_6_3 - - azure_cis_v210_6_4 - - azure_cis_v210_6_6 - - azure_cis_v210_6_7 +id: azure_cis_v210_6 +title: Networking +description: Networking +section-code: "6" +type: control-group +controls: +- azure_cis_v210_6_1 +- azure_cis_v210_6_2 +- azure_cis_v210_6_3 +- azure_cis_v210_6_4 +- azure_cis_v210_6_6 +- azure_cis_v210_6_7 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml index 78f01145f..05d74a1b6 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml @@ -1,15 +1,15 @@ -control-group: - id: azure_cis_v210_7 - title: Virtual Machines - description: Virtual Machines - section-code: "7" - controls: - - azure_cis_v210_7_1 - - azure_cis_v210_7_2 - - azure_cis_v210_7_3 - - azure_cis_v210_7_4 - - azure_cis_v210_7_5 - - azure_cis_v210_7_6 - - azure_cis_v210_7_7 - - azure_cis_v210_7_8 - - azure_cis_v210_7_9 +id: azure_cis_v210_7 +title: Virtual Machines +description: Virtual Machines +section-code: "7" +type: control-group +controls: +- azure_cis_v210_7_1 +- azure_cis_v210_7_2 +- azure_cis_v210_7_3 +- azure_cis_v210_7_4 +- azure_cis_v210_7_5 +- azure_cis_v210_7_6 +- azure_cis_v210_7_7 +- azure_cis_v210_7_8 +- azure_cis_v210_7_9 
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml index 943e896a9..82a11a0f5 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml @@ -1,13 +1,13 @@ -control-group: - id: azure_cis_v210_8 - title: Key Vault - description: Key Vault - section-code: "8" - controls: - - azure_cis_v210_8_1 - - azure_cis_v210_8_2 - - azure_cis_v210_8_3 - - azure_cis_v210_8_4 - - azure_cis_v210_8_5 - - azure_cis_v210_8_6 - - azure_cis_v210_8_8 +id: azure_cis_v210_8 +title: Key Vault +description: Key Vault +section-code: "8" +type: control-group +controls: +- azure_cis_v210_8_1 +- azure_cis_v210_8_2 +- azure_cis_v210_8_3 +- azure_cis_v210_8_4 +- azure_cis_v210_8_5 +- azure_cis_v210_8_6 +- azure_cis_v210_8_8 diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml index 961014891..b9af56567 100755 --- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml +++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml @@ -1,15 +1,15 @@ -control-group: - id: azure_cis_v210_9 - title: AppService - description: AppService - section-code: "9" - controls: - - azure_cis_v210_9_1 - - azure_cis_v210_9_2 - - azure_cis_v210_9_3 - - azure_cis_v210_9_4 - - azure_cis_v210_9_5 - - azure_cis_v210_9_6 - - azure_cis_v210_9_7 - - azure_cis_v210_9_8 - - azure_cis_v210_9_10 +id: azure_cis_v210_9 +title: AppService +description: AppService +section-code: "9" +type: control-group +controls: +- azure_cis_v210_9_1 +- azure_cis_v210_9_2 +- azure_cis_v210_9_3 +- azure_cis_v210_9_4 +- azure_cis_v210_9_5 +- azure_cis_v210_9_6 +- azure_cis_v210_9_7 +- azure_cis_v210_9_8 +- azure_cis_v210_9_10 
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml index 7e5d1fa1b..b4c9b78fc 100644 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml 
@@ -1,19 +1,19 @@ -framework: - id: azure_fedramp_high - title: FedRAMP High - description: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program. In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB). - section-code: azure_fedramp_high - defaults: - is-baseline: false - enabled: false - tracks-drift-events: false - control-group: - - id: azure_fedramp_high_ac - - id: azure_fedramp_high_au - - id: azure_fedramp_high_cm - - id: azure_fedramp_high_cp - - id: azure_fedramp_high_ia - - id: azure_fedramp_high_ir - - id: azure_fedramp_high_ra - - id: azure_fedramp_high_sc - - id: azure_fedramp_high_si +id: azure_fedramp_high +title: FedRAMP High +description: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. 
FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program. In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB). +section-code: azure_fedramp_high +type: framework +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: azure_fedramp_high_ac +- id: azure_fedramp_high_au +- id: azure_fedramp_high_cm +- id: azure_fedramp_high_cp +- id: azure_fedramp_high_ia +- id: azure_fedramp_high_ir +- id: azure_fedramp_high_ra +- id: azure_fedramp_high_sc +- id: azure_fedramp_high_si diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml index 87d06eb3c..e2fa970a0 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml 
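Review bot: The rewritten `azure_fedramp_high` header keeps a description that ends with `In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB).`, which describes a Salesforce product inside an Azure framework and appears to have been pasted from unrelated copy. Since the commit rewrites this header anyway, I would drop that sentence and end the description at `... responsible for complying with the requirements established by the FedRAMP program.`; any statement about Azure's own FedRAMP High authorization should be sourced rather than inferred. The `defaults` block (`enabled: false`, `is-baseline: false`) is carried over unchanged and is presumably intentional for a non-baseline framework.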
@@ -1,12 +1,18 @@ +id: azure_fedramp_high_ac +title: Access Control (AC) +description: Access control policies and procedures are established and implemented to ensure that access to systems and data is restricted to authorized users, processes, or devices, and to prevent unauthorized access. +section-code: ac +type: control-group control-group: - id: azure_fedramp_high_ac - title: Access Control (AC) - description: Access control policies and procedures are established and implemented to ensure that access to systems and data is restricted to authorized users, processes, or devices, and to prevent unauthorized access. - section-code: ac - control-group: - - id: azure_fedramp_high_ac_2 - - id: azure_fedramp_high_ac_3 - - id: azure_fedramp_high_ac_4 - - id: azure_fedramp_high_ac_5 - - id: azure_fedramp_high_ac_6 - - id: azure_fedramp_high_ac_17 +- id: azure_fedramp_high_ac_2 + type: "" +- id: azure_fedramp_high_ac_3 + type: "" +- id: azure_fedramp_high_ac_4 + type: "" +- id: azure_fedramp_high_ac_5 + type: "" +- id: azure_fedramp_high_ac_6 + type: "" +- id: azure_fedramp_high_ac_17 + type: "" diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml index 581af752b..eed2d87ee 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml 
@@ -1,39 +1,40 @@ +id: azure_fedramp_high_ac_17 +title: Remote Access (AC-17) +description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. +section-code: "17" +type: control-group control-group: - id: azure_fedramp_high_ac_17 - title: Remote Access (AC-17) - description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. - section-code: "17" - control-group: - - id: azure_fedramp_high_ac_17_1 - controls: - - azure_app_configuration_private_link_used - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_function_app_remote_debugging_disabled - - azure_cognitive_account_private_link_used - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - azure_redis_cache_uses_private_link - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - 
azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used +- id: azure_fedramp_high_ac_17_1 + type: "" +controls: +- azure_app_configuration_private_link_used +- azure_appservice_api_app_remote_debugging_disabled +- azure_appservice_function_app_remote_debugging_disabled +- azure_cognitive_account_private_link_used +- azure_compute_disk_access_uses_private_link +- azure_compute_vm_guest_configuration_installed_linux +- azure_compute_vm_guest_configuration_installed_windows +- azure_compute_vm_guest_configuration_with_no_managed_identity +- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity +- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux +- azure_container_registry_uses_private_link +- azure_cosmosdb_account_uses_private_link +- azure_data_factory_uses_private_link +- azure_eventgrid_domain_private_link_used +- azure_eventgrid_topic_private_link_used +- azure_eventhub_namespace_private_link_used +- azure_healthcare_fhir_uses_private_link +- azure_keyvault_vault_private_link_used +- azure_mysql_server_private_link_used +- azure_postgres_server_private_link_used +- azure_redis_cache_uses_private_link +- azure_search_service_uses_private_link +- azure_search_service_uses_sku_supporting_private_link +- azure_servicebus_name_space_private_link_used +- azure_signalr_service_private_link_used +- azure_spring_cloud_service_network_injection_enabled +- azure_sql_server_uses_private_link +- azure_storage_account_default_network_access_rule_denied +- azure_storage_account_uses_private_link +- azure_storage_sync_private_link_used +- azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml index e52ffc8ad..023a385c6 100755 
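Review bot: The `azure_fedramp_high_ac_17` group both references the child group `azure_fedramp_high_ac_17_1` and lists 31 controls directly, and the child's hunk immediately below lists the identical 31 controls again, so every private-link and remote-debugging check appears twice under AC-17. If the engine aggregates by walking control-group membership, each finding is presumably double-counted in the AC-17 score; if it de-duplicates by control id, the duplication is still a maintenance hazard because the two hand-written lists must be kept in sync. I would keep the list in one place, most naturally by dropping the `controls:` block from `azure_fedramp_high_ac_17.yaml` and leaving only the reference to `azure_fedramp_high_ac_17_1`, or add a comment above `controls:` stating why both are intended. The duplication predates this commit but the commit rewrites both files, so it is a cheap moment to resolve it.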
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml 
@@ -1,37 +1,37 @@
-control-group:
- id: azure_fedramp_high_ac_17_1
- title: AC-17(1) Automated Monitoring / Control
- description: Employ automated mechanisms to monitor and control remote access methods.
- section-code: "1"
- controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_fedramp_high_ac_17_1
+title: AC-17(1) Automated Monitoring / Control
+description: Employ automated mechanisms to monitor and control remote access methods.
+section-code: "1"
+type: control-group
+controls:
+- azure_app_configuration_private_link_used
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_redis_cache_uses_private_link
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
index cb5321311..31f341fb9 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
@@ -1,21 +1,24 @@
+id: azure_fedramp_high_ac_2
+title: Account Management (AC-2)
+description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+section-code: "2"
+type: control-group
 control-group:
- id: azure_fedramp_high_ac_2
- title: Account Management (AC-2)
- description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
- section-code: "2"
- control-group:
- - id: azure_fedramp_high_ac_2_1
- - id: azure_fedramp_high_ac_2_12
- - id: azure_fedramp_high_ac_2_7
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+- id: azure_fedramp_high_ac_2_1
+ type: ""
+- id: azure_fedramp_high_ac_2_12
+ type: ""
+- id: azure_fedramp_high_ac_2_7
+ type: ""
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
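Review bot: The three child references added under `control-group:` in this hunk carry `type: ""`, while every group file in the commit now declares `type: control-group` at its top level; if the loader dispatches on `type`, an empty string is the one value that matches no known kind, and if it does not, the key is a serializer artifact that a schema check will flag. Either write `type: control-group` on the references or omit the key and let the referenced file supply it. The same `type: ""` pattern appears in the hunks for azure_fedramp_high_ac_6, azure_fedramp_high_au, azure_fedramp_high_au_12 and azure_fedramp_high_au_6 below, and at the top of this chunk in the azure_fedramp_high_ac_17 hunk whose header precedes it.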
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
index 7aaf03b7b..818b1ec4e 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_ac_2_1
- title: AC-2(1) Automated System Account Management
- description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
- section-code: "1"
- controls:
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_fedramp_high_ac_2_1
+title: AC-2(1) Automated System Account Management
+description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
+section-code: "1"
+type: control-group
+controls:
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
index 812d968c0..e5c64822d 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: azure_fedramp_high_ac_2_12
- title: AC-2(12) Account Monitoring
- description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
- section-code: "12"
- controls:
- - azure_compute_vm_jit_access_protected
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
+id: azure_fedramp_high_ac_2_12
+title: AC-2(12) Account Monitoring
+description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+section-code: "12"
+type: control-group
+controls:
+- azure_compute_vm_jit_access_protected
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
index 8234f4a19..438565478 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_ac_2_7
- title: AC-2(7) Role-Based Schemes
- description: "The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."
- section-code: "7"
- controls:
- - azure_iam_no_custom_role
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_fedramp_high_ac_2_7
+title: AC-2(7) Role-Based Schemes
+description: "The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."
+section-code: "7"
+type: control-group
+controls:
+- azure_iam_no_custom_role
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
index 3046feefe..815f64616 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_fedramp_high_ac_3
- title: Access Enforcement (AC-3)
- description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- section-code: "3"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_uses_azure_resource_manager
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_storage_account_uses_azure_resource_manager
+id: azure_fedramp_high_ac_3
+title: Access Enforcement (AC-3)
+description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+section-code: "3"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_compute_vm_account_with_password_linux
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_ssh_key_authentication_linux
+- azure_compute_vm_uses_azure_resource_manager
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
+- azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
index ecee18f28..fea69559b 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
@@ -1,48 +1,48 @@
-control-group:
- id: azure_fedramp_high_ac_4
- title: Information Flow Enforcement (AC-4)
- description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]."
- section-code: "4"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_appservice_web_app_cors_no_star
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_fedramp_high_ac_4
+title: Information Flow Enforcement (AC-4)
+description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]."
+section-code: "4"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_appservice_web_app_cors_no_star
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
index 689e8cbdc..1c1851783 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_fedramp_high_ac_5
- title: Separation Of Duties (AC-5)
- description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
- section-code: "5"
- controls:
- - azure_iam_subscription_owner_more_than_1
+id: azure_fedramp_high_ac_5
+title: Separation Of Duties (AC-5)
+description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+section-code: "5"
+type: control-group
+controls:
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
index ed33160fa..6fa43ba8b 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
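Review bot: The `description` kept for azure_fedramp_high_ac_5 starts its second sentence in lowercase (`... to prevent malevolent activity. automate separation of duties ...`); the commit only reflows this file, so the slip predates it, but it is the text that ships into reports. Suggest `description: Separate duties of individuals to prevent malevolent activity. Automate separation of duties and access authorizations.`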
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
@@ -1,10 +1,11 @@
+id: azure_fedramp_high_ac_6
+title: Least Privilege (AC-6)
+description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+section-code: "6"
+type: control-group
 control-group:
- id: azure_fedramp_high_ac_6
- title: Least Privilege (AC-6)
- description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
- section-code: "6"
- control-group:
- - id: azure_fedramp_high_ac_6_7
- controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
+- id: azure_fedramp_high_ac_6_7
+ type: ""
+controls:
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
index 2aac5bb8d..dfe162970 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_ac_6_7
- title: AC-6(7) Review Of User Privileges
- description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
- section-code: "7"
- controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
+id: azure_fedramp_high_ac_6_7
+title: AC-6(7) Review Of User Privileges
+description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
+section-code: "7"
+type: control-group
+controls:
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
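Review bot: The `description` in the azure_fedramp_high_ac_6_7 hunk does not describe the control its `title` names: the title is `AC-6(7) Review Of User Privileges`, but the text (`Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.`) is a directory/SSO requirement, so a reader of a report cannot tell why azure_iam_no_custom_role and azure_iam_subscription_owner_max_3 are mapped here. The commit only reflows the file, so the mismatch predates it, but this is the text that ships. Suggest a description of the privilege-review enhancement itself, e.g. `description: Periodically review the privileges assigned to roles or classes of users to validate the need for such privileges, and reassign or remove privileges as necessary to reflect organizational mission and business needs.`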
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
index fe9acf98a..595fedb75 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
@@ -1,8 +1,10 @@
+id: azure_fedramp_high_au
+title: Audit And Accountability (AU)
+description: The FedRAMP High baseline requires that audit logs are generated and reviewed for security-relevant events. This benchmark verifies that audit logs are generated and reviewed for security-relevant events.
+section-code: au
+type: control-group
 control-group:
- id: azure_fedramp_high_au
- title: Audit And Accountability (AU)
- description: The FedRAMP High baseline requires that audit logs are generated and reviewed for security-relevant events. This benchmark verifies that audit logs are generated and reviewed for security-relevant events.
- section-code: au
- control-group:
- - id: azure_fedramp_high_au_6
- - id: azure_fedramp_high_au_12
+- id: azure_fedramp_high_au_6
+ type: ""
+- id: azure_fedramp_high_au_12
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
index 0d0156b9c..14b6074d4 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
@@ -1,38 +1,39 @@
+id: azure_fedramp_high_au_12
+title: Audit Generation (AU-12)
+description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+section-code: "12"
+type: control-group
 control-group:
- id: azure_fedramp_high_au_12
- title: Audit Generation (AU-12)
- description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
- section-code: "12"
- control-group:
- - id: azure_fedramp_high_au_12_1
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+- id: azure_fedramp_high_au_12_1
+ type: ""
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
index 1db52fd19..8d4e306d1 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: azure_fedramp_high_au_12_1
- title: AU-12(1) System-Wide / Time-Correlated Audit Trail
- description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
- section-code: "1"
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_fedramp_high_au_12_1
+title: AU-12(1) System-Wide / Time-Correlated Audit Trail
+description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
index f3a716a98..7b706e142 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
@@ -1,20 +1,22 @@
+id: azure_fedramp_high_au_6
+title: Audit Record Review, Analysis And Reporting (AU-6)
+description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
+section-code: "6"
+type: control-group
 control-group:
- id: azure_fedramp_high_au_6
- title: Audit Record Review, Analysis And Reporting (AU-6)
- description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
- section-code: "6"
- control-group:
- - id: azure_fedramp_high_au_6_4
- - id: azure_fedramp_high_au_6_5
- controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+- id: azure_fedramp_high_au_6_4
+ type: ""
+- id: azure_fedramp_high_au_6_5
+ type: ""
+controls:
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_network_watcher_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
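Review bot: The child references added under `control-group:` carry `type: ""`, while the files they point at (`azure_fedramp_high_au_6_4.yaml` and `azure_fedramp_high_au_6_5.yaml`, both in this diff) declare `type: control-group`. If the loader dispatches on `type` when resolving a reference, an empty string presumably falls through to some default and the mismatch stays silent; if it does not, the field is dead weight. Writing `- id: azure_fedramp_high_au_6_4` / `  type: control-group` would make each reference self-describing and consistent with its target. The same `type: ""` pattern appears in the cm, cp, cp_6, ia, ia_5 and ir hunks further down.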
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
index 33293eae9..01f4538e2 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: azure_fedramp_high_au_6_4
- title: AU-6(4) Central Review And Analysis
- description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
- section-code: "4"
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_fedramp_high_au_6_4
+title: AU-6(4) Central Review And Analysis
+description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
+section-code: "4"
+type: control-group
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
index 5fea01a44..e343c5064 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
@@ -1,36 +1,36 @@
-control-group:
- id: azure_fedramp_high_au_6_5
- title: AU-6(5) Integration / Scanning And Monitoring Capabilities
- description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
- section-code: "5"
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_fedramp_high_au_6_5
+title: AU-6(5) Integration / Scanning And Monitoring Capabilities
+description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
+section-code: "5"
+type: control-group
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
index fe8f9f6c7..0fd45b2a5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
@@ -1,8 +1,10 @@
+id: azure_fedramp_high_cm
+title: Configuration Management (CM)
+description: "The organization: (i) defines and documents configuration settings for information technology products employed within the information system; (ii) implements the configuration settings; (iii) identifies, documents, and approves any deviations from established configuration settings; and (iv) monitors and controls changes to the configuration settings."
+section-code: cm
+type: control-group
 control-group:
- id: azure_fedramp_high_cm
- title: Configuration Management (CM)
- description: "The organization: (i) defines and documents configuration settings for information technology products employed within the information system; (ii) implements the configuration settings; (iii) identifies, documents, and approves any deviations from established configuration settings; and (iv) monitors and controls changes to the configuration settings."
- section-code: cm
- control-group:
- - id: azure_fedramp_high_cm_6
- - id: azure_fedramp_high_cm_7
+- id: azure_fedramp_high_cm_6
+ type: ""
+- id: azure_fedramp_high_cm_7
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml
index 812e665a5..5c977f17f 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml 
@@ -1,15 +1,15 @@
-control-group:
- id: azure_fedramp_high_cm_6
- title: Configuration Settings (CM-6)
- description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
- section-code: "6"
- controls:
- - azure_appservice_api_app_client_certificates_on
- - azure_appservice_api_app_cors_no_star
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
+id: azure_fedramp_high_cm_6
+title: Configuration Settings (CM-6)
+description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
+section-code: "6"
+type: control-group
+controls:
+- azure_appservice_api_app_client_certificates_on
+- azure_appservice_api_app_cors_no_star
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_function_app_cors_no_star
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_compute_vm_meet_security_baseline_requirements_linux
+- azure_compute_vm_meet_security_baseline_requirements_windows
+- azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
index d9aa2b06b..d87e78858 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_fedramp_high_cm_7
- title: Least Functionality (CM-7)
- description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
- section-code: "7"
- controls:
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_fedramp_high_cm_7
+title: Least Functionality (CM-7)
+description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
+section-code: "7"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
index 93c24ee54..90ae14f35 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
@@ -1,9 +1,12 @@
+id: azure_fedramp_high_cp
+title: Contingency Planning (CP)
+description: Thecp control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+section-code: cp
+type: control-group
 control-group:
- id: azure_fedramp_high_cp
- title: Contingency Planning (CP)
- description: Thecp control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
- section-code: cp
- control-group:
- - id: azure_fedramp_high_cp_6
- - id: azure_fedramp_high_cp_7
- - id: azure_fedramp_high_cp_9
+- id: azure_fedramp_high_cp_6
+ type: ""
+- id: azure_fedramp_high_cp_7
+ type: ""
+- id: azure_fedramp_high_cp_9
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
index 85cde31bf..6479b3ef5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
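Review bot: The new-side description still begins `Thecp control family includes ...`, a missing space carried over from the old layout rather than a deliberate token. The sibling family files in this diff (IA, IR) open with the family code in upper case, so `description: The CP control family includes controls specific to an organization's contingency plan ...` (rest of the sentence unchanged) would both fix the typo and match their convention. Since this text is what reports and dashboards will show for the whole CP family, it is worth correcting while the file is already being rewritten.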
@@ -1,13 +1,14 @@
+id: azure_fedramp_high_cp_6
+title: Alternate Storage Sites (CP-6)
+description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
+section-code: "6"
+type: control-group
 control-group:
- id: azure_fedramp_high_cp_6
- title: Alternate Storage Sites (CP-6)
- description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
- section-code: "6"
- control-group:
- - id: azure_fedramp_high_cp_6_1
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
+- id: azure_fedramp_high_cp_6_1
+ type: ""
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_sql_database_long_term_geo_redundant_backup_enabled
+- azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
index a496789aa..c880ce33e 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_fedramp_high_cp_6_1
- title: CP-6(1) Separation From Primary Site
- description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
- section-code: "1"
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
+id: azure_fedramp_high_cp_6_1
+title: CP-6(1) Separation From Primary Site
+description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
+section-code: "1"
+type: control-group
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_sql_database_long_term_geo_redundant_backup_enabled
+- azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
index a1827c064..8bcf27052 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_fedramp_high_cp_7
- title: Alternate Processing Site (CP-7)
- description: Alternate Processing Site (CP-7)
- section-code: "7"
- controls:
- - azure_compute_vm_disaster_recovery_enabled
+id: azure_fedramp_high_cp_7
+title: Alternate Processing Site (CP-7)
+description: Alternate Processing Site (CP-7)
+section-code: "7"
+type: control-group
+controls:
+- azure_compute_vm_disaster_recovery_enabled
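Review bot: In the cp_7 hunk, `description: Alternate Processing Site (CP-7)` merely repeats the title, so the group carries no statement of the requirement it maps `azure_compute_vm_disaster_recovery_enabled` to, unlike every sibling group in this diff (cp_6, cp_6_1, cp_9 all quote the control text). A one-sentence description of the CP-7 alternate-processing-site requirement, in the same style as the cp_6 hunk's `description:`, would make the group self-explanatory in generated reports. The placeholder predates this commit, but the rewrite is the natural moment to replace it.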
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
index 4e98f5732..d55d210e2 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_fedramp_high_cp_9
- title: System Backup (CP-9)
- description: "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information."
- section-code: "9"
- controls:
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_soft_delete_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_fedramp_high_cp_9
+title: System Backup (CP-9)
+description: "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information."
+section-code: "9"
+type: control-group
+controls:
+- azure_keyvault_purge_protection_enabled
+- azure_keyvault_soft_delete_enabled
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml
index 5939b92e0..0ddc924d2 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml
@@ -1,9 +1,12 @@
+id: azure_fedramp_high_ia
+title: Identification and Authentication (IA)
+description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+section-code: ia
+type: control-group
 control-group:
- id: azure_fedramp_high_ia
- title: Identification and Authentication (IA)
- description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
- section-code: ia
- control-group:
- - id: azure_fedramp_high_ia_2
- - id: azure_fedramp_high_ia_4
- - id: azure_fedramp_high_ia_5
+- id: azure_fedramp_high_ia_2
+ type: ""
+- id: azure_fedramp_high_ia_4
+ type: ""
+- id: azure_fedramp_high_ia_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml
index 2591af431..7abda09a9 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_fedramp_high_ia_2
- title: Identification and Authentication (Organizational users) (IA-2)
- description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
- section-code: "2"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_fedramp_high_ia_2
+title: Identification and Authentication (Organizational users) (IA-2)
+description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
+section-code: "2"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml
index 1d7066f18..7e736e106 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_fedramp_high_ia_4
- title: Identifier Management (IA-4)
- description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
- section-code: "4"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_fedramp_high_ia_4
+title: Identifier Management (IA-4)
+description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
+section-code: "4"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml
index ecce962ff..cb32e4cf5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml
@@ -1,16 +1,17 @@
+id: azure_fedramp_high_ia_5
+title: Authenticator Management (IA-5)
+description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
+section-code: "5"
+type: control-group
 control-group:
- id: azure_fedramp_high_ia_5
- title: Authenticator Management (IA-5)
- description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
- section-code: "5"
- control-group:
- - id: azure_fedramp_high_ia_5_1
- controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_keyvault_key_expiration_set
- - azure_keyvault_secret_expiration_set
+- id: azure_fedramp_high_ia_5_1
+ type: ""
+controls:
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+- azure_compute_vm_ssh_key_authentication_linux
+- azure_keyvault_key_expiration_set
+- azure_keyvault_secret_expiration_set
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml
index 335318b63..01d3f0956 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_fedramp_high_ia_5_1
- title: IA-5(1) Password-Based Authentication
- description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
- section-code: "1"
- controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_password_complexity_setting_enabled_windows
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+id: azure_fedramp_high_ia_5_1
+title: IA-5(1) Password-Based Authentication
+description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
+section-code: "1"
+type: control-group
+controls:
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_password_complexity_setting_enabled_windows
+- azure_compute_vm_passwords_stored_using_reversible_encryption_windows
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml
index 6e903415e..68c039113 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml
@@ -1,8 +1,10 @@
+id: azure_fedramp_high_ir
+title: Incident Response (IR)
+description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+section-code: ir
+type: control-group
 control-group:
- id: azure_fedramp_high_ir
- title: Incident Response (IR)
- description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
- section-code: ir
- control-group:
- - id: azure_fedramp_high_ir_4
- - id: azure_fedramp_high_ir_5
+- id: azure_fedramp_high_ir_4
+ type: ""
+- id: azure_fedramp_high_ir_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml
index df167a224..f8a5c95b4 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_fedramp_high_ir_4
- title: Incident Handling (IR-4)
- description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
- section-code: "4"
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
+id: azure_fedramp_high_ir_4
+title: Incident Handling (IR-4)
+description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
+section-code: "4"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml
index 16fa674e6..18a7e28c5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_fedramp_high_ir_5
- title: Incident Monitoring (IR-5)
- description: "Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]."
- section-code: "5"
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
+id: azure_fedramp_high_ir_5
+title: Incident Monitoring (IR-5)
+description: "Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]."
+section-code: "5"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml
index 4d640bf01..97f809c55 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml
@@ -1,7 +1,8 @@
+id: azure_fedramp_high_ra
+title: Risk Assessment (RA)
+description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+section-code: ra
+type: control-group
 control-group:
- id: azure_fedramp_high_ra
- title: Risk Assessment (RA)
- description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
- section-code: ra
- control-group:
- - id: azure_fedramp_high_ra_5
+- id: azure_fedramp_high_ra_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml
index 8ea497150..ea058c965 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_fedramp_high_ra_5
- title: Vulnerability Scanning (RA-5)
- description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
- section-code: "5"
- controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
+id: azure_fedramp_high_ra_5
+title: Vulnerability Scanning (RA-5)
+description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
+section-code: "5"
+type: control-group
+controls:
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
+- azure_sql_server_azure_defender_enabled
+- azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml
index 4abd19cee..954eabbd0 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml
@@ -1,12 +1,18 @@
+id: azure_fedramp_high_sc
+title: System and Communications Protection (SC)
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: sc
+type: control-group
 control-group:
- id: azure_fedramp_high_sc
- title: System and Communications Protection (SC)
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: sc
- control-group:
- - id: azure_fedramp_high_sc_3
- - id: azure_fedramp_high_sc_5
- - id: azure_fedramp_high_sc_7
- - id: azure_fedramp_high_sc_8
- - id: azure_fedramp_high_sc_12
- - id: azure_fedramp_high_sc_28
+- id: azure_fedramp_high_sc_3
+ type: ""
+- id: azure_fedramp_high_sc_5
+ type: ""
+- id: azure_fedramp_high_sc_7
+ type: ""
+- id: azure_fedramp_high_sc_8
+ type: ""
+- id: azure_fedramp_high_sc_12
+ type: ""
+- id: azure_fedramp_high_sc_28
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml
index 6987044cd..03da547a1 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml 
@@ -1,28 +1,28 @@
-control-group:
- id: azure_fedramp_high_sc_12
- title: Cryptographic Key Establishment And Management (SC-12)
- description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
- section-code: "12"
- controls:
- - azure_batch_account_encrypted_with_cmk
- - azure_cognitive_account_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- - azure_container_registry_encrypted_with_cmk
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_hpc_cache_encrypted_with_cmk
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_machine_learning_workspace_encrypted_with_cmk
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_servicebus_premium_namespace_cmk_encrypted
- - azure_sql_server_tde_protector_cmk_encrypted
- - azure_storage_account_encryption_at_rest_using_cmk
- - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- - azure_synapse_workspace_encryption_at_rest_using_cmk
+id: azure_fedramp_high_sc_12
+title: Cryptographic Key Establishment And Management (SC-12)
+description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+section-code: "12"
+type: control-group
+controls:
+- azure_batch_account_encrypted_with_cmk
+- azure_cognitive_account_encrypted_with_cmk
+- azure_compute_os_and_data_disk_encrypted_with_cmk
+- azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
+- azure_container_registry_encrypted_with_cmk
+- azure_cosmosdb_account_encryption_at_rest_using_cmk
+- azure_eventhub_namespace_cmk_encryption_enabled
+- azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+- azure_hdinsight_cluster_encryption_at_host_enabled
+- azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+- azure_hpc_cache_encrypted_with_cmk
+- azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+- azure_kusto_cluster_encrypted_at_rest_with_cmk
+- azure_machine_learning_workspace_encrypted_with_cmk
+- azure_mssql_managed_instance_encryption_at_rest_using_cmk
+- azure_mysql_server_encrypted_at_rest_using_cmk
+- azure_postgres_sql_server_encrypted_at_rest_using_cmk
+- azure_servicebus_premium_namespace_cmk_encrypted
+- azure_sql_server_tde_protector_cmk_encrypted
+- azure_storage_account_encryption_at_rest_using_cmk
+- azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
+- azure_synapse_workspace_encryption_at_rest_using_cmk
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml
index ba71bd8a3..b817726b5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml
@@ -1,20 +1,21 @@
+id: azure_fedramp_high_sc_28
+title: Protection Of Information At Rest (SC-28)
+description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]."
+section-code: "28"
+type: control-group
 control-group:
- id: azure_fedramp_high_sc_28
- title: Protection Of Information At Rest (SC-28)
- description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]."
- section-code: "28"
- control-group:
- - id: azure_fedramp_high_sc_28_1
- controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_automation_account_variable_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_databox_edge_device_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
+- id: azure_fedramp_high_sc_28_1
+ type: ""
+controls:
+- azure_app_service_environment_internal_encryption_enabled
+- azure_automation_account_variable_encryption_enabled
+- azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+- azure_databox_edge_device_double_encryption_enabled
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_postgresql_server_infrastructure_encryption_enabled
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_server_transparent_data_encryption_enabled
+- azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml
index 5dedc107a..cef3a3a1f 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml
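Review bot: The `+controls:` list kept under `azure_fedramp_high_sc_28` on the new side repeats, item for item, the list that the referenced child `azure_fedramp_high_sc_28_1` carries in the next hunk, so each of those twelve controls is presumably evaluated and reported twice within this subtree and the enhancement adds no distinct coverage. If the duplication is intentional for roll-up, a one-line comment above `controls:` saying so would keep the next maintainer from deduplicating it; otherwise keep the controls on one level only. The azure_fedramp_high_sc_7 / azure_fedramp_high_sc_7_3 and azure_fedramp_high_sc_8 / azure_fedramp_high_sc_8_1 hunks share the same shape.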
@@ -1,18 +1,18 @@
-control-group:
- id: azure_fedramp_high_sc_28_1
- title: SC-28(1) Cryptographic Protection
- description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
- section-code: "1"
- controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_automation_account_variable_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_databox_edge_device_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
+id: azure_fedramp_high_sc_28_1
+title: SC-28(1) Cryptographic Protection
+description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
+section-code: "1"
+type: control-group
+controls:
+- azure_app_service_environment_internal_encryption_enabled
+- azure_automation_account_variable_encryption_enabled
+- azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+- azure_databox_edge_device_double_encryption_enabled
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_postgresql_server_infrastructure_encryption_enabled
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_server_transparent_data_encryption_enabled
+- azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml
index b809dca02..d5c4f4cca 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_sc_3
- title: Security Function Isolation (SC-3)
- description: Isolate security functions from nonsecurity functions.
- section-code: "3"
- controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_fedramp_high_sc_3
+title: Security Function Isolation (SC-3)
+description: Isolate security functions from nonsecurity functions.
+section-code: "3"
+type: control-group
+controls:
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml
index 0a4127fc0..637ed1039 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_fedramp_high_sc_5
- title: Denial Of Service Protection (SC-5)
- description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]."
- section-code: "5"
- controls:
- - azure_application_gateway_waf_enabled
- - azure_frontdoor_waf_enabled
- - azure_network_interface_ip_forwarding_disabled
+id: azure_fedramp_high_sc_5
+title: Denial Of Service Protection (SC-5)
+description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]."
+section-code: "5"
+type: control-group
+controls:
+- azure_application_gateway_waf_enabled
+- azure_frontdoor_waf_enabled
+- azure_network_interface_ip_forwarding_disabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml
index 4849070b7..d5b0bb165 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml
@@ -1,51 +1,52 @@
+id: azure_fedramp_high_sc_7
+title: Boundary Protection (SC-7)
+description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+section-code: "7"
+type: control-group
 control-group:
- id: azure_fedramp_high_sc_7
- title: Boundary Protection (SC-7)
- description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
- section-code: "7"
- control-group:
- - id: azure_fedramp_high_sc_7_3
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+- id: azure_fedramp_high_sc_7_3
+ type: ""
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_application_gateway_waf_enabled
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_frontdoor_waf_enabled
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
index f94b52d99..7209c79bd 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
@@ -1,49 +1,49 @@
-control-group:
- id: azure_fedramp_high_sc_7_3
- title: SC-7(3) Access Points
- description: The organization limits the number of external network connections to the information system.
- section-code: "3"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_fedramp_high_sc_7_3
+title: SC-7(3) Access Points
+description: The organization limits the number of external network connections to the information system.
+section-code: "3"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_application_gateway_waf_enabled
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_frontdoor_waf_enabled
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
index 682691044..da5e788de 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
@@ -1,18 +1,19 @@
+id: azure_fedramp_high_sc_8
+title: Transmission Confidentiality And Integrity (SC-8)
+description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
+section-code: "8"
+type: control-group
 control-group:
- id: azure_fedramp_high_sc_8
- title: Transmission Confidentiality And Integrity (SC-8)
- description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
- section-code: "8"
- control-group:
- - id: azure_fedramp_high_sc_8_1
- controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+- id: azure_fedramp_high_sc_8_1
+ type: ""
+controls:
+- azure_appservice_api_app_ftps_enabled
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_hdinsight_cluster_encryption_in_transit_enabled
+- azure_mysql_ssl_enabled
+- azure_postgres_sql_ssl_enabled
+- azure_redis_cache_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml
index 7473546b6..573b44777 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml
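Review bot: The nested reference `- id: azure_fedramp_high_sc_8_1` is given `type: ""`, an empty string rather than either a real kind or no key, while the HITRUST framework file in this same change lists its nested groups as bare `- id:` entries with no `type` at all. A loader that dispatches on `type` now sees two shapes for the same concept; either drop the key on child references or give it the value the schema expects (presumably `type: control-group`, the value used on the groups themselves). The same `type: ""` appears on the child entries in azure_fedramp_high_si.yaml and azure_fedramp_high_si_3.yaml. Separately, SC-8 lists the same ten controls directly and again via its child group SC-8(1), which predates this change but means a per-family tally may count them twice.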
@@ -1,16 +1,16 @@
-control-group:
- id: azure_fedramp_high_sc_8_1
- title: SC-8(1) Cryptographic Or Alternate Physical Protection
- description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
- section-code: "1"
- controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_fedramp_high_sc_8_1
+title: SC-8(1) Cryptographic Or Alternate Physical Protection
+description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_api_app_ftps_enabled
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_hdinsight_cluster_encryption_in_transit_enabled
+- azure_mysql_ssl_enabled
+- azure_postgres_sql_ssl_enabled
+- azure_redis_cache_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
index 18bb022fe..ba6824c6d 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
@@ -1,10 +1,14 @@
+id: azure_fedramp_high_si
+title: System and Information Integrity (SI)
+description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+section-code: si
+type: control-group
 control-group:
- id: azure_fedramp_high_si
- title: System and Information Integrity (SI)
- description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
- section-code: si
- control-group:
- - id: azure_fedramp_high_si_2
- - id: azure_fedramp_high_si_3
- - id: azure_fedramp_high_si_4
- - id: azure_fedramp_high_si_16
+- id: azure_fedramp_high_si_2
+ type: ""
+- id: azure_fedramp_high_si_3
+ type: ""
+- id: azure_fedramp_high_si_4
+ type: ""
+- id: azure_fedramp_high_si_16
+ type: ""
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
index cb9e6d606..db7715d61 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_si_16
- title: Memory Protection (SI-16)
- description: "Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]."
- section-code: "16"
- controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_fedramp_high_si_16
+title: Memory Protection (SI-16)
+description: "Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]."
+section-code: "16"
+type: control-group
+controls:
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
index b01b0876a..4b5f998c6 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_fedramp_high_si_2
- title: Flaw Remediation (SI-2)
- description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
- section-code: "2"
- controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_fedramp_high_si_2
+title: Flaw Remediation (SI-2)
+description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
+section-code: "2"
+type: control-group
+controls:
+- azure_appservice_function_app_latest_http_version
+- azure_appservice_web_app_latest_http_version
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
index a8b96dcbc..397d79ea5 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
@@ -1,10 +1,11 @@
+id: azure_fedramp_high_si_3
+title: Malicious Code Protection (SI-3)
+description: "Implement [Assignment (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"
+section-code: "3"
+type: control-group
 control-group:
- id: azure_fedramp_high_si_3
- title: Malicious Code Protection (SI-3)
- description: "Implement [Assignment (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"
- section-code: "3"
- control-group:
- - id: azure_fedramp_high_si_3_1
- controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+- id: azure_fedramp_high_si_3_1
+ type: ""
+controls:
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
index ff6e32156..55e223ed8 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_fedramp_high_si_3_1
- title: SI-3(1) Central Management
- description: SI-3(1) Central Management
- section-code: "1"
- controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_fedramp_high_si_3_1
+title: SI-3(1) Central Management
+description: SI-3(1) Central Management
+section-code: "1"
+type: control-group
+controls:
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
index db2da98f1..edb4c607a 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
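Review bot: `description: SI-3(1) Central Management` only repeats the title, so the rewritten file still carries no statement of what the enhancement requires; every sibling group in this change (SI-16, SI-2, SI-3, SI-4) quotes the requirement text in `description`. Since this commit rewrites the file end to end, it is the natural place to replace the placeholder with the SI-3(1) requirement text in the same quoted form the siblings use.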
@@ -1,24 +1,24 @@
-control-group:
- id: azure_fedramp_high_si_4
- title: Information System Monitoring (SI-4)
- description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
- section-code: "4"
- controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+id: azure_fedramp_high_si_4
+title: Information System Monitoring (SI-4)
+description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+section-code: "4"
+type: control-group
+controls:
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_network_watcher_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml
index 86644883c..2a0f44d92 100644
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml
@@ -1,46 +1,46 @@
-framework:
- id: azure_hipaa_hitrust_v92
- title: HIPAA HITRUST 9.2
- description: The HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.
- section-code: azure_hipaa_hitrust_v92
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Laws & Regulations
- - Frameworks
- - Privacy
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_hipaa_hitrust_v92_privilege_management
- - id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
- - id: azure_hipaa_hitrust_v92_user_identification_and_authentication
- - id: azure_hipaa_hitrust_v92_endpoint_protection
- - id: azure_hipaa_hitrust_v92_portable_media_security
- - id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
- - id: azure_hipaa_hitrust_v92_configuration_management
- - id: azure_hipaa_hitrust_v92_vulnerability_management
- - id: azure_hipaa_hitrust_v92_network_protection
- - id: azure_hipaa_hitrust_v92_back_up
- - id: azure_hipaa_hitrust_v92_network_controls
- - id: azure_hipaa_hitrust_v92_on_line_transactions
- - id: azure_hipaa_hitrust_v92_transmission_protection
- - id: azure_hipaa_hitrust_v92_control_of_operational_software
- - id: azure_hipaa_hitrust_v92_access_control
- - id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring
- - id: azure_hipaa_hitrust_v92_education_training_and_awareness
- - id: azure_hipaa_hitrust_v92_third_party_assurance
- - id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
+id: azure_hipaa_hitrust_v92
+title: HIPAA HITRUST 9.2
+description: The HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.
+section-code: azure_hipaa_hitrust_v92
+type: framework
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Laws & Regulations
+ - Frameworks
+ - Privacy
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_hipaa_hitrust_v92_privilege_management
+- id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
+- id: azure_hipaa_hitrust_v92_user_identification_and_authentication
+- id: azure_hipaa_hitrust_v92_endpoint_protection
+- id: azure_hipaa_hitrust_v92_portable_media_security
+- id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
+- id: azure_hipaa_hitrust_v92_configuration_management
+- id: azure_hipaa_hitrust_v92_vulnerability_management
+- id: azure_hipaa_hitrust_v92_network_protection
+- id: azure_hipaa_hitrust_v92_back_up
+- id: azure_hipaa_hitrust_v92_network_controls
+- id: azure_hipaa_hitrust_v92_on_line_transactions
+- id: azure_hipaa_hitrust_v92_transmission_protection
+- id: azure_hipaa_hitrust_v92_control_of_operational_software
+- id: azure_hipaa_hitrust_v92_access_control
+- id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring
+- id: azure_hipaa_hitrust_v92_education_training_and_awareness
+- id: azure_hipaa_hitrust_v92_third_party_assurance
+- id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
index e93d554d7..ec1dea8ec 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0201_09j1organizational
- title: 09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
- description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution.
- section-code: azure_hipaa_hitrust_v92_0201_09j1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_scale_set_endpoint_protection_solution_installed
- - azure_compute_vm_system_updates_installed
+id: azure_hipaa_hitrust_v92_0201_09j1organizational
+title: 09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
+description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution.
+section-code: azure_hipaa_hitrust_v92_0201_09j1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_endpoint_protection_agent_installed
+- azure_compute_vm_malware_agent_automatic_upgrade_enabled
+- azure_compute_vm_malware_agent_installed
+- azure_compute_vm_scale_set_endpoint_protection_solution_installed
+- azure_compute_vm_system_updates_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
index cd68c792a..8ece438c2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0301_09o1organizational
- title: 09o1Organizational.123-09.o 09.07 Media Handling
- description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
- section-code: azure_hipaa_hitrust_v92_0301_09o1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_sql_database_transparent_data_encryption_enabled
+id: azure_hipaa_hitrust_v92_0301_09o1organizational
+title: 09o1Organizational.123-09.o 09.07 Media Handling
+description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
+section-code: azure_hipaa_hitrust_v92_0301_09o1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_sql_database_transparent_data_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
index bc1ed47e2..fc4e8a0ac 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0302_09o2organizational
- title: 09o2Organizational.1-09.o 09.07 Media Handling
- description: The organization protects and controls media containing sensitive information during transport outside of controlled areas.
- section-code: azure_hipaa_hitrust_v92_0302_09o2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+id: azure_hipaa_hitrust_v92_0302_09o2organizational
+title: 09o2Organizational.1-09.o 09.07 Media Handling
+description: The organization protects and controls media containing sensitive information during transport outside of controlled areas.
+section-code: azure_hipaa_hitrust_v92_0302_09o2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
index d2ec68c19..da45a8c06 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0304_09o3organizational
- title: 09o3Organizational.1-09.o 09.07 Media Handling
- description: The organization restricts the use of writable removable media and personally-owned removable media in organizational systems.
- section-code: azure_hipaa_hitrust_v92_0304_09o3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_datalake_store_account_encryption_enabled
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_sql_server_tde_protector_cmk_encrypted
+id: azure_hipaa_hitrust_v92_0304_09o3organizational
+title: 09o3Organizational.1-09.o 09.07 Media Handling
+description: The organization restricts the use of writable removable media and personally-owned removable media in organizational systems.
+section-code: azure_hipaa_hitrust_v92_0304_09o3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_datalake_store_account_encryption_enabled
+- azure_mssql_managed_instance_encryption_at_rest_using_cmk
+- azure_sql_server_tde_protector_cmk_encrypted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
index 53d6cd4f2..92e60373f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0605_10h1system
- title: 10h1System.12-10.h 10.04 Security of System Files
- description: Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
- section-code: azure_hipaa_hitrust_v92_0605_10h1system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_security_option_audit_requirement_windows
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0605_10h1system
+title: 10h1System.12-10.h 10.04 Security of System Files
+description: Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
+section-code: azure_hipaa_hitrust_v92_0605_10h1system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_security_option_audit_requirement_windows
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
index f4ec895c7..c72a28d8e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0606_10h2system
- title: Applications and operating systems are successfully tested for usability, security and impact prior to production
- description: Applications and operating systems are successfully tested for usability, security and impact prior to production
- section-code: azure_hipaa_hitrust_v92_0606_10h2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0606_10h2system
+title: Applications and operating systems are successfully tested for usability, security and impact prior to production
+description: Applications and operating systems are successfully tested for usability, security and impact prior to production
+section-code: azure_hipaa_hitrust_v92_0606_10h2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_container_security_configurations_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
index 833c191df..a2dec213c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0607_10h2system
- title: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
- description: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
- section-code: azure_hipaa_hitrust_v92_0607_10h2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0607_10h2system
+title: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
+description: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
+section-code: azure_hipaa_hitrust_v92_0607_10h2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
index 7c703a643..718d68818 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0635_10k1organizational
- title: 10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
- description: Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
- section-code: azure_hipaa_hitrust_v92_0635_10k1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0635_10k1organizational
+title: 10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
+description: Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
+section-code: azure_hipaa_hitrust_v92_0635_10k1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
index 5bceb4216..61e9f5277 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0636_10k2organizational
- title: 10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
- description: The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management.
- section-code: azure_hipaa_hitrust_v92_0636_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0636_10k2organizational
+title: 10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
+description: The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management.
+section-code: azure_hipaa_hitrust_v92_0636_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
index 094153f5b..d5b0a0206 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0637_10k2organizational
- title: 10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
- description: The organization has developed, documented, and implemented a configuration management plan for the information system.
- section-code: azure_hipaa_hitrust_v92_0637_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0637_10k2organizational
+title: 10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
+description: The organization has developed, documented, and implemented a configuration management plan for the information system.
+section-code: azure_hipaa_hitrust_v92_0637_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
index 3d6cf2d29..fed24cc6e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0638_10k2organizational
- title: 10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
- description: Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems.
- section-code: azure_hipaa_hitrust_v92_0638_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0638_10k2organizational
+title: 10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
+description: Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems.
+section-code: azure_hipaa_hitrust_v92_0638_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
index e69295a7d..7636040fb 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0639_10k2organizational
- title: 10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
- description: Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards.
- section-code: azure_hipaa_hitrust_v92_0639_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0639_10k2organizational
+title: 10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
+description: Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards.
+section-code: azure_hipaa_hitrust_v92_0639_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
index 58c5c4049..b4c0c1e98 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0640_10k2organizational
- title: 10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
- description: Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.
- section-code: azure_hipaa_hitrust_v92_0640_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0640_10k2organizational
+title: 10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
+description: Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.
+section-code: azure_hipaa_hitrust_v92_0640_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
index aa7127860..f4f273dbd 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0641_10k2organizational
- title: 10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
- description: The organization does not use automated updates on critical systems.
- section-code: azure_hipaa_hitrust_v92_0641_10k2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0641_10k2organizational
+title: 10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
+description: The organization does not use automated updates on critical systems.
+section-code: azure_hipaa_hitrust_v92_0641_10k2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
index 7366768a9..ad179f1a4 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0642_10k3organizational
- title: 10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
- description: The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required.
- section-code: azure_hipaa_hitrust_v92_0642_10k3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0642_10k3organizational
+title: 10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
+description: The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required.
+section-code: azure_hipaa_hitrust_v92_0642_10k3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
index b702392a7..48bc55c87 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0643_10k3organizational
- title: 10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
- description: The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
- section-code: azure_hipaa_hitrust_v92_0643_10k3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0643_10k3organizational
+title: 10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
+description: The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
+section-code: azure_hipaa_hitrust_v92_0643_10k3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
index 902a02ee8..6338b799a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0644_10k3organizational
- title: 10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
- description: The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions.
- section-code: azure_hipaa_hitrust_v92_0644_10k3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
+id: azure_hipaa_hitrust_v92_0644_10k3organizational
+title: 10k3Organizational.4-10.k 10.05 Security In Development and Support Processes
+description: The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions.
+section-code: azure_hipaa_hitrust_v92_0644_10k3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml
index e95432f09..67d77df5d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0662_09scsporganizational
- title: 09sCSPOrganizational.2-09.s 09.08 Exchange of Information
- description: Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.
- section-code: azure_hipaa_hitrust_v92_0662_09scsporganizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_client_certificates_on
+id: azure_hipaa_hitrust_v92_0662_09scsporganizational
+title: 09sCSPOrganizational.2-09.s 09.08 Exchange of Information
+description: Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review.
+section-code: azure_hipaa_hitrust_v92_0662_09scsporganizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_client_certificates_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml
index 1fd8c7e46..605906484 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0709_10m1organizational
- title: 10m1Organizational.1-10.m 10.06 Technical Vulnerability Management
- description: Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner.
- section-code: azure_hipaa_hitrust_v92_0709_10m1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
+id: azure_hipaa_hitrust_v92_0709_10m1organizational
+title: 10m1Organizational.1-10.m 10.06 Technical Vulnerability Management
+description: Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner.
+section-code: azure_hipaa_hitrust_v92_0709_10m1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_container_security_configurations_vulnerabilities_remediated
+- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml
index 9c2c0580b..2bd2910c2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0710_10m2organizational
- title: 10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
- description: A hardened configuration standard exists for all system and network components.
- section-code: azure_hipaa_hitrust_v92_0710_10m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
- controls:
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
+id: azure_hipaa_hitrust_v92_0710_10m2organizational
+title: 10m2Organizational.1-10.m 10.06 Technical Vulnerability Management
+description: A hardened configuration standard exists for all system and network components.
+section-code: azure_hipaa_hitrust_v92_0710_10m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+controls:
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml
index 96ab144f9..3c1b7f588 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml
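Review bot: The `service` tag carried onto the new side of the 0710 group is `- Azure/MySQL`, yet the group's only control is `azure_mssql_managed_instance_vulnerability_assessment_enabled`, which by its name targets Azure SQL Managed Instance, not MySQL. The restructure did not introduce this, but it is the moment the file is being rewritten, and if `service` drives filtering or grouping in the framework views this group will surface under the wrong product. I would change it to `- Azure/SQL`, the tag the 0716 group uses for its SQL-backed control, assuming the tag taxonomy files Managed Instance under SQL (worth confirming against the other groups that reference `azure_mssql_*` controls).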
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0711_10m2organizational
- title: 10m2Organizational.23-10.m 10.06 Technical Vulnerability Management
- description: A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.
- section-code: azure_hipaa_hitrust_v92_0711_10m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
+id: azure_hipaa_hitrust_v92_0711_10m2organizational
+title: 10m2Organizational.23-10.m 10.06 Technical Vulnerability Management
+description: A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.
+section-code: azure_hipaa_hitrust_v92_0711_10m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_vulnerability_assessment_solution_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml
index d1ed85545..b840210b2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0713_10m2organizational
- title: 10m2Organizational.5-10.m 10.06 Technical Vulnerability Management
- description: Patches are tested and evaluated before they are installed.
- section-code: azure_hipaa_hitrust_v92_0713_10m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0713_10m2organizational
+title: 10m2Organizational.5-10.m 10.06 Technical Vulnerability Management
+description: Patches are tested and evaluated before they are installed.
+section-code: azure_hipaa_hitrust_v92_0713_10m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml
index fa9917c06..e08bf215e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0714_10m2organizational
- title: 10m2Organizational.7-10.m 10.06 Technical Vulnerability Management
- description: The technical vulnerability management program is evaluated on a quarterly basis.
- section-code: azure_hipaa_hitrust_v92_0714_10m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0714_10m2organizational
+title: 10m2Organizational.7-10.m 10.06 Technical Vulnerability Management
+description: The technical vulnerability management program is evaluated on a quarterly basis.
+section-code: azure_hipaa_hitrust_v92_0714_10m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml
index 491724d64..38d844dff 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0715_10m2organizational
- title: 10m2Organizational.8-10.m 10.06 Technical Vulnerability Management
- description: Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled).
- section-code: azure_hipaa_hitrust_v92_0715_10m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0715_10m2organizational
+title: 10m2Organizational.8-10.m 10.06 Technical Vulnerability Management
+description: Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled).
+section-code: azure_hipaa_hitrust_v92_0715_10m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_container_security_configurations_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml
index 9536155da..cc0bc4f04 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0716_10m3organizational
- title: 10m3Organizational.1-10.m 10.06 Technical Vulnerability Management
- description: The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures.
- section-code: azure_hipaa_hitrust_v92_0716_10m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_hipaa_hitrust_v92_0716_10m3organizational
+title: 10m3Organizational.1-10.m 10.06 Technical Vulnerability Management
+description: The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures.
+section-code: azure_hipaa_hitrust_v92_0716_10m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml
index 13f4f64c6..61cfc34a1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0717_10m3organizational
- title: 10m3Organizational.2-10.m 10.06 Technical Vulnerability Management
- description: Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned.
- section-code: azure_hipaa_hitrust_v92_0717_10m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0717_10m3organizational
+title: 10m3Organizational.2-10.m 10.06 Technical Vulnerability Management
+description: Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned.
+section-code: azure_hipaa_hitrust_v92_0717_10m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml
index 0093efbe5..0c0e8703a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0718_10m3organizational
- title: 10m3Organizational.34-10.m 10.06 Technical Vulnerability Management
- description: The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.
- section-code: azure_hipaa_hitrust_v92_0718_10m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
+id: azure_hipaa_hitrust_v92_0718_10m3organizational
+title: 10m3Organizational.34-10.m 10.06 Technical Vulnerability Management
+description: The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported.
+section-code: azure_hipaa_hitrust_v92_0718_10m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml
index ef61bb171..f643eb612 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0719_10m3organizational
- title: 10m3Organizational.5-10.m 10.06 Technical Vulnerability Management
- description: The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported.
- section-code: azure_hipaa_hitrust_v92_0719_10m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
- controls:
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
+id: azure_hipaa_hitrust_v92_0719_10m3organizational
+title: 10m3Organizational.5-10.m 10.06 Technical Vulnerability Management
+description: The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported.
+section-code: azure_hipaa_hitrust_v92_0719_10m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+controls:
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml
index aaee070ff..8c0424731 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml
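Review bot: The `service` tag on the new side of the 0719 hunk still reads `Azure/MySQL`, while the only control the group maps is `azure_mssql_managed_instance_vulnerability_assessment_enabled`, so the tag appears to name the wrong service for anyone filtering this framework by service. The 0716 hunk tags `azure_sql_database_vulnerability_findings_resolved` with `Azure/SQL`, which looks like the intended value here too: ` - Azure/SQL`. The mismatch predates this commit, but since the hunk rewrites every line of the file it is the natural place to correct it.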
@@ -1,28 +1,28 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0805_01m1organizational
- title: 01m1Organizational.12-01.m 01.04 Network Access Control
- description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
- section-code: azure_hipaa_hitrust_v92_0805_01m1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_use_virtual_service_endpoint
- - azure_cosmosdb_use_virtual_service_endpoint
- - azure_eventhub_namespace_use_virtual_service_endpoint
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_network_security_group_not_configured_gateway_subnets
- - azure_network_security_group_subnet_associated
- - azure_sql_server_use_virtual_service_endpoint
- - azure_storage_account_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0805_01m1organizational
+title: 01m1Organizational.12-01.m 01.04 Network Access Control
+description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
+section-code: azure_hipaa_hitrust_v92_0805_01m1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_use_virtual_service_endpoint
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_use_virtual_service_endpoint
+- azure_cosmosdb_use_virtual_service_endpoint
+- azure_eventhub_namespace_use_virtual_service_endpoint
+- azure_keyvault_vault_use_virtual_service_endpoint
+- azure_network_security_group_not_configured_gateway_subnets
+- azure_network_security_group_subnet_associated
+- azure_sql_server_use_virtual_service_endpoint
+- azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml
index 3f78a0859..bfdba7518 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0806_01m2organizational
- title: 01m2Organizational.12356-01.m 01.04 Network Access Control
- description: The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.
- section-code: azure_hipaa_hitrust_v92_0806_01m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_use_virtual_service_endpoint
- - azure_cosmosdb_use_virtual_service_endpoint
- - azure_eventhub_namespace_use_virtual_service_endpoint
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_network_security_group_not_configured_gateway_subnets
- - azure_network_security_group_subnet_associated
- - azure_sql_server_use_virtual_service_endpoint
- - azure_storage_account_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0806_01m2organizational
+title: 01m2Organizational.12356-01.m 01.04 Network Access Control
+description: The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.
+section-code: azure_hipaa_hitrust_v92_0806_01m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_use_virtual_service_endpoint
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_use_virtual_service_endpoint
+- azure_cosmosdb_use_virtual_service_endpoint
+- azure_eventhub_namespace_use_virtual_service_endpoint
+- azure_keyvault_vault_use_virtual_service_endpoint
+- azure_network_security_group_not_configured_gateway_subnets
+- azure_network_security_group_subnet_associated
+- azure_sql_server_use_virtual_service_endpoint
+- azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml
index a213a0924..90efe025f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0809_01n2organizational
- title: 01n2Organizational.1234-01.n 01.04 Network Access Control
- description: Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.
- section-code: azure_hipaa_hitrust_v92_0809_01n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0809_01n2organizational
+title: 01n2Organizational.1234-01.n 01.04 Network Access Control
+description: Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface.
+section-code: azure_hipaa_hitrust_v92_0809_01n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_mysql_ssl_enabled
+- azure_network_security_group_subnet_associated
+- azure_postgres_sql_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml
index b54758584..4cc1378c6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0810_01n2organizational
- title: 01n2Organizational.5-01.n 01.04 Network Access Control
- description: Transmitted information is secured and, at a minimum, encrypted over open, public networks.
- section-code: azure_hipaa_hitrust_v92_0810_01n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0810_01n2organizational
+title: 01n2Organizational.5-01.n 01.04 Network Access Control
+description: Transmitted information is secured and, at a minimum, encrypted over open, public networks.
+section-code: azure_hipaa_hitrust_v92_0810_01n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_mysql_ssl_enabled
+- azure_network_security_group_subnet_associated
+- azure_postgres_sql_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
index a68f562e4..4eae99aef 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0811_01n2organizational
- title: 01n2Organizational.6-01.n 01.04 Network Access Control
- description: Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
- section-code: azure_hipaa_hitrust_v92_0811_01n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0811_01n2organizational
+title: 01n2Organizational.6-01.n 01.04 Network Access Control
+description: Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
+section-code: azure_hipaa_hitrust_v92_0811_01n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_mysql_ssl_enabled
+- azure_network_security_group_subnet_associated
+- azure_postgres_sql_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
index afed4be34..59df3af2a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0812_01n2organizational
- title: 01n2Organizational.8-01.n 01.04 Network Access Control
- description: Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.
- section-code: azure_hipaa_hitrust_v92_0812_01n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0812_01n2organizational
+title: 01n2Organizational.8-01.n 01.04 Network Access Control
+description: Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.
+section-code: azure_hipaa_hitrust_v92_0812_01n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_mysql_ssl_enabled
+- azure_network_security_group_subnet_associated
+- azure_postgres_sql_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
index 299c7b5f6..6e577996f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0814_01n1organizational
- title: 01n1Organizational.12-01.n 01.04 Network Access Control
- description: The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
- section-code: azure_hipaa_hitrust_v92_0814_01n1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0814_01n1organizational
+title: 01n1Organizational.12-01.n 01.04 Network Access Control
+description: The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
+section-code: azure_hipaa_hitrust_v92_0814_01n1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_mysql_ssl_enabled
+- azure_network_security_group_subnet_associated
+- azure_postgres_sql_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
index 3f0f51c51..8b3f4c2e0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0835_09n1organizational
- title: 09n1Organizational.1-09.n 09.06 Network Security Management
- description: Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
- section-code: azure_hipaa_hitrust_v92_0835_09n1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_uses_azure_resource_manager
+id: azure_hipaa_hitrust_v92_0835_09n1organizational
+title: 09n1Organizational.1-09.n 09.06 Network Security Management
+description: Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
+section-code: azure_hipaa_hitrust_v92_0835_09n1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
index 154ae0c7b..a7545d8ef 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0836_09_n2organizational
- title: 09.n2Organizational.1-09.n 09.06 Network Security Management
- description: The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.
- section-code: azure_hipaa_hitrust_v92_0836_09_n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+id: azure_hipaa_hitrust_v92_0836_09_n2organizational
+title: 09.n2Organizational.1-09.n 09.06 Network Security Management
+description: The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.
+section-code: azure_hipaa_hitrust_v92_0836_09_n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
index 3ef9efdb5..f7cbed3b0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
- title: 09.n2Organizational.2-09.n 09.06 Network Security Management
- description: Formal agreements with external information system providers include specific obligations for security and privacy.
- section-code: azure_hipaa_hitrust_v92_0837_09_n2Organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_watcher_enabled
+id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+title: 09.n2Organizational.2-09.n 09.06 Network Security Management
+description: Formal agreements with external information system providers include specific obligations for security and privacy.
+section-code: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
index 81a9c97b3..d787dab3e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0858_09m1organizational
- title: 09m1Organizational.4-09.m 09.06 Network Security Management
- description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
- section-code: azure_hipaa_hitrust_v92_0858_09m1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_meet_firewall_properties_windows
- - azure_compute_vm_remote_access_restricted_all_ports
+id: azure_hipaa_hitrust_v92_0858_09m1organizational
+title: 09m1Organizational.4-09.m 09.06 Network Security Management
+description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
+section-code: azure_hipaa_hitrust_v92_0858_09m1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_meet_firewall_properties_windows
+- azure_compute_vm_remote_access_restricted_all_ports
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
index 8b2e8d4c4..2bfbd5b28 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0859_09m1organizational
- title: 09m1Organizational.78-09.m 09.06 Network Security Management
- description: The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access.
- section-code: azure_hipaa_hitrust_v92_0859_09m1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+id: azure_hipaa_hitrust_v92_0859_09m1organizational
+title: 09m1Organizational.78-09.m 09.06 Network Security Management
+description: The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access.
+section-code: azure_hipaa_hitrust_v92_0859_09m1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
index ec5fe56cb..6ef506d0c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0860_09m1organizational
- title: 09m1Organizational.9-09.m 09.06 Network Security Management
- description: The organization formally manages equipment on the network, including equipment in user areas.
- section-code: azure_hipaa_hitrust_v92_0860_09m1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_security_group_diagnostic_setting_deployed
+id: azure_hipaa_hitrust_v92_0860_09m1organizational
+title: 09m1Organizational.9-09.m 09.06 Network Security Management
+description: The organization formally manages equipment on the network, including equipment in user areas.
+section-code: azure_hipaa_hitrust_v92_0860_09m1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_security_group_diagnostic_setting_deployed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
index 2215827e7..56e80046a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0861_09m2organizational
- title: 09m2Organizational.67-09.m 09.06 Network Security Management
- description: To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
- section-code: azure_hipaa_hitrust_v92_0861_09m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_meet_security_options_network_access_requirement_windows
+id: azure_hipaa_hitrust_v92_0861_09m2organizational
+title: 09m2Organizational.67-09.m 09.06 Network Security Management
+description: To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
+section-code: azure_hipaa_hitrust_v92_0861_09m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_use_virtual_service_endpoint
+- azure_compute_vm_meet_security_options_network_access_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
index d44b3078e..3ec55112c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0862_09m2organizational
- title: 09m2Organizational.8-09.m 09.06 Network Security Management
- description: The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
- section-code: azure_hipaa_hitrust_v92_0862_09m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_sql_server_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0862_09m2organizational
+title: 09m2Organizational.8-09.m 09.06 Network Security Management
+description: The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
+section-code: azure_hipaa_hitrust_v92_0862_09m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_sql_server_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
index 70e27931a..2fd1c3c68 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0863_09m2organizational
- title: 09m2Organizational.910-09.m 09.06 Network Security Management
- description: The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
- section-code: azure_hipaa_hitrust_v92_0863_09m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/EventHub
- type:
- - Benchmark
- controls:
- - azure_eventhub_namespace_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0863_09m2organizational
+title: 09m2Organizational.910-09.m 09.06 Network Security Management
+description: The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
+section-code: azure_hipaa_hitrust_v92_0863_09m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/EventHub
+ type:
+ - Benchmark
+controls:
+- azure_eventhub_namespace_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
index 6fc1698e2..ab7493a59 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0864_09m2organizational
- title: 09m2Organizational.12-09.m 09.06 Network Security Management
- description: Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service.
- section-code: azure_hipaa_hitrust_v92_0864_09m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/CosmosDB
- type:
- - Benchmark
- controls:
- - azure_cosmosdb_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0864_09m2organizational
+title: 09m2Organizational.12-09.m 09.06 Network Security Management
+description: Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service.
+section-code: azure_hipaa_hitrust_v92_0864_09m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/CosmosDB
+ type:
+ - Benchmark
+controls:
+- azure_cosmosdb_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
index 88f6805ea..3bff95fed 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0865_09m2organizational
- title: 09m2Organizational.13-09.m 09.06 Network Security Management
- description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.
- section-code: azure_hipaa_hitrust_v92_0865_09m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KeyVault
- type:
- - Benchmark
- controls:
- - azure_keyvault_vault_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0865_09m2organizational
+title: 09m2Organizational.13-09.m 09.06 Network Security Management
+description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and 
ports that are explicitly allowed.
+section-code: azure_hipaa_hitrust_v92_0865_09m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KeyVault
+ type:
+ - Benchmark
+controls:
+- azure_keyvault_vault_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
index d20861998..a670e1c5b 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0866_09m3organizational
- title: 09m3Organizational.1516-09.m 09.06 Network Security Management
- description: The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure.
- section-code: azure_hipaa_hitrust_v92_0866_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
- controls:
- - azure_storage_account_default_network_access_rule_denied
+id: azure_hipaa_hitrust_v92_0866_09m3organizational
+title: 09m3Organizational.1516-09.m 09.06 Network Security Management
+description: The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure.
+section-code: azure_hipaa_hitrust_v92_0866_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+controls:
+- azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
index afe855ccb..41e2b8fd9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0867_09m3organizational
- title: Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)
- description: Ensure the protection of information in networks and protection of the supporting network infrastructure.
- section-code: azure_hipaa_hitrust_v92_0867_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
- controls:
- - azure_storage_account_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0867_09m3organizational
+title: Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)
+description: Ensure the protection of information in networks and protection of the supporting network infrastructure.
+section-code: azure_hipaa_hitrust_v92_0867_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+controls:
+- azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
index 2e2aca913..f20d0c88f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0868_09m3organizational
- title: 09m3Organizational.18-09.m 09.06 Network Security Management
- description: The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment.
- section-code: azure_hipaa_hitrust_v92_0868_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
- controls:
- - azure_container_registry_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0868_09m3organizational
+title: 09m3Organizational.18-09.m 09.06 Network Security Management
+description: The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment.
+section-code: azure_hipaa_hitrust_v92_0868_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+controls:
+- azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
index a05344777..dd5d304c0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0869_09m3organizational
- title: 09m3Organizational.19-09.m 09.06 Network Security Management
- description: The router configuration files are secured and synchronized.
- section-code: azure_hipaa_hitrust_v92_0869_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
- controls:
- - azure_container_registry_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0869_09m3organizational
+title: 09m3Organizational.19-09.m 09.06 Network Security Management
+description: The router configuration files are secured and synchronized.
+section-code: azure_hipaa_hitrust_v92_0869_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+controls:
+- azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
index 879803e72..a7b2e3e35 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0870_09m3organizational
- title: 09m3Organizational.20-09.m 09.06 Network Security Management
- description: Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
- section-code: azure_hipaa_hitrust_v92_0870_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
- controls:
- - azure_container_registry_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0870_09m3organizational
+title: 09m3Organizational.20-09.m 09.06 Network Security Management
+description: Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
+section-code: azure_hipaa_hitrust_v92_0870_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+controls:
+- azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
index f37d18133..07f7e8936 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0871_09m3organizational
- title: 09m3Organizational.22-09.m 09.07 Network Security Management
- description: Authoritative DNS servers are segregated into internal and external roles.
- section-code: azure_hipaa_hitrust_v92_0871_09m3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
- controls:
- - azure_container_registry_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0871_09m3organizational
+title: 09m3Organizational.22-09.m 09.07 Network Security Management
+description: Authoritative DNS servers are segregated into internal and external roles.
+section-code: azure_hipaa_hitrust_v92_0871_09m3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+controls:
+- azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
index 133b1b7ec..86ee546dc 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0885_09n2organizational
- title: 09n2Organizational.3-09.n 09.06 Network Security Management
- description: The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
- section-code: azure_hipaa_hitrust_v92_0885_09n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+id: azure_hipaa_hitrust_v92_0885_09n2organizational
+title: 09n2Organizational.3-09.n 09.06 Network Security Management
+description: The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
+section-code: azure_hipaa_hitrust_v92_0885_09n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
index ae4fb624d..68504b2a0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0886_09n2Organizational
- title: 09n2Organizational.4-09.n 09.06 Network Security Management
- description: The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems.
- section-code: azure_hipaa_hitrust_v92_0886_09n2Organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_watcher_enabled
+id: azure_hipaa_hitrust_v92_0886_09n2Organizational
+title: 09n2Organizational.4-09.n 09.06 Network Security Management
+description: The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems.
+section-code: azure_hipaa_hitrust_v92_0886_09n2Organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
index e892c6ff3..592ca5aad 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0887_09n2organizational
- title: 09n2Organizational.5-09.n 09.06 Network Security Management
- description: The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services.
- section-code: azure_hipaa_hitrust_v92_0887_09n2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+id: azure_hipaa_hitrust_v92_0887_09n2organizational
+title: 09n2Organizational.5-09.n 09.06 Network Security Management
+description: The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services.
+section-code: azure_hipaa_hitrust_v92_0887_09n2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
index 6921128bb..b923b8ef3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0888_09n2Organizational
- title: 09n2Organizational.6-09.n 09.06 Network Security Management
- description: The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.
- section-code: azure_hipaa_hitrust_v92_0888_09n2Organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_watcher_enabled
+id: azure_hipaa_hitrust_v92_0888_09n2Organizational
+title: 09n2Organizational.6-09.n 09.06 Network Security Management
+description: The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.
+section-code: azure_hipaa_hitrust_v92_0888_09n2Organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
index c0128eff9..145b9494e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
@@ -1,29 +1,29 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0894_01m2organizational
- title: 01m2Organizational.7-01.m 01.04 Network Access Control
- description: Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
- section-code: azure_hipaa_hitrust_v92_0894_01m2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_use_virtual_service_endpoint
- - azure_cosmosdb_use_virtual_service_endpoint
- - azure_eventhub_namespace_use_virtual_service_endpoint
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_network_security_group_not_configured_gateway_subnets
- - azure_network_security_group_subnet_associated
- - azure_network_watcher_in_regions_with_virtual_network
- - azure_sql_server_use_virtual_service_endpoint
- - azure_storage_account_use_virtual_service_endpoint
+id: azure_hipaa_hitrust_v92_0894_01m2organizational
+title: 01m2Organizational.7-01.m 01.04 Network Access Control
+description: Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
+section-code: azure_hipaa_hitrust_v92_0894_01m2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_use_virtual_service_endpoint
+- azure_compute_vm_attached_with_network
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_use_virtual_service_endpoint
+- azure_cosmosdb_use_virtual_service_endpoint
+- azure_eventhub_namespace_use_virtual_service_endpoint
+- azure_keyvault_vault_use_virtual_service_endpoint
+- azure_network_security_group_not_configured_gateway_subnets
+- azure_network_security_group_subnet_associated
+- azure_network_watcher_in_regions_with_virtual_network
+- azure_sql_server_use_virtual_service_endpoint
+- azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
index 77f6a644f..4d37e2e36 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0901_09s1organizational
- title: 09s1Organizational.1-09.s 09.08 Exchange of Information
- description: The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
- section-code: azure_hipaa_hitrust_v92_0901_09s1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_cors_no_star
+id: azure_hipaa_hitrust_v92_0901_09s1organizational
+title: 09s1Organizational.1-09.s 09.08 Exchange of Information
+description: The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
+section-code: azure_hipaa_hitrust_v92_0901_09s1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
index a7ff86189..6266a861d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0902_09s2organizational
- title: 09s2Organizational.13-09.s 09.08 Exchange of Information
- description: Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions.
- section-code: azure_hipaa_hitrust_v92_0902_09s2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_function_app_cors_no_star
+id: azure_hipaa_hitrust_v92_0902_09s2organizational
+title: 09s2Organizational.13-09.s 09.08 Exchange of Information
+description: Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions.
+section-code: azure_hipaa_hitrust_v92_0902_09s2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_function_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
index fdd93007d..f800c6fe0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0912_09s1organizational
- title: 09s1Organizational.4-09.s 09.08 Exchange of Information
- description: Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
- section-code: azure_hipaa_hitrust_v92_0912_09s1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
+id: azure_hipaa_hitrust_v92_0912_09s1organizational
+title: 09s1Organizational.4-09.s 09.08 Exchange of Information
+description: Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
+section-code: azure_hipaa_hitrust_v92_0912_09s1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
index a0511593c..6d06ece7c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0913_09s1organizational
- title: 09s1Organizational.5-09.s 09.08 Exchange of Information
- description: Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks.
- section-code: azure_hipaa_hitrust_v92_0913_09s1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_function_app_remote_debugging_disabled
+id: azure_hipaa_hitrust_v92_0913_09s1organizational
+title: 09s1Organizational.5-09.s 09.08 Exchange of Information
+description: Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks.
+section-code: azure_hipaa_hitrust_v92_0913_09s1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_function_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
index c501a2e1f..a657b2640 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0915_09s2organizational
- title: 09s2Organizational.2-09.s 09.08 Exchange of Information
- description: The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
- section-code: azure_hipaa_hitrust_v92_0915_09s2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_client_certificates_on
+id: azure_hipaa_hitrust_v92_0915_09s2organizational
+title: 09s2Organizational.2-09.s 09.08 Exchange of Information
+description: The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
+section-code: azure_hipaa_hitrust_v92_0915_09s2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_client_certificates_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
index 9a98c600d..bfe43e3e9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0916_09s2organizational
- title: 09s2Organizational.4-09.s 09.08 Exchange of Information
- description: The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices.
- section-code: azure_hipaa_hitrust_v92_0916_09s2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_cors_no_star
+id: azure_hipaa_hitrust_v92_0916_09s2organizational
+title: 09s2Organizational.4-09.s 09.08 Exchange of Information
+description: The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices.
+section-code: azure_hipaa_hitrust_v92_0916_09s2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
index 0428eda87..0c9272d7e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0943_09y1organizational
- title: 09y1Organizational.1-09.y 09.09 Electronic Commerce Services
- description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
- section-code: azure_hipaa_hitrust_v92_0943_09y1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
- controls:
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_hipaa_hitrust_v92_0943_09y1organizational
+title: 09y1Organizational.1-09.y 09.09 Electronic Commerce Services
+description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
+section-code: azure_hipaa_hitrust_v92_0943_09y1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+controls:
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
index ee94c8dd3..5d9e6a789 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0945_09y1organizational
- title: 09y1Organizational.3-09.y 09.09 Electronic Commerce Services
- description: Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).
- section-code: azure_hipaa_hitrust_v92_0945_09y1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows
+id: azure_hipaa_hitrust_v92_0945_09y1organizational
+title: 09y1Organizational.3-09.y 09.09 Electronic Commerce Services
+description: Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL).
+section-code: azure_hipaa_hitrust_v92_0945_09y1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml
index b129b26d4..9c7cc4b79 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0946_09y2organizational
- title: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction
- description: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction
- section-code: azure_hipaa_hitrust_v92_0946_09y2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Redis
- type:
- - Benchmark
- controls:
- - azure_redis_cache_ssl_enabled
+id: azure_hipaa_hitrust_v92_0946_09y2organizational
+title: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction
+description: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction
+section-code: azure_hipaa_hitrust_v92_0946_09y2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Redis
+ type:
+ - Benchmark
+controls:
+- azure_redis_cache_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml
index c5ad700d9..6218bfc04 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0947_09y2organizational
- title: 09y2Organizational.2-09.y 09.09 Electronic Commerce Services
- description: The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet.
- section-code: azure_hipaa_hitrust_v92_0947_09y2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
- controls:
- - azure_postgres_sql_ssl_enabled
+id: azure_hipaa_hitrust_v92_0947_09y2organizational
+title: 09y2Organizational.2-09.y 09.09 Electronic Commerce Services
+description: The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet.
+section-code: azure_hipaa_hitrust_v92_0947_09y2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+controls:
+- azure_postgres_sql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml
index 61fa9b692..5050a9651 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0948_09y2organizational
- title: 09y2Organizational.3-09.y 09.09 Electronic Commerce Services
- description: Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
- section-code: azure_hipaa_hitrust_v92_0948_09y2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
- controls:
- - azure_mysql_ssl_enabled
+id: azure_hipaa_hitrust_v92_0948_09y2organizational
+title: 09y2Organizational.3-09.y 09.09 Electronic Commerce Services
+description: Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process.
+section-code: azure_hipaa_hitrust_v92_0948_09y2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+controls:
+- azure_mysql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml
index b84c9f8e0..ec7981d92 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0949_09y2organizational
- title: 09y2Organizational.5-09.y 09.09 Electronic Commerce Services
- description: The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible.
- section-code: azure_hipaa_hitrust_v92_0949_09y2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
+id: azure_hipaa_hitrust_v92_0949_09y2organizational
+title: 09y2Organizational.5-09.y 09.09 Electronic Commerce Services
+description: The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible.
+section-code: azure_hipaa_hitrust_v92_0949_09y2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml
index 9a4f2ea74..6b1176e26 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_0960_09scsporganizational
- title: 09sCSPOrganizational.1-09.s 09.08 Exchange of Information
- description: Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
- section-code: azure_hipaa_hitrust_v92_0960_09scsporganizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_function_app_cors_no_star
+id: azure_hipaa_hitrust_v92_0960_09scsporganizational
+title: 09sCSPOrganizational.1-09.s 09.08 Exchange of Information
+description: Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
+section-code: azure_hipaa_hitrust_v92_0960_09scsporganizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_function_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml
index 8d1cab329..93763a146 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_11109_01q1organizational
- title: 01q1Organizational.57-01.q 01.05 Operating System Access Control
- description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems.
- section-code: azure_hipaa_hitrust_v92_11109_01q1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_11109_01q1organizational
+title: 01q1Organizational.57-01.q 01.05 Operating System Access Control
+description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems.
+section-code: azure_hipaa_hitrust_v92_11109_01q1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml
index e4c3718f4..bf1c4bbb2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_11110_01q1organizational
- title: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated
- description: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated
- section-code: azure_hipaa_hitrust_v92_11110_01q1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_11110_01q1organizational
+title: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated
+description: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated
+section-code: azure_hipaa_hitrust_v92_11110_01q1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml
index f22c61a92..7b5cbe5a1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11111_01q2system - title: 01q2System.4-01.q 01.05 Operating System Access Control - description: When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. - section-code: azure_hipaa_hitrust_v92_11111_01q2system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_user_with_read_permission_on_subscription_mfa_enabled +id: azure_hipaa_hitrust_v92_11111_01q2system +title: 01q2System.4-01.q 01.05 Operating System Access Control +description: When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. +section-code: azure_hipaa_hitrust_v92_11111_01q2system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_user_with_read_permission_on_subscription_mfa_enabled 
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml index 3ae975fe8..d29818661 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11112_01q2organizational - title: 01q2Organizational.67-01.q 01.05 Operating System Access Control - description: The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. - section-code: azure_hipaa_hitrust_v92_11112_01q2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_subscription_owner_max_3 +id: azure_hipaa_hitrust_v92_11112_01q2organizational +title: 01q2Organizational.67-01.q 01.05 Operating System Access Control +description: The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. +section-code: azure_hipaa_hitrust_v92_11112_01q2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_subscription_owner_max_3 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml index 9fbafcdff..67566a165 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml @@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1116_01j1organizational - title: 01j1Organizational.145-01.j 01.04 Network Access Control - description: Prevent unauthorized access to networked services, such as user authentication for external connections. - section-code: azure_hipaa_hitrust_v92_1116_01j1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled +id: azure_hipaa_hitrust_v92_1116_01j1organizational +title: 01j1Organizational.145-01.j 01.04 Network Access Control +description: Prevent unauthorized access to networked services, such as user authentication for external connections. +section-code: azure_hipaa_hitrust_v92_1116_01j1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml index 5e11c6943..d2a86ea60 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1117_01j1organizational - title: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use - description: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use - section-code: azure_hipaa_hitrust_v92_1117_01j1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_user_with_write_permission_on_subscription_mfa_enabled +id: azure_hipaa_hitrust_v92_1117_01j1organizational +title: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use +description: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use +section-code: azure_hipaa_hitrust_v92_1117_01j1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_user_with_write_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml index beb433400..1c3605123 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11180_01c3system - title: 01c3System.6-01.c 01.02 Authorized Access to Information Systems - description: Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. - section-code: azure_hipaa_hitrust_v92_11180_01c3system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_jit_access_protected +id: azure_hipaa_hitrust_v92_11180_01c3system +title: 01c3System.6-01.c 01.02 Authorized Access to Information Systems +description: Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. +section-code: azure_hipaa_hitrust_v92_11180_01c3system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_jit_access_protected diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml index b4e57ac4f..c4f34286b 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1118_01j2organizational - title: 01j2Organizational.124-01.j 01.04 Network Access Control - description: The organization has implemented encryption (e.g. VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party. - section-code: azure_hipaa_hitrust_v92_1118_01j2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_user_with_read_permission_on_subscription_mfa_enabled +id: azure_hipaa_hitrust_v92_1118_01j2organizational +title: 01j2Organizational.124-01.j 01.04 Network Access Control +description: The organization has implemented encryption (e.g. VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party. +section-code: azure_hipaa_hitrust_v92_1118_01j2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_user_with_read_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml index e914efa89..4603577b1 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1119_01j2organizational - title: 01j2Organizational.3-01.j 01.04 Network Access Control - description: Network equipment is checked for unanticipated dial-up capabilities. - section-code: azure_hipaa_hitrust_v92_1119_01j2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_jit_access_protected +id: azure_hipaa_hitrust_v92_1119_01j2organizational +title: 01j2Organizational.3-01.j 01.04 Network Access Control +description: Network equipment is checked for unanticipated dial-up capabilities. +section-code: azure_hipaa_hitrust_v92_1119_01j2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_jit_access_protected diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml index 98cc9e5e0..89fdc077e 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11208_01q1organizational - title: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else - description: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else - section-code: azure_hipaa_hitrust_v92_11208_01q1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_subscription_owner_more_than_1 +id: azure_hipaa_hitrust_v92_11208_01q1organizational +title: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else +description: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else +section-code: azure_hipaa_hitrust_v92_11208_01q1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_subscription_owner_more_than_1 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml index ba21d2bc0..f1c6b7dee 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1120_09ab3system - title: 09ab3System.9-09.ab 09.10 Monitoring - description: Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. - section-code: azure_hipaa_hitrust_v92_1120_09ab3system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_monitor_log_profile_enabled_for_all_regions +id: azure_hipaa_hitrust_v92_1120_09ab3system +title: 09ab3System.9-09.ab 09.10 Monitoring +description: Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. +section-code: azure_hipaa_hitrust_v92_1120_09ab3system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_monitor_log_profile_enabled_for_all_regions diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml index f4e711a14..4c1a73488 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11210_01q2organizational - title: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records - description: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records - section-code: azure_hipaa_hitrust_v92_11210_01q2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_administrators_group_with_specified_members_windows +id: azure_hipaa_hitrust_v92_11210_01q2organizational +title: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records +description: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records +section-code: azure_hipaa_hitrust_v92_11210_01q2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_administrators_group_with_specified_members_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml index 4c221dcb6..3e6b6e2ec 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_11211_01q2organizational - title: Signed electronic records shall contain information associated with the signing in human-readable format - description: Signed electronic records shall contain information associated with the signing in human-readable format - section-code: azure_hipaa_hitrust_v92_11211_01q2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_administrators_group_with_no_specified_members_windows +id: azure_hipaa_hitrust_v92_11211_01q2organizational +title: Signed electronic records shall contain information associated with the signing in human-readable format +description: Signed electronic records shall contain information associated with the signing in human-readable format +section-code: azure_hipaa_hitrust_v92_11211_01q2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_administrators_group_with_no_specified_members_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml index 3e775099a..d9ea44a25 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1121_01j3organizational - title: 01j3Organizational.2-01.j 01.04 Network Access Control - description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. - section-code: azure_hipaa_hitrust_v92_1121_01j3organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled +id: azure_hipaa_hitrust_v92_1121_01j3organizational +title: 01j3Organizational.2-01.j 01.04 Network Access Control +description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. +section-code: azure_hipaa_hitrust_v92_1121_01j3organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml index 64b4ac8df..7da2ca8e6 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1123_01q1system - title: 01q1System.2-01.q 01.05 Operating System Access Control - description: Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. - section-code: azure_hipaa_hitrust_v92_1123_01q1system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_administrators_group_with_extra_accounts_windows +id: azure_hipaa_hitrust_v92_1123_01q1system +title: 01q1System.2-01.q 01.05 Operating System Access Control +description: Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions. +section-code: azure_hipaa_hitrust_v92_1123_01q1system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_administrators_group_with_extra_accounts_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml index edb434776..327ee6f1c 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1125_01q2system - title: 01q2System.1-01.q 01.05 Operating System Access Control - description: Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). - section-code: azure_hipaa_hitrust_v92_1125_01q2system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_administrators_group_with_specified_members_windows +id: azure_hipaa_hitrust_v92_1125_01q2system +title: 01q2System.1-01.q 01.05 Operating System Access Control +description: Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access). +section-code: azure_hipaa_hitrust_v92_1125_01q2system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_administrators_group_with_specified_members_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml index c55df2f4d..cd555408a 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1127_01q2system - title: 01q2System.3-01.q 01.05 Operating System Access Control - description: Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. - section-code: azure_hipaa_hitrust_v92_1127_01q2system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_administrators_group_with_no_specified_members_windows +id: azure_hipaa_hitrust_v92_1127_01q2system +title: 01q2System.3-01.q 01.05 Operating System Access Control +description: Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access. +section-code: azure_hipaa_hitrust_v92_1127_01q2system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_administrators_group_with_no_specified_members_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml index d82ac266f..11dae2194 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1143_01c1system - title: 01c1System.123-01.c 01.02 Authorized Access to Information Systems - description: Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. - section-code: azure_hipaa_hitrust_v92_1143_01c1system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark - controls: - - azure_network_security_group_remote_access_restricted +id: azure_hipaa_hitrust_v92_1143_01c1system +title: 01c1System.123-01.c 01.02 Authorized Access to Information Systems +description: Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element. +section-code: azure_hipaa_hitrust_v92_1143_01c1system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark +controls: +- azure_network_security_group_remote_access_restricted diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml index 819255294..089d73985 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1144_01c1system - title: 01c1System.4-01.c 01.02 Authorized Access to Information Systems - description: The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information. - section-code: azure_hipaa_hitrust_v92_1144_01c1system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_iam_subscription_owner_max_3 +id: azure_hipaa_hitrust_v92_1144_01c1system +title: 01c1System.4-01.c 01.02 Authorized Access to Information Systems +description: The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information. +section-code: azure_hipaa_hitrust_v92_1144_01c1system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_iam_subscription_owner_max_3 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml index 366619a43..7703ee183 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1145_01c2system - title: 01c2System.1-01.c 01.02 Authorized Access to Information Systems - description: Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. - section-code: azure_hipaa_hitrust_v92_1145_01c2system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_iam_subscription_owner_more_than_1 +id: azure_hipaa_hitrust_v92_1145_01c2system +title: 01c2System.1-01.c 01.02 Authorized Access to Information Systems +description: Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions. +section-code: azure_hipaa_hitrust_v92_1145_01c2system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_iam_subscription_owner_more_than_1 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml index 3073b0592..008b97b94 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1146_01c2system - title: 01c2System.23-01.c 01.02 Authorized Access to Information Systems - description: The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. - section-code: azure_hipaa_hitrust_v92_1146_01c2system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark - controls: - - azure_iam_external_user_with_owner_role +id: azure_hipaa_hitrust_v92_1146_01c2system +title: 01c2System.23-01.c 01.02 Authorized Access to Information Systems +description: The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users. +section-code: azure_hipaa_hitrust_v92_1146_01c2system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark +controls: +- azure_iam_external_user_with_owner_role diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml index 926788b51..acd9d2921 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml 
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1147_01c2system
- title: 01c2System.456-01.c 01.02 Authorized Access to Information Systems
- description: Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized.
- section-code: azure_hipaa_hitrust_v92_1147_01c2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_deprecated_account_with_owner_roles
+id: azure_hipaa_hitrust_v92_1147_01c2system
+title: 01c2System.456-01.c 01.02 Authorized Access to Information Systems
+description: Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized.
+section-code: azure_hipaa_hitrust_v92_1147_01c2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_deprecated_account_with_owner_roles
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
index 7b263844d..37018684f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1148_01c2system
- title: 01c2System.78-01.c 01.02 Authorized Access to Information Systems
- description: The organization restricts access to privileged functions and all security-relevant information.
- section-code: azure_hipaa_hitrust_v92_1148_01c2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_iam_no_custom_role
- - azure_compute_vm_meet_security_option_requirement_windows
+id: azure_hipaa_hitrust_v92_1148_01c2system
+title: 01c2System.78-01.c 01.02 Authorized Access to Information Systems
+description: The organization restricts access to privileged functions and all security-relevant information.
+section-code: azure_hipaa_hitrust_v92_1148_01c2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_iam_no_custom_role
+- azure_compute_vm_meet_security_option_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
index b1012d3c2..bf1486d1a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1149_01c2system
- title: The organization facilitates information sharing by enabling authorized users
- description: To determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
- section-code: azure_hipaa_hitrust_v92_1149_01c2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
- controls:
- - azure_kubernetes_instance_rbac_enabled
+id: azure_hipaa_hitrust_v92_1149_01c2system
+title: The organization facilitates information sharing by enabling authorized users
+description: To determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
+section-code: azure_hipaa_hitrust_v92_1149_01c2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+controls:
+- azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
index 53b20775b..90b22b8af 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1150_01c2system
- title: 01c2System.10-01.c 01.02 Authorized Access to Information Systems
- description: The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting.
- section-code: azure_hipaa_hitrust_v92_1150_01c2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_security_group_remote_access_restricted
+id: azure_hipaa_hitrust_v92_1150_01c2system
+title: 01c2System.10-01.c 01.02 Authorized Access to Information Systems
+description: The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting.
+section-code: azure_hipaa_hitrust_v92_1150_01c2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
index f2564371d..526047cbe 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1151_01c3system
- title: 01c3System.1-01.c 01.02 Authorized Access to Information Systems
- description: The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users.
- section-code: azure_hipaa_hitrust_v92_1151_01c3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_max_3
+id: azure_hipaa_hitrust_v92_1151_01c3system
+title: 01c3System.1-01.c 01.02 Authorized Access to Information Systems
+description: The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users.
+section-code: azure_hipaa_hitrust_v92_1151_01c3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
index 2e2981fb5..49233f736 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1152_01c3system
- title: 01c3System.2-01.c 01.02 Authorized Access to Information Systems
- description: The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions.
- section-code: azure_hipaa_hitrust_v92_1152_01c3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_more_than_1
+id: azure_hipaa_hitrust_v92_1152_01c3system
+title: 01c3System.2-01.c 01.02 Authorized Access to Information Systems
+description: The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions.
+section-code: azure_hipaa_hitrust_v92_1152_01c3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
index 4f3698aec..71423f224 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1153_01c3system
- title: 01c3System.35-01.c 01.02 Authorized Access to Information Systems
- description: All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties.
- section-code: azure_hipaa_hitrust_v92_1153_01c3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
- controls:
- - azure_kubernetes_instance_rbac_enabled
+id: azure_hipaa_hitrust_v92_1153_01c3system
+title: 01c3System.35-01.c 01.02 Authorized Access to Information Systems
+description: All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties.
+section-code: azure_hipaa_hitrust_v92_1153_01c3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+controls:
+- azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
index ddaa0cf27..f929010c0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1154_01c3system
- title: Contractors are provided with minimal system and physical access
- description: The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. Only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
- section-code: azure_hipaa_hitrust_v92_1154_01c3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_max_3
+id: azure_hipaa_hitrust_v92_1154_01c3system
+title: Contractors are provided with minimal system and physical access
+description: The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. Only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
+section-code: azure_hipaa_hitrust_v92_1154_01c3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
index 5a8dcd603..a3f7e93a0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
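Review bot: The `service` tag here is `Azure/IAM` for `azure_iam_subscription_owner_max_3`, while the 1151 group (L7006) tags the very same control as `Azure/ActiveDirectory`; anything that filters or reports by service tag will split one control across two buckets. Pick one value for subscription-owner controls and apply it in both files, e.g. `- Azure/ActiveDirectory` here to match 1151 and 1152 (L7007). The same `Azure/IAM` vs `Azure/ActiveDirectory` split recurs for the MFA groups at L7010–L7015, which presumably should follow whichever convention is chosen.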
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1173_01j1organizational
- title: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
- description: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
- section-code: azure_hipaa_hitrust_v92_1173_01j1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_1173_01j1organizational
+title: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
+description: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
+section-code: azure_hipaa_hitrust_v92_1173_01j1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
index 450a3adf0..d0e6a6d68 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
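Review bot: The `description` on the new side is a verbatim copy of the `title`, so the group carries no explanation of why a dial-up encryption authorization requirement is satisfied by `azure_iam_user_with_write_permission_on_subscription_mfa_enabled`; the mapping is not obvious and a reader of the generated report cannot trace it. Since the commit rewrites this line anyway, replace the duplicated text with a one-sentence rationale, e.g. `description: Remote access paths without transport encryption require compensating authentication; this group checks that subscription writers have MFA enabled.` (wording to be confirmed by whoever owns the mapping). The same title-as-description duplication occurs in 1174 (L7011), 1176 (L7013), 1177 (L7014) and 1178 (L7015), where 1178 even uses the bare HITRUST reference `01j2Organizational.7-01.j 01.04 Network Access Control` as its description.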
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1174_01j1organizational
- title: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
- description: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
- section-code: azure_hipaa_hitrust_v92_1174_01j1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_1174_01j1organizational
+title: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
+description: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
+section-code: azure_hipaa_hitrust_v92_1174_01j1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
index 72601ca68..ca6ad83b6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1175_01j1organizational
- title: 01j1Organizational.8-01.j 01.04 Network Access Control
- description: Remote access to business information across public networks only takes place after successful identification and authentication.
- section-code: azure_hipaa_hitrust_v92_1175_01j1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_jit_access_protected
+id: azure_hipaa_hitrust_v92_1175_01j1organizational
+title: 01j1Organizational.8-01.j 01.04 Network Access Control
+description: Remote access to business information across public networks only takes place after successful identification and authentication.
+section-code: azure_hipaa_hitrust_v92_1175_01j1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
index 7799b2bcd..225f42026 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1176_01j2organizational
- title: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
- description: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
- section-code: azure_hipaa_hitrust_v92_1176_01j2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_1176_01j2organizational
+title: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
+description: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
+section-code: azure_hipaa_hitrust_v92_1176_01j2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
index 2ea908553..0805560a8 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1177_01j2organizational
- title: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
- description: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
- section-code: azure_hipaa_hitrust_v92_1177_01j2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_1177_01j2organizational
+title: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
+description: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
+section-code: azure_hipaa_hitrust_v92_1177_01j2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
index 4896d8bef..b45996fbe 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1178_01j2organizational
- title: 01j2Organizational.7-01.j 01.04 Network Access Control
- description: 01j2Organizational.7-01.j 01.04 Network Access Control
- section-code: azure_hipaa_hitrust_v92_1178_01j2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
- controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+id: azure_hipaa_hitrust_v92_1178_01j2organizational
+title: 01j2Organizational.7-01.j 01.04 Network Access Control
+description: 01j2Organizational.7-01.j 01.04 Network Access Control
+section-code: azure_hipaa_hitrust_v92_1178_01j2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+controls:
+- azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
index 6822f550f..d8ddecce9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1179_01j3organizational
- title: 01j3Organizational.1-01.j 01.04 Network Access Control
- description: The information system monitors and controls remote access methods.
- section-code: azure_hipaa_hitrust_v92_1179_01j3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_jit_access_protected
+id: azure_hipaa_hitrust_v92_1179_01j3organizational
+title: 01j3Organizational.1-01.j 01.04 Network Access Control
+description: The information system monitors and controls remote access methods.
+section-code: azure_hipaa_hitrust_v92_1179_01j3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
index ea005cec2..78962d723 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1192_01l1organizational
- title: 01l1Organizational.1-01.l 01.04 Network Access Control
- description: Access to network equipment is physically protected.
- section-code: azure_hipaa_hitrust_v92_1192_01l1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_jit_access_protected
+id: azure_hipaa_hitrust_v92_1192_01l1organizational
+title: 01l1Organizational.1-01.l 01.04 Network Access Control
+description: Access to network equipment is physically protected.
+section-code: azure_hipaa_hitrust_v92_1192_01l1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
index 78db5dbde..17175ba5d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1193_01l2organizational
- title: 01l2Organizational.13-01.l 01.04 Network Access Control
- description: Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port.
- section-code: azure_hipaa_hitrust_v92_1193_01l2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
- controls:
- - azure_network_security_group_remote_access_restricted
+id: azure_hipaa_hitrust_v92_1193_01l2organizational
+title: 01l2Organizational.13-01.l 01.04 Network Access Control
+description: Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port.
+section-code: azure_hipaa_hitrust_v92_1193_01l2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+controls:
+- azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
index e14ec34ad..c379decd6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1194_01l2organizational
- title: 01l2Organizational.2-01.l 01.04 Network Access Control
- description: Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed.
- section-code: azure_hipaa_hitrust_v92_1194_01l2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
+id: azure_hipaa_hitrust_v92_1194_01l2organizational
+title: 01l2Organizational.2-01.l 01.04 Network Access Control
+description: Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed.
+section-code: azure_hipaa_hitrust_v92_1194_01l2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
index d2d073c17..5e41ed825 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1195_01l3organizational
- title: 01l3Organizational.1-01.l 01.04 Network Access Control
- description: The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services.
- section-code: azure_hipaa_hitrust_v92_1195_01l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_function_app_remote_debugging_disabled
+id: azure_hipaa_hitrust_v92_1195_01l3organizational
+title: 01l3Organizational.1-01.l 01.04 Network Access Control
+description: The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services.
+section-code: azure_hipaa_hitrust_v92_1195_01l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_function_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
index f1f02dc54..d6ca13a77 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1197_01l3organizational
- title: 01l3Organizational.3-01.l 01.04 Network Access Control
- description: The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure.
- section-code: azure_hipaa_hitrust_v92_1197_01l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
+id: azure_hipaa_hitrust_v92_1197_01l3organizational
+title: 01l3Organizational.3-01.l 01.04 Network Access Control
+description: The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure.
+section-code: azure_hipaa_hitrust_v92_1197_01l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
index 1be74fac4..6c987dc17 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1202_09aa1system
- title: 09aa1System.1-09.aa 09.10 Monitoring
- description: A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.
- section-code: azure_hipaa_hitrust_v92_1202_09aa1system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_scale_set_system_updates_installed
- - azure_datalake_store_account_logging_enabled
+id: azure_hipaa_hitrust_v92_1202_09aa1system
+title: 09aa1System.1-09.aa 09.10 Monitoring
+description: A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.
+section-code: azure_hipaa_hitrust_v92_1202_09aa1system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_scale_set_system_updates_installed
+- azure_datalake_store_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
index d0efa7b8a..56f3ec542 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1203_09aa1system
- title: 09aa1System.2-09.aa 09.10 Monitoring
- description: Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.
- section-code: azure_hipaa_hitrust_v92_1203_09aa1system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Logic
- type:
- - Benchmark
- controls:
- - azure_logic_app_workflow_logging_enabled
+id: azure_hipaa_hitrust_v92_1203_09aa1system
+title: 09aa1System.2-09.aa 09.10 Monitoring
+description: Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.
+section-code: azure_hipaa_hitrust_v92_1203_09aa1system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Logic
+ type:
+ - Benchmark
+controls:
+- azure_logic_app_workflow_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
index 7d67762c3..7815ec839 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1204_09aa1system
- title: 09aa1System.3-09.aa 09.10 Monitoring
- description: The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event.
- section-code: azure_hipaa_hitrust_v92_1204_09aa1system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IoTHub
- type:
- - Benchmark
- controls:
- - azure_iot_hub_logging_enabled
+id: azure_hipaa_hitrust_v92_1204_09aa1system
+title: 09aa1System.3-09.aa 09.10 Monitoring
+description: The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event.
+section-code: azure_hipaa_hitrust_v92_1204_09aa1system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IoTHub
+ type:
+ - Benchmark
+controls:
+- azure_iot_hub_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
index 656ce61af..a3700672e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1205_09aa2system
- title: 09aa2System.1-09.aa 09.10 Monitoring
- description: Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.
- section-code: azure_hipaa_hitrust_v92_1205_09aa2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Batch
- type:
- - Benchmark
- controls:
- - azure_batch_account_logging_enabled
+id: azure_hipaa_hitrust_v92_1205_09aa2system
+title: 09aa2System.1-09.aa 09.10 Monitoring
+description: Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.
+section-code: azure_hipaa_hitrust_v92_1205_09aa2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Batch
+ type:
+ - Benchmark
+controls:
+- azure_batch_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
index 2a17e5417..dc5eea841 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1207_09aa2system
- title: 09aa2System.4-09.aa 09.10 Monitoring
- description: Audit records are retained for 90 days and older audit records are archived for one year.
- section-code: azure_hipaa_hitrust_v92_1207_09aa2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_eventhub_namespace_logging_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_hipaa_hitrust_v92_1207_09aa2system
+title: 09aa2System.4-09.aa 09.10 Monitoring
+description: Audit records are retained for 90 days and older audit records are archived for one year.
+section-code: azure_hipaa_hitrust_v92_1207_09aa2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_eventhub_namespace_logging_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
index 0df5e4503..fba057b83 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1208_09aa3system
- title: 09aa3System.1-09.aa 09.10 Monitoring
- description: Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
- section-code: azure_hipaa_hitrust_v92_1208_09aa3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_search_service_logging_enabled
- - azure_servicebus_namespace_logging_enabled
+id: azure_hipaa_hitrust_v92_1208_09aa3system
+title: 09aa3System.1-09.aa 09.10 Monitoring
+description: Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
+section-code: azure_hipaa_hitrust_v92_1208_09aa3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_search_service_logging_enabled
+- azure_servicebus_namespace_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
index 0a5fbb220..7107eb545 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1209_09aa3system
- title: 09aa3System.2-09.aa 09.10 Monitoring
- description: "The information system generates audit records containing the following detailed information: filename accessed, program or command used to initiate the event and source and destination addresses."
- section-code: azure_hipaa_hitrust_v92_1209_09aa3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
+id: azure_hipaa_hitrust_v92_1209_09aa3system
+title: 09aa3System.2-09.aa 09.10 Monitoring
+description: "The information system generates audit records containing the following detailed information: filename accessed, program or command used to initiate the event and source and destination addresses."
+section-code: azure_hipaa_hitrust_v92_1209_09aa3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
index 7c70f184b..62281a96d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_12100_09ab2system
- title: 09ab2System.15-09.ab 09.10 Monitoring
- description: The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.
- section-code: azure_hipaa_hitrust_v92_12100_09ab2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_log_analytics_agent_installed
+id: azure_hipaa_hitrust_v92_12100_09ab2system
+title: 09ab2System.15-09.ab 09.10 Monitoring
+description: The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.
+section-code: azure_hipaa_hitrust_v92_12100_09ab2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
index 844a77435..907ff8ee7 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_12101_09ab1organizational
- title: 09ab1Organizational.3-09.ab 09.10 Monitoring
- description: The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
- section-code: azure_hipaa_hitrust_v92_12101_09ab1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_scale_set_log_analytics_agent_installed
+id: azure_hipaa_hitrust_v92_12101_09ab1organizational
+title: 09ab1Organizational.3-09.ab 09.10 Monitoring
+description: The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
+section-code: azure_hipaa_hitrust_v92_12101_09ab1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_scale_set_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
index d89a46cd2..8e0193758 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_12102_09ab1organizational
- title: 09ab1Organizational.4-09.ab 09.10 Monitoring
- description: The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes.
- section-code: azure_hipaa_hitrust_v92_12102_09ab1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_log_analytics_agent_installed_windows
+id: azure_hipaa_hitrust_v92_12102_09ab1organizational
+title: 09ab1Organizational.4-09.ab 09.10 Monitoring
+description: The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes.
+section-code: azure_hipaa_hitrust_v92_12102_09ab1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_log_analytics_agent_installed_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
index 78c362648..f8d6b4e44 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1210_09aa3system
- title: 09aa3System.3-09.aa 09.10 Monitoring
- description: All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender.
- section-code: azure_hipaa_hitrust_v92_1210_09aa3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_audit_diagnostic_setting
- - azure_datalake_analytics_account_logging_enabled
+id: azure_hipaa_hitrust_v92_1210_09aa3system
+title: 09aa3System.3-09.aa 09.10 Monitoring
+description: All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender.
+section-code: azure_hipaa_hitrust_v92_1210_09aa3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_audit_diagnostic_setting
+- azure_datalake_analytics_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml
index ec58e8a44..d56fd0bb8 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1211_09aa3system
- title: 09aa3System.4-09.aa 09.10 Monitoring
- description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
- section-code: azure_hipaa_hitrust_v92_1211_09aa3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_keyvault_logging_enabled
- - azure_keyvault_managed_hms_logging_enabled
- - azure_sql_server_auditing_on
+id: azure_hipaa_hitrust_v92_1211_09aa3system
+title: 09aa3System.4-09.aa 09.10 Monitoring
+description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
+section-code: azure_hipaa_hitrust_v92_1211_09aa3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_keyvault_logging_enabled
+- azure_keyvault_managed_hms_logging_enabled
+- azure_sql_server_auditing_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml
index 6e685fc26..861d44351 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1212_09ab1system
- title: 09ab1System.1-09.ab 09.10 Monitoring
- description: All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met.
- section-code: azure_hipaa_hitrust_v92_1212_09ab1system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
- controls:
- - azure_monitor_log_profile_enabled_for_all_categories
+id: azure_hipaa_hitrust_v92_1212_09ab1system
+title: 09ab1System.1-09.ab 09.10 Monitoring
+description: All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met.
+section-code: azure_hipaa_hitrust_v92_1212_09ab1system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+controls:
+- azure_monitor_log_profile_enabled_for_all_categories
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml
index cf3aeb0d2..6d76d6580 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1213_09ab2system
- title: 09ab2System.128-09.ab 09.10 Monitoring
- description: Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly.
- section-code: azure_hipaa_hitrust_v92_1213_09ab2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
- controls:
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+id: azure_hipaa_hitrust_v92_1213_09ab2system
+title: 09ab2System.128-09.ab 09.10 Monitoring
+description: Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly.
+section-code: azure_hipaa_hitrust_v92_1213_09ab2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml
index df6333a27..bf407a589 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1214_09ab2system
- title: 09ab2System.3456-09.ab 09.10 Monitoring
- description: Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures.
- section-code: azure_hipaa_hitrust_v92_1214_09ab2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
- controls:
- - azure_monitor_log_profile_enabled_for_all_regions
+id: azure_hipaa_hitrust_v92_1214_09ab2system
+title: 09ab2System.3456-09.ab 09.10 Monitoring
+description: Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures.
+section-code: azure_hipaa_hitrust_v92_1214_09ab2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+controls:
+- azure_monitor_log_profile_enabled_for_all_regions
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml
index 9c79f1fe8..82c8c1968 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1215_09ab2system
- title: 09ab2System.7-09.ab 09.10 Monitoring
- description: Auditing and monitoring systems employed by the organization support audit reduction and report generation.
- section-code: azure_hipaa_hitrust_v92_1215_09ab2system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_log_analytics_agent_installed
+id: azure_hipaa_hitrust_v92_1215_09ab2system
+title: 09ab2System.7-09.ab 09.10 Monitoring
+description: Auditing and monitoring systems employed by the organization support audit reduction and report generation.
+section-code: azure_hipaa_hitrust_v92_1215_09ab2system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml
index fd57bdea9..0883d54d3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1216_09ab3system
- title: 09ab3System.12-09.ab 09.10 Monitoring
- description: Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies.
- section-code: azure_hipaa_hitrust_v92_1216_09ab3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_scale_set_log_analytics_agent_installed
+id: azure_hipaa_hitrust_v92_1216_09ab3system
+title: 09ab3System.12-09.ab 09.10 Monitoring
+description: Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies.
+section-code: azure_hipaa_hitrust_v92_1216_09ab3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_scale_set_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml
index e2cd420e6..f1f6f7ca6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1217_09ab3system
- title: 09ab3System.3-09.ab 09.10 Monitoring
- description: Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations.
- section-code: azure_hipaa_hitrust_v92_1217_09ab3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_log_analytics_agent_installed_windows
+id: azure_hipaa_hitrust_v92_1217_09ab3system
+title: 09ab3System.3-09.ab 09.10 Monitoring
+description: Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations.
+section-code: azure_hipaa_hitrust_v92_1217_09ab3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_log_analytics_agent_installed_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml
index 13bf031fa..288967769 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1219_09ab3system
- title: 09ab3System.10-09.ab 09.10 Monitoring
- description: The information system is able to automatically process audit records for events of interest based on selectable criteria.
- section-code: azure_hipaa_hitrust_v92_1219_09ab3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
- controls:
- - azure_monitor_log_profile_enabled_for_all_categories
+id: azure_hipaa_hitrust_v92_1219_09ab3system
+title: 09ab3System.10-09.ab 09.10 Monitoring
+description: The information system is able to automatically process audit records for events of interest based on selectable criteria.
+section-code: azure_hipaa_hitrust_v92_1219_09ab3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+controls:
+- azure_monitor_log_profile_enabled_for_all_categories
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml
index d72b1a4fb..dd1e5fe00 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1220_09ab3system
- title: 09ab3System.56-09.ab 09.10 Monitoring
- description: Monitoring includes inbound and outbound communications and file integrity monitoring.
- section-code: azure_hipaa_hitrust_v92_1220_09ab3system
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
- controls:
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+id: azure_hipaa_hitrust_v92_1220_09ab3system
+title: 09ab3System.56-09.ab 09.10 Monitoring
+description: Monitoring includes inbound and outbound communications and file integrity monitoring.
+section-code: azure_hipaa_hitrust_v92_1220_09ab3system
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml
index 8c206595f..aca39ef39 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1229_09c1organizational
- title: 09c1Organizational.1-09.c 09.01 Documented Operating Procedures
- description: Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems.
- section-code: azure_hipaa_hitrust_v92_1229_09c1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
- controls:
- - azure_kubernetes_instance_rbac_enabled
+id: azure_hipaa_hitrust_v92_1229_09c1organizational
+title: 09c1Organizational.1-09.c 09.01 Documented Operating Procedures
+description: Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems.
+section-code: azure_hipaa_hitrust_v92_1229_09c1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+controls:
+- azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml
index b1ded6d7c..cbb4dda8e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1230_09c2organizational - title: 09c2Organizational.1-09.c 09.01 Documented Operating Procedures - description: No single person is able to access, modify, or use information systems without authorization or detection. - section-code: azure_hipaa_hitrust_v92_1230_09c2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark - controls: - - azure_iam_no_custom_role +id: azure_hipaa_hitrust_v92_1230_09c2organizational +title: 09c2Organizational.1-09.c 09.01 Documented Operating Procedures +description: No single person is able to access, modify, or use information systems without authorization or detection. +section-code: azure_hipaa_hitrust_v92_1230_09c2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark +controls: +- azure_iam_no_custom_role diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml index 6f5d8f876..39efa7155 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1232_09c3organizational - title: 09c3Organizational.12-09.c 09.01 Documented Operating Procedures - description: Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. - section-code: azure_hipaa_hitrust_v92_1232_09c3organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark - controls: - - azure_network_security_group_rdp_access_restricted +id: azure_hipaa_hitrust_v92_1232_09c3organizational +title: 09c3Organizational.12-09.c 09.01 Documented Operating Procedures +description: Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. +section-code: azure_hipaa_hitrust_v92_1232_09c3organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark +controls: +- azure_network_security_group_rdp_access_restricted diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml index 7824b72f9..b6e58cf2f 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1270_09ad1system - title: 09ad1System.12-09.ad 09.10 Monitoring - description: The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. - section-code: azure_hipaa_hitrust_v92_1270_09ad1system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_monitor_log_alert_for_administrative_operations +id: azure_hipaa_hitrust_v92_1270_09ad1system +title: 09ad1System.12-09.ad 09.10 Monitoring +description: The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. +section-code: azure_hipaa_hitrust_v92_1270_09ad1system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_monitor_log_alert_for_administrative_operations diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml index a0d3e6574..b4c109581 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1271_09ad1system - title: 09ad1System.1-09.ad 09.10 Monitoring - description: An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. - section-code: azure_hipaa_hitrust_v92_1271_09ad1system - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark - controls: - - azure_monitor_log_alert_for_administrative_operations +id: azure_hipaa_hitrust_v92_1271_09ad1system +title: 09ad1System.1-09.ad 09.10 Monitoring +description: An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. +section-code: azure_hipaa_hitrust_v92_1271_09ad1system +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark +controls: +- azure_monitor_log_alert_for_administrative_operations diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml index 6fcd8a053..90e9db575 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml 
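Review bot: The description for 1271 requires an intrusion detection system managed outside the control of system and network administrators, yet the only mapped control, `azure_monitor_log_alert_for_administrative_operations`, checks an activity-log alert rule that those same administrators can presumably edit or disable, so independence is not evidenced. The preceding hunk (1270) maps the identical control, which makes the two requirements indistinguishable in results. A short comment under `controls:` such as `# partial mapping: alert rule does not demonstrate monitoring independent of the administrators` would stop an assessor from over-reading a pass.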
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1277_09c2organizational - title: 09c2Organizational.4-09.c 09.01 Documented Operating Procedures - description: The initiation of an event is separated from its authorization to reduce the possibility of collusion. - section-code: azure_hipaa_hitrust_v92_1277_09c2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_meet_security_options_user_account_control_requirement_windows +id: azure_hipaa_hitrust_v92_1277_09c2organizational +title: 09c2Organizational.4-09.c 09.01 Documented Operating Procedures +description: The initiation of an event is separated from its authorization to reduce the possibility of collusion. +section-code: azure_hipaa_hitrust_v92_1277_09c2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_meet_security_options_user_account_control_requirement_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml index 46e0e7dc4..6c84c42ef 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1325_09s1organizational - title: 09s1Organizational.3-09.s 09.08 Exchange of Information - description: Ensure the exchange of information within an organization and with any external entity is secured and protected, and carried out in compliance with relevant legislation and exchange agreements. - section-code: azure_hipaa_hitrust_v92_1325_09s1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark - controls: - - azure_appservice_function_app_remote_debugging_disabled +id: azure_hipaa_hitrust_v92_1325_09s1organizational +title: 09s1Organizational.3-09.s 09.08 Exchange of Information +description: Ensure the exchange of information within an organization and with any external entity is secured and protected, and carried out in compliance with relevant legislation and exchange agreements. +section-code: azure_hipaa_hitrust_v92_1325_09s1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark +controls: +- azure_appservice_function_app_remote_debugging_disabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml index abd2e93d3..1f75071a0 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1401_05i1organizational - title: Access to the organizations information and systems by external parties - description: Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. - section-code: azure_hipaa_hitrust_v92_1401_05i1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark - controls: - - azure_storage_account_secure_transfer_required_enabled +id: azure_hipaa_hitrust_v92_1401_05i1organizational +title: Access to the organizations information and systems by external parties +description: Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. +section-code: azure_hipaa_hitrust_v92_1401_05i1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark +controls: +- azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml index 3dda84742..0be305098 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml 
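Review bot: Both `title` and `description` read "the organizations information and systems", which needs a possessive: `title: Access to the organization's information and systems by external parties`, with the same fix at the start of the description. Since the file is being rewritten anyway this is the cheapest moment to correct the wording. Separately, the single control `azure_storage_account_secure_transfer_required_enabled` evidences only transport encryption, not the due-diligence and contract steps the text describes, which deserves a one-line caveat comment under `controls:`.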
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1402_05i1organizational - title: Remote access connections between the organization and external parties are encrypted - description: Remote access connections between the organization and external parties are encrypted - section-code: azure_hipaa_hitrust_v92_1402_05i1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark - controls: - - azure_appservice_function_app_only_https_accessible +id: azure_hipaa_hitrust_v92_1402_05i1organizational +title: Remote access connections between the organization and external parties are encrypted +description: Remote access connections between the organization and external parties are encrypted +section-code: azure_hipaa_hitrust_v92_1402_05i1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark +controls: +- azure_appservice_function_app_only_https_accessible diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml index b0b323759..5183e7cab 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1403_05i1organizational - title: Access granted to external parties is limited to the minimum necessary and granted only for the duration required - description: Access granted to external parties is limited to the minimum necessary and granted only for the duration required - section-code: azure_hipaa_hitrust_v92_1403_05i1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark - controls: - - azure_appservice_api_app_use_https +id: azure_hipaa_hitrust_v92_1403_05i1organizational +title: Access granted to external parties is limited to the minimum necessary and granted only for the duration required +description: Access granted to external parties is limited to the minimum necessary and granted only for the duration required +section-code: azure_hipaa_hitrust_v92_1403_05i1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark +controls: +- azure_appservice_api_app_use_https diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml index 2f97ab8a1..16f313d77 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1418_05i1organizational - title: The identification of risks related to external party access takes into account a minimal set of specifically defined issues - description: The identification of risks related to external party access takes into account a minimal set of specifically defined issues - section-code: azure_hipaa_hitrust_v92_1418_05i1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark - controls: - - azure_mysql_ssl_enabled +id: azure_hipaa_hitrust_v92_1418_05i1organizational +title: The identification of risks related to external party access takes into account a minimal set of specifically defined issues +description: The identification of risks related to external party access takes into account a minimal set of specifically defined issues +section-code: azure_hipaa_hitrust_v92_1418_05i1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark +controls: +- azure_mysql_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml index de871e11e..fae43c807 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1450_05i2organizational - title: 05i2Organizational.2-05.i 05.02 External Parties - description: The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain by performing an annual review, which includes all partners/third party-providers upon which their information supply chain depends. - section-code: azure_hipaa_hitrust_v92_1450_05i2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/PostgreSQL - type: - - Benchmark - controls: - - azure_postgres_sql_ssl_enabled +id: azure_hipaa_hitrust_v92_1450_05i2organizational +title: 05i2Organizational.2-05.i 05.02 External Parties +description: The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain by performing an annual review, which includes all partners/third party-providers upon which their information supply chain depends. +section-code: azure_hipaa_hitrust_v92_1450_05i2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/PostgreSQL + type: + - Benchmark +controls: +- azure_postgres_sql_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml index ec2c252ce..1cbab8c24 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1451_05icsporganizational - title: 05iCSPOrganizational.2-05.i 05.02 External Parties - description: Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. - section-code: azure_hipaa_hitrust_v92_1451_05icsporganizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Redis - type: - - Benchmark - controls: - - azure_redis_cache_ssl_enabled +id: azure_hipaa_hitrust_v92_1451_05icsporganizational +title: 05iCSPOrganizational.2-05.i 05.02 External Parties +description: Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. +section-code: azure_hipaa_hitrust_v92_1451_05icsporganizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Redis + type: + - Benchmark +controls: +- azure_redis_cache_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml index a2cdb5504..8a318458d 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1616_09l1organizational - title: 09l1Organizational.16-09.l 09.05 Information Back-Up - description: Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals. - section-code: azure_hipaa_hitrust_v92_1616_09l1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_sql_database_long_term_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1616_09l1organizational +title: 09l1Organizational.16-09.l 09.05 Information Back-Up +description: Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals. +section-code: azure_hipaa_hitrust_v92_1616_09l1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_sql_database_long_term_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml index 81e37a66b..7b4cf31ae 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1617_09l1organizational - title: 09l1Organizational.23-09.l 09.05 Information Back-Up - description: A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements. - section-code: azure_hipaa_hitrust_v92_1617_09l1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark - controls: - - azure_mysql_db_server_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1617_09l1organizational +title: 09l1Organizational.23-09.l 09.05 Information Back-Up +description: A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements. +section-code: azure_hipaa_hitrust_v92_1617_09l1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark +controls: +- azure_mysql_db_server_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml index 0144a5ad1..e033e44f2 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1618_09l1organizational - title: 09l1Organizational.45-09.l 09.05 Information Back-Up - description: The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. - section-code: azure_hipaa_hitrust_v92_1618_09l1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/PostgreSQL - type: - - Benchmark - controls: - - azure_postgres_db_server_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1618_09l1organizational +title: 09l1Organizational.45-09.l 09.05 Information Back-Up +description: The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location. +section-code: azure_hipaa_hitrust_v92_1618_09l1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/PostgreSQL + type: + - Benchmark +controls: +- azure_postgres_db_server_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml index b26c30fda..6dc0bddde 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1619_09l1organizational - title: 09l1Organizational.7-09.l 09.05 Information Back-Up - description: Inventory records for the backup copies, including content and current location, are maintained. - section-code: azure_hipaa_hitrust_v92_1619_09l1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MariaDB - type: - - Benchmark - controls: - - azure_mariadb_server_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1619_09l1organizational +title: 09l1Organizational.7-09.l 09.05 Information Back-Up +description: Inventory records for the backup copies, including content and current location, are maintained. +section-code: azure_hipaa_hitrust_v92_1619_09l1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MariaDB + type: + - Benchmark +controls: +- azure_mariadb_server_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml index fdb6c0d08..f2c55fc31 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1620_09l1organizational - title: 09l1Organizational.8-09.l 09.05 Information Back-Up - description: When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. - section-code: azure_hipaa_hitrust_v92_1620_09l1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_azure_backup_enabled +id: azure_hipaa_hitrust_v92_1620_09l1organizational +title: 09l1Organizational.8-09.l 09.05 Information Back-Up +description: When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information. +section-code: azure_hipaa_hitrust_v92_1620_09l1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_azure_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml index 6c82d0e73..0c2f3152c 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1621_09l2organizational - title: 09l2Organizational.1-09.l 09.05 Information Back-Up - description: Automated tools are used to track all backups. - section-code: azure_hipaa_hitrust_v92_1621_09l2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark - controls: - - azure_sql_database_long_term_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1621_09l2organizational +title: 09l2Organizational.1-09.l 09.05 Information Back-Up +description: Automated tools are used to track all backups. +section-code: azure_hipaa_hitrust_v92_1621_09l2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark +controls: +- azure_sql_database_long_term_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml index 1af17f0b9..82e41c10d 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml 
@@ -1,18 +1,18 @@ -control-group: - id: azure_hipaa_hitrust_v92_1622_09l2organizational - title: 09l2Organizational.23-09.l 09.05 Information Back-Up - description: The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. - section-code: azure_hipaa_hitrust_v92_1622_09l2organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark - controls: - - azure_mysql_db_server_geo_redundant_backup_enabled +id: azure_hipaa_hitrust_v92_1622_09l2organizational +title: 09l2Organizational.23-09.l 09.05 Information Back-Up +description: The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster. +section-code: azure_hipaa_hitrust_v92_1622_09l2organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark +controls: +- azure_mysql_db_server_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml index 5338d7d8e..42129263a 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml 
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1623_09l2organizational
- title: 09l2Organizational.4-09.l 09.05 Information Back-Up
- description: Covered information is backed-up in an encrypted format to ensure confidentiality.
- section-code: azure_hipaa_hitrust_v92_1623_09l2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
- controls:
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_hipaa_hitrust_v92_1623_09l2organizational
+title: 09l2Organizational.4-09.l 09.05 Information Back-Up
+description: Covered information is backed-up in an encrypted format to ensure confidentiality.
+section-code: azure_hipaa_hitrust_v92_1623_09l2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+controls:
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
index 160aa0891..59c67b46c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1624_09l3organizational
- title: 09l3Organizational.12-09.l 09.05 Information Back-Up
- description: The organization performs incremental or differential backups daily and full backups weekly to separate media.
- section-code: azure_hipaa_hitrust_v92_1624_09l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MariaDB
- type:
- - Benchmark
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
+id: azure_hipaa_hitrust_v92_1624_09l3organizational
+title: 09l3Organizational.12-09.l 09.05 Information Back-Up
+description: The organization performs incremental or differential backups daily and full backups weekly to separate media.
+section-code: azure_hipaa_hitrust_v92_1624_09l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MariaDB
+ type:
+ - Benchmark
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
index 220cd3b4d..439f4a63a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1625_09l3organizational
- title: 09l3Organizational.34-09.l 09.05 Information Back-Up
- description: Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.
- section-code: azure_hipaa_hitrust_v92_1625_09l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_azure_backup_enabled
+id: azure_hipaa_hitrust_v92_1625_09l3organizational
+title: 09l3Organizational.34-09.l 09.05 Information Back-Up
+description: Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.
+section-code: azure_hipaa_hitrust_v92_1625_09l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_azure_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
index 37bf26c33..777e3ba90 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1626_09l3organizational
- title: 09l3Organizational.5-09.l 09.05 Information Back-Up
- description: The organization ensures a current, retrievable copy of covered information is available before movement of servers.
- section-code: azure_hipaa_hitrust_v92_1626_09l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
- controls:
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_hipaa_hitrust_v92_1626_09l3organizational
+title: 09l3Organizational.5-09.l 09.05 Information Back-Up
+description: The organization ensures a current, retrievable copy of covered information is available before movement of servers.
+section-code: azure_hipaa_hitrust_v92_1626_09l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+controls:
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
index bc5a0d254..da72e1171 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1627_09l3organizational
- title: 09l3Organizational.6-09.l 09.05 Information Back-Up
- description: The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.
- section-code: azure_hipaa_hitrust_v92_1627_09l3organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MariaDB
- type:
- - Benchmark
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
+id: azure_hipaa_hitrust_v92_1627_09l3organizational
+title: 09l3Organizational.6-09.l 09.05 Information Back-Up
+description: The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.
+section-code: azure_hipaa_hitrust_v92_1627_09l3organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MariaDB
+ type:
+ - Benchmark
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
index 4f26947b5..a28983ab1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1634_12b1organizational
- title: 12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
- description: The organization identifies the critical business processes requiring business continuity.
- section-code: azure_hipaa_hitrust_v92_1634_12b1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_disaster_recovery_enabled
+id: azure_hipaa_hitrust_v92_1634_12b1organizational
+title: 12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
+description: The organization identifies the critical business processes requiring business continuity.
+section-code: azure_hipaa_hitrust_v92_1634_12b1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
index 151c3f131..7c5697daa 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
@@ -1,19 +1,19 @@ -control-group: - id: azure_hipaa_hitrust_v92_1635_12b1organizational - title: 12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management - description: Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. - section-code: azure_hipaa_hitrust_v92_1635_12b1organizational - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/KeyVault - type: - - Benchmark - controls: - - azure_keyvault_managed_hms_purge_protection_enabled - - azure_keyvault_purge_protection_enabled +id: azure_hipaa_hitrust_v92_1635_12b1organizational +title: 12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management +description: Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business 
continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. +section-code: azure_hipaa_hitrust_v92_1635_12b1organizational +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/KeyVault + type: + - Benchmark +controls: +- azure_keyvault_managed_hms_purge_protection_enabled +- azure_keyvault_purge_protection_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml index e18833fa5..6708d1fd5 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml 
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1637_12b2organizational
- title: 12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
- description: Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability.
- section-code: azure_hipaa_hitrust_v92_1637_12b2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_meet_security_options_requirement_windows
+id: azure_hipaa_hitrust_v92_1637_12b2organizational
+title: 12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
+description: Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability.
+section-code: azure_hipaa_hitrust_v92_1637_12b2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_meet_security_options_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml
index adcb56e88..c57f4065c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1638_12b2organizational
- title: 12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management
- description: Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.
- section-code: azure_hipaa_hitrust_v92_1638_12b2organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_disaster_recovery_enabled
+id: azure_hipaa_hitrust_v92_1638_12b2organizational
+title: 12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management
+description: Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.
+section-code: azure_hipaa_hitrust_v92_1638_12b2organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml
index 61dbe439a..84500ba72 100755
@@ -1,18 +1,18 @@
-control-group:
- id: azure_hipaa_hitrust_v92_1699_09l1organizational
- title: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices
- description: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices
- section-code: azure_hipaa_hitrust_v92_1699_09l1organizational
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_azure_backup_enabled
+id: azure_hipaa_hitrust_v92_1699_09l1organizational
+title: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices
+description: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices
+section-code: azure_hipaa_hitrust_v92_1699_09l1organizational
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_azure_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml
index 1f5f2df03..9a6a791c4 100755
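Review bot: The `+title:` line of this hunk repeats the entire `description:` sentence verbatim, so this control group has no short label of the kind its siblings carry (`09l1Organizational.<n>-09.l 09.05 Information Back-Up` in the other `09l` files above, with `<n>` the HITRUST sub-reference). A title of that form, with the reference number taken from the source requirement, would make the group readable in benchmark listings where the description is not shown. This is carried over from the old side rather than introduced here, but the restructure touches the line anyway and is a good moment to fix it.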
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml
@@ -1,47 +1,77 @@ +id: azure_hipaa_hitrust_v92_access_control +title: Access Control +description: Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed, and privileges are reduced to the lowest access levels). Account managers are notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly. +section-code: access_control +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_hipaa_hitrust_v92_access_control - title: Access Control - description: Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed, and privileges are reduced to the lowest access levels). Account managers are notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly. 
- section-code: access_control - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_hipaa_hitrust_v92_11109_01q1organizational - - id: azure_hipaa_hitrust_v92_11111_01q2system - - id: azure_hipaa_hitrust_v92_11112_01q2organizational - - id: azure_hipaa_hitrust_v92_1116_01j1organizational - - id: azure_hipaa_hitrust_v92_1118_01j2organizational - - id: azure_hipaa_hitrust_v92_11180_01c3system - - id: azure_hipaa_hitrust_v92_1119_01j2organizational - - id: azure_hipaa_hitrust_v92_1120_09ab3system - - id: azure_hipaa_hitrust_v92_1121_01j3organizational - - id: azure_hipaa_hitrust_v92_1123_01q1system - - id: azure_hipaa_hitrust_v92_1125_01q2system - - id: azure_hipaa_hitrust_v92_1127_01q2system - - id: azure_hipaa_hitrust_v92_1143_01c1system - - id: azure_hipaa_hitrust_v92_1144_01c1system - - id: azure_hipaa_hitrust_v92_1145_01c2system - - id: azure_hipaa_hitrust_v92_1146_01c2system - - id: azure_hipaa_hitrust_v92_1147_01c2system - - id: azure_hipaa_hitrust_v92_1148_01c2system - - id: azure_hipaa_hitrust_v92_1150_01c2system - - id: azure_hipaa_hitrust_v92_1151_01c3system - - id: azure_hipaa_hitrust_v92_1152_01c3system - - id: azure_hipaa_hitrust_v92_1153_01c3system - - id: azure_hipaa_hitrust_v92_1175_01j1organizational - - id: azure_hipaa_hitrust_v92_1178_01j2organizational - - id: azure_hipaa_hitrust_v92_1179_01j3organizational - - id: azure_hipaa_hitrust_v92_1192_01l1organizational - - id: azure_hipaa_hitrust_v92_1193_01l2organizational - - id: azure_hipaa_hitrust_v92_1194_01l2organizational - - id: azure_hipaa_hitrust_v92_1195_01l3organizational - - id: azure_hipaa_hitrust_v92_1197_01l3organizational +- id: azure_hipaa_hitrust_v92_11109_01q1organizational + type: "" +- id: azure_hipaa_hitrust_v92_11111_01q2system + type: "" +- id: azure_hipaa_hitrust_v92_11112_01q2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1116_01j1organizational + type: "" +- 
id: azure_hipaa_hitrust_v92_1118_01j2organizational + type: "" +- id: azure_hipaa_hitrust_v92_11180_01c3system + type: "" +- id: azure_hipaa_hitrust_v92_1119_01j2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1120_09ab3system + type: "" +- id: azure_hipaa_hitrust_v92_1121_01j3organizational + type: "" +- id: azure_hipaa_hitrust_v92_1123_01q1system + type: "" +- id: azure_hipaa_hitrust_v92_1125_01q2system + type: "" +- id: azure_hipaa_hitrust_v92_1127_01q2system + type: "" +- id: azure_hipaa_hitrust_v92_1143_01c1system + type: "" +- id: azure_hipaa_hitrust_v92_1144_01c1system + type: "" +- id: azure_hipaa_hitrust_v92_1145_01c2system + type: "" +- id: azure_hipaa_hitrust_v92_1146_01c2system + type: "" +- id: azure_hipaa_hitrust_v92_1147_01c2system + type: "" +- id: azure_hipaa_hitrust_v92_1148_01c2system + type: "" +- id: azure_hipaa_hitrust_v92_1150_01c2system + type: "" +- id: azure_hipaa_hitrust_v92_1151_01c3system + type: "" +- id: azure_hipaa_hitrust_v92_1152_01c3system + type: "" +- id: azure_hipaa_hitrust_v92_1153_01c3system + type: "" +- id: azure_hipaa_hitrust_v92_1175_01j1organizational + type: "" +- id: azure_hipaa_hitrust_v92_1178_01j2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1179_01j3organizational + type: "" +- id: azure_hipaa_hitrust_v92_1192_01l1organizational + type: "" +- id: azure_hipaa_hitrust_v92_1193_01l2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1194_01l2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1195_01l3organizational + type: "" +- id: azure_hipaa_hitrust_v92_1197_01l3organizational + type: "" diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml index 28727c386..ba29457ea 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml 
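Review bot: Every child reference added under `control-group:` in this hunk carries `type: ""`, while the files those ids point to are given `type: control-group` elsewhere in this same commit (the 1699_09l1organizational file above is one such target, referenced from the back_up hunk below). If the loader resolves children by their declared type, an empty string presumably falls back to an id-only lookup or silently skips the entry; in the latter case the group would load with no children and the benchmark would report as passing vacuously, so this should be confirmed against the loader. Writing `type: control-group` on each reference keeps the data self-describing, or, if the empty string is intentional, a YAML comment on the first entry saying what `""` means would save the next reader the lookup. The same pattern appears in the audit_logging_and_monitoring and back_up hunks and in the business_continuity_and_disaster_recovery hunk, which runs past the end of the visible diff.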
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml 
@@ -1,43 +1,69 @@ +id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring +title: Audit Logging & Monitoring +description: Audit logging refers to the process of recording and tracking all system activities, such as user logins, data access, and modifications made to sensitive information. By implementing comprehensive audit logging, the website will maintain a detailed trail of events, enabling organizations to track and investigate any potential security breaches or unauthorized access. Furthermore, monitoring mechanisms will be put in place to actively observe and analyze system activities in real time. This includes the monitoring of network traffic, system logs, and user behaviour to detect any anomalous or suspicious activities promptly. +section-code: audit_logging_and_monitoring +type: control-group +tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring - title: Audit Logging & Monitoring - description: Audit logging refers to the process of recording and tracking all system activities, such as user logins, data access, and modifications made to sensitive information. By implementing comprehensive audit logging, the website will maintain a detailed trail of events, enabling organizations to track and investigate any potential security breaches or unauthorized access. Furthermore, monitoring mechanisms will be put in place to actively observe and analyze system activities in real time. This includes the monitoring of network traffic, system logs, and user behaviour to detect any anomalous or suspicious activities promptly. 
- section-code: audit_logging_and_monitoring - tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_hipaa_hitrust_v92_1202_09aa1system - - id: azure_hipaa_hitrust_v92_1203_09aa1system - - id: azure_hipaa_hitrust_v92_1204_09aa1system - - id: azure_hipaa_hitrust_v92_1205_09aa2system - - id: azure_hipaa_hitrust_v92_1207_09aa2system - - id: azure_hipaa_hitrust_v92_1208_09aa3system - - id: azure_hipaa_hitrust_v92_1209_09aa3system - - id: azure_hipaa_hitrust_v92_1210_09aa3system - - id: azure_hipaa_hitrust_v92_12100_09ab2system - - id: azure_hipaa_hitrust_v92_12101_09ab1organizational - - id: azure_hipaa_hitrust_v92_12102_09ab1organizational - - id: azure_hipaa_hitrust_v92_1211_09aa3system - - id: azure_hipaa_hitrust_v92_1212_09ab1system - - id: azure_hipaa_hitrust_v92_1213_09ab2system - - id: azure_hipaa_hitrust_v92_1214_09ab2system - - id: azure_hipaa_hitrust_v92_1215_09ab2system - - id: azure_hipaa_hitrust_v92_1216_09ab3system - - id: azure_hipaa_hitrust_v92_1217_09ab3system - - id: azure_hipaa_hitrust_v92_1219_09ab3system - - id: azure_hipaa_hitrust_v92_1220_09ab3system - - id: azure_hipaa_hitrust_v92_1229_09c1organizational - - id: azure_hipaa_hitrust_v92_1230_09c2organizational - - id: azure_hipaa_hitrust_v92_1232_09c3organizational - - id: azure_hipaa_hitrust_v92_1270_09ad1system - - id: azure_hipaa_hitrust_v92_1271_09ad1system - - id: azure_hipaa_hitrust_v92_1277_09c2organizational +- id: azure_hipaa_hitrust_v92_1202_09aa1system + type: "" +- id: azure_hipaa_hitrust_v92_1203_09aa1system + type: "" +- id: azure_hipaa_hitrust_v92_1204_09aa1system + type: "" +- id: azure_hipaa_hitrust_v92_1205_09aa2system + type: "" +- id: azure_hipaa_hitrust_v92_1207_09aa2system + type: "" +- id: azure_hipaa_hitrust_v92_1208_09aa3system + type: "" +- id: azure_hipaa_hitrust_v92_1209_09aa3system + type: "" +- id: azure_hipaa_hitrust_v92_1210_09aa3system + type: "" +- id: 
azure_hipaa_hitrust_v92_12100_09ab2system + type: "" +- id: azure_hipaa_hitrust_v92_12101_09ab1organizational + type: "" +- id: azure_hipaa_hitrust_v92_12102_09ab1organizational + type: "" +- id: azure_hipaa_hitrust_v92_1211_09aa3system + type: "" +- id: azure_hipaa_hitrust_v92_1212_09ab1system + type: "" +- id: azure_hipaa_hitrust_v92_1213_09ab2system + type: "" +- id: azure_hipaa_hitrust_v92_1214_09ab2system + type: "" +- id: azure_hipaa_hitrust_v92_1215_09ab2system + type: "" +- id: azure_hipaa_hitrust_v92_1216_09ab3system + type: "" +- id: azure_hipaa_hitrust_v92_1217_09ab3system + type: "" +- id: azure_hipaa_hitrust_v92_1219_09ab3system + type: "" +- id: azure_hipaa_hitrust_v92_1220_09ab3system + type: "" +- id: azure_hipaa_hitrust_v92_1229_09c1organizational + type: "" +- id: azure_hipaa_hitrust_v92_1230_09c2organizational + type: "" +- id: azure_hipaa_hitrust_v92_1232_09c3organizational + type: "" +- id: azure_hipaa_hitrust_v92_1270_09ad1system + type: "" +- id: azure_hipaa_hitrust_v92_1271_09ad1system + type: "" +- id: azure_hipaa_hitrust_v92_1277_09c2organizational + type: "" diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml index 21f24f19f..e8a878632 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml 
@@ -1,18 +1,19 @@
+id: azure_hipaa_hitrust_v92_back_up
+title: Back-up
+description: Ensure the maintenance, integrity, and availability of organizational information. Back-up copies of information and software shall be taken and tested regularly.
+section-code: back_up
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_back_up
- title: Back-up
- description: Ensure the maintenance, integrity, and availability of organizational information. Back-up copies of information and software shall be taken and tested regularly.
- section-code: back_up
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1699_09l1organizational
+- id: azure_hipaa_hitrust_v92_1699_09l1organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml
index 2bc49182a..d5dc2c164 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml
@@ -1,33 +1,49 @@
+id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
+title: Business Continuity & Disaster Recovery
+description: The organization identifies the critical business processes requiring business continuity. Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
+section-code: business_continuity_and_disaster_recovery
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
- title: Business Continuity & Disaster Recovery
- description: The organization identifies the critical business processes requiring business continuity.
Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
- section-code: business_continuity_and_disaster_recovery
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1616_09l1organizational
- - id: azure_hipaa_hitrust_v92_1617_09l1organizational
- - id: azure_hipaa_hitrust_v92_1618_09l1organizational
- - id: azure_hipaa_hitrust_v92_1619_09l1organizational
- - id: azure_hipaa_hitrust_v92_1620_09l1organizational
- - id: azure_hipaa_hitrust_v92_1621_09l2organizational
- - id: azure_hipaa_hitrust_v92_1622_09l2organizational
- - id: azure_hipaa_hitrust_v92_1623_09l2organizational
- - id: azure_hipaa_hitrust_v92_1624_09l3organizational
- - id: azure_hipaa_hitrust_v92_1625_09l3organizational
- - id: azure_hipaa_hitrust_v92_1626_09l3organizational
- - id: azure_hipaa_hitrust_v92_1627_09l3organizational
- - id: azure_hipaa_hitrust_v92_1634_12b1organizational
- - id: azure_hipaa_hitrust_v92_1635_12b1organizational
- - id: azure_hipaa_hitrust_v92_1637_12b2organizational
- - id: azure_hipaa_hitrust_v92_1638_12b2organizational
+- id: azure_hipaa_hitrust_v92_1616_09l1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1617_09l1organizational
+ type: ""
+- id:
azure_hipaa_hitrust_v92_1618_09l1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1619_09l1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1620_09l1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1621_09l2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1622_09l2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1623_09l2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1624_09l3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1625_09l3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1626_09l3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1627_09l3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1634_12b1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1635_12b1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1637_12b2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1638_12b2organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml
index 1861b0c84..230784f8d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml
@@ -1,29 +1,41 @@
+id: azure_hipaa_hitrust_v92_configuration_management
+title: Configuration Management
+description: Configuration management involves implementing processes and controls to effectively manage and track changes to information systems, ensuring their integrity and security. In the context of compliance, organizations need to establish a robust configuration management program that includes documenting the baseline configuration of systems, implementing change management procedures, and conducting regular configuration reviews and audits.
+section-code: configuration_management
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_configuration_management
- title: Configuration Management
- description: Configuration management involves implementing processes and controls to effectively manage and track changes to information systems, ensuring their integrity and security. In the context of compliance, organizations need to establish a robust configuration management program that includes documenting the baseline configuration of systems, implementing change management procedures, and conducting regular configuration reviews and audits.
- section-code: configuration_management
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0605_10h1system
- - id: azure_hipaa_hitrust_v92_0635_10k1organizational
- - id: azure_hipaa_hitrust_v92_0636_10k2organizational
- - id: azure_hipaa_hitrust_v92_0637_10k2organizational
- - id: azure_hipaa_hitrust_v92_0638_10k2organizational
- - id: azure_hipaa_hitrust_v92_0639_10k2organizational
- - id: azure_hipaa_hitrust_v92_0640_10k2organizational
- - id: azure_hipaa_hitrust_v92_0641_10k2organizational
- - id: azure_hipaa_hitrust_v92_0642_10k3organizational
- - id: azure_hipaa_hitrust_v92_0643_10k3organizational
- - id: azure_hipaa_hitrust_v92_0644_10k3organizational
- - id: azure_hipaa_hitrust_v92_0662_09scsporganizational
+- id: azure_hipaa_hitrust_v92_0605_10h1system
+ type: ""
+- id: azure_hipaa_hitrust_v92_0635_10k1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0636_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0637_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0638_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0639_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0640_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0641_10k2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0642_10k3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0643_10k3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0644_10k3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0662_09scsporganizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml
index 6d61c7328..6197d2882 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml
@@ -1,19 +1,21 @@
+id: azure_hipaa_hitrust_v92_control_of_operational_software
+title: Control of Operational Software
+description: There shall be procedures in place to control the installation of software on operational systems.
+section-code: control_of_operational_software
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_control_of_operational_software
- title: Control of Operational Software
- description: There shall be procedures in place to control the installation of software on operational systems.
- section-code: control_of_operational_software
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0606_10h2system
- - id: azure_hipaa_hitrust_v92_0607_10h2system
+- id: azure_hipaa_hitrust_v92_0606_10h2system
+ type: ""
+- id: azure_hipaa_hitrust_v92_0607_10h2system
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml
index 516474fdc..ca6ea1144 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml
@@ -1,18 +1,19 @@
+id: azure_hipaa_hitrust_v92_education_training_and_awareness
+title: Education, Training and Awareness
+description: The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements.
+section-code: education_training_and_awareness
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_education_training_and_awareness
- title: Education, Training and Awareness
- description: The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements.
- section-code: education_training_and_awareness
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1325_09s1organizational
+- id: azure_hipaa_hitrust_v92_1325_09s1organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml
index 81dd69a7c..577073644 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml
@@ -1,18 +1,19 @@
+id: azure_hipaa_hitrust_v92_endpoint_protection
+title: Endpoint Protection
+description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
+section-code: endpoint_protection
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_endpoint_protection
- title: Endpoint Protection
- description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
- section-code: endpoint_protection
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0201_09j1organizational
+- id: azure_hipaa_hitrust_v92_0201_09j1organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
index 8e10d2353..27fb54927 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
@@ -1,21 +1,25 @@
+id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
+title: Identification of Risks Related to External Parties
+description: The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access.
+section-code: identification_of_risks_related_to_external_parties
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
- title: Identification of Risks Related to External Parties
- description: The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access.
- section-code: identification_of_risks_related_to_external_parties
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1401_05i1organizational
- - id: azure_hipaa_hitrust_v92_1402_05i1organizational
- - id: azure_hipaa_hitrust_v92_1403_05i1organizational
- - id: azure_hipaa_hitrust_v92_1418_05i1organizational
+- id: azure_hipaa_hitrust_v92_1401_05i1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1402_05i1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1403_05i1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1418_05i1organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
index 0559e52dc..7d4390274 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
@@ -1,18 +1,19 @@
+id: azure_hipaa_hitrust_v92_network_controls
+title: Network Controls
+description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
+section-code: network_controls
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_network_controls
- title: Network Controls
- description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
- section-code: network_controls
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0867_09m3organizational
+- id: azure_hipaa_hitrust_v92_0867_09m3organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
index 600ec4e01..289a008df 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
@@ -1,45 +1,73 @@
+id: azure_hipaa_hitrust_v92_network_protection
+title: Network Protection
+description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
+section-code: network_protection
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_network_protection
- title: Network Protection
- description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
- section-code: network_protection
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0805_01m1organizational
- - id: azure_hipaa_hitrust_v92_0806_01m2organizational
- - id: azure_hipaa_hitrust_v92_0809_01n2organizational
- - id: azure_hipaa_hitrust_v92_0810_01n2organizational
- - id: azure_hipaa_hitrust_v92_0811_01n2organizational
- - id: azure_hipaa_hitrust_v92_0812_01n2organizational
- - id: azure_hipaa_hitrust_v92_0814_01n1organizational
- - id: azure_hipaa_hitrust_v92_0835_09n1organizational
- - id: azure_hipaa_hitrust_v92_0836_09_n2organizational
- - id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
- - id: azure_hipaa_hitrust_v92_0858_09m1organizational
- - id: azure_hipaa_hitrust_v92_0859_09m1organizational
- - id: azure_hipaa_hitrust_v92_0860_09m1organizational
- - id: azure_hipaa_hitrust_v92_0861_09m2organizational
- - id: azure_hipaa_hitrust_v92_0862_09m2organizational
- - id: azure_hipaa_hitrust_v92_0863_09m2organizational
- - id: azure_hipaa_hitrust_v92_0864_09m2organizational
- - id: azure_hipaa_hitrust_v92_0865_09m2organizational
- - id: azure_hipaa_hitrust_v92_0866_09m3organizational
- - id: azure_hipaa_hitrust_v92_0868_09m3organizational
- - id: azure_hipaa_hitrust_v92_0869_09m3organizational
- - id: azure_hipaa_hitrust_v92_0870_09m3organizational
- - id: azure_hipaa_hitrust_v92_0871_09m3organizational
- - id: azure_hipaa_hitrust_v92_0885_09n2organizational
- - id: azure_hipaa_hitrust_v92_0886_09n2Organizational
- - id: azure_hipaa_hitrust_v92_0887_09n2organizational
- - id: azure_hipaa_hitrust_v92_0888_09n2Organizational
- - id: azure_hipaa_hitrust_v92_0894_01m2organizational
+- id: azure_hipaa_hitrust_v92_0805_01m1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0806_01m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0809_01n2organizational
+ type: ""
+- id:
azure_hipaa_hitrust_v92_0810_01n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0811_01n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0812_01n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0814_01n1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0835_09n1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0836_09_n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0858_09m1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0859_09m1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0860_09m1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0861_09m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0862_09m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0863_09m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0864_09m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0865_09m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0866_09m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0868_09m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0869_09m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0870_09m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0871_09m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0885_09n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0886_09n2Organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0887_09n2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0888_09n2Organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0894_01m2organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
index 15ebf0539..c0a33dc97 100755
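Review bot: Three of the rewritten child references carry a capitalised suffix — `+- id: azure_hipaa_hitrust_v92_0837_09_n2Organizational`, `+- id: azure_hipaa_hitrust_v92_0886_09n2Organizational` and `+- id: azure_hipaa_hitrust_v92_0888_09n2Organizational` — and `0836_09_n2organizational` uses an extra underscore that its neighbours (`0835_09n1organizational`, `0885_09n2organizational`) do not. If the loader matches ids case-sensitively against lowercase control definitions (I cannot see the control files from this hunk), those entries resolve to nothing and the benchmark silently loses coverage for exactly the firewall and segmentation controls this group exists to check. Since every reference is being rewritten anyway, this is the moment to normalise them to the lowercase form, e.g. `- id: azure_hipaa_hitrust_v92_0837_09_n2organizational`, after confirming the target ids, and to add a lint step that fails on an unresolved `- id:` reference.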
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
@@ -1,18 +1,19 @@
+id: azure_hipaa_hitrust_v92_on_line_transactions
+title: On-line Transactions
+description: Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
+section-code: on_line_transactions
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_on_line_transactions
- title: On-line Transactions
- description: Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
- section-code: on_line_transactions
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0946_09y2organizational
+- id: azure_hipaa_hitrust_v92_0946_09y2organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
index 1b9e8f17e..6a201135f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
@@ -1,20 +1,23 @@
+id: azure_hipaa_hitrust_v92_portable_media_security
+title: Portable Media Security
+description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
+section-code: portable_media_security
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_portable_media_security
- title: Portable Media Security
- description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
- section-code: portable_media_security
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0301_09o1organizational
- - id: azure_hipaa_hitrust_v92_0302_09o2organizational
- - id: azure_hipaa_hitrust_v92_0304_09o3organizational
+- id: azure_hipaa_hitrust_v92_0301_09o1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0302_09o2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0304_09o3organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
index b7e51e452..118a350a2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
@@ -1,19 +1,21 @@
+id: azure_hipaa_hitrust_v92_privilege_management
+title: Privilege Management
+description: Privilege management is a crucial aspect of HIPAA and HITRUST compliance, focusing on access control to protect sensitive health information. It involves implementing role-based access controls, strong authentication measures, regular reviews of access privileges, and robust logging and monitoring systems. By enforcing these measures, organizations can ensure that only authorized individuals have appropriate access to electronic protected health information, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST standards.
+section-code: privilege_management
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_privilege_management
- title: Privilege Management
- description: Privilege management is a crucial aspect of HIPAA and HITRUST compliance, focusing on access control to protect sensitive health information. It involves implementing role-based access controls, strong authentication measures, regular reviews of access privileges, and robust logging and monitoring systems. By enforcing these measures, organizations can ensure that only authorized individuals have appropriate access to electronic protected health information, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST standards.
- section-code: privilege_management
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1149_01c2system
- - id: azure_hipaa_hitrust_v92_1154_01c3system
+- id: azure_hipaa_hitrust_v92_1149_01c2system
+ type: ""
+- id: azure_hipaa_hitrust_v92_1154_01c3system
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
index 0cddb0e40..98889d996 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
@@ -1,19 +1,21 @@
+id: azure_hipaa_hitrust_v92_third_party_assurance
+title: Third Party Assurance
+description: Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews.
+section-code: third_party_assurance
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_third_party_assurance
- title: Third Party Assurance
- description: Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews.
- section-code: third_party_assurance
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1450_05i2organizational
- - id: azure_hipaa_hitrust_v92_1451_05icsporganizational
+- id: azure_hipaa_hitrust_v92_1450_05i2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1451_05icsporganizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml
index c35d8c500..db30b57b4 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml 
@@ -1,29 +1,41 @@
+id: azure_hipaa_hitrust_v92_transmission_protection
+title: Transmission Protection
+description: The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures.
+section-code: transmission_protection
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_transmission_protection
- title: Transmission Protection
- description: The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures.
- section-code: transmission_protection
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0901_09s1organizational
- - id: azure_hipaa_hitrust_v92_0902_09s2organizational
- - id: azure_hipaa_hitrust_v92_0912_09s1organizational
- - id: azure_hipaa_hitrust_v92_0913_09s1organizational
- - id: azure_hipaa_hitrust_v92_0915_09s2organizational
- - id: azure_hipaa_hitrust_v92_0916_09s2organizational
- - id: azure_hipaa_hitrust_v92_0943_09y1organizational
- - id: azure_hipaa_hitrust_v92_0945_09y1organizational
- - id: azure_hipaa_hitrust_v92_0947_09y2organizational
- - id: azure_hipaa_hitrust_v92_0948_09y2organizational
- - id: azure_hipaa_hitrust_v92_0949_09y2organizational
- - id: azure_hipaa_hitrust_v92_0960_09scsporganizational
+- id: azure_hipaa_hitrust_v92_0901_09s1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0902_09s2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0912_09s1organizational
+ type: ""
+- id: 
azure_hipaa_hitrust_v92_0913_09s1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0915_09s2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0916_09s2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0943_09y1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0945_09y1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0947_09y2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0948_09y2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0949_09y2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0960_09scsporganizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
index 177204a2c..b9f1d8f18 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
@@ -1,22 +1,27 @@
+id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
+title: User Authentication for External Connections
+description: When accessing electronic protected health information (ePHI) from external sources, it's crucial to prioritize user authentication as part of our commitment to HIPAA and HITRUST compliance. To ensure secure access, we have implemented strong authentication measures, including unique user IDs, strong passwords, and multi-factor authentication. These measures verify the identity of individuals accessing ePHI remotely, ensuring that only authorized users with the right credentials can establish secure connections. By prioritizing user authentication, we protect the confidentiality of sensitive health information and minimize the risk of unauthorized access.
+section-code: user_authentication_for_external_connections
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
- title: User Authentication for External Connections
- description: When accessing electronic protected health information (ePHI) from external sources, it's crucial to prioritize user authentication as part of our commitment to HIPAA and HITRUST compliance. To ensure secure access, we have implemented strong authentication measures, including unique user IDs, strong passwords, and multi-factor authentication. These measures verify the identity of individuals accessing ePHI remotely, ensuring that only authorized users with the right credentials can establish secure connections. By prioritizing user authentication, we protect the confidentiality of sensitive health information and minimize the risk of unauthorized access.
- section-code: user_authentication_for_external_connections
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_1117_01j1organizational
- - id: azure_hipaa_hitrust_v92_1173_01j1organizational
- - id: azure_hipaa_hitrust_v92_1174_01j1organizational
- - id: azure_hipaa_hitrust_v92_1176_01j2organizational
- - id: azure_hipaa_hitrust_v92_1177_01j2organizational
+- id: azure_hipaa_hitrust_v92_1117_01j1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1173_01j1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1174_01j1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1176_01j2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_1177_01j2organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
index a5d75fcb9..8171a9fd1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
@@ -1,21 +1,25 @@
+id: azure_hipaa_hitrust_v92_user_identification_and_authentication
+title: User Identification and Authentication
+description: User identification and authentication play a crucial role. This involves implementing strong measures to verify the identity of users accessing electronic protected health information (ePHI). To comply with these standards, organizations should establish unique user IDs and enforce the use of strong passwords or passphrases. Additionally, implementing multi-factor authentication adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their login credentials. By implementing robust user identification and authentication practices, organizations can ensure that only authorized individuals can access ePHI, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST 9.2 regulations.
+section-code: user_identification_and_authentication
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_user_identification_and_authentication
- title: User Identification and Authentication
- description: User identification and authentication play a crucial role. This involves implementing strong measures to verify the identity of users accessing electronic protected health information (ePHI). To comply with these standards, organizations should establish unique user IDs and enforce the use of strong passwords or passphrases. Additionally, implementing multi-factor authentication adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their login credentials. 
By implementing robust user identification and authentication practices, organizations can ensure that only authorized individuals can access ePHI, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST 9.2 regulations.
- section-code: user_identification_and_authentication
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_11110_01q1organizational
- - id: azure_hipaa_hitrust_v92_11208_01q1organizational
- - id: azure_hipaa_hitrust_v92_11210_01q2organizational
- - id: azure_hipaa_hitrust_v92_11211_01q2organizational
+- id: azure_hipaa_hitrust_v92_11110_01q1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_11208_01q1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_11210_01q2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_11211_01q2organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
index 1a3807f3c..08e0ba409 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
@@ -1,27 +1,37 @@
+id: azure_hipaa_hitrust_v92_vulnerability_management
+title: Vulnerability Management
+description: Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing.
+section-code: vulnerability_management
+type: control-group
+tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_hipaa_hitrust_v92_vulnerability_management
- title: Vulnerability Management
- description: Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing.
- section-code: vulnerability_management
- tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_hipaa_hitrust_v92_0709_10m1organizational
- - id: azure_hipaa_hitrust_v92_0710_10m2organizational
- - id: azure_hipaa_hitrust_v92_0711_10m2organizational
- - id: azure_hipaa_hitrust_v92_0713_10m2organizational
- - id: azure_hipaa_hitrust_v92_0714_10m2organizational
- - id: azure_hipaa_hitrust_v92_0715_10m2organizational
- - id: azure_hipaa_hitrust_v92_0716_10m3organizational
- - id: azure_hipaa_hitrust_v92_0717_10m3organizational
- - id: azure_hipaa_hitrust_v92_0718_10m3organizational
- - id: azure_hipaa_hitrust_v92_0719_10m3organizational
+- id: azure_hipaa_hitrust_v92_0709_10m1organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0710_10m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0711_10m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0713_10m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0714_10m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0715_10m2organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0716_10m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0717_10m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0718_10m3organizational
+ type: ""
+- id: azure_hipaa_hitrust_v92_0719_10m3organizational
+ type: ""
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb.yaml b/compliance/frameworks/azure/azure_msb/azure_msb.yaml
index ddc520345..3aefafd20 100644
--- a/compliance/frameworks/azure/azure_msb/azure_msb.yaml
+++ b/compliance/frameworks/azure/azure_msb/azure_msb.yaml
@@ -1,33 +1,33 @@
-framework:
- id: azure_msb
- title: Azure MSB
- description: Azure MSB
- section-code: azure_msb_main
- tags:
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_cis_v200_2
- - id: azure_cis_v200_3
- - id: azure_cis_v200_4
- - id: azure_msb_5
- - id: azure_cis_v200_6
- - id: azure_cis_v200_7
- - id: azure_cis_v200_8
- - id: azure_cis_v200_9
- - id: azure_cis_v200_10
- - id: azure_msb_ask
+id: azure_msb
+title: Azure MSB
+description: Azure MSB
+section-code: azure_msb_main
+type: framework
+tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_cis_v200_2
+- id: azure_cis_v200_3
+- id: azure_cis_v200_4
+- id: azure_msb_5
+- id: azure_cis_v200_6
+- id: azure_cis_v200_7
+- id: azure_cis_v200_8
+- id: azure_cis_v200_9
+- id: azure_cis_v200_10
+- id: azure_msb_ask
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml b/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
index 44af09e78..da97f9721 100755
--- a/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
+++ b/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
@@ -1,24 +1,27 @@
+id: azure_msb_5
+title: Logging and Monitoring
+description: Logging and Monitoring
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_msb_5
- title: Logging and Monitoring
- description: Logging and Monitoring
- section-code: "5"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_cis_v200_5_1
- - id: azure_cis_v200_5_2
- - id: azure_cis_v200_5_5
+- id: azure_cis_v200_5_1
+ type: ""
+- id: azure_cis_v200_5_2
+ type: ""
+- id: azure_cis_v200_5_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml b/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
index febb76ffc..4515a2853 100755
--- a/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
+++ b/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
@@ -1,31 +1,31 @@
-control-group:
- id: azure_msb_ask
- title: AKS
- description: AKS
- section-code: "11"
- tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_check_for_kubernetes_version
- - azure_enable_defender_for_cloud_for_aks_clusters
- - azure_enable_kubernetes_role_based_access_control
- - azure_kubernetes_api_version
- - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
- - azure_use_azure_cni_add_on_for_managing_network_resources
- - azure_use_microsoft_entra_id_integration_for_aks_clusters
- - azure_use_network_contributor_role_for_managing_azure_network_resources
- - azure_use_system_assigned_managed_identities_for_aks_clusters
- - azure_use_user_assigned_managed_identities_for_aks_clusters
+id: azure_msb_ask
+title: AKS
+description: AKS
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_check_for_kubernetes_version
+- azure_enable_defender_for_cloud_for_aks_clusters
+- azure_enable_kubernetes_role_based_access_control
+- azure_kubernetes_api_version
+- azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
+- azure_use_azure_cni_add_on_for_managing_network_resources
+- azure_use_microsoft_entra_id_integration_for_aks_clusters
+- azure_use_network_contributor_role_for_managing_azure_network_resources
+- azure_use_system_assigned_managed_identities_for_aks_clusters
+- azure_use_user_assigned_managed_identities_for_aks_clusters
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml
index 3227262d1..714ae3b33 100644
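Review bot: The new top-level `id: azure_msb_ask` keeps a transposition of the file's own name (azure_msb_aks.yaml, title `AKS`); azure_msb.yaml in this same change references the group as `azure_msb_ask`, so the two agree today, but the typo will be copied by anyone who adds this group to another framework. If it is corrected, the file's `id:` line and the `- id: azure_msb_ask` entry in azure_msb.yaml have to change together, otherwise the reference dangles. The rewritten tags block also carries `cis_section_id: - "5"` next to `section-code: "11"`; if this group is not CIS section 5, the tag is presumably carried over from azure_msb_5.yaml and should be corrected or dropped so that tag-based filtering does not misfile it.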
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml
@@ -1,19 +1,19 @@
-framework:
- id: azure_nist_sp_800_171_rev_2
- title: NIST SP 800-171 Revision 2
- description: NIST SP 800-171 Revision 2 signifies a significant endeavor to enhance cybersecurity practices, specifically tailored for organizations engaging with the U.S. federal government.
- section-code: azure_nist_sp_800_171_rev_2
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_1
- - id: azure_nist_sp_800_171_rev_2_3_3
- - id: azure_nist_sp_800_171_rev_2_3_4
- - id: azure_nist_sp_800_171_rev_2_3_5
- - id: azure_nist_sp_800_171_rev_2_3_6
- - id: azure_nist_sp_800_171_rev_2_3_8
- - id: azure_nist_sp_800_171_rev_2_3_11
- - id: azure_nist_sp_800_171_rev_2_3_13
- - id: azure_nist_sp_800_171_rev_2_3_14
+id: azure_nist_sp_800_171_rev_2
+title: NIST SP 800-171 Revision 2
+description: NIST SP 800-171 Revision 2 signifies a significant endeavor to enhance cybersecurity practices, specifically tailored for organizations engaging with the U.S. federal government.
+section-code: azure_nist_sp_800_171_rev_2
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_nist_sp_800_171_rev_2_3_1
+- id: azure_nist_sp_800_171_rev_2_3_3
+- id: azure_nist_sp_800_171_rev_2_3_4
+- id: azure_nist_sp_800_171_rev_2_3_5
+- id: azure_nist_sp_800_171_rev_2_3_6
+- id: azure_nist_sp_800_171_rev_2_3_8
+- id: azure_nist_sp_800_171_rev_2_3_11
+- id: azure_nist_sp_800_171_rev_2_3_13
+- id: azure_nist_sp_800_171_rev_2_3_14
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
index bef8ec9d7..399f33e49 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
@@ -1,14 +1,22 @@
+id: azure_nist_sp_800_171_rev_2_3_1
+title: Access Control
+description: This family of requirements deals with access to networks, systems, and information. The 22 different requirements help to ensure only authorized users access the system. Requirements also safeguard the flow of sensitive information within the network and provide guidance on network devices in the system.
+section-code: "3_1"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_1
- title: Access Control
- description: This family of requirements deals with access to networks, systems, and information. The 22 different requirements help to ensure only authorized users access the system. Requirements also safeguard the flow of sensitive information within the network and provide guidance on network devices in the system.
- section-code: "3_1"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_1_1
- - id: azure_nist_sp_800_171_rev_2_3_1_2
- - id: azure_nist_sp_800_171_rev_2_3_1_3
- - id: azure_nist_sp_800_171_rev_2_3_1_4
- - id: azure_nist_sp_800_171_rev_2_3_1_5
- - id: azure_nist_sp_800_171_rev_2_3_1_12
- - id: azure_nist_sp_800_171_rev_2_3_1_13
- - id: azure_nist_sp_800_171_rev_2_3_1_14
+- id: azure_nist_sp_800_171_rev_2_3_1_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_3
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_4
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_5
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_12
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_13
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_1_14
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
index fe5e44fdb..c9b738933 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
@@ -1,8 +1,10 @@
+id: azure_nist_sp_800_171_rev_2_3_11
+title: Risk Assessment
+description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+section-code: "3_11"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_11
- title: Risk Assessment
- description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
- section-code: "3_11"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_11_2
- - id: azure_nist_sp_800_171_rev_2_3_11_3
+- id: azure_nist_sp_800_171_rev_2_3_11_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_11_3
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
index d71c1ea4c..2278bc006 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
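Review bot: The `description:` line promoted to the top level for azure_nist_sp_800_171_rev_2_3_11 still names a vendor product (CyberStrong) and speaks of "NIST 800 53", which is not the framework this group belongs to (NIST SP 800-171 Revision 2); the sentence reads as copied from an 800-53 RA-family summary. Since this string is what reports show as the group's description, it is worth rewording to describe the 3.11 requirements themselves, e.g. `description: Periodically scan organizational systems and applications for vulnerabilities and remediate the findings in accordance with risk assessments.`, which is what the two child groups added here, 3_11_2 (scanning) and 3_11_3 (remediation), cover.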
@@ -1,20 +1,20 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_11_2
- title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
- description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). 
Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning."
- section-code: "2"
- controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
+id: azure_nist_sp_800_171_rev_2_3_11_2
+title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
+description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. 
The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. 
Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning."
+section-code: "2"
+type: control-group
+controls:
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
+- azure_sql_server_azure_defender_enabled
+- azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
index 9ba0527f1..7be6807e5 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_11_3
- title: 11.3 Remediate vulnerabilities in accordance with risk assessments
- description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
- section-code: "3"
- controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
+id: azure_nist_sp_800_171_rev_2_3_11_3
+title: 11.3 Remediate vulnerabilities in accordance with risk assessments
+description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. 
+section-code: "3"
+type: control-group
+controls:
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
+- azure_sql_server_azure_defender_enabled
+- azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
index 3fdf6690f..805cd83db 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
@@ -1,13 +1,20 @@
+id: azure_nist_sp_800_171_rev_2_3_13
+title: System and Communications Protection
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: "3_13"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_13
- title: System and Communications Protection
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: "3_13"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_13_1
- - id: azure_nist_sp_800_171_rev_2_3_13_2
- - id: azure_nist_sp_800_171_rev_2_3_13_5
- - id: azure_nist_sp_800_171_rev_2_3_13_6
- - id: azure_nist_sp_800_171_rev_2_3_13_8
- - id: azure_nist_sp_800_171_rev_2_3_13_10
- - id: azure_nist_sp_800_171_rev_2_3_13_16
+- id: azure_nist_sp_800_171_rev_2_3_13_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_5
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_6
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_8
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_10
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_13_16
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
index f1ae2e47f..f15372636 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
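Review bot: Every child reference under `control-group:` is given `type: ""`, while the same objects declare `type: control-group` in their own files elsewhere in this change; an empty string is neither the new discriminator nor an omission, so a loader that dispatches on `type` will either reject these seven entries as unknown or fall through to a default silently. Set `type: control-group` on each entry, or drop the key entirely if the referenced file's own `type:` is authoritative, and make the parent and children agree. This looks like a serializer writing the zero value of an unset field; verify what the schema accepts for `type` before merging.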
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_1
- title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
- description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
- section-code: "1"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_13_1
+title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
+description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.
+section-code: "1"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_application_gateway_waf_enabled
+- azure_cognitive_account_private_link_used
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_frontdoor_waf_enabled
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
index f4621b0fc..bb3568c45 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
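Review bot: `azure_cognitive_service_local_auth_disabled` sits in a `controls:` list that otherwise maps private-link, firewall, WAF and public-network-access checks to the 3.13.1 boundary-protection requirement; judging from its name it disables key-based local authentication on the service, which is an identity control and does not monitor or control communications at a boundary. If it is deliberately kept as a compensating control, a one-line `# local-auth check kept as compensating control; not a boundary control` comment next to it would stop the next auditor from flagging the mapping. The same 44-entry list is reused verbatim for 3.13.2 and 3.13.5 in this change, so whatever is decided here should be applied to all three files.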
@@ -1,30 +1,30 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_10
- title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
- description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
- section-code: "10"
- controls:
- - azure_batch_account_encrypted_with_cmk
- - azure_cognitive_account_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- - azure_compute_os_and_data_disk_encrypted_with_cmk
- - azure_container_instance_container_group_encrypted_using_cmk
- - azure_container_registry_encrypted_with_cmk
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_data_factory_encrypted_with_cmk
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_hpc_cache_encrypted_with_cmk
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_machine_learning_workspace_encrypted_with_cmk
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_servicebus_premium_namespace_cmk_encrypted
- - azure_sql_server_tde_protector_cmk_encrypted
- - azure_storage_account_encryption_at_rest_using_cmk
- - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- - azure_synapse_workspace_encryption_at_rest_using_cmk
+id: azure_nist_sp_800_171_rev_2_3_13_10
+title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
+description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
+section-code: "10"
+type: control-group
+controls:
+- azure_batch_account_encrypted_with_cmk
+- azure_cognitive_account_encrypted_with_cmk
+- azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
+- azure_compute_os_and_data_disk_encrypted_with_cmk
+- azure_container_instance_container_group_encrypted_using_cmk
+- azure_container_registry_encrypted_with_cmk
+- azure_cosmosdb_account_encryption_at_rest_using_cmk
+- azure_data_factory_encrypted_with_cmk
+- azure_eventhub_namespace_cmk_encryption_enabled
+- azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+- azure_hdinsight_cluster_encryption_at_host_enabled
+- azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+- azure_hpc_cache_encrypted_with_cmk
+- azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+- azure_kusto_cluster_encrypted_at_rest_with_cmk
+- azure_machine_learning_workspace_encrypted_with_cmk
+- azure_mssql_managed_instance_encryption_at_rest_using_cmk
+- azure_mysql_server_encrypted_at_rest_using_cmk
+- azure_postgres_sql_server_encrypted_at_rest_using_cmk
+- azure_servicebus_premium_namespace_cmk_encrypted
+- azure_sql_server_tde_protector_cmk_encrypted
+- azure_storage_account_encryption_at_rest_using_cmk
+- azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
+- azure_synapse_workspace_encryption_at_rest_using_cmk
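Review bot: Every entry in `controls:` checks that a service is encrypted with a customer-managed key, which evidences key ownership but not the "establish and manage" half of 3.13.10: nothing in the list checks Key Vault key expiry, rotation, purge protection or who holds key-management permissions, so a tenant whose CMKs never rotate would pass this group. `azure_hdinsight_cluster_encryption_at_host_enabled` also stands out — from its name it is a host-encryption setting rather than a CMK or key-lifecycle check, so it probably belongs with the at-rest controls in 3.13.16 instead. If no key-lifecycle controls exist in the corpus yet, a `# TODO: add Key Vault key rotation/expiry controls; current entries prove CMK use only` note above `controls:` records the gap.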
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
index ac1002e71..2d5b69bf6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_16
- title: 13.16 Protect the confidentiality of CUI at rest
- description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
- section-code: "16"
- controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_automation_account_variable_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_databox_edge_device_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
+id: azure_nist_sp_800_171_rev_2_3_13_16
+title: 13.16 Protect the confidentiality of CUI at rest
+description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
+section-code: "16"
+type: control-group
+controls:
+- azure_app_service_environment_internal_encryption_enabled
+- azure_automation_account_variable_encryption_enabled
+- azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+- azure_databox_edge_device_double_encryption_enabled
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_postgresql_server_infrastructure_encryption_enabled
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_server_transparent_data_encryption_enabled
+- azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
index 8f39587c8..98b5cee58 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
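Review bot: `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` carries a misspelling (`sacle` for `scale`) in the control ID that this change preserves on the new side. If the control definition's own `id:` uses the same spelling the reference resolves and the typo is only cosmetic, but if it was ever corrected on the control side this group would point at a non-existent control and 3.13.16 would silently lose its VM and scale-set coverage; please confirm the ID against the control file. If the misspelled ID is canonical, a `# id intentionally matches the control file's spelling` comment beside it avoids a future "fix" that breaks the reference.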
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_2
- title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
- description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
- section-code: "2"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_13_2
+title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
+description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
+section-code: "2"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_application_gateway_waf_enabled
+- azure_cognitive_account_private_link_used
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_frontdoor_waf_enabled
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
index f2a0fb586..cf00143ce 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
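Review bot: The 44 entries under `controls:` are identical to the 3.13.1 list, yet 3.13.2's own `description:` asks for evidence of engineering practice — layered protections, security requirements in the development life cycle, developer training, threat modeling — none of which a private-link or public-network-access check can demonstrate; reusing the boundary list makes 3.13.1 and 3.13.2 indistinguishable in any assessment report. If the corpus has no SDLC or threat-modeling controls, say so explicitly with a comment above `controls:` such as `# network controls reused as proxy evidence for "layered protections"; no SDLC/threat-model controls available` so the substitution is a recorded decision rather than an accident of copy-paste. The same duplicated list appears in 3.13.5 in this change and will drift the first time one copy is edited.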
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_5
- title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
- section-code: "5"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_13_5
+title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
+description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
+section-code: "5"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_application_gateway_waf_enabled
+- azure_cognitive_account_private_link_used
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_frontdoor_waf_enabled
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
index d7e2fd043..2eaf9e161 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
@@ -1,26 +1,26 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_6
- title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
- description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
- section-code: "6"
- controls:
- - azure_application_gateway_waf_enabled
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_cosmosdb_account_with_firewall_rules
- - azure_frontdoor_waf_enabled
- - azure_keyvault_firewall_enabled
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_public_network_access_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgresql_server_public_network_access_disabled
- - azure_search_service_public_network_access_disabled
- - azure_sql_db_public_network_access_disabled
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
+id: azure_nist_sp_800_171_rev_2_3_13_6
+title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
+description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
+section-code: "6"
+type: control-group
+controls:
+- azure_application_gateway_waf_enabled
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_cosmosdb_account_with_firewall_rules
+- azure_frontdoor_waf_enabled
+- azure_keyvault_firewall_enabled
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_public_network_access_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgresql_server_public_network_access_disabled
+- azure_search_service_public_network_access_disabled
+- azure_sql_db_public_network_access_disabled
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
index 1c7de0d95..28be2e6f0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_13_8
- title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
- description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
- section-code: "8"
- controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_function_app_ftps_enabled
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_appservice_web_app_ftps_enabled
- - azure_appservice_web_app_use_https
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_nist_sp_800_171_rev_2_3_13_8
+title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
+description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
+section-code: "8"
+type: control-group
+controls:
+- azure_appservice_api_app_latest_tls_version
+- azure_appservice_function_app_ftps_enabled
+- azure_appservice_function_app_latest_tls_version
+- azure_appservice_function_app_only_https_accessible
+- azure_appservice_web_app_ftps_enabled
+- azure_appservice_web_app_use_https
+- azure_hdinsight_cluster_encryption_in_transit_enabled
+- azure_mysql_ssl_enabled
+- azure_postgres_sql_ssl_enabled
+- azure_redis_cache_ssl_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
index 0f1937323..b877fe769 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
@@ -1,13 +1,20 @@
+id: azure_nist_sp_800_171_rev_2_3_14
+title: System and Information Integrity
+description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+section-code: "3_14"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_14
- title: System and Information Integrity
- description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
- section-code: "3_14"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_14_1
- - id: azure_nist_sp_800_171_rev_2_3_14_2
- - id: azure_nist_sp_800_171_rev_2_3_14_3
- - id: azure_nist_sp_800_171_rev_2_3_14_4
- - id: azure_nist_sp_800_171_rev_2_3_14_5
- - id: azure_nist_sp_800_171_rev_2_3_14_6
- - id: azure_nist_sp_800_171_rev_2_3_14_7
+- id: azure_nist_sp_800_171_rev_2_3_14_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_3
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_4
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_5
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_6
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_14_7
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
index 5ade9ea88..a40f845cb 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
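Review bot: The seven child references added under `control-group:` each carry `type: ""`, an empty string, while every sibling file in this diff declares itself `type: control-group`; an empty value here looks like serializer output for an unset field rather than a deliberate marker. If the loader dispatches on `type`, these entries would be classified as neither control nor control-group, so either drop the key or set it to the value the referenced files use, e.g. `- id: azure_nist_sp_800_171_rev_2_3_14_1` followed by `  type: control-group`. The loader and the other parent-group files of this framework are outside this chunk, so I cannot tell whether the empty string is tolerated elsewhere.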
@@ -1,21 +1,21 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_1
- title: 14.1 Identify, report, and correct system flaws in a timely manner
- description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
- section-code: "1"
- controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_nist_sp_800_171_rev_2_3_14_1
+title: 14.1 Identify, report, and correct system flaws in a timely manner
+description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_function_app_latest_http_version
+- azure_appservice_web_app_latest_http_version
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
index 9b4d335d3..44a52ae9f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_2
- title: 14.2 Provide protection from malicious code at designated locations within organizational systems
- description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
- section-code: "2"
- controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
+id: azure_nist_sp_800_171_rev_2_3_14_2
+title: 14.2 Provide protection from malicious code at designated locations within organizational systems
+description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+section-code: "2"
+type: control-group
+controls:
+- azure_compute_vm_malware_agent_automatic_upgrade_enabled
+- azure_compute_vm_malware_agent_installed
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
index 316a8d1f0..95f9f9719 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
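Review bot: The rewritten description line still reads `remoteaccess servers` and `reputationbased technologies`, which look like hyphens lost when the NIST SP 800-171 discussion text was imported (`remote-access`, `reputation-based`); since the line is re-emitted by this commit anyway, it is the natural place to restore them. The same `reputationbased` is carried into the 3_14_4 description in the next file section. This only affects the human-readable text shown to assessors, not which controls are evaluated.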
@@ -1,17 +1,17 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_3
- title: 14.3 Monitor system security alerts and advisories and take action in response
- description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
- section-code: "3"
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
+id: azure_nist_sp_800_171_rev_2_3_14_3
+title: 14.3 Monitor system security alerts and advisories and take action in response
+description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
+section-code: "3"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
index 98e18daa9..f1aabb390 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_4
- title: 14.4 Update malicious code protection mechanisms when new releases are available
- description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
- section-code: "4"
- controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
+id: azure_nist_sp_800_171_rev_2_3_14_4
+title: 14.4 Update malicious code protection mechanisms when new releases are available
+description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+section-code: "4"
+type: control-group
+controls:
+- azure_compute_vm_malware_agent_automatic_upgrade_enabled
+- azure_compute_vm_malware_agent_installed
+- azure_compute_vm_windows_defender_exploit_guard_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
index 5842317af..03002977d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_5
- title: 14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
- description: Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
- section-code: "5"
- controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_nist_sp_800_171_rev_2_3_14_5
+title: 14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
+description: Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
+section-code: "5"
+type: control-group
+controls:
+- azure_compute_vm_malware_agent_automatic_upgrade_enabled
+- azure_compute_vm_malware_agent_installed
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
index 540fc6c16..420a32fca 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_6
- title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
- description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
- section-code: "6"
- controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_171_rev_2_3_14_6
+title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect
attacks and indicators of potential attacks
+description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+section-code: "6"
+type: control-group
+controls:
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_network_watcher_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
index 63f789271..041f51140 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_14_7
- title: 14.7 Identify unauthorized use of organizational systems
- description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
- section-code: "7"
- controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_171_rev_2_3_14_7
+title: 14.7 Identify unauthorized use of organizational systems
+description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs.
Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+section-code: "7"
+type: control-group
+controls:
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_network_watcher_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
index 28fc87487..1a56f77da 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
@@ -1,52 +1,52 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_1
- title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
- description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
- section-code: "1"
- controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_uses_azure_resource_manager
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_deprecated_account
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_azure_resource_manager
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_1_1
+title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
+description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization.
This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
+section-code: "1"
+type: control-group
+controls:
+- azure_app_configuration_private_link_used
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_account_private_link_used
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_account_with_password_linux
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+- azure_compute_vm_ssh_key_authentication_linux
+- azure_compute_vm_uses_azure_resource_manager
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_deprecated_account
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_redis_cache_uses_private_link
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_azure_ad_authentication_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_azure_resource_manager
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml
index 60c661573..d0137b788 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml
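Review bot: The new-side description still reads `privileged verses non-privileged`; this should be `privileged versus non-privileged`, and since this string is what framework users see it is worth correcting while the file is being rewritten anyway, even if it was carried over from the source text. The `controls` list is otherwise alphabetical except that `azure_iam_deprecated_account_with_owner_roles` precedes `azure_iam_deprecated_account`; keeping the list strictly sorted makes future merges and duplicate detection mechanical. Both points apply to the `+description:` and `+controls:` lines of this hunk only; no mapping change is being suggested.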
@@ -1,36 +1,36 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_12
- title: 1.12 Monitor and control remote access sessions
- description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
- section-code: "12"
- controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_1_12
+title: 1.12 Monitor and control remote access sessions
+description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless.
Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
+section-code: "12"
+type: control-group
+controls:
+- azure_app_configuration_private_link_used
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_redis_cache_uses_private_link
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml
index 583f9c414..efa75cad4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml
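Review bot: Requirement 3.1.12 is "Monitor and control remote access sessions", yet every control on the new side of this hunk is a network-exposure check (private link, default network deny, remote debugging off, guest configuration); nothing in the list evidences that remote sessions are actually logged or monitored. The same framework already maps monitoring controls under 3.14.6 and 3.14.7 in this diff (the log analytics agent, Network Watcher, Defender and alert-notification controls), and those are the ones that cover the "monitor" half of this requirement, so consider adding them here rather than leaving the group as a pure isolation check that can report compliant with no session auditing in place. This is an observation about the mapping content the commit carries forward, not about the YAML restructuring itself.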
@@ -1,30 +1,30 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_13
- title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
- description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
- section-code: "13"
- controls:
- - azure_app_configuration_private_link_used
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_1_13
+title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
+description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
+section-code: "13"
+type: control-group
+controls:
+- azure_app_configuration_private_link_used
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_redis_cache_uses_private_link
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml
index f077007c8..c30b26727 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml
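Review bot: Requirement 3.1.13 asks for cryptographic protection of remote access sessions, but all 24 controls on the new side are private-link / network-access checks; a private endpoint keeps traffic off the public internet, it does not enforce encryption in transit, a minimum TLS version, or the FIPS-validated cryptography the description itself names. If the control corpus has checks for HTTPS-only or minimum-TLS settings on storage, SQL, App Service and similar services, those are the controls that actually evidence this requirement and belong in this list; I have not verified which such controls exist, so treat the identifiers as something to look up rather than invent. As mapped, the group can report compliant for a subscription that still accepts plaintext or legacy TLS on every one of these services, which gives a false sense of coverage for exactly the property the requirement is about.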
@@ -1,30 +1,30 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_14
- title: 1.14 Route remote access via managed access control points
- description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
- section-code: "14"
- controls:
- - azure_app_configuration_private_link_used
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_1_14
+title: 1.14 Route remote access via managed access control points
+description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
+section-code: "14"
+type: control-group
+controls:
+- azure_app_configuration_private_link_used
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_redis_cache_uses_private_link
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml
index e236a570d..8fcd480cc 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_2
- title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
- description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
- section-code: "2"
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_vm_uses_azure_resource_manager
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_deprecated_account
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_storage_account_uses_azure_resource_manager
+id: azure_nist_sp_800_171_rev_2_3_1_2
+title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
+description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both.
System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
+section-code: "2"
+type: control-group
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_vm_uses_azure_resource_manager
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_deprecated_account
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
+- azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml
index 9269dd84b..3383911f4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml
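Review bot: The rewritten description on the new side still carries the hyphens that were apparently lost when this text was transcribed from NIST SP 800-171: `point-oforigin` should read `point-of-origin`, and `(e.g., system upgrades scheduled maintenance,)` should read `(e.g., system upgrades, scheduled maintenance)`. The same dropped hyphens recur in the azure_nist_sp_800_171_rev_2_3_1_3 hunk (`exportcontrolled`, `packetfiltering`) and in the azure_nist_sp_800_171_rev_2_3_3_1 hunk (`cloudbased`). Since this commit rewrites every description line anyway, it is the natural place to correct them rather than carrying the artefacts into the new layout.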
@@ -1,49 +1,49 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_3
- title: 1.3 Control the flow of CUI in accordance with approved authorizations
- description: "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies.
In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
- section-code: "3"
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_appservice_web_app_cors_no_star
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - 
azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
+id: azure_nist_sp_800_171_rev_2_3_1_3
+title: 1.3 Control the flow of CUI in accordance with approved authorizations
+description: "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path.
Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels." 
+section-code: "3"
+type: control-group
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_appservice_web_app_cors_no_star
+- azure_cognitive_account_private_link_used
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_redis_cache_uses_private_link
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- 
azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml
index 5f4ecb24c..bf7e8e9a6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_4
- title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion
- description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
- section-code: "4"
- controls:
- - azure_iam_subscription_owner_more_than_1
+id: azure_nist_sp_800_171_rev_2_3_1_4
+title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion
+description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions.
Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
+section-code: "4"
+type: control-group
+controls:
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml
index 41d6ba234..b59569d5e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_1_5
- title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts
- description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
- section-code: "5"
- controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
+id: azure_nist_sp_800_171_rev_2_3_1_5
+title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts
+description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes.
The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
+section-code: "5"
+type: control-group
+controls:
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml
index eb2cdf690..faa160252 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml
@@ -1,10 +1,14 @@
+id: azure_nist_sp_800_171_rev_2_3_3
+title: Audit and Accountability
+description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+section-code: "3_3"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_3
- title: Audit and Accountability
- description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
- section-code: "3_3"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_3_1
- - id: azure_nist_sp_800_171_rev_2_3_3_2
- - id: azure_nist_sp_800_171_rev_2_3_3_4
- - id: azure_nist_sp_800_171_rev_2_3_3_5
+- id: azure_nist_sp_800_171_rev_2_3_3_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_3_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_3_4
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_3_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
index dd44bcfee..c250730ed 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
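Review bot: The four child references added under `control-group:` on the new side carry `type: ""`, while every control-group document in the neighbouring hunks (for example azure_nist_sp_800_171_rev_2_3_3_1) now declares `type: control-group`; depending on how the loader resolves a reference by `type`, an empty string is likely to be treated either as a missing type or as an unknown one. If the empty value is intentional because children are resolved by id alone, a short comment such as `# type left empty: child groups are resolved by id` would make that explicit; otherwise each entry should read `type: control-group`. This is the only file in view whose children are control-group references rather than control ids, so the loader's handling of the empty value cannot be confirmed from the diff alone.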
@@ -1,39 +1,39 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_3_1
- title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
- description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
- section-code: "1"
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_database
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_auditing_storage_account_destination_retention_90_days
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_nist_sp_800_171_rev_2_3_3_1
+title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and 
reporting of unlawful or unauthorized system activity
+description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked.
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- 
azure_securitycenter_azure_defender_on_for_database
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_auditing_storage_account_destination_retention_90_days
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml
index b21e2d2a3..3c30f7b29 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml
@@ -1,39 +1,39 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_3_2
- title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions
- description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
- section-code: "2"
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_database
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_auditing_storage_account_destination_retention_90_days
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_nist_sp_800_171_rev_2_3_3_2
+title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions
+description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
+section-code: "2"
+type: control-group
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_database
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_auditing_storage_account_destination_retention_90_days
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml
index c20cfbfea..c29563ab0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_3_4
- title: 3.4 Alert in the event of an audit logging process failure
- description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.
- section-code: "4"
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_171_rev_2_3_3_4
+title: 3.4 Alert in the event of an audit logging process failure
+description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.
+section-code: "4"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
index c9ef77dca..068de04c1 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_3_5
- title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
- description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
- section-code: "5"
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_171_rev_2_3_3_5
+title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
+description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
+section-code: "5"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
index 78317c8ef..6a6b76e44 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
@@ -1,9 +1,12 @@
+id: azure_nist_sp_800_171_rev_2_3_4
+title: Configuration Management
+description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+section-code: "3_4"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_4
- title: Configuration Management
- description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
- section-code: "3_4"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_4_1
- - id: azure_nist_sp_800_171_rev_2_3_4_2
- - id: azure_nist_sp_800_171_rev_2_3_4_6
+- id: azure_nist_sp_800_171_rev_2_3_4_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_4_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_4_6
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
index 859cca296..2bcbdf773 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
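Review bot: The child entries added under `control-group:` in this hunk carry `type: ""`, while every other node this commit touches gets `type: control-group`; an empty discriminator is either a placeholder the loader fills in later or a value it will reject, and nothing in the file says which. If the referenced ids are always control groups, the consistent value is `type: control-group` on each child; if the empty string is deliberate, a one-line comment above the list, `# type is resolved from the referenced id at load time`, would stop the next reader from "fixing" it. The same pattern appears in the azure_nist_sp_800_171_rev_2_3_5.yaml hunk further down. Separately, the index lines show these YAML files at mode 100755; an executable bit on data files is unusual and worth clearing in a follow-up.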
@@ -1,15 +1,15 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_4_1
- title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
- description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.
- section-code: "1"
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_appservice_web_app_cors_no_star
- - azure_appservice_web_app_incoming_client_cert_on
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
+id: azure_nist_sp_800_171_rev_2_3_4_1
+title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
+description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_function_app_cors_no_star
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_appservice_web_app_cors_no_star
+- azure_appservice_web_app_incoming_client_cert_on
+- azure_compute_vm_meet_security_baseline_requirements_linux
+- azure_compute_vm_meet_security_baseline_requirements_windows
+- azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
index 06bf34438..3e1a3caab 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
@@ -1,15 +1,15 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_4_2
- title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
- description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors."
- section-code: "2"
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_appservice_web_app_cors_no_star
- - azure_appservice_web_app_incoming_client_cert_on
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
+id: azure_nist_sp_800_171_rev_2_3_4_2
+title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
+description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors."
+section-code: "2"
+type: control-group
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_function_app_cors_no_star
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_appservice_web_app_cors_no_star
+- azure_appservice_web_app_incoming_client_cert_on
+- azure_compute_vm_meet_security_baseline_requirements_linux
+- azure_compute_vm_meet_security_baseline_requirements_windows
+- azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
index d0d33160f..0f4b9fc5f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_4_6
- title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
- description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
- section-code: "6"
- controls:
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_nist_sp_800_171_rev_2_3_4_6
+title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
+description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
+section-code: "6"
+type: control-group
+controls:
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
index ff0a02e5c..50f8d946f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
@@ -1,13 +1,20 @@
+id: azure_nist_sp_800_171_rev_2_3_5
+title: Identification and Authentication
+description: This family of requirements ensures only authenticated users can access the organization’s network or systems. The 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Requirements ensure the distinction between privileged and non-privileged accounts is reflected in network access.
+section-code: "3_5"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_5
- title: Identification and Authentication
- description: This family of requirements ensures only authenticated users can access the organization’s network or systems. The 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Requirements ensure the distinction between privileged and non-privileged accounts is reflected in network access.
- section-code: "3_5"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_5_1
- - id: azure_nist_sp_800_171_rev_2_3_5_2
- - id: azure_nist_sp_800_171_rev_2_3_5_5
- - id: azure_nist_sp_800_171_rev_2_3_5_6
- - id: azure_nist_sp_800_171_rev_2_3_5_7
- - id: azure_nist_sp_800_171_rev_2_3_5_8
- - id: azure_nist_sp_800_171_rev_2_3_5_10
+- id: azure_nist_sp_800_171_rev_2_3_5_1
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_2
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_5
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_6
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_7
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_8
+ type: ""
+- id: azure_nist_sp_800_171_rev_2_3_5_10
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
index d9fec00be..ad9c20bc4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_1
- title: 5.1 Identify system users, processes acting on behalf of users, and devices
- description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.
- section-code: "1"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_171_rev_2_3_5_1
+title: 5.1 Identify system users, processes acting on behalf of users, and devices
+description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.
+section-code: "1"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
index 097917b87..d4cef8290 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_10
- title: 5.10 Store and transmit only cryptographically-protected passwords
- description: Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
- section-code: "10"
- controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+id: azure_nist_sp_800_171_rev_2_3_5_10
+title: 5.10 Store and transmit only cryptographically-protected passwords
+description: Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
+section-code: "10"
+type: control-group
+controls:
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_passwords_stored_using_reversible_encryption_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
index cf51509b5..bc052fc6e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
@@ -1,19 +1,19 @@ -control-group: - id: azure_nist_sp_800_171_rev_2_3_5_2 - title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. - description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords." 
- section-code: "2" - controls: - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_web_app_uses_managed_identity - - azure_cognitive_service_local_auth_disabled - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_passwords_stored_using_reversible_encryption_windows - - azure_compute_vm_ssh_key_authentication_linux - - azure_keyvault_key_expiration_set - - azure_keyvault_secret_expiration_set - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_sql_server_azure_ad_authentication_enabled +id: azure_nist_sp_800_171_rev_2_3_5_2 +title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. +description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. 
Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords." +section-code: "2" +type: control-group +controls: +- azure_appservice_function_app_uses_managed_identity +- azure_appservice_web_app_uses_managed_identity +- azure_cognitive_service_local_auth_disabled +- azure_compute_vm_guest_configuration_installed_linux +- azure_compute_vm_guest_configuration_installed_windows +- azure_compute_vm_guest_configuration_with_no_managed_identity +- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity +- azure_compute_vm_passwords_stored_using_reversible_encryption_windows +- azure_compute_vm_ssh_key_authentication_linux +- azure_keyvault_key_expiration_set +- azure_keyvault_secret_expiration_set +- azure_servicefabric_cluster_active_directory_authentication_enabled +- azure_sql_server_azure_ad_authentication_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml index 38b86e34f..9197aea7a 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml 
@@ -1,11 +1,11 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_5
- title: 5.5 Prevent reuse of identifiers for a defined period
- description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
- section-code: "5"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_171_rev_2_3_5_5
+title: 5.5 Prevent reuse of identifiers for a defined period
+description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
+section-code: "5"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
index 01e18ab3a..d7c062c2f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_6
- title: 5.6 Disable identifiers after a defined period of inactivity
- description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
- section-code: "6"
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_deprecated_account
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_171_rev_2_3_5_6
+title: 5.6 Disable identifiers after a defined period of inactivity
+description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
+section-code: "6"
+type: control-group
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_iam_deprecated_account
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
index e7470a20f..43245736e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_7
- title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created
- description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
- section-code: "7"
- controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_password_complexity_setting_enabled_windows
+id: azure_nist_sp_800_171_rev_2_3_5_7
+title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created
+description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
+section-code: "7"
+type: control-group
+controls:
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_min_password_length_14_windows
+- azure_compute_vm_password_complexity_setting_enabled_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
index 6d9d589c9..12e8725c3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_5_8
- title: 5.8 Prohibit password reuse for a specified number of generations
- description: Password lifetime restrictions do not apply to temporary passwords.
- section-code: "8"
- controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
+id: azure_nist_sp_800_171_rev_2_3_5_8
+title: 5.8 Prohibit password reuse for a specified number of generations
+description: Password lifetime restrictions do not apply to temporary passwords.
+section-code: "8"
+type: control-group
+controls:
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
index 6f99379a7..fcb5bde99 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
@@ -1,7 +1,8 @@
+id: azure_nist_sp_800_171_rev_2_3_6
+title: Incident response
+description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+section-code: "3_6"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_6
- title: Incident response
- description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
- section-code: "3_6"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_6_2
+- id: azure_nist_sp_800_171_rev_2_3_6_2
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
index c41a77fd3..8d1868e12 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
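Review bot: The nested reference added on the new side, `- id: azure_nist_sp_800_171_rev_2_3_6_2` followed by `type: ""`, carries an empty type while every other node in these files now declares `type: control-group` or `type: framework`. If the loader dispatches on `type`, an empty string is unlikely to match either branch, and a child group that fails to resolve drops its controls from the benchmark without producing any failing finding to show for it. Either emit the real type on references, `type: control-group`, or omit the key there and let the loader infer it from the referenced file. The same `type: ""` entries appear in the 3_8, ac and ac_17 hunks below.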
@@ -1,9 +1,9 @@ -control-group: - id: azure_nist_sp_800_171_rev_2_3_6_2 - title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization - description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. - section-code: "2" - controls: - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled +id: azure_nist_sp_800_171_rev_2_3_6_2 +title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization +description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. 
Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. +section-code: "2" +type: control-group +controls: +- azure_securitycenter_email_configured +- azure_securitycenter_notify_alerts_configured +- azure_securitycenter_security_alerts_to_owner_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml index 603f767aa..e07780652 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml 
@@ -1,7 +1,8 @@
+id: azure_nist_sp_800_171_rev_2_3_8
+title: Media Protection
+description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.
+section-code: "3_8"
+type: control-group
 control-group:
- id: azure_nist_sp_800_171_rev_2_3_8
- title: Media Protection
- description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.
- section-code: "3_8"
- control-group:
- - id: azure_nist_sp_800_171_rev_2_3_8_9
+- id: azure_nist_sp_800_171_rev_2_3_8_9
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
index 27a4b593c..c629fd1e3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_nist_sp_800_171_rev_2_3_8_9
- title: 8.9 Protect the confidentiality of backup CUI at storage locations
- description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
- section-code: "9"
- controls:
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_soft_delete_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_nist_sp_800_171_rev_2_3_8_9
+title: 8.9 Protect the confidentiality of backup CUI at storage locations
+description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
+section-code: "9"
+type: control-group
+controls:
+- azure_keyvault_purge_protection_enabled
+- azure_keyvault_soft_delete_enabled
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml
index 3663b167a..351766a1e 100644
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml
@@ -1,34 +1,34 @@
-framework:
- id: azure_nist_sp_800_53_rev_5
- title: NIST SP 800-53 Revision 5
- description: NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.
- section-code: azure_nist_sp_800_53_rev_5
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac
- - id: azure_nist_sp_800_53_rev_5_au
- - id: azure_nist_sp_800_53_rev_5_cm
- - id: azure_nist_sp_800_53_rev_5_cp
- - id: azure_nist_sp_800_53_rev_5_ia
- - id: azure_nist_sp_800_53_rev_5_ir
- - id: azure_nist_sp_800_53_rev_5_ra
- - id: azure_nist_sp_800_53_rev_5_sc
- - id: azure_nist_sp_800_53_rev_5_si
+id: azure_nist_sp_800_53_rev_5
+title: NIST SP 800-53 Revision 5
+description: NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.
+section-code: azure_nist_sp_800_53_rev_5
+type: framework
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_nist_sp_800_53_rev_5_ac
+- id: azure_nist_sp_800_53_rev_5_au
+- id: azure_nist_sp_800_53_rev_5_cm
+- id: azure_nist_sp_800_53_rev_5_cp
+- id: azure_nist_sp_800_53_rev_5_ia
+- id: azure_nist_sp_800_53_rev_5_ir
+- id: azure_nist_sp_800_53_rev_5_ra
+- id: azure_nist_sp_800_53_rev_5_sc
+- id: azure_nist_sp_800_53_rev_5_si
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
index 57d6be4fc..23fc44241 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
@@ -1,24 +1,31 @@
+id: azure_nist_sp_800_53_rev_5_ac
+title: Access Control (AC)
+description: The AC Control Family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+section-code: ac
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ac
- title: Access Control (AC)
- description: The AC Control Family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
- section-code: ac
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac_2
- - id: azure_nist_sp_800_53_rev_5_ac_3
- - id: azure_nist_sp_800_53_rev_5_ac_4
- - id: azure_nist_sp_800_53_rev_5_ac_5
- - id: azure_nist_sp_800_53_rev_5_ac_6
- - id: azure_nist_sp_800_53_rev_5_ac_16
- - id: azure_nist_sp_800_53_rev_5_ac_17
+- id: azure_nist_sp_800_53_rev_5_ac_2
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_3
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_4
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_5
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_6
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_16
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_17
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
index 4ca12e50d..f2ee4a7ce 100755
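Review bot: The description kept on the new side still opens with `The AC Control Family consists of security requirements detailing system logging`, which is the remit of the audit and accountability (AU) family; the children this group references (AC-2 through AC-6, AC-16, AC-17) cover account management, access enforcement, information flow, separation of duties, least privilege, security attributes and remote access. Suggest `description: The AC control family covers access control: account management, access enforcement, information flow, separation of duties, least privilege, and remote access requirements.` so the group maps cleanly back to the NIST catalog when findings are reviewed.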
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_16
- title: Security and Privacy Attributes (AC-16)
- description: Support and maintains the binding of security attributes to information in storage, in process, and in transition.
- section-code: "16"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_53_rev_5_ac_16
+title: Security and Privacy Attributes (AC-16)
+description: Support and maintains the binding of security attributes to information in storage, in process, and in transition.
+section-code: "16"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
index 370fd97ff..49ccbd748 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
@@ -1,52 +1,53 @@ +id: azure_nist_sp_800_53_rev_5_ac_17 +title: Remote Access (AC-17) +description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. +section-code: "17" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_ac_17 - title: Remote Access (AC-17) - description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. - section-code: "17" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_ac_17_1 - controls: - - azure_app_configuration_private_link_used - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_function_app_remote_debugging_disabled - - azure_redis_cache_uses_private_link - - azure_cognitive_account_private_link_used - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_image_builder_uses_private_link - - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - 
azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used - - azure_web_pub_sub_private_link_used +- id: azure_nist_sp_800_53_rev_5_ac_17_1 + type: "" +controls: +- azure_app_configuration_private_link_used +- azure_appservice_api_app_remote_debugging_disabled +- azure_appservice_function_app_remote_debugging_disabled +- azure_redis_cache_uses_private_link +- azure_cognitive_account_private_link_used +- azure_compute_disk_access_uses_private_link +- azure_compute_vm_guest_configuration_installed_linux +- azure_compute_vm_guest_configuration_installed_windows +- azure_compute_vm_guest_configuration_with_no_managed_identity +- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity +- azure_compute_vm_image_builder_uses_private_link +- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux +- azure_container_registry_uses_private_link +- azure_cosmosdb_account_uses_private_link +- azure_data_factory_uses_private_link +- azure_eventgrid_domain_private_link_used +- azure_eventgrid_topic_private_link_used +- azure_eventhub_namespace_private_link_used +- azure_healthcare_fhir_uses_private_link +- azure_keyvault_vault_private_link_used +- azure_mysql_server_private_link_used +- azure_postgres_server_private_link_used +- azure_search_service_uses_private_link +- azure_search_service_uses_sku_supporting_private_link +- azure_servicebus_name_space_private_link_used +- azure_signalr_service_private_link_used +- azure_spring_cloud_service_network_injection_enabled +- azure_sql_server_uses_private_link +- 
azure_storage_account_default_network_access_rule_denied +- azure_storage_account_uses_private_link +- azure_storage_sync_private_link_used +- azure_synapse_workspace_private_link_used +- azure_web_pub_sub_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml index 57ca6fbfd..f3da9fd4c 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml 
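Review bot: The `controls:` list on the new side of this AC-17 group is identical, item for item, to the list carried by its child AC-17(1) group in the ac_17_1 hunk that follows, so every one of the 33 controls is attached at both the parent and the child level. If the engine rolls results up per group, each finding is counted twice under AC-17 and the family score is skewed; if it deduplicates, the second copy is dead weight that has to be kept in sync by hand. Consider leaving the parent with only its `- id: azure_nist_sp_800_53_rev_5_ac_17_1` reference and keeping the controls on the child, or add a comment above `controls:` stating why both levels intentionally carry the same list. This hunk spans several physical lines; the child hunk that it duplicates runs past the end of the visible text.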
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_17_1
- title: Monitoring and Control AC-17(1)
- description: The information system monitors and controls remote access methods.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
+id: azure_nist_sp_800_53_rev_5_ac_17_1
+title: Monitoring and Control AC-17(1)
+description: The information system monitors and controls remote access methods.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_app_configuration_private_link_used
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_redis_cache_uses_private_link
+- azure_cognitive_account_private_link_used
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_image_builder_uses_private_link
+- azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_vault_private_link_used
+- azure_mysql_server_private_link_used
+- azure_postgres_server_private_link_used
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_spring_cloud_service_network_injection_enabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
+- azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
index 2c1df7472..d32a5172f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
@@ -1,33 +1,36 @@
+id: azure_nist_sp_800_53_rev_5_ac_2
+title: Account Management (AC-2)
+description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ac_2
- title: Account Management (AC-2)
- description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac_2_1
- - id: azure_nist_sp_800_53_rev_5_ac_2_7
- - id: azure_nist_sp_800_53_rev_5_ac_2_12
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+- id: azure_nist_sp_800_53_rev_5_ac_2_1
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_2_7
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ac_2_12
+ type: ""
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
index af000ee6d..9172afe2e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_2_1
- title: Automated System Account Management AC-2(1)
- description: The organization employs automated mechanisms to support the management of information system accounts.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_53_rev_5_ac_2_1
+title: Automated System Account Management AC-2(1)
+description: The organization employs automated mechanisms to support the management of information system accounts.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cognitive_service_local_auth_disabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
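Review bot: The three child references emitted under `control-group:` carry `type: ""` (`+- id: azure_nist_sp_800_53_rev_5_ac_2_1` / `+ type: ""`), while the same document sets `type: control-group` on itself and the referenced ac_2_1 file in this diff also declares `type: control-group`. An empty string is a distinct value from an absent key, so any loader that dispatches on `type` has to special-case it; if the child's type is meant to come from the referenced file, drop the key and write `- id: azure_nist_sp_800_53_rev_5_ac_2_1` alone, otherwise write `type: control-group`. This looks like a zero-value field from a serializer rather than a deliberate choice, and the same placeholder is repeated in every parent group in this diff (ac_3, ac_4, ac_6, au, au_12), so it is worth settling once before it lands framework-wide.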
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
index 9b0faa98d..3a499ea79 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_2_12
- title: Account Monitoring for Atypical Usage AC-2(12)
- description: The organization monitors information system accounts for organization-defined atypical use and reports atypical usage of information system accounts to organization-defined personnel or roles.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_compute_vm_jit_access_protected
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
+id: azure_nist_sp_800_53_rev_5_ac_2_12
+title: Account Monitoring for Atypical Usage AC-2(12)
+description: The organization monitors information system accounts for organization-defined atypical use and reports atypical usage of information system accounts to organization-defined personnel or roles.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_compute_vm_jit_access_protected
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
index 2694a4247..9a7d2fb22 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_2_7
- title: Privileged User Accounts AC-2(7)
- description: The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles, monitors privileged role assignments, and takes organization-defined actions when privileged role assignments are no longer appropriate.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_no_custom_role
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_53_rev_5_ac_2_7
+title: Privileged User Accounts AC-2(7)
+description: The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles, monitors privileged role assignments, and takes organization-defined actions when privileged role assignments are no longer appropriate.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_cognitive_service_local_auth_disabled
+- azure_iam_no_custom_role
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
index d860bc9b7..15afc2892 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
@@ -1,35 +1,36 @@
+id: azure_nist_sp_800_53_rev_5_ac_3
+title: Access Enforcement (AC-3)
+description: Enforce approved authorizations for access to systems in accordance with policy.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ac_3
- title: Access Enforcement (AC-3)
- description: Enforce approved authorizations for access to systems in accordance with policy.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac_3_7
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_authorize_access_to_security_functions_and_information
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_uses_azure_resource_manager
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_storage_account_uses_azure_resource_manager
+- id: azure_nist_sp_800_53_rev_5_ac_3_7
+ type: ""
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_authorize_access_to_security_functions_and_information
+- azure_cognitive_service_local_auth_disabled
+- azure_compute_vm_account_with_password_linux
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_ssh_key_authentication_linux
+- azure_compute_vm_uses_azure_resource_manager
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
+- azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
index 4b953f18f..091a3ab42 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_3_7
- title: Role-based Access Control AC-3(7)
- description: The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon organization-defined roles and users authorized to assume such roles.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
- controls:
- - azure_kubernetes_instance_rbac_enabled
+id: azure_nist_sp_800_53_rev_5_ac_3_7
+title: Role-based Access Control AC-3(7)
+description: The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon organization-defined roles and users authorized to assume such roles.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+controls:
+- azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
index 555b415b8..9b54cb1a9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
@@ -1,68 +1,69 @@
+id: azure_nist_sp_800_53_rev_5_ac_4
+title: Information Flow Enforcement (AC-4)
+description: Enforce approved authorizations. Control information workflow between interconnected systems.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ac_4
- title: Information Flow Enforcement (AC-4)
- description: Enforce approved authorizations. Control information workflow between interconnected systems.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac_4_3
- controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_appservice_web_app_cors_no_star
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_cognitive_account_public_network_access_disabled
- - azure_cognitive_account_restrict_public_access
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_non_internet_facing_protected_with_nsg
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_network_subnet_protected_by_firewall
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
+- id: azure_nist_sp_800_53_rev_5_ac_4_3
+ type: ""
+controls:
+- azure_apimanagement_service_with_virtual_network
+- azure_app_configuration_private_link_used
+- azure_appservice_web_app_cors_no_star
+- azure_redis_cache_uses_private_link
+- azure_cognitive_account_private_link_used
+- azure_cognitive_account_public_network_access_disabled
+- azure_cognitive_account_restrict_public_access
+- azure_compute_disk_access_uses_private_link
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_image_builder_uses_private_link
+- azure_compute_vm_jit_access_protected
+- azure_compute_vm_non_internet_facing_protected_with_nsg
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_container_registry_restrict_public_access
+- azure_container_registry_uses_private_link
+- azure_cosmosdb_account_uses_private_link
+- azure_cosmosdb_account_with_firewall_rules
+- azure_data_factory_uses_private_link
+- azure_eventgrid_domain_private_link_used
+- azure_eventgrid_topic_private_link_used
+- azure_eventhub_namespace_private_link_used
+- azure_healthcare_fhir_uses_private_link
+- azure_keyvault_firewall_enabled
+- azure_keyvault_vault_private_link_used
+- azure_kubernetes_cluster_authorized_ip_range_defined
+- azure_mariadb_server_public_network_access_disabled
+- azure_mysql_server_private_link_used
+- azure_mysql_server_public_network_access_disabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
+- azure_network_security_group_subnet_associated
+- azure_network_subnet_protected_by_firewall
+- azure_postgres_server_private_link_used
+- azure_postgresql_server_public_network_access_disabled
+- azure_search_service_public_network_access_disabled
+- azure_search_service_uses_private_link
+- azure_search_service_uses_sku_supporting_private_link
+- azure_servicebus_name_space_private_link_used
+- azure_signalr_service_private_link_used
+- azure_sql_db_public_network_access_disabled
+- azure_sql_server_uses_private_link
+- azure_storage_account_block_public_access
+- azure_storage_account_default_network_access_rule_denied
+- azure_storage_account_restrict_network_access
+- azure_storage_account_uses_private_link
+- azure_storage_sync_private_link_used
+- azure_synapse_workspace_private_link_used
+- azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
index e07f9031b..5d12e7bbb 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_4_3
- title: Dynamic Information Flow Control AC-4(3)
- description: The information system enforces dynamic information flow control based on organization-defined policies.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_jit_access_protected
+id: azure_nist_sp_800_53_rev_5_ac_4_3
+title: Dynamic Information Flow Control AC-4(3)
+description: The information system enforces dynamic information flow control based on organization-defined policies.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_network_hardening_recommendation_applied
+- azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
index 373a4bfc5..8dcc473a3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_5
- title: Separation of Duties (AC-5)
- description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_more_than_1
+id: azure_nist_sp_800_53_rev_5_ac_5
+title: Separation of Duties (AC-5)
+description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
index a694b8116..67168053d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
@@ -1,21 +1,22 @@
+id: azure_nist_sp_800_53_rev_5_ac_6
+title: Least Privilege (AC-6)
+description: Automate least privilege. Allow only authorized accesses for users and processes which are necessary.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ac_6
- title: Least Privilege (AC-6)
- description: Automate least privilege. Allow only authorized accesses for users and processes which are necessary.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ac_6_7
- controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
+- id: azure_nist_sp_800_53_rev_5_ac_6_7
+ type: ""
+controls:
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
index 577482244..9b68ab196 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ac_6_7
- title: Review of User Privileges AC-6(7)
- description: The organization reviews organization-defined frequency the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
+id: azure_nist_sp_800_53_rev_5_ac_6_7
+title: Review of User Privileges AC-6(7)
+description: The organization reviews organization-defined frequency the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_no_custom_role
+- azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
index e3d2d69dd..26a25358c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
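Review bot: The new-side `description:` for AC-6(7) is ungrammatical and carries over unchanged even though every line of the file is rewritten: `The organization reviews organization-defined frequency the privileges assigned ...` drops the preposition and is hard to read in a report. Since this text is what assessors see next to the control list, suggest `description: The organization reviews, at an organization-defined frequency, the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.` The same kind of slip appears in the AC-5 file in this diff (`malevolent activity. automate separation`), which presumably should start the second sentence with a capital.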
@@ -1,20 +1,23 @@
+id: azure_nist_sp_800_53_rev_5_au
+title: Audit and Accountability Control (AU)
+description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+section-code: au
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_au
- title: Audit and Accountability Control (AU)
- description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
- section-code: au
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_au_6
- - id: azure_nist_sp_800_53_rev_5_au_11
- - id: azure_nist_sp_800_53_rev_5_au_12
+- id: azure_nist_sp_800_53_rev_5_au_6
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_au_11
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_au_12
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
index 13f5fb05e..f9a3a9e4c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_au_11
- title: Audit Record Retention (AU-11)
- description: Retain audit records for security investigations. Meet regulatory and organizational data retention requirements.
- section-code: "11"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
- controls:
- - azure_sql_server_auditing_storage_account_destination_retention_90_days
+id: azure_nist_sp_800_53_rev_5_au_11
+title: Audit Record Retention (AU-11)
+description: Retain audit records for security investigations. Meet regulatory and organizational data retention requirements.
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+controls:
+- azure_sql_server_auditing_storage_account_destination_retention_90_days
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
index e3524f6f8..88f8a4d7e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
@@ -1,52 +1,53 @@
+id: azure_nist_sp_800_53_rev_5_au_12
+title: Audit Record Generation (AU-12)
+description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_au_12
- title: Audit Record Generation (AU-12)
- description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_au_12_1
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - 
azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+- id: azure_nist_sp_800_53_rev_5_au_12_1
+ type: ""
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- 
azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
index 03abe5ffb..e463a14b4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_au_12_1
- title: System-wide and Time-correlated Audit Trail AU-12(1)
- description: The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - 
azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_nist_sp_800_53_rev_5_au_12_1
+title: System-wide and Time-correlated Audit Trail AU-12(1)
+description: The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- 
azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
index 49dc9950d..105480623 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
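Review bot: The description states that the audit trail is "time-correlated to within organization-defined level of tolerance", but every control mapped under `controls:` checks that a log source, agent or Defender plan is enabled; nothing visible in this hunk evaluates clock synchronization or timestamp tolerance, so a passing group does not evidence the time-correlation half of AU-12(1). Add a caveat to the description, e.g. `The mapped controls verify centralized log collection only; time synchronization tolerance between sources is not evaluated and must be assessed manually.` The list is also identical to the parent AU-12 group's `controls:`, so each finding will surface twice; if that duplication is intentional, say so in the description.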
@@ -1,33 +1,35 @@
+id: azure_nist_sp_800_53_rev_5_au_6
+title: Audit Record Review, Analysis, and Reporting (AU-6)
+description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_au_6
- title: Audit Record Review, Analysis, and Reporting (AU-6)
- description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_au_6_4
- - id: azure_nist_sp_800_53_rev_5_au_6_5
- controls:
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
+- id: azure_nist_sp_800_53_rev_5_au_6_4
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_au_6_5
+ type: ""
+controls:
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- 
azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_network_watcher_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
index 6ec83ddd2..0e70d24cb 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_au_6_4
- title: Central Review and Analysis AU-6(4)
- description: The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - 
azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_nist_sp_800_53_rev_5_au_6_4
+title: Central Review and Analysis AU-6(4)
+description: The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- 
azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
index e8fd8ed2d..4697fd399 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_au_6_5
- title: Integrated Analysis of Audit Records AU-6(5)
- description: The organization integrates analysis of audit records with analysis of vulnerable scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - 
azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
+id: azure_nist_sp_800_53_rev_5_au_6_5
+title: Integrated Analysis of Audit Records AU-6(5)
+description: The organization integrates analysis of audit records with analysis of vulnerable scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_web_app_diagnostic_logs_enabled
+- azure_arc_compute_machine_linux_log_analytics_agent_installed
+- azure_arc_compute_machine_windows_log_analytics_agent_installed
+- azure_arc_kubernetes_cluster_azure_defender_extension_installed
+- azure_batch_account_logging_enabled
+- azure_compute_vm_guest_configuration_installed
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+- azure_compute_vm_log_analytics_agent_installed
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+- azure_compute_vm_scale_set_log_analytics_agent_installed
+- azure_datalake_analytics_account_logging_enabled
+- azure_datalake_store_account_logging_enabled
+- azure_eventhub_namespace_logging_enabled
+- azure_iot_hub_logging_enabled
+- azure_keyvault_logging_enabled
+- azure_logic_app_workflow_logging_enabled
+- azure_network_watcher_enabled
+- azure_search_service_logging_enabled
+- 
azure_securitycenter_automatic_provisioning_monitoring_agent_on
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_servicebus_namespace_logging_enabled
+- azure_sql_server_auditing_on
+- azure_sql_server_azure_defender_enabled
+- azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
index 1986e5767..ff3a72741 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
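Review bot: The moved `description:` carries a wording error — "analysis of vulnerable scanning information" should read "analysis of vulnerability scanning information", which is the AU-6(5) phrasing and what the mapped Defender controls actually feed. Since this line is rewritten in the hunk anyway, fix it here: `description: The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.`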
@@ -1,21 +1,25 @@
+id: azure_nist_sp_800_53_rev_5_cm
+title: Configuration Management (CM)
+description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+section-code: cm
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_cm
- title: Configuration Management (CM)
- description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
- section-code: cm
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_cm_6
- - id: azure_nist_sp_800_53_rev_5_cm_7
- - id: azure_nist_sp_800_53_rev_5_cm_10
- - id: azure_nist_sp_800_53_rev_5_cm_11
+- id: azure_nist_sp_800_53_rev_5_cm_6
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cm_7
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cm_10
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cm_11
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
index 3cf697bfc..76f4fc763 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
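Review bot: Each of the four child entries under `control-group:` is written as `type: ""`, whereas the group itself is typed `control-group` in the same hunk; an empty-string type is a placeholder, not a value a schema can validate, and it leaves the loader to guess whether cm_6/cm_7/cm_10/cm_11 are groups or leaf controls. If the field is meaningful for children, set it to the real kind (`type: control-group` on each entry); if it is not, drop the key rather than commit four empty strings that a later validator will have to special-case.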
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cm_10
- title: Software Usage Restrictions (CM-10)
- description: The organization uses software and associated documentation in accordance with contract agreements and copyright laws, tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution, and controls and documents the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
- section-code: "10"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+id: azure_nist_sp_800_53_rev_5_cm_10
+title: Software Usage Restrictions (CM-10)
+description: The organization uses software and associated documentation in accordance with contract agreements and copyright laws, tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution, and controls and documents the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+section-code: "10"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated 
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
index d098dae50..04b710d48 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cm_11
- title: User-installed Software (CM-11)
- description: The organization establishes organization-defined policies governing the installation of software by users, enforces software installation policies through organization-defined methods, and monitors policy compliance at organization-defined frequency.
- section-code: "11"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+id: azure_nist_sp_800_53_rev_5_cm_11
+title: User-installed Software (CM-11)
+description: The organization establishes organization-defined policies governing the installation of software by users, enforces software installation policies through organization-defined methods, and monitors policy compliance at organization-defined frequency.
+section-code: "11"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated 
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
index 6bc370f92..d22dee017 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
@@ -1,38 +1,38 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cm_6
- title: Configuration Settings (CM-6)
- description: The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_client_certificates_on
- - azure_appservice_api_app_cors_no_star
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
- - azure_kubernetes_cluster_container_cpu_and_memory_resource_limit
- - azure_kubernetes_cluster_container_host_process_id_not_shared
- - azure_kubernetes_cluster_container_privilege_escalation_restricted
- - azure_kubernetes_cluster_container_use_allowed_apparmor_profile
- - azure_kubernetes_cluster_container_use_allowed_capabilities
- - azure_kubernetes_cluster_container_use_allowed_images
- - azure_kubernetes_cluster_container_with_read_only_root_file_system
- - azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path
- - 
azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range
- - azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id
- - azure_kubernetes_cluster_privilege_containers_restricted
- - azure_kubernetes_cluster_service_listen_to_allowed_ports
+id: azure_nist_sp_800_53_rev_5_cm_6
+title: Configuration Settings (CM-6)
+description: The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. 
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_client_certificates_on
+- azure_appservice_api_app_cors_no_star
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_function_app_cors_no_star
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_compute_vm_meet_security_baseline_requirements_linux
+- azure_compute_vm_meet_security_baseline_requirements_windows
+- azure_kubernetes_cluster_add_on_azure_policy_enabled
+- azure_kubernetes_cluster_container_cpu_and_memory_resource_limit
+- azure_kubernetes_cluster_container_host_process_id_not_shared
+- azure_kubernetes_cluster_container_privilege_escalation_restricted
+- azure_kubernetes_cluster_container_use_allowed_apparmor_profile
+- azure_kubernetes_cluster_container_use_allowed_capabilities
+- azure_kubernetes_cluster_container_use_allowed_images
+- azure_kubernetes_cluster_container_with_read_only_root_file_system
+- azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path
+- azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range
+- azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id
+- azure_kubernetes_cluster_privilege_containers_restricted
+- azure_kubernetes_cluster_service_listen_to_allowed_ports
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
index 77b1885c0..2865f81af 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
@@ -1,23 +1,25 @@
+id: azure_nist_sp_800_53_rev_5_cm_7
+title: Least Functionality (CM-7)
+description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_cm_7
- title: Least Functionality (CM-7)
- description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_cm_7_2
- - id: azure_nist_sp_800_53_rev_5_cm_7_5
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
- - azure_securitycenter_azure_defender_on_for_server
+- id: azure_nist_sp_800_53_rev_5_cm_7_2
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cm_7_5
+ type: ""
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
index 802694dbb..d8f095289 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
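Review bot: The child references under `control-group:` are written with `type: ""`, an empty string, while the same commit gives the top-level object `+type: control-group`; a loader that dispatches on `type` will either ignore or reject the empty value, and the two forms are inconsistent within one file. This looks like a struct serialized with its type field unset, which is inferred rather than visible here. Either drop the key on references or set it explicitly, `- id: azure_nist_sp_800_53_rev_5_cm_7_2` followed by `  type: control-group`. The same `type: ""` pattern appears in the cp, cp_6, ia, ia_2, ia_5 and ir hunks below.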
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cm_7_2
- title: Prevent Program Execution CM-7(2)
- description: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, rules authorizing the terms and conditions of software program usage.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+id: azure_nist_sp_800_53_rev_5_cm_7_2
+title: Prevent Program Execution CM-7(2)
+description: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, rules authorizing the terms and conditions of software program usage.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
index 87f6a75d5..a2712cceb 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cm_7_5
- title: Authorized Software ??? Allow-by-exception CM-7(5)
- description: The organization identifies organization-defined software programs authorized to execute on the information system, employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system, and reviews and updates the list of authorized software programs.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+id: azure_nist_sp_800_53_rev_5_cm_7_5
+title: Authorized Software ??? Allow-by-exception CM-7(5)
+description: The organization identifies organization-defined software programs authorized to execute on the information system, employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system, and reviews and updates the list of authorized software programs.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_adaptive_application_controls_enabled
+- azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
index 99bd8faf0..28c6fc8b2 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
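Review bot: The regenerated title still carries a mis-encoded character, `+title: Authorized Software ??? Allow-by-exception CM-7(5)`; the `???` presumably stands where a dash was lost in an earlier encoding step, and this rewrite copies it through unchanged into every report and UI that shows the control-group name. Since the file is being rewritten anyway, repair it to `title: Authorized Software - Allow-by-exception CM-7(5)` (or the dash the framework author intended), and consider a CI grep for `???` in `title:`/`description:` values so the same residue cannot be reintroduced elsewhere in the series.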
@@ -1,20 +1,23 @@
+id: azure_nist_sp_800_53_rev_5_cp
+title: Contingency Planning (CP)
+description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+section-code: cp
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_cp
- title: Contingency Planning (CP)
- description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
- section-code: cp
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_cp_6
- - id: azure_nist_sp_800_53_rev_5_cp_7
- - id: azure_nist_sp_800_53_rev_5_cp_9
+- id: azure_nist_sp_800_53_rev_5_cp_6
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cp_7
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_cp_9
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
index 0c32422ea..2cb3e7af2 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
@@ -1,24 +1,25 @@
+id: azure_nist_sp_800_53_rev_5_cp_6
+title: Alternate Storage Site (CP-6)
+description: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information and ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_cp_6
- title: Alternate Storage Site (CP-6)
- description: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information and ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
- section-code: "6"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_cp_6_1
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
+- id: azure_nist_sp_800_53_rev_5_cp_6_1
+ type: ""
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_sql_database_long_term_geo_redundant_backup_enabled
+- azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
index b46c8a2d6..cb7f5feda 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cp_6_1
- title: Separation from Primary Site CP-6(1)
- description: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
+id: azure_nist_sp_800_53_rev_5_cp_6_1
+title: Separation from Primary Site CP-6(1)
+description: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_sql_database_long_term_geo_redundant_backup_enabled
+- azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
index adaea598d..270aa8971 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
@@ -1,18 +1,18 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cp_7
- title: Alternate Processing Site (CP-7)
- description: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable, ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption and ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.
- section-code: "7"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_disaster_recovery_enabled
+id: azure_nist_sp_800_53_rev_5_cp_7
+title: Alternate Processing Site (CP-7)
+description: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable, ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption and ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.
+section-code: "7"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
index 757e941a5..f96897c03 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_cp_9
- title: System Backup (CP-9)
- description: The organization conducts backups of information system documentation including security-related documentation, user-level and system-level information contained in the information system with recovery time and recovery point objectives, and protects the confidentiality, integrity, and availability of backup information at storage locations.
- section-code: "9"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_soft_delete_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_nist_sp_800_53_rev_5_cp_9
+title: System Backup (CP-9)
+description: The organization conducts backups of information system documentation including security-related documentation, user-level and system-level information contained in the information system with recovery time and recovery point objectives, and protects the confidentiality, integrity, and availability of backup information at storage locations.
+section-code: "9"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_keyvault_purge_protection_enabled
+- azure_keyvault_soft_delete_enabled
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
index cb5e82247..6ecd63815 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
@@ -1,20 +1,23 @@
+id: azure_nist_sp_800_53_rev_5_ia
+title: Identification and Authentication (IA)
+description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+section-code: ia
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ia
- title: Identification and Authentication (IA)
- description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
- section-code: ia
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ia_2
- - id: azure_nist_sp_800_53_rev_5_ia_4
- - id: azure_nist_sp_800_53_rev_5_ia_5
+- id: azure_nist_sp_800_53_rev_5_ia_2
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ia_4
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ia_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
index 3d50c92d3..5231e2510 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
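Review bot: The regenerated `+description:` for the IA family ends in a clause with no verb, `... and how the management of those systems.`, and that text is rendered verbatim wherever the control family is listed. Since the commit rewrites the line anyway, it should read `... and how those systems are managed.` (the intended meaning is inferred from the surrounding sentence; confirm against the framework author's source). The same wording is carried on the removed side, so this is a missed fix rather than a regression.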
@@ -1,28 +1,30 @@
+id: azure_nist_sp_800_53_rev_5_ia_2
+title: Identification and Authentication (organizational Users) (IA-2)
+description: Identify and authenticate organization users and processes.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ia_2
- title: Identification and Authentication (organizational Users) (IA-2)
- description: Identify and authenticate organization users and processes.
- section-code: "2"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ia_2_1
- - id: azure_nist_sp_800_53_rev_5_ia_2_2
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+- id: azure_nist_sp_800_53_rev_5_ia_2_1
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ia_2_2
+ type: ""
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
index 75d63a035..3b0d34534 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ia_2_1
- title: Multi-factor Authentication to Privileged Accounts IA-2(1)
- description: Implement multi-factor authentication for access to privileged accounts.
- section-code: "1"
- controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+id: azure_nist_sp_800_53_rev_5_ia_2_1
+title: Multi-factor Authentication to Privileged Accounts IA-2(1)
+description: Implement multi-factor authentication for access to privileged accounts.
+section-code: "1"
+type: control-group
+controls:
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
index fe450d679..dd17e0089 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
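Review bot: `azure_nist_sp_800_53_rev_5_ia_2_1` (and `ia_2_2` in the next hunk) is regenerated without the `tags:` block that every other control-group in this series carries, so any benchmark filter keyed on `nist_sp_800_53_rev_5`, `plugin` or `service` will silently omit the two MFA sub-groups, which are among the highest-value identity controls in the family. The omission already existed on the removed side, but a rewrite of the whole file is the natural point to close it. The block to add is the one used by the `ia_2` parent (`category`, `nist_sp_800_53_rev_5`, `plugin`, `service: - Azure`, `type: - Benchmark`), placed between `section-code` and `controls`.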
@@ -1,7 +1,7 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ia_2_2
- title: Multi-factor Authentication to Non-privileged Accounts
- description: Implement multi-factor authentication for access to non-privileged accounts.
- section-code: "2"
- controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+id: azure_nist_sp_800_53_rev_5_ia_2_2
+title: Multi-factor Authentication to Non-privileged Accounts
+description: Implement multi-factor authentication for access to non-privileged accounts.
+section-code: "2"
+type: control-group
+controls:
+- azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
index a06508a8e..58d7ec713 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ia_4
- title: Identifier Management (IA-4)
- description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_nist_sp_800_53_rev_5_ia_4
+title: Identifier Management (IA-4)
+description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_function_app_uses_managed_identity
+- azure_appservice_web_app_uses_managed_identity
+- azure_cognitive_service_local_auth_disabled
+- azure_servicefabric_cluster_active_directory_authentication_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
index 7288c6e54..532fcf3c0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
@@ -1,29 +1,30 @@
+id: azure_nist_sp_800_53_rev_5_ia_5
+title: Authenticator Management (IA-5)
+description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ia_5
- title: Authenticator Management (IA-5)
- description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ia_5_1
- controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_password_file_permissions_0644_linux
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_keyvault_certificate_validity_12_months
- - azure_keyvault_key_expiration_set
- - azure_keyvault_secret_expiration_set
+- id: azure_nist_sp_800_53_rev_5_ia_5_1
+ type: ""
+controls:
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_password_file_permissions_0644_linux
+- azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+- azure_compute_vm_ssh_key_authentication_linux
+- azure_keyvault_certificate_validity_12_months
+- azure_keyvault_key_expiration_set
+- azure_keyvault_secret_expiration_set
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
index 88ec888d1..910f9c18c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
@@ -1,28 +1,28 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ia_5_1
- title: Password-based Authentication IA-5(1)
- description: The information system, for password-based authentication, enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; enforces at least the organization-defined number of changed characters when new passwords are created; stores and transmits only cryptographically-protected passwords; enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum; prohibits password reuse for organization-defined number generations; and allows the use of a temporary password for system logons with an immediate change to a permanent password.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_max_password_age_70_days_windows
- - azure_compute_vm_min_password_age_1_day_windows
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_password_complexity_setting_enabled_windows
- - azure_compute_vm_password_file_permissions_0644_linux
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
+id: azure_nist_sp_800_53_rev_5_ia_5_1
+title: Password-based Authentication IA-5(1)
+description: The information system, for password-based authentication, enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; enforces at least the organization-defined number of changed characters when new passwords are created; stores and transmits only cryptographically-protected passwords; enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum; prohibits password reuse for organization-defined number generations; and allows the use of a temporary password for system logons with an immediate change to a permanent password.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_guest_configuration_installed_linux
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_max_password_age_70_days_windows
+- azure_compute_vm_min_password_age_1_day_windows
+- azure_compute_vm_min_password_length_14_windows
+- azure_compute_vm_password_complexity_setting_enabled_windows
+- azure_compute_vm_password_file_permissions_0644_linux
+- azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+- azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
index b2722659a..a943b9462 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
@@ -1,20 +1,23 @@
+id: azure_nist_sp_800_53_rev_5_ir
+title: Incident Response (IR)
+description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+section-code: ir
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ir
- title: Incident Response (IR)
- description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
- section-code: ir
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ir_4
- - id: azure_nist_sp_800_53_rev_5_ir_5
- - id: azure_nist_sp_800_53_rev_5_ir_6_2
+- id: azure_nist_sp_800_53_rev_5_ir_4
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ir_5
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_ir_6_2
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
index ab4ec59c6..5f6e79830 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ir_4
- title: Incident Handling (IR-4)
- description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; coordinates incident handling activities with contingency planning activities; and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
- section-code: "4"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_53_rev_5_ir_4
+title: Incident Handling (IR-4)
+description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; coordinates incident handling activities with contingency planning activities; and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
index 8d8510eb7..19028a8a2 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
@@ -1,30 +1,30 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ir_5
- title: Incident Monitoring (IR-5)
- description: The organization tracks and documents information system security incidents.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
+id: azure_nist_sp_800_53_rev_5_ir_5
+title: Incident Monitoring (IR-5)
+description: The organization tracks and documents information system security incidents.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml
index e65b0160e..f5d1a849a 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml
@@ -1,20 +1,20 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ir_6_2
- title: Vulnerabilities Related to Incidents IR-6(2)
- description: The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.
- section-code: "6_2"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
- controls:
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
+id: azure_nist_sp_800_53_rev_5_ir_6_2
+title: Vulnerabilities Related to Incidents IR-6(2)
+description: The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles.
+section-code: "6_2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml
index 368c80714..3cb0a0e9a 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml
@@ -1,18 +1,19 @@
+id: azure_nist_sp_800_53_rev_5_ra
+title: Risk Assessment (RA)
+description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+section-code: ra
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_ra
- title: Risk Assessment (RA)
- description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
- section-code: ra
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_ra_5
+- id: azure_nist_sp_800_53_rev_5_ra_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml
index e24939452..b1b259c4b 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml
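Review bot: The new `description` line for the RA group carries a vendor marketing sentence ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.") that says nothing about the control family and will be printed wherever group descriptions surface in reports. The text was carried over from the removed line rather than introduced here, but since the line is being rewritten anyway it should be cut to `description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities.`. None of the other family descriptions in this change contain product references, so this one is also the odd one out stylistically.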
@@ -1,37 +1,37 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_ra_5
- title: Vulnerability Monitoring and Scanning (RA-5)
- description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_compute_vm_vulnerability_findings_resolved_for_sql_server
- - azure_container_registry_vulnerabilities_remediated
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
+id: azure_nist_sp_800_53_rev_5_ra_5
+title: Vulnerability Monitoring and Scanning (RA-5)
+description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_container_security_configurations_vulnerabilities_remediated
+- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_compute_vm_vulnerability_findings_resolved_for_sql_server
+- azure_container_registry_vulnerabilities_remediated
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_containers
+- azure_securitycenter_azure_defender_on_for_dns
+- azure_securitycenter_azure_defender_on_for_keyvault
+- azure_securitycenter_azure_defender_on_for_resource_manager
+- azure_securitycenter_azure_defender_on_for_server
+- azure_securitycenter_azure_defender_on_for_sqldb
+- azure_securitycenter_azure_defender_on_for_sqlservervm
+- azure_securitycenter_azure_defender_on_for_storage
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
+- azure_sql_server_azure_defender_enabled
+- azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml
index e8c5bb3ee..a0c9890b6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml
@@ -1,23 +1,29 @@
+id: azure_nist_sp_800_53_rev_5_sc
+title: System and Communications Protection (SC)
+description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+section-code: sc
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_sc
- title: System and Communications Protection (SC)
- description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
- section-code: sc
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_sc_3
- - id: azure_nist_sp_800_53_rev_5_sc_5
- - id: azure_nist_sp_800_53_rev_5_sc_7
- - id: azure_nist_sp_800_53_rev_5_sc_8
- - id: azure_nist_sp_800_53_rev_5_sc_12
- - id: azure_nist_sp_800_53_rev_5_sc_28
+- id: azure_nist_sp_800_53_rev_5_sc_3
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_sc_5
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_sc_7
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_sc_8
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_sc_12
+ type: ""
+- id: azure_nist_sp_800_53_rev_5_sc_28
+ type: ""
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml
index 9b998dd54..00b103e90 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml 
@@ -1,50 +1,50 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_sc_12
- title: Cryptographic Key Establishment and Management (SC-12)
- description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_automation_account_encrypted_with_cmk
- - azure_batch_account_encrypted_with_cmk
- - azure_bot_service_encrypted_with_cmk
- - azure_cognitive_account_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- - azure_container_instance_container_group_encrypted_using_cmk
- - azure_container_registry_encrypted_with_cmk
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_data_factory_encrypted_with_cmk
- - azure_databox_job_unlock_password_encrypted_with_cmk
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_hpc_cache_encrypted_with_cmk
- - azure_iot_hub_encrypted_with_cmk
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_logic_app_integration_service_environment_encrypted_with_cmk
- - azure_machine_learning_workspace_encrypted_with_cmk
- - azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account
- - azure_monitor_log_cluster_encrypted_with_cmk
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_recovery_service_vault_encrypted_with_cmk
- - azure_servicebus_premium_namespace_cmk_encrypted
- - azure_sql_server_tde_protector_cmk_encrypted
- - azure_storage_account_encryption_at_rest_using_cmk
- - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- - azure_stream_analytics_job_encrypted_with_cmk
- - azure_synapse_workspace_encryption_at_rest_using_cmk
+id: azure_nist_sp_800_53_rev_5_sc_12
+title: Cryptographic Key Establishment and Management (SC-12)
+description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_automation_account_encrypted_with_cmk
+- azure_batch_account_encrypted_with_cmk
+- azure_bot_service_encrypted_with_cmk
+- azure_cognitive_account_encrypted_with_cmk
+- azure_compute_os_and_data_disk_encrypted_with_cmk
+- azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
+- azure_container_instance_container_group_encrypted_using_cmk
+- azure_container_registry_encrypted_with_cmk
+- azure_cosmosdb_account_encryption_at_rest_using_cmk
+- azure_data_factory_encrypted_with_cmk
+- azure_databox_job_unlock_password_encrypted_with_cmk
+- azure_eventhub_namespace_cmk_encryption_enabled
+- azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+- azure_hdinsight_cluster_encryption_at_host_enabled
+- azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+- azure_hpc_cache_encrypted_with_cmk
+- azure_iot_hub_encrypted_with_cmk
+- azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+- azure_kusto_cluster_encrypted_at_rest_with_cmk
+- azure_logic_app_integration_service_environment_encrypted_with_cmk
+- azure_machine_learning_workspace_encrypted_with_cmk
+- azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account
+- azure_monitor_log_cluster_encrypted_with_cmk
+- azure_mssql_managed_instance_encryption_at_rest_using_cmk
+- azure_mysql_server_encrypted_at_rest_using_cmk
+- azure_postgres_sql_server_encrypted_at_rest_using_cmk
+- azure_recovery_service_vault_encrypted_with_cmk
+- azure_servicebus_premium_namespace_cmk_encrypted
+- azure_sql_server_tde_protector_cmk_encrypted
+- azure_storage_account_encryption_at_rest_using_cmk
+- azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
+- azure_stream_analytics_job_encrypted_with_cmk
+- azure_synapse_workspace_encryption_at_rest_using_cmk
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml
index ef2cac4d3..bb3d5d015 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml
@@ -1,33 +1,34 @@
+id: azure_nist_sp_800_53_rev_5_sc_28
+title: Protection of Information at Rest (SC-28)
+description: The information system protects the confidentiality and integrity of organization-defined information at rest.
+section-code: "28"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_nist_sp_800_53_rev_5_sc_28
- title: Protection of Information at Rest (SC-28)
- description: The information system protects the confidentiality and integrity of organization-defined information at rest.
- section-code: "28"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_nist_sp_800_53_rev_5_sc_28_1
- controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_databox_edge_device_double_encryption_enabled
- - azure_databox_job_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_monitor_log_cluster_infrastructure_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
+- id: azure_nist_sp_800_53_rev_5_sc_28_1
+ type: ""
+controls:
+- azure_app_service_environment_internal_encryption_enabled
+- azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+- azure_databox_edge_device_double_encryption_enabled
+- azure_databox_job_double_encryption_enabled
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_monitor_log_cluster_infrastructure_encryption_enabled
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_postgresql_server_infrastructure_encryption_enabled
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_server_transparent_data_encryption_enabled
+- azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml
index 1ec284b18..94d2366b7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml
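Review bot: The `controls:` list written for the sc_28 group is the same fourteen ids that the child group `azure_nist_sp_800_53_rev_5_sc_28_1` (the next hunk) declares, and sc_28 also references that child under `control-group`, so every one of these controls appears to be evaluated once under the parent and once under the child and would be double-counted in any rollup of SC-28; I am inferring the rollup behaviour from the file layout, so this is worth confirming against the loader. If the parent is meant to be a pure container, its `controls:` block should be dropped; if the overlap is intentional, a one-line comment above `controls:` saying so would spare the next reader the side-by-side comparison. Separately, `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` reads as a misspelling ("sacle") that is repeated identically in the sc_28_1 hunk — confirm a control with exactly that id exists rather than renaming it here, since a dangling reference would silently drop the check from both groups.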
@@ -1,31 +1,31 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_sc_28_1
- title: Cryptographic Protection SC-28(1)
- description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components.
- section-code: "1"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_databox_edge_device_double_encryption_enabled
- - azure_databox_job_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_monitor_log_cluster_infrastructure_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
+id: azure_nist_sp_800_53_rev_5_sc_28_1
+title: Cryptographic Protection SC-28(1)
+description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_app_service_environment_internal_encryption_enabled
+- azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+- azure_databox_edge_device_double_encryption_enabled
+- azure_databox_job_double_encryption_enabled
+- azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+- azure_kusto_cluster_disk_encryption_enabled
+- azure_kusto_cluster_double_encryption_enabled
+- azure_monitor_log_cluster_infrastructure_encryption_enabled
+- azure_mysql_server_infrastructure_encryption_enabled
+- azure_postgresql_server_infrastructure_encryption_enabled
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_server_transparent_data_encryption_enabled
+- azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml
index 89e98dfa7..65b4a226c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_sc_3
- title: Security Function Isolation (SC-3)
- description: The information system isolates security functions from nonsecurity functions.
- section-code: "3"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_monitor_missing_endpoint_protection_in_asc
- - azure_compute_vm_scale_set_endpoint_protection_solution_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
+id: azure_nist_sp_800_53_rev_5_sc_3
+title: Security Function Isolation (SC-3)
+description: The information system isolates security functions from nonsecurity functions.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_monitor_missing_endpoint_protection_in_asc
+- azure_compute_vm_scale_set_endpoint_protection_solution_installed
+- azure_compute_vm_windows_defender_exploit_guard_enabled
+- azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml
index 86e71c75f..a36719969 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_sc_5
- title: Denial-of-service Protection (SC-5)
- description: The information system protects against or limits the effects of the organization-defined types of denial of service attacks or reference to a source for such information by employing organization-defined security safeguards.
- section-code: "5"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_application_gateway_waf_enabled
- - azure_frontdoor_waf_enabled
- - azure_network_ddos_enabled
- - azure_network_interface_ip_forwarding_disabled
+id: azure_nist_sp_800_53_rev_5_sc_5
+title: Denial-of-service Protection (SC-5)
+description: The information system protects against or limits the effects of the organization-defined types of denial of service attacks or reference to a source for such information by employing organization-defined security safeguards.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_application_gateway_waf_enabled
+- azure_frontdoor_waf_enabled
+- azure_network_ddos_enabled
+- azure_network_interface_ip_forwarding_disabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml
index 892287be1..dda7b9101 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml
@@ -1,70 +1,71 @@ +id: azure_nist_sp_800_53_rev_5_sc_7 +title: Boundary Protection (SC-7) +description: The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; implements subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. +section-code: "7" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_sc_7 - title: Boundary Protection (SC-7) - description: The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; implements subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 
- section-code: "7" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_sc_7_3 - controls: - - azure_apimanagement_service_with_virtual_network - - azure_app_configuration_private_link_used - - azure_application_gateway_waf_enabled - - azure_redis_cache_uses_private_link - - azure_cognitive_account_private_link_used - - azure_cognitive_account_public_network_access_disabled - - azure_cognitive_account_restrict_public_access - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_adaptive_network_hardening_recommendation_applied - - azure_compute_vm_image_builder_uses_private_link - - azure_compute_vm_jit_access_protected - - azure_compute_vm_non_internet_facing_protected_with_nsg - - azure_compute_vm_remote_access_restricted_all_ports - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_restrict_public_access - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_cosmosdb_account_with_firewall_rules - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_frontdoor_waf_enabled - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_firewall_enabled - - azure_keyvault_vault_private_link_used - - azure_kubernetes_cluster_authorized_ip_range_defined - - azure_machine_learning_workspace_private_link_used - - azure_mariadb_server_public_network_access_disabled - - azure_mysql_server_private_link_used - - azure_mysql_server_public_network_access_disabled - - azure_network_interface_ip_forwarding_disabled - - azure_network_security_group_remote_access_restricted - - azure_network_security_group_subnet_associated - - azure_network_subnet_protected_by_firewall - - azure_postgres_server_private_link_used - - 
azure_postgresql_server_public_network_access_disabled - - azure_search_service_public_network_access_disabled - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_sql_db_public_network_access_disabled - - azure_sql_server_uses_private_link - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_restrict_network_access - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used - - azure_web_pub_sub_private_link_used +- id: azure_nist_sp_800_53_rev_5_sc_7_3 + type: "" +controls: +- azure_apimanagement_service_with_virtual_network +- azure_app_configuration_private_link_used +- azure_application_gateway_waf_enabled +- azure_redis_cache_uses_private_link +- azure_cognitive_account_private_link_used +- azure_cognitive_account_public_network_access_disabled +- azure_cognitive_account_restrict_public_access +- azure_compute_disk_access_uses_private_link +- azure_compute_vm_adaptive_network_hardening_recommendation_applied +- azure_compute_vm_image_builder_uses_private_link +- azure_compute_vm_jit_access_protected +- azure_compute_vm_non_internet_facing_protected_with_nsg +- azure_compute_vm_remote_access_restricted_all_ports +- azure_compute_vm_tcp_udp_access_restricted_internet +- azure_container_registry_restrict_public_access +- azure_container_registry_uses_private_link +- azure_cosmosdb_account_uses_private_link +- azure_cosmosdb_account_with_firewall_rules +- azure_data_factory_uses_private_link +- azure_eventgrid_domain_private_link_used +- azure_eventgrid_topic_private_link_used +- azure_eventhub_namespace_private_link_used +- azure_frontdoor_waf_enabled +- azure_healthcare_fhir_uses_private_link +- azure_keyvault_firewall_enabled +- 
azure_keyvault_vault_private_link_used +- azure_kubernetes_cluster_authorized_ip_range_defined +- azure_machine_learning_workspace_private_link_used +- azure_mariadb_server_public_network_access_disabled +- azure_mysql_server_private_link_used +- azure_mysql_server_public_network_access_disabled +- azure_network_interface_ip_forwarding_disabled +- azure_network_security_group_remote_access_restricted +- azure_network_security_group_subnet_associated +- azure_network_subnet_protected_by_firewall +- azure_postgres_server_private_link_used +- azure_postgresql_server_public_network_access_disabled +- azure_search_service_public_network_access_disabled +- azure_search_service_uses_private_link +- azure_search_service_uses_sku_supporting_private_link +- azure_servicebus_name_space_private_link_used +- azure_signalr_service_private_link_used +- azure_sql_db_public_network_access_disabled +- azure_sql_server_uses_private_link +- azure_storage_account_block_public_access +- azure_storage_account_default_network_access_rule_denied +- azure_storage_account_restrict_network_access +- azure_storage_account_uses_private_link +- azure_storage_sync_private_link_used +- azure_synapse_workspace_private_link_used +- azure_web_pub_sub_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml index 38c0e4742..c99f8b38e 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml 
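Review bot: The nested group reference added in this hunk is given an empty type (`- id: azure_nist_sp_800_53_rev_5_sc_7_3` followed by `type: ""`), while the parent in the same hunk gets `type: control-group` and the control files in this change set get `type: control`. If the loader dispatches on `type`, an empty string is likely to be treated as unknown rather than as a child group, so the reference should read `type: control-group`, or the key should be dropped entirely if the loader already infers the kind from the `control-group:` list it sits under. The same `type: ""` value is introduced in the sc_8, si and si_2 hunks (references to `azure_nist_sp_800_53_rev_5_sc_8_1`, `_si_2`, `_si_3`, `_si_4`, `_si_16` and `_si_2_6`) and should be changed consistently so that a schema check can reject empty types outright.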
@@ -1,68 +1,68 @@ -control-group: - id: azure_nist_sp_800_53_rev_5_sc_7_3 - title: Access Points SC-7(3) - description: The organization limits the number of external network connections to the information system. - section-code: "3" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_apimanagement_service_with_virtual_network - - azure_app_configuration_private_link_used - - azure_application_gateway_waf_enabled - - azure_redis_cache_uses_private_link - - azure_cognitive_account_private_link_used - - azure_cognitive_account_public_network_access_disabled - - azure_cognitive_account_restrict_public_access - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_adaptive_network_hardening_recommendation_applied - - azure_compute_vm_image_builder_uses_private_link - - azure_compute_vm_jit_access_protected - - azure_compute_vm_non_internet_facing_protected_with_nsg - - azure_compute_vm_remote_access_restricted_all_ports - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_restrict_public_access - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_cosmosdb_account_with_firewall_rules - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_frontdoor_waf_enabled - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_firewall_enabled - - azure_keyvault_vault_private_link_used - - azure_kubernetes_cluster_authorized_ip_range_defined - - azure_machine_learning_workspace_private_link_used - - azure_mariadb_server_public_network_access_disabled - - azure_mysql_server_private_link_used - - azure_mysql_server_public_network_access_disabled - - azure_network_interface_ip_forwarding_disabled - - azure_network_security_group_remote_access_restricted - 
- azure_network_security_group_subnet_associated - - azure_network_subnet_protected_by_firewall - - azure_postgres_server_private_link_used - - azure_postgresql_server_public_network_access_disabled - - azure_search_service_public_network_access_disabled - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_sql_db_public_network_access_disabled - - azure_sql_server_uses_private_link - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_restrict_network_access - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used - - azure_web_pub_sub_private_link_used +id: azure_nist_sp_800_53_rev_5_sc_7_3 +title: Access Points SC-7(3) +description: The organization limits the number of external network connections to the information system. 
+section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_apimanagement_service_with_virtual_network +- azure_app_configuration_private_link_used +- azure_application_gateway_waf_enabled +- azure_redis_cache_uses_private_link +- azure_cognitive_account_private_link_used +- azure_cognitive_account_public_network_access_disabled +- azure_cognitive_account_restrict_public_access +- azure_compute_disk_access_uses_private_link +- azure_compute_vm_adaptive_network_hardening_recommendation_applied +- azure_compute_vm_image_builder_uses_private_link +- azure_compute_vm_jit_access_protected +- azure_compute_vm_non_internet_facing_protected_with_nsg +- azure_compute_vm_remote_access_restricted_all_ports +- azure_compute_vm_tcp_udp_access_restricted_internet +- azure_container_registry_restrict_public_access +- azure_container_registry_uses_private_link +- azure_cosmosdb_account_uses_private_link +- azure_cosmosdb_account_with_firewall_rules +- azure_data_factory_uses_private_link +- azure_eventgrid_domain_private_link_used +- azure_eventgrid_topic_private_link_used +- azure_eventhub_namespace_private_link_used +- azure_frontdoor_waf_enabled +- azure_healthcare_fhir_uses_private_link +- azure_keyvault_firewall_enabled +- azure_keyvault_vault_private_link_used +- azure_kubernetes_cluster_authorized_ip_range_defined +- azure_machine_learning_workspace_private_link_used +- azure_mariadb_server_public_network_access_disabled +- azure_mysql_server_private_link_used +- azure_mysql_server_public_network_access_disabled +- azure_network_interface_ip_forwarding_disabled +- azure_network_security_group_remote_access_restricted +- azure_network_security_group_subnet_associated +- azure_network_subnet_protected_by_firewall +- azure_postgres_server_private_link_used +- azure_postgresql_server_public_network_access_disabled +- 
azure_search_service_public_network_access_disabled +- azure_search_service_uses_private_link +- azure_search_service_uses_sku_supporting_private_link +- azure_servicebus_name_space_private_link_used +- azure_signalr_service_private_link_used +- azure_sql_db_public_network_access_disabled +- azure_sql_server_uses_private_link +- azure_storage_account_block_public_access +- azure_storage_account_default_network_access_rule_denied +- azure_storage_account_restrict_network_access +- azure_storage_account_uses_private_link +- azure_storage_sync_private_link_used +- azure_synapse_workspace_private_link_used +- azure_web_pub_sub_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml index c538f3fd6..aa3127feb 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml 
@@ -1,32 +1,33 @@ +id: azure_nist_sp_800_53_rev_5_sc_8 +title: Transmission Confidentiality and Integrity (SC-8) +description: The information system protects the confidentiality and integrity of transmitted information. +section-code: "8" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_sc_8 - title: Transmission Confidentiality and Integrity (SC-8) - description: The information system protects the confidentiality and integrity of transmitted information. - section-code: "8" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_sc_8_1 - controls: - - azure_appservice_api_app_ftps_enabled - - azure_appservice_api_app_latest_tls_version - - azure_appservice_function_app_ftps_enabled - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible - - azure_appservice_web_app_use_https - - azure_redis_cache_ssl_enabled - - azure_compute_vm_secure_communication_protocols_configured - - azure_hdinsight_cluster_encryption_in_transit_enabled - - azure_kubernetes_cluster_https_enabled - - azure_mysql_ssl_enabled - - azure_postgres_sql_ssl_enabled - - azure_storage_account_secure_transfer_required_enabled +- id: azure_nist_sp_800_53_rev_5_sc_8_1 + type: "" +controls: +- azure_appservice_api_app_ftps_enabled +- azure_appservice_api_app_latest_tls_version +- azure_appservice_function_app_ftps_enabled +- azure_appservice_function_app_latest_tls_version +- azure_appservice_function_app_only_https_accessible +- azure_appservice_web_app_use_https +- azure_redis_cache_ssl_enabled +- azure_compute_vm_secure_communication_protocols_configured +- azure_hdinsight_cluster_encryption_in_transit_enabled +- azure_kubernetes_cluster_https_enabled +- 
azure_mysql_ssl_enabled +- azure_postgres_sql_ssl_enabled +- azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml index 0e45babc3..59af45c62 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml 
@@ -1,30 +1,30 @@ -control-group: - id: azure_nist_sp_800_53_rev_5_sc_8_1 - title: Cryptographic Protection SC-8(1) - description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. - section-code: "1" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_appservice_api_app_ftps_enabled - - azure_appservice_api_app_latest_tls_version - - azure_appservice_function_app_ftps_enabled - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible - - azure_appservice_web_app_use_https - - azure_redis_cache_ssl_enabled - - azure_compute_vm_secure_communication_protocols_configured - - azure_hdinsight_cluster_encryption_in_transit_enabled - - azure_kubernetes_cluster_https_enabled - - azure_mysql_ssl_enabled - - azure_postgres_sql_ssl_enabled - - azure_storage_account_secure_transfer_required_enabled +id: azure_nist_sp_800_53_rev_5_sc_8_1 +title: Cryptographic Protection SC-8(1) +description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. 
+section-code: "1" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_appservice_api_app_ftps_enabled +- azure_appservice_api_app_latest_tls_version +- azure_appservice_function_app_ftps_enabled +- azure_appservice_function_app_latest_tls_version +- azure_appservice_function_app_only_https_accessible +- azure_appservice_web_app_use_https +- azure_redis_cache_ssl_enabled +- azure_compute_vm_secure_communication_protocols_configured +- azure_hdinsight_cluster_encryption_in_transit_enabled +- azure_kubernetes_cluster_https_enabled +- azure_mysql_ssl_enabled +- azure_postgres_sql_ssl_enabled +- azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml index 86d8f66f3..198603d97 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml 
@@ -1,21 +1,25 @@ +id: azure_nist_sp_800_53_rev_5_si +title: System and Information Integrity (SI) +description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection. +section-code: si +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_si - title: System and Information Integrity (SI) - description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection. - section-code: si - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_si_2 - - id: azure_nist_sp_800_53_rev_5_si_3 - - id: azure_nist_sp_800_53_rev_5_si_4 - - id: azure_nist_sp_800_53_rev_5_si_16 +- id: azure_nist_sp_800_53_rev_5_si_2 + type: "" +- id: azure_nist_sp_800_53_rev_5_si_3 + type: "" +- id: azure_nist_sp_800_53_rev_5_si_4 + type: "" +- id: azure_nist_sp_800_53_rev_5_si_16 + type: "" diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml index 8f06c91ce..3e3f5d985 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml 
@@ -1,19 +1,19 @@ -control-group: - id: azure_nist_sp_800_53_rev_5_si_16 - title: Memory Protection (SI-16) - description: The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution. - section-code: "16" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark - controls: - - azure_compute_vm_windows_defender_exploit_guard_enabled - - azure_securitycenter_azure_defender_on_for_server +id: azure_nist_sp_800_53_rev_5_si_16 +title: Memory Protection (SI-16) +description: The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution. +section-code: "16" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark +controls: +- azure_compute_vm_windows_defender_exploit_guard_enabled +- azure_securitycenter_azure_defender_on_for_server diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml index e44f53233..a54815622 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml 
@@ -1,37 +1,38 @@ +id: azure_nist_sp_800_53_rev_5_si_2 +title: Flaw Remediation (SI-2) +description: The organization identifies, reports, and corrects information system flaws, tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, installs security-relevant software and firmware updates within the organization-defined time period of the release of the updates, and incorporates flaw remediation into the organizational configuration management process. +section-code: "2" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_si_2 - title: Flaw Remediation (SI-2) - description: The organization identifies, reports, and corrects information system flaws, tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, installs security-relevant software and firmware updates within the organization-defined time period of the release of the updates, and incorporates flaw remediation into the organizational configuration management process. 
- section-code: "2" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_si_2_6 - controls: - - azure_appservice_function_app_latest_http_version - - azure_appservice_web_app_latest_http_version - - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated - - azure_compute_vm_scale_set_system_updates_installed - - azure_compute_vm_security_configuration_vulnerabilities_remediated - - azure_compute_vm_system_updates_installed - - azure_compute_vm_vulnerability_assessment_solution_enabled - - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_sql_database_vulnerability_findings_resolved +- id: azure_nist_sp_800_53_rev_5_si_2_6 + type: "" +controls: +- azure_appservice_function_app_latest_http_version +- azure_appservice_web_app_latest_http_version +- azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated +- azure_compute_vm_scale_set_system_updates_installed +- azure_compute_vm_security_configuration_vulnerabilities_remediated +- azure_compute_vm_system_updates_installed +- azure_compute_vm_vulnerability_assessment_solution_enabled +- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version +- azure_securitycenter_azure_defender_on_for_appservice +- azure_securitycenter_azure_defender_on_for_containers +- azure_securitycenter_azure_defender_on_for_dns +- 
azure_securitycenter_azure_defender_on_for_keyvault +- azure_securitycenter_azure_defender_on_for_resource_manager +- azure_securitycenter_azure_defender_on_for_server +- azure_securitycenter_azure_defender_on_for_sqldb +- azure_securitycenter_azure_defender_on_for_sqlservervm +- azure_securitycenter_azure_defender_on_for_storage +- azure_sql_database_vulnerability_findings_resolved diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml index e94eac2c5..d5638f603 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml 
@@ -1,20 +1,20 @@ -control-group: - id: azure_nist_sp_800_53_rev_5_si_2_6 - title: Removal of Previous Versions of Software and Firmware SI-2(6) - description: The organization removes organization-defined software and firmware components after updated versions have been installed. - section-code: "6" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_appservice_function_app_latest_http_version - - azure_appservice_web_app_latest_http_version - - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version +id: azure_nist_sp_800_53_rev_5_si_2_6 +title: Removal of Previous Versions of Software and Firmware SI-2(6) +description: The organization removes organization-defined software and firmware components after updated versions have been installed. +section-code: "6" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_appservice_function_app_latest_http_version +- azure_appservice_web_app_latest_http_version +- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml index d66fef953..827b7679c 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml 
@@ -1,21 +1,21 @@ -control-group: - id: azure_nist_sp_800_53_rev_5_si_3 - title: Malicious Code Protection (SI-3) - description: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources at an endpoint, network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy, and block and quarantine malicious code, send alert to the administrator and take organization-defined action in response to malicious code detection. 
- section-code: "3" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_securitycenter_azure_defender_on_for_server - - azure_compute_vm_monitor_missing_endpoint_protection_in_asc - - azure_compute_vm_scale_set_endpoint_protection_solution_installed - - azure_compute_vm_windows_defender_exploit_guard_enabled +id: azure_nist_sp_800_53_rev_5_si_3 +title: Malicious Code Protection (SI-3) +description: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources at an endpoint, network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy, and block and quarantine malicious code, send alert to the administrator and take organization-defined action in response to malicious code detection. +section-code: "3" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark +controls: +- azure_securitycenter_azure_defender_on_for_server +- azure_compute_vm_monitor_missing_endpoint_protection_in_asc +- azure_compute_vm_scale_set_endpoint_protection_solution_installed +- azure_compute_vm_windows_defender_exploit_guard_enabled 
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml index 52dc577e2..0d2175ada 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml 
@@ -1,40 +1,41 @@ +id: azure_nist_sp_800_53_rev_5_si_4 +title: System Monitoring (SI-4) +description: The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and unauthorized local, network, and remote connections; identifies unauthorized use of the information system through organization-defined techniques and methods; deploys monitoring devices strategically within the information system to collect organization-determined essential information and at ad hoc locations within the system to track specific types of transactions of interest to the organization; protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and provides organization-defined system monitoring information to organization-defined personnel or roles as needed. 
+section-code: "4" +type: control-group +tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_nist_sp_800_53_rev_5_si_4 - title: System Monitoring (SI-4) - description: The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and unauthorized local, network, and remote connections; identifies unauthorized use of the information system through organization-defined techniques and methods; deploys monitoring devices strategically within the information system to collect organization-determined essential information and at ad hoc locations within the system to track specific types of transactions of interest to the organization; protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and provides organization-defined system monitoring information to organization-defined personnel or roles as needed. 
- section-code: "4" - tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_nist_sp_800_53_rev_5_si_4_12 - controls: - - azure_arc_compute_machine_linux_log_analytics_agent_installed - - azure_arc_compute_machine_windows_log_analytics_agent_installed - - azure_arc_kubernetes_cluster_azure_defender_extension_installed - - azure_compute_vm_guest_configuration_installed - - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity - - azure_compute_vm_log_analytics_agent_installed - - azure_compute_vm_network_traffic_data_collection_linux_agent_installed - - azure_compute_vm_network_traffic_data_collection_windows_agent_installed - - azure_compute_vm_scale_set_log_analytics_agent_installed - - azure_network_subnet_protected_by_firewall - - azure_network_watcher_enabled - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_storage - - azure_sql_server_azure_defender_enabled +- id: azure_nist_sp_800_53_rev_5_si_4_12 + type: "" +controls: +- azure_arc_compute_machine_linux_log_analytics_agent_installed +- azure_arc_compute_machine_windows_log_analytics_agent_installed +- azure_arc_kubernetes_cluster_azure_defender_extension_installed +- azure_compute_vm_guest_configuration_installed +- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity +- azure_compute_vm_log_analytics_agent_installed +- azure_compute_vm_network_traffic_data_collection_linux_agent_installed +- 
azure_compute_vm_network_traffic_data_collection_windows_agent_installed +- azure_compute_vm_scale_set_log_analytics_agent_installed +- azure_network_subnet_protected_by_firewall +- azure_network_watcher_enabled +- azure_securitycenter_automatic_provisioning_monitoring_agent_on +- azure_securitycenter_azure_defender_on_for_appservice +- azure_securitycenter_azure_defender_on_for_containers +- azure_securitycenter_azure_defender_on_for_dns +- azure_securitycenter_azure_defender_on_for_keyvault +- azure_securitycenter_azure_defender_on_for_resource_manager +- azure_securitycenter_azure_defender_on_for_server +- azure_securitycenter_azure_defender_on_for_sqldb +- azure_securitycenter_azure_defender_on_for_storage +- azure_sql_server_azure_defender_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml index be14fe77c..1c360a431 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml 
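Review bot: The nested reference added as `- id: azure_nist_sp_800_53_rev_5_si_4_12` followed by `type: ""` leaves an empty-string type on the child entry, while every top-level document in this commit gets an explicit `type: control-group` or `type: framework`. A reader cannot tell from the file whether `""` means "resolve the type from the referenced file" or is a zero-value default that the serializer wrote out, and if the loader validates `type` against a fixed set an empty string will presumably be rejected or silently ignored. The same `type: ""` appears on the child references in the azure_pci_dss_v321 requirement_1, requirement_10, requirement_10_5, requirement_11, requirement_11_2, requirement_1_3 and requirement_3 hunks, whereas azure_pci_dss_v321.yaml lists its child groups as `- id:` only, so the three shapes are now inconsistent. Either drop the field from references everywhere or write the real value, `type: control-group`, on each of them.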
@@ -1,20 +1,20 @@
-control-group:
- id: azure_nist_sp_800_53_rev_5_si_4_12
- title: Automated Organization-generated Alerts SI-4(12)
- description: The organization employs automated mechanisms to alert security personnel of the organization-defined activities that trigger alerts with security implications.
- section-code: "12"
- tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
- controls:
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
+id: azure_nist_sp_800_53_rev_5_si_4_12
+title: Automated Organization-generated Alerts SI-4(12)
+description: The organization employs automated mechanisms to alert security personnel of the organization-defined activities that trigger alerts with security implications.
+section-code: "12"
+type: control-group
+tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+controls:
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml
index 41d9efd4b..5a75efa95 100644
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml
@@ -1,34 +1,34 @@
-framework:
- id: azure_pci_dss_v321
- title: PCI DSS 3.2.1
- description: The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
- section-code: azure_pci_dss_v321
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_pci_dss_v321_requirement_1
- - id: azure_pci_dss_v321_requirement_3
- - id: azure_pci_dss_v321_requirement_4
- - id: azure_pci_dss_v321_requirement_5
- - id: azure_pci_dss_v321_requirement_6
- - id: azure_pci_dss_v321_requirement_7
- - id: azure_pci_dss_v321_requirement_8
- - id: azure_pci_dss_v321_requirement_10
- - id: azure_pci_dss_v321_requirement_11
+id: azure_pci_dss_v321
+title: PCI DSS 3.2.1
+description: The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
+section-code: azure_pci_dss_v321
+type: framework
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_pci_dss_v321_requirement_1
+- id: azure_pci_dss_v321_requirement_3
+- id: azure_pci_dss_v321_requirement_4
+- id: azure_pci_dss_v321_requirement_5
+- id: azure_pci_dss_v321_requirement_6
+- id: azure_pci_dss_v321_requirement_7
+- id: azure_pci_dss_v321_requirement_8
+- id: azure_pci_dss_v321_requirement_10
+- id: azure_pci_dss_v321_requirement_11
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
index f7c50c996..a603fd2bc 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
@@ -1,18 +1,19 @@ +id: azure_pci_dss_v321_requirement_1 +title: Requirement 1 - Install and maintain a firewall configuration to protect cardholder data +description: Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. +section-code: requirement_1 +type: control-group +tags: + category: + - Compliance + pci_dss_v321: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_pci_dss_v321_requirement_1 - title: Requirement 1 - Install and maintain a firewall configuration to protect cardholder data - description: Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. - section-code: requirement_1 - tags: - category: - - Compliance - pci_dss_v321: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_pci_dss_v321_requirement_1_3 +- id: azure_pci_dss_v321_requirement_1_3 + type: "" diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml index 403521c8e..3a3a5f79f 100755 --- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml 
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml @@ -1,18 +1,19 @@ +id: azure_pci_dss_v321_requirement_10 +title: Requirement 10 - Track and monitor all access to network resources and cardholder data +description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs. +section-code: requirement_10 +type: control-group +tags: + category: + - Compliance + pci_dss_v321: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_pci_dss_v321_requirement_10 - title: Requirement 10 - Track and monitor all access to network resources and cardholder data - description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs. - section-code: requirement_10 - tags: - category: - - Compliance - pci_dss_v321: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_pci_dss_v321_requirement_10_5 +- id: azure_pci_dss_v321_requirement_10_5 + type: "" diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml index 390db2180..fe1095734 100755 --- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml +++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml 
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_10_5
+title: PCI DSS requirement 10.5
+description: Secure audit trails so they cannot be altered.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_10_5
- title: PCI DSS requirement 10.5
- description: Secure audit trails so they cannot be altered.
- section-code: "5"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_10_5_4
+- id: azure_pci_dss_v321_requirement_10_5_4
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
index 34b5d6237..32773d068 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
@@ -1,21 +1,21 @@
-control-group:
- id: azure_pci_dss_v321_requirement_10_5_4
- title: PCI DSS requirement 10.5.4
- description: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
- section-code: "4"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_audit_diagnostic_setting
- - azure_compute_vm_uses_azure_resource_manager
- - azure_sql_server_auditing_on
- - azure_storage_account_uses_azure_resource_manager
+id: azure_pci_dss_v321_requirement_10_5_4
+title: PCI DSS requirement 10.5.4
+description: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_audit_diagnostic_setting
+- azure_compute_vm_uses_azure_resource_manager
+- azure_sql_server_auditing_on
+- azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
index 162277840..415b6e8ee 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
@@ -1,18 +1,19 @@ +id: azure_pci_dss_v321_requirement_11 +title: Requirement 11 - Regularly test security systems and processes +description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations. +section-code: requirement_11 +type: control-group +tags: + category: + - Compliance + pci_dss_v321: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_pci_dss_v321_requirement_11 - title: Requirement 11 - Regularly test security systems and processes - description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations. - section-code: requirement_11 - tags: - category: - - Compliance - pci_dss_v321: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_pci_dss_v321_requirement_11_2 +- id: azure_pci_dss_v321_requirement_11_2 + type: "" diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml index a008f7212..7b868a6c2 100755 --- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml +++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml 
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_11_2
+title: PCI DSS requirement 11.2
+description: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_11_2
- title: PCI DSS requirement 11.2
- description: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_11_2_1
+- id: azure_pci_dss_v321_requirement_11_2_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
index 97dd02b89..7cd584699 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_11_2_1
- title: PCI DSS requirement 11.2.1
- description: Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_pci_dss_v321_requirement_11_2_1
+title: PCI DSS requirement 11.2.1
+description: Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_endpoint_protection_agent_installed
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
index 7d4bb01e4..73dcd1e20 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
@@ -1,19 +1,21 @@
+id: azure_pci_dss_v321_requirement_1_3
+title: PCI DSS requirement 1.3
+description: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_1_3
- title: PCI DSS requirement 1.3
- description: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_1_3_2
- - id: azure_pci_dss_v321_requirement_1_3_4
+- id: azure_pci_dss_v321_requirement_1_3_2
+ type: ""
+- id: azure_pci_dss_v321_requirement_1_3_4
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
index e00642feb..26a604378 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_1_3_2
- title: PCI DSS requirement 1.3.2
- description: Limit inbound Internet traffic to IP addresses within the DMZ.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_storage_account_default_network_access_rule_denied
+id: azure_pci_dss_v321_requirement_1_3_2
+title: PCI DSS requirement 1.3.2
+description: Limit inbound Internet traffic to IP addresses within the DMZ.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
index 8fed04b18..78211ab1d 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_1_3_4
- title: PCI DSS requirement 1.3.4
- description: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- section-code: "4"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_storage_account_default_network_access_rule_denied
+id: azure_pci_dss_v321_requirement_1_3_4
+title: PCI DSS requirement 1.3.4
+description: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
index 3e5af153c..c2134e240 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
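Review bot: The two controls kept under 1.3.4, `azure_compute_vm_remote_access_restricted_all_ports` and `azure_storage_account_default_network_access_rule_denied`, are the same pair mapped to 1.3.2 in the preceding hunk, yet this group's description is about unauthorized outbound traffic from the cardholder data environment while both control names describe inbound access restrictions. As mapped, the outbound requirement presumably reports on inbound evidence alone. This mapping predates the commit, which only restructures the file, but since the controls list is rewritten here it is the natural place to either add an egress-side control if the catalog has one or state in the description that only compensating inbound controls are mapped.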
@@ -1,19 +1,21 @@ +id: azure_pci_dss_v321_requirement_3 +title: Requirement 3 - Protect stored cardholder data +description: Cardholder data should not be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). +section-code: requirement_3 +type: control-group +tags: + category: + - Compliance + pci_dss_v321: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark control-group: - id: azure_pci_dss_v321_requirement_3 - title: Requirement 3 - Protect stored cardholder data - description: Cardholder data should not be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). - section-code: requirement_3 - tags: - category: - - Compliance - pci_dss_v321: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark - control-group: - - id: azure_pci_dss_v321_requirement_3_2 - - id: azure_pci_dss_v321_requirement_3_4 +- id: azure_pci_dss_v321_requirement_3_2 + type: "" +- id: azure_pci_dss_v321_requirement_3_4 + type: "" diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml index 76e169612..4ffc95849 100755 --- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml +++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml 
@@ -1,24 +1,24 @@
-control-group:
- id: azure_pci_dss_v321_requirement_3_2
- title: PCI DSS requirement 3.2
- description: Do not store sensitive authentication data after authorization (even if it is encrypted). Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_pci_dss_v321_requirement_3_2
+title: PCI DSS requirement 3.2
+description: Do not store sensitive authentication data after authorization (even if it is encrypted). Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+- azure_sql_server_azure_ad_authentication_enabled
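Review bot: The controls listed under 3.2 (external users with owner, read and write access, custom roles, MFA for owner and write permissions, SQL Azure AD authentication) are identity and access controls, while the requirement text is about not retaining sensitive authentication data after authorization. None of the listed control names inspects what is stored, so a pass on this group presumably says nothing about the requirement's subject. The mapping predates the commit, which only restructures the file; consider adding a sentence to the description stating that these are access-restriction controls mapped as compensating evidence, or moving them under Requirement 7 or 8, both of which are already listed in azure_pci_dss_v321.yaml.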
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
index d6cd0cdc8..70ccf4781 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_pci_dss_v321_requirement_3_4
- title: PCI DSS requirement 3.4
- description: Render PAN unreadable anywhere it is stored - including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
- section-code: "4"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_pci_dss_v321_requirement_3_4
+title: PCI DSS requirement 3.4
+description: Render PAN unreadable anywhere it is stored - including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
+section-code: "4"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_only_https_accessible
+- azure_automation_account_variable_encryption_enabled
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_database_transparent_data_encryption_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
index 399d43e3f..6481f3fbf 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
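Review bot: Five of the eight entries under `controls:` are transport-encryption checks (`azure_appservice_api_app_use_https`, `azure_appservice_function_app_only_https_accessible`, `azure_redis_cache_ssl_enabled`, `azure_servicefabric_cluster_protection_level_as_encrypt_and_sign`, `azure_storage_account_secure_transfer_required_enabled`), while 3.4 is about rendering stored PAN unreadable, so most of what rolls up into this group's status has nothing to do with the requirement. Only the TDE, automation-variable and VM temp-disk encryption controls speak to data at rest, and the identical eight-control list is reused for 4.1 and 6.5.3 later in this patch. Consider trimming the group to the at-rest controls (adding storage-account or managed-disk encryption checks if the catalog has them), or document the limit with a comment above `controls:` like `# Includes transport checks for coverage; PAN truncation/hashing/tokenization is not verified`.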
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_4
+title: Requirement 4 - Encrypt transmission of cardholder data across open, public networks
+description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.
+section-code: requirement_4
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_4
- title: Requirement 4 - Encrypt transmission of cardholder data across open, public networks
- description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.
- section-code: requirement_4
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_4_1
+- id: azure_pci_dss_v321_requirement_4_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
index e55a62fd3..b4e7f9e1b 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
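Review bot: The child reference under `control-group:` is given `type: ""` while the parent declares `type: control-group`, so the child entries are the only place in this patch where the new `type` key is left as an empty string; if the loader dispatches on `type`, an empty value will either fall through to a default or be rejected silently, and either way it does not state that `azure_pci_dss_v321_requirement_4_1` is itself a control-group. Writing `type: control-group` on the child reference, or omitting the key if the schema treats it as optional, would keep the reference self-describing. The same `type: ""` pattern is repeated in every parent-group file further down. Note also that `tags.type: [Benchmark]` and the new top-level `type` now mean different things under the same key name, which a one-line comment above the top-level `type:` would disambiguate.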
@@ -1,25 +1,25 @@
-control-group:
- id: azure_pci_dss_v321_requirement_4_1
- title: PCI DSS requirement 4.1
- description: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_pci_dss_v321_requirement_4_1
+title: PCI DSS requirement 4.1
+description: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_only_https_accessible
+- azure_automation_account_variable_encryption_enabled
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_database_transparent_data_encryption_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
index 0c18d9e5f..af86ed0e3 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
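Review bot: `azure_sql_database_transparent_data_encryption_enabled`, `azure_automation_account_variable_encryption_enabled` and `azure_compute_vm_temp_disks_cache_and_data_flows_encrypted` are at-rest encryption checks, yet they sit under a requirement that is specifically about strong cryptography for transmission over open, public networks, so a failure on any of them would be reported as a 4.1 finding that it is not. The list is byte-for-byte the one used for 3.4 and 6.5.3 in this patch, which looks like the cause. The remaining controls only assert that HTTPS/TLS is required, not the protocol version or cipher strength that "strong cryptography" implies; if the catalog has minimum-TLS-version checks for storage accounts, App Service or SQL they belong here, and otherwise a comment above `controls:` such as `# Verifies TLS is enforced only; minimum protocol version is not evaluated` would make the limit visible to whoever reads the report.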
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_5
+title: Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
+description: Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users' e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
+section-code: requirement_5
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_5
- title: Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
- description: Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users' e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
- section-code: requirement_5
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_5_1
+- id: azure_pci_dss_v321_requirement_5_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
index c1b59c6e1..1c4a85971 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_5_1
- title: PCI DSS requirement 5.1
- description: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_pci_dss_v321_requirement_5_1
+title: PCI DSS requirement 5.1
+description: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_endpoint_protection_agent_installed
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
index ade8c3347..b37300259 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
@@ -1,20 +1,23 @@
+id: azure_pci_dss_v321_requirement_6
+title: Requirement 6 - Develop and maintain secure systems and applications
+description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.
+section-code: requirement_6
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_6
- title: Requirement 6 - Develop and maintain secure systems and applications
- description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.
- section-code: requirement_6
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_6_2
- - id: azure_pci_dss_v321_requirement_6_5
- - id: azure_pci_dss_v321_requirement_6_6
+- id: azure_pci_dss_v321_requirement_6_2
+ type: ""
+- id: azure_pci_dss_v321_requirement_6_5
+ type: ""
+- id: azure_pci_dss_v321_requirement_6_6
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
index b0cd2607c..70c92129c 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_6_2
- title: PCI DSS requirement 6.2
- description: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_pci_dss_v321_requirement_6_2
+title: PCI DSS requirement 6.2
+description: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_endpoint_protection_agent_installed
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
index 9fe7eb5aa..09f8364ad 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_6_5
+title: PCI DSS requirement 6.5
+description: Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_6_5
- title: PCI DSS requirement 6.5
- description: Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory.
- section-code: "5"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_6_5_3
+- id: azure_pci_dss_v321_requirement_6_5_3
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
index a1e7bd916..d37865009 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
@@ -1,25 +1,25 @@
-control-group:
- id: azure_pci_dss_v321_requirement_6_5_3
- title: PCI DSS requirement 6.5.3
- description: Insecure cryptographic storage.
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
+id: azure_pci_dss_v321_requirement_6_5_3
+title: PCI DSS requirement 6.5.3
+description: Insecure cryptographic storage.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_appservice_api_app_use_https
+- azure_appservice_function_app_only_https_accessible
+- azure_automation_account_variable_encryption_enabled
+- azure_redis_cache_ssl_enabled
+- azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+- azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+- azure_sql_database_transparent_data_encryption_enabled
+- azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
index faa0a9298..1c97103e1 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_6_6
- title: PCI DSS requirement 6.6
- description: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
- section-code: "6"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
+id: azure_pci_dss_v321_requirement_6_6
+title: PCI DSS requirement 6.6
+description: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
+section-code: "6"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_endpoint_protection_agent_installed
+- azure_compute_vm_security_configuration_vulnerabilities_remediated
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_sql_database_vulnerability_findings_resolved
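Review bot: Nothing in this `controls:` list looks at a public-facing web application: the entries check VM endpoint protection, VM patching and vulnerability assessment, and SQL vulnerability findings, while 6.6 asks for either an application-layer vulnerability assessment or an automated solution such as a WAF in front of public-facing web apps. The identical five-control list is attached to 5.1 and 6.2 in this patch, so an environment with no WAF and no application scanning would still show 6.6 as passing as long as its VMs are patched. If the catalog has Application Gateway / Front Door WAF or App Service controls they should replace this list; otherwise leave the group without automated controls and add `# Manual: WAF or application vulnerability assessment evidence required` above `controls:` so the gap is visible in the file rather than hidden by a green status.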
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
index 04ee536e9..4898b3658 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
@@ -1,19 +1,21 @@
+id: azure_pci_dss_v321_requirement_7
+title: Requirement 7 - Restrict access to cardholder data by business need-to-know
+description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
+section-code: requirement_7
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_7
- title: Requirement 7 - Restrict access to cardholder data by business need-to-know
- description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
- section-code: requirement_7
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_7_1
- - id: azure_pci_dss_v321_requirement_7_2
+- id: azure_pci_dss_v321_requirement_7_1
+ type: ""
+- id: azure_pci_dss_v321_requirement_7_2
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
index e20dc8fc2..b04f7c25c 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
@@ -1,20 +1,23 @@
+id: azure_pci_dss_v321_requirement_7_1
+title: PCI DSS requirement 7.1
+description: Limit access to system components and cardholder data to only those individuals whose job requires such access.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_7_1
- title: PCI DSS requirement 7.1
- description: Limit access to system components and cardholder data to only those individuals whose job requires such access.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_7_1_1
- - id: azure_pci_dss_v321_requirement_7_1_2
- - id: azure_pci_dss_v321_requirement_7_1_3
+- id: azure_pci_dss_v321_requirement_7_1_1
+ type: ""
+- id: azure_pci_dss_v321_requirement_7_1_2
+ type: ""
+- id: azure_pci_dss_v321_requirement_7_1_3
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
index 86dcb2453..34d8de4a8 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_7_1_1
- title: PCI DSS requirement 7.1.1
- description: "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources."
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
+id: azure_pci_dss_v321_requirement_7_1_1
+title: PCI DSS requirement 7.1.1
+description: "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources."
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_max_3
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
index df105ba1c..2af6b3189 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_7_1_2
- title: PCI DSS requirement 7.1.2
- description: Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
+id: azure_pci_dss_v321_requirement_7_1_2
+title: PCI DSS requirement 7.1.2
+description: Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_max_3
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
index b743947aa..81e79dde6 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_7_1_3
- title: PCI DSS requirement 7.1.3
- description: Assign access based on individual personnel's job classification and function.
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
+id: azure_pci_dss_v321_requirement_7_1_3
+title: PCI DSS requirement 7.1.3
+description: Assign access based on individual personnel's job classification and function.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_subscription_owner_max_3
+- azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
index 7f97420ae..f9110b0d5 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_7_2
+title: PCI DSS requirement 7.2
+description: Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_7_2
- title: PCI DSS requirement 7.2
- description: Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_7_2_1
+- id: azure_pci_dss_v321_requirement_7_2_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
index d05adde7d..cf476a805 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: azure_pci_dss_v321_requirement_7_2_1
- title: PCI DSS requirement 7.2.1
- description: Coverage of all system components.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_pci_dss_v321_requirement_7_2_1
+title: PCI DSS requirement 7.2.1
+description: Coverage of all system components.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
index 0d30b820d..47dcdc3b8 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
@@ -1,20 +1,23 @@
+id: azure_pci_dss_v321_requirement_8
+title: Requirement 8 - Identify and authenticate access to system components
+description: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Requirements do not apply to accounts used by consumers (eg.,cardholders).
+section-code: requirement_8
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_8
- title: Requirement 8 - Identify and authenticate access to system components
- description: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Requirements do not apply to accounts used by consumers (eg.,cardholders).
- section-code: requirement_8
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_8_1
- - id: azure_pci_dss_v321_requirement_8_2
- - id: azure_pci_dss_v321_requirement_8_3
+- id: azure_pci_dss_v321_requirement_8_1
+ type: ""
+- id: azure_pci_dss_v321_requirement_8_2
+ type: ""
+- id: azure_pci_dss_v321_requirement_8_3
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
index 8fe302b21..cd89749e8 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
@@ -1,20 +1,23 @@
+id: azure_pci_dss_v321_requirement_8_1
+title: PCI DSS requirement 8.1
+description: Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or cardholder data.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_8_1
- title: PCI DSS requirement 8.1
- description: Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or cardholder data.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_8_1_2
- - id: azure_pci_dss_v321_requirement_8_1_3
- - id: azure_pci_dss_v321_requirement_8_1_5
+- id: azure_pci_dss_v321_requirement_8_1_2
+ type: ""
+- id: azure_pci_dss_v321_requirement_8_1_3
+ type: ""
+- id: azure_pci_dss_v321_requirement_8_1_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
index 243b638a9..7206be453 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_1_2
- title: PCI DSS requirement 8.1.2
- description: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_deprecated_account
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
+id: azure_pci_dss_v321_requirement_8_1_2
+title: PCI DSS requirement 8.1.2
+description: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_deprecated_account
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
index f1ced8712..9a8952f85 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
@@ -1,19 +1,19 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_1_3
- title: PCI DSS requirement 8.1.3
- description: Immediately revoke access for any terminated users.
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
+id: azure_pci_dss_v321_requirement_8_1_3
+title: PCI DSS requirement 8.1.3
+description: Immediately revoke access for any terminated users.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
index fee86555c..f2acc78fa 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
@@ -1,22 +1,22 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_1_5
- title: PCI DSS requirement 8.1.5
- description: "Manage IDs used by thid parties to access, support, or maintain system components via remote access. Remote access are as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use."
- section-code: "5"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
- controls:
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_deprecated_account
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
+id: azure_pci_dss_v321_requirement_8_1_5
+title: PCI DSS requirement 8.1.5
+description: "Manage IDs used by thid parties to access, support, or maintain system components via remote access. Remote access are as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use."
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+controls:
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_deprecated_account
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
index e278190f5..6eade7157 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
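Review bot: The rewritten description line on the new side still carries the misspelling `thid parties` and the ungrammatical `Remote access are as follows`; since this change already rewrites every line of the file, it is the natural place to correct them to `third parties` and `Remote access is as follows`. The text is what an auditor sees in the benchmark report, so the wording should be clean.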
@@ -1,19 +1,21 @@
+id: azure_pci_dss_v321_requirement_8_2
+title: PCI DSS requirement 8.2
+description: "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric. Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography."
+section-code: "2"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_8_2
- title: PCI DSS requirement 8.2
- description: "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric. Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography."
- section-code: "2"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_8_2_3
- - id: azure_pci_dss_v321_requirement_8_2_5
+- id: azure_pci_dss_v321_requirement_8_2_3
+ type: ""
+- id: azure_pci_dss_v321_requirement_8_2_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
index 8da3aed82..cc4e0d7e7 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_2_3
- title: PCI DSS requirement 8.2.3
- description: "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above."
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_max_password_age_70_days_windows
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
+id: azure_pci_dss_v321_requirement_8_2_3
+title: PCI DSS requirement 8.2.3
+description: "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above."
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_max_password_age_70_days_windows
+- azure_compute_vm_min_password_length_14_windows
+- azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
index 8aaf81fe5..bf83e4b27 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
@@ -1,23 +1,23 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_2_5
- title: PCI DSS requirement 8.2.5
- description: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
- section-code: "5"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
- controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_max_password_age_70_days_windows
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
+id: azure_pci_dss_v321_requirement_8_2_5
+title: PCI DSS requirement 8.2.5
+description: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
+section-code: "5"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+controls:
+- azure_compute_vm_guest_configuration_installed_windows
+- azure_compute_vm_guest_configuration_with_no_managed_identity
+- azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+- azure_compute_vm_max_password_age_70_days_windows
+- azure_compute_vm_min_password_length_14_windows
+- azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
index cb0cf56b6..bd6f470f4 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
@@ -1,18 +1,19 @@
+id: azure_pci_dss_v321_requirement_8_3
+title: PCI DSS requirement 8.3
+description: Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication. This requires at least two of the three authentication methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is not considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the CDE from within the entity's network, and all remote network access (including for users, administrators, and third-parties) originating from outside the entity's network.
+section-code: "3"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
 control-group:
- id: azure_pci_dss_v321_requirement_8_3
- title: PCI DSS requirement 8.3
- description: Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication. This requires at least two of the three authentication methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is not considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the CDE from within the entity's network, and all remote network access (including for users, administrators, and third-parties) originating from outside the entity's network.
- section-code: "3"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- control-group:
- - id: azure_pci_dss_v321_requirement_8_3_1
+- id: azure_pci_dss_v321_requirement_8_3_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
index 84a0dfbbd..5eb7f0454 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
@@ -1,24 +1,24 @@
-control-group:
- id: azure_pci_dss_v321_requirement_8_3_1
- title: PCI DSS requirement 8.3.1
- description: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
- section-code: "1"
- tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
- controls:
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_sql_server_azure_ad_authentication_enabled
+id: azure_pci_dss_v321_requirement_8_3_1
+title: PCI DSS requirement 8.3.1
+description: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
+section-code: "1"
+type: control-group
+tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+controls:
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
+- azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+- azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+- azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml
index 2e8a18497..b66c9174a 100644
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml
@@ -1,15 +1,15 @@
-framework:
- id: azure_rbi_itf_nbfc_v2017
- title: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
- description: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
- section-code: azure_rbi_itf_nbfc_v2017
- defaults:
- is-baseline: false
- enabled: false
- tracks-drift-events: false
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
- - id: azure_rbi_itf_nbfc_v2017_is_audit
- - id: azure_rbi_itf_nbfc_v2017_it_governance
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
- - id: azure_rbi_itf_nbfc_v2017_it_operations
+id: azure_rbi_itf_nbfc_v2017
+title: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
+description: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
+section-code: azure_rbi_itf_nbfc_v2017
+type: framework
+defaults:
+ is-baseline: false
+ enabled: false
+ tracks-drift-events: false
+control-group:
+- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
+- id: azure_rbi_itf_nbfc_v2017_is_audit
+- id: azure_rbi_itf_nbfc_v2017_it_governance
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
+- id: azure_rbi_itf_nbfc_v2017_it_operations
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
index 9aa25b06a..504c1352c 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
@@ -1,7 +1,8 @@
+id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
+title: Business Continuity Planning
+description: Business Continuity Planning
+section-code: business_continuity_planning
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
- title: Business Continuity Planning
- description: Business Continuity Planning
- section-code: business_continuity_planning
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
+- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
index 125334e89..2bd0f4260 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
@@ -1,17 +1,20 @@
+id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
+title: Business Continuity Planning (BCP) and Disaster Recovery-6
+description: Business Continuity Planning (BCP) and Disaster Recovery-6
+section-code: "6"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
- title: Business Continuity Planning (BCP) and Disaster Recovery-6
- description: Business Continuity Planning (BCP) and Disaster Recovery-6
- section-code: "6"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
- - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
- - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
- controls:
- - azure_compute_vm_disaster_recovery_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_recovery_service_vault_uses_private_link
- - azure_recovery_service_vault_uses_private_link_for_backup
- - azure_sql_database_long_term_geo_redundant_backup_enabled
+- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
+ type: ""
+controls:
+- azure_compute_vm_disaster_recovery_enabled
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_recovery_service_vault_uses_private_link
+- azure_recovery_service_vault_uses_private_link_for_backup
+- azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
index b77eb1ee3..03ca85ff3 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
- title: Recovery strategy / Contingency Plan-6.2
- description: Recovery strategy / Contingency Plan-6.2
- section-code: "2"
- controls:
- - azure_compute_vm_disaster_recovery_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_recovery_service_vault_uses_private_link_for_backup
- - azure_sql_database_long_term_geo_redundant_backup_enabled
+id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
+title: Recovery strategy / Contingency Plan-6.2
+description: Recovery strategy / Contingency Plan-6.2
+section-code: "2"
+type: control-group
+controls:
+- azure_compute_vm_disaster_recovery_enabled
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_recovery_service_vault_uses_private_link_for_backup
+- azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
index 891cbaa65..5f206ed56 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
@@ -1,11 +1,11 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
- title: Recovery strategy / Contingency Plan-6.3
- description: Recovery strategy / Contingency Plan-6.3
- section-code: "3"
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_recovery_service_vault_uses_private_link_for_backup
- - azure_sql_database_long_term_geo_redundant_backup_enabled
+id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
+title: Recovery strategy / Contingency Plan-6.3
+description: Recovery strategy / Contingency Plan-6.3
+section-code: "3"
+type: control-group
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
+- azure_recovery_service_vault_uses_private_link_for_backup
+- azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
index 379450693..d90cbd8fb 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
- title: Recovery strategy / Contingency Plan-6.4
- description: Recovery strategy / Contingency Plan-6.4
- section-code: "4"
- controls:
- - azure_compute_vm_disaster_recovery_enabled
- - azure_recovery_service_vault_uses_private_link
- - azure_recovery_service_vault_uses_private_link_for_backup
+id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
+title: Recovery strategy / Contingency Plan-6.4
+description: Recovery strategy / Contingency Plan-6.4
+section-code: "4"
+type: control-group
+controls:
+- azure_compute_vm_disaster_recovery_enabled
+- azure_recovery_service_vault_uses_private_link
+- azure_recovery_service_vault_uses_private_link_for_backup
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
index 1c3075bd7..e5b17ee4b 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
@@ -1,7 +1,8 @@
+id: azure_rbi_itf_nbfc_v2017_is_audit
+title: IS Audit
+description: IS Audit
+section-code: is_audit
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_is_audit
- title: IS Audit
- description: IS Audit
- section-code: is_audit
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_is_audit_5
+- id: azure_rbi_itf_nbfc_v2017_is_audit_5
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
index 98e56a512..891bbaf41 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
@@ -1,18 +1,19 @@
+id: azure_rbi_itf_nbfc_v2017_is_audit_5
+title: Policy for Information System Audit (IS Audit)-5
+description: Policy for Information System Audit (IS Audit)-5
+section-code: "5"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_is_audit_5
- title: Policy for Information System Audit (IS Audit)-5
- description: Policy for Information System Audit (IS Audit)-5
- section-code: "5"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
- controls:
- - azure_application_gateway_waf_enabled
- - azure_application_gateway_waf_uses_specified_mode
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_cosmosdb_account_with_firewall_rules
- - azure_frontdoor_waf_enabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_subnet_associated
- - azure_network_sg_flowlog_enabled
- - azure_network_watcher_flow_log_enabled
+- id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
+ type: ""
+controls:
+- azure_application_gateway_waf_enabled
+- azure_application_gateway_waf_uses_specified_mode
+- azure_compute_vm_remote_access_restricted_all_ports
+- azure_compute_vm_tcp_udp_access_restricted_internet
+- azure_cosmosdb_account_with_firewall_rules
+- azure_frontdoor_waf_enabled
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_subnet_associated
+- azure_network_sg_flowlog_enabled
+- azure_network_watcher_flow_log_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
index e78dfacd3..cac6b7df2 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
- title: Policy for Information System Audit (IS Audit)-5.2
- description: Policy for Information System Audit (IS Audit)-5.2
- section-code: "2"
- controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
+id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
+title: Policy for Information System Audit (IS Audit)-5.2
+description: Policy for Information System Audit (IS Audit)-5.2
+section-code: "2"
+type: control-group
+controls:
+- azure_mariadb_server_geo_redundant_backup_enabled
+- azure_mysql_db_server_geo_redundant_backup_enabled
+- azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
index 099b0377a..f5d60c44b 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
@@ -1,7 +1,8 @@
+id: azure_rbi_itf_nbfc_v2017_it_governance
+title: IT Governance
+description: IT Governance
+section-code: it_governance
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_governance
- title: IT Governance
- description: IT Governance
- section-code: it_governance
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_governance_1
+- id: azure_rbi_itf_nbfc_v2017_it_governance_1
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
index 94509bac8..eb76618c7 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
@@ -1,17 +1,18 @@
+id: azure_rbi_itf_nbfc_v2017_it_governance_1
+title: IT Governance-1
+description: IT Governance-1
+section-code: "1"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_governance_1
- title: IT Governance-1
- description: IT Governance-1
- section-code: "1"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
- controls:
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
+- id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
+ type: ""
+controls:
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_securitycenter_email_configured
+- azure_securitycenter_notify_alerts_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
index e342af8fd..8c519c941 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
- title: IT Governance-1.1
- description: IT Governance-1.1
- section-code: "1"
- controls:
- - azure_compute_vm_jit_access_protected
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
+id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
+title: IT Governance-1.1
+description: IT Governance-1.1
+section-code: "1"
+type: control-group
+controls:
+- azure_compute_vm_jit_access_protected
+- azure_network_interface_ip_forwarding_disabled
+- azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
index e75feec3d..990391d05 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
@@ -1,7 +1,8 @@
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
+title: Information and Cyber Security
+description: Information and Cyber Security
+section-code: it_information_and_cyber_security
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
- title: Information and Cyber Security
- description: Information and Cyber Security
- section-code: it_information_and_cyber_security
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
index b16fb330c..40d3a73e8 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
@@ -1,11 +1,14 @@
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
+title: Information Security-3
+description: Information Security-3
+section-code: "3"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
- title: Information Security-3
- description: Information Security-3
- section-code: "3"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
- controls:
- - azure_securitycenter_azure_defender_on_for_storage
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
+ type: ""
+controls:
+- azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
index d95094c5c..83a117ded 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
@@ -1,12 +1,18 @@
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
+title: Identification and Classification of Information Assets-3.1
+description: Identification and Classification of Information Assets-3.1
+section-code: "1"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
- title: Identification and Classification of Information Assets-3.1
- description: Identification and Classification of Information Assets-3.1
- section-code: "1"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
- - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
index 12d73566e..80ead8758 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
@@ -1,12 +1,12 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
- title: Identification and Classification of Information Assets-3.1.a
- description: Identification and Classification of Information Assets-3.1.a
- section-code: a
- controls:
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
+title: Identification and Classification of Information Assets-3.1.a
+description: Identification and Classification of Information Assets-3.1.a
+section-code: a
+type: control-group
+controls:
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_no_custom_role
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
index ea6168622..c71650e20 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
@@ -1,10 +1,10 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
- title: Segregation of Functions-3.1.b
- description: Segregation of Functions-3.1.b
- section-code: b
- controls:
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
+title: Segregation of Functions-3.1.b
+description: Segregation of Functions-3.1.b
+section-code: b
+type: control-group
+controls:
+- azure_appservice_api_app_remote_debugging_disabled
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_function_app_remote_debugging_disabled
+- azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
index b5794b683..2bf9048bd 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
@@ -1,17 +1,17 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
- title: Role based Access Control-3.1.c
- description: Role based Access Control-3.1.c
- section-code: c
- controls:
- - azure_compute_vm_jit_access_protected
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
- - azure_log_profile_enabled_for_all_subscription
- - azure_securitycenter_email_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
+title: Role based Access Control-3.1.c
+description: Role based Access Control-3.1.c
+section-code: c
+type: control-group
+controls:
+- azure_compute_vm_jit_access_protected
+- azure_iam_deprecated_account
+- azure_iam_deprecated_account_with_owner_roles
+- azure_iam_external_user_with_owner_role
+- azure_iam_external_user_with_read_permission
+- azure_iam_external_user_with_write_permission
+- azure_iam_subscription_owner_max_3
+- azure_iam_subscription_owner_more_than_1
+- azure_log_profile_enabled_for_all_subscription
+- azure_securitycenter_email_configured
+- azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml
index 889d9d2e1..9277e6160 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml
@@ -1,25 +1,25 @@ -control-group: - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f - title: Maker-checker-3.1.f - description: Maker-checker-3.1.f - section-code: f - controls: - - azure_iam_deprecated_account - - azure_iam_deprecated_account_with_owner_roles - - azure_iam_external_user_with_owner_role - - azure_iam_external_user_with_read_permission - - azure_iam_external_user_with_write_permission - - azure_iam_no_custom_role - - azure_iam_subscription_owner_max_3 - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_opensource_relational_db - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_sql_server_azure_defender_enabled +id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f +title: Maker-checker-3.1.f +description: Maker-checker-3.1.f +section-code: f +type: control-group +controls: +- azure_iam_deprecated_account +- azure_iam_deprecated_account_with_owner_roles +- azure_iam_external_user_with_owner_role +- azure_iam_external_user_with_read_permission +- azure_iam_external_user_with_write_permission +- azure_iam_no_custom_role +- azure_iam_subscription_owner_max_3 +- azure_securitycenter_azure_defender_on_for_appservice +- azure_securitycenter_azure_defender_on_for_keyvault +- azure_securitycenter_azure_defender_on_for_opensource_relational_db +- azure_securitycenter_azure_defender_on_for_resource_manager +- azure_securitycenter_azure_defender_on_for_server +- azure_securitycenter_azure_defender_on_for_sqldb +- 
azure_securitycenter_azure_defender_on_for_sqlservervm +- azure_securitycenter_azure_defender_on_for_storage +- azure_securitycenter_email_configured +- azure_securitycenter_notify_alerts_configured +- azure_securitycenter_security_alerts_to_owner_enabled +- azure_sql_server_azure_defender_enabled diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml index 1749742fa..bb2e7293b 100755 --- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml +++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml 
@@ -1,34 +1,34 @@ -control-group: - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g - title: Trails-3.1.g - description: Trails-3.1.g - section-code: g - controls: - - azure_application_insights_block_log_ingestion_and_querying_from_public - - azure_compute_vm_log_analytics_agent_installed - - azure_compute_vm_network_traffic_data_collection_linux_agent_installed - - azure_compute_vm_network_traffic_data_collection_windows_agent_installed - - azure_compute_vm_scale_set_log_analytics_agent_installed - - azure_iam_subscription_owner_max_3 - - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public - - azure_log_analytics_workspace_block_non_azure_ingestion - - azure_log_profile_enabled_for_all_subscription - - azure_monitor_log_profile_enabled_for_all_categories - - azure_monitor_log_profile_enabled_for_all_regions - - azure_monitor_log_profile_retention_365_days - - azure_network_sg_flowlog_enabled - - azure_network_watcher_flow_log_enabled - - azure_network_watcher_flow_log_traffic_analytics_enabled - - azure_postgres_db_server_log_checkpoints_on - - azure_postgres_db_server_log_connections_on - - azure_postgres_db_server_log_disconnections_on - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_opensource_relational_db - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_sql_server_auditing_storage_account_destination_retention_90_days - - azure_sql_server_azure_defender_enabled +id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g +title: Trails-3.1.g +description: Trails-3.1.g +section-code: g +type: control-group +controls: +- 
azure_application_insights_block_log_ingestion_and_querying_from_public +- azure_compute_vm_log_analytics_agent_installed +- azure_compute_vm_network_traffic_data_collection_linux_agent_installed +- azure_compute_vm_network_traffic_data_collection_windows_agent_installed +- azure_compute_vm_scale_set_log_analytics_agent_installed +- azure_iam_subscription_owner_max_3 +- azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public +- azure_log_analytics_workspace_block_non_azure_ingestion +- azure_log_profile_enabled_for_all_subscription +- azure_monitor_log_profile_enabled_for_all_categories +- azure_monitor_log_profile_enabled_for_all_regions +- azure_monitor_log_profile_retention_365_days +- azure_network_sg_flowlog_enabled +- azure_network_watcher_flow_log_enabled +- azure_network_watcher_flow_log_traffic_analytics_enabled +- azure_postgres_db_server_log_checkpoints_on +- azure_postgres_db_server_log_connections_on +- azure_postgres_db_server_log_disconnections_on +- azure_securitycenter_automatic_provisioning_monitoring_agent_on +- azure_securitycenter_azure_defender_on_for_appservice +- azure_securitycenter_azure_defender_on_for_opensource_relational_db +- azure_securitycenter_azure_defender_on_for_resource_manager +- azure_securitycenter_azure_defender_on_for_server +- azure_securitycenter_azure_defender_on_for_sqldb +- azure_securitycenter_azure_defender_on_for_sqlservervm +- azure_securitycenter_azure_defender_on_for_storage +- azure_sql_server_auditing_storage_account_destination_retention_90_days +- azure_sql_server_azure_defender_enabled diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml index 4eeb6c8a9..aa83ff2de 100755 
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml
@@ -1,30 +1,30 @@ -control-group: - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h - title: Public Key Infrastructure (PKI)-3.1.h - description: Public Key Infrastructure (PKI)-3.1.h - section-code: h - controls: - - azure_app_configuration_encryption_enabled - - azure_app_service_environment_internal_encryption_enabled - - azure_appservice_api_app_latest_tls_version - - azure_appservice_api_app_use_https - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible - - azure_automation_account_variable_encryption_enabled - - azure_keyvault_firewall_enabled - - azure_keyvault_purge_protection_enabled - - azure_keyvault_secret_expiration_set - - azure_keyvault_soft_delete_enabled - - azure_keyvault_vault_private_link_used - - azure_kusto_cluster_disk_encryption_enabled - - azure_mysql_server_encrypted_at_rest_using_cmk - - azure_mysql_server_infrastructure_encryption_enabled - - azure_mysql_ssl_enabled - - azure_postgres_sql_server_encrypted_at_rest_using_cmk - - azure_postgres_sql_ssl_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_sql_server_transparent_data_encryption_enabled - - azure_storage_account_encryption_at_rest_using_cmk - - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk - - azure_storage_account_infrastructure_encryption_enabled - - azure_storage_account_secure_transfer_required_enabled +id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h +title: Public Key Infrastructure (PKI)-3.1.h +description: Public Key Infrastructure (PKI)-3.1.h +section-code: h +type: control-group +controls: +- azure_app_configuration_encryption_enabled +- azure_app_service_environment_internal_encryption_enabled +- azure_appservice_api_app_latest_tls_version +- azure_appservice_api_app_use_https +- azure_appservice_function_app_latest_tls_version +- azure_appservice_function_app_only_https_accessible +- 
azure_automation_account_variable_encryption_enabled +- azure_keyvault_firewall_enabled +- azure_keyvault_purge_protection_enabled +- azure_keyvault_secret_expiration_set +- azure_keyvault_soft_delete_enabled +- azure_keyvault_vault_private_link_used +- azure_kusto_cluster_disk_encryption_enabled +- azure_mysql_server_encrypted_at_rest_using_cmk +- azure_mysql_server_infrastructure_encryption_enabled +- azure_mysql_ssl_enabled +- azure_postgres_sql_server_encrypted_at_rest_using_cmk +- azure_postgres_sql_ssl_enabled +- azure_postgresql_server_infrastructure_encryption_enabled +- azure_sql_server_transparent_data_encryption_enabled +- azure_storage_account_encryption_at_rest_using_cmk +- azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk +- azure_storage_account_infrastructure_encryption_enabled +- azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml index 11e1cdfc0..74a5da571 100755 --- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml +++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml 
@@ -1,13 +1,13 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
- title: Vulnerability Management-3.3
- description: Vulnerability Management-3.3
- section-code: "3"
- controls:
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
+title: Vulnerability Management-3.3
+description: Vulnerability Management-3.3
+section-code: "3"
+type: control-group
+controls:
+- azure_compute_vm_system_updates_installed
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+- azure_mssql_managed_instance_vulnerability_assessment_enabled
+- azure_sql_database_vulnerability_findings_resolved
+- azure_sql_server_and_databases_va_enabled
+- azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
index db91b1a51..ae1933e14 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
- title: Digital Signatures-3.8
- description: Digital Signatures-3.8
- section-code: "8"
- controls:
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_web_app_client_certificates_on
+id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
+title: Digital Signatures-3.8
+description: Digital Signatures-3.8
+section-code: "8"
+type: control-group
+controls:
+- azure_appservice_function_app_client_certificates_on
+- azure_appservice_web_app_client_certificates_on
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
index 9d961bbb6..1b40b7445 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
@@ -1,7 +1,8 @@
+id: azure_rbi_itf_nbfc_v2017_it_operations
+title: IT Operations
+description: IT Operations
+section-code: it_operations
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations
- title: IT Operations
- description: IT Operations
- section-code: it_operations
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_operations_4
+- id: azure_rbi_itf_nbfc_v2017_it_operations_4
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
index f9cd9d3f0..0920cb750 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
@@ -1,8 +1,10 @@
+id: azure_rbi_itf_nbfc_v2017_it_operations_4
+title: IT Operations-4
+description: IT Operations-4
+section-code: "4"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations_4
- title: IT Operations-4
- description: IT Operations-4
- section-code: "4"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
- - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
+- id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
index 2a28da59d..9ab55282d 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
@@ -1,7 +1,7 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
- title: IT Operations-4.2
- description: IT Operations-4.2
- section-code: "2"
- controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
+title: IT Operations-4.2
+description: IT Operations-4.2
+section-code: "2"
+type: control-group
+controls:
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
index 9c2e1d68f..254c4b2df 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
@@ -1,8 +1,10 @@
+id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
+title: IT Operations-4.4
+description: IT Operations-4.4
+section-code: "4"
+type: control-group
 control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
- title: IT Operations-4.4
- description: IT Operations-4.4
- section-code: "4"
- control-group:
- - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
- - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
+- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
+ type: ""
+- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
+ type: ""
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
index 83acdc61e..ae8fdfa49 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
@@ -1,9 +1,9 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
- title: IT Operations-4.4.a
- description: IT Operations-4.4.a
- section-code: a
- controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_sqldb
+id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
+title: IT Operations-4.4.a
+description: IT Operations-4.4.a
+section-code: a
+type: control-group
+controls:
+- azure_compute_vm_vulnerability_assessment_solution_enabled
+- azure_securitycenter_azure_defender_on_for_appservice
+- azure_securitycenter_azure_defender_on_for_sqldb
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
index e4ab69488..ac620378f 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
@@ -1,8 +1,8 @@
-control-group:
- id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
- title: IT Operations-4.4.b
- description: IT Operations-4.4.b
- section-code: b
- controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_securitycenter_azure_defender_on_for_sqldb
+id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
+title: IT Operations-4.4.b
+description: IT Operations-4.4.b
+section-code: b
+type: control-group
+controls:
+- azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+- azure_securitycenter_azure_defender_on_for_sqldb
diff --git a/compliance/frameworks/baseline/efficiency.yaml b/compliance/frameworks/baseline/efficiency.yaml
index 2e78058f8..040bbd64a 100644
--- a/compliance/frameworks/baseline/efficiency.yaml
+++ b/compliance/frameworks/baseline/efficiency.yaml
@@ -1,357 +1,357 @@ -framework: - id: baseline_efficiency - title: Efficiency - description: Efficiency Framework aligns with baseline principles and the Well-Architected Framework, ensuring resources are utilized optimally, reducing waste, and improving performance. - section-code: baseline_efficiency +id: baseline_efficiency +title: Efficiency +description: Efficiency Framework aligns with baseline principles and the Well-Architected Framework, ensuring resources are utilized optimally, reducing waste, and improving performance. +section-code: baseline_efficiency +type: framework +tags: + baseline_category: + - efficiency + type: + - BASELINE +defaults: + is-baseline: true + enabled: true + tracks-drift-events: false +control-group: +- id: aws_baseline_efficiency + title: AWS Baseline Efficiency + description: Ensures optimal use of AWS resources across various categories to enhance performance and reduce costs. + section-code: aws_baseline_efficiency tags: baseline_category: - efficiency type: - BASELINE - defaults: - is-baseline: true - enabled: true - tracks-drift-events: false control-group: - - id: aws_baseline_efficiency - title: AWS Baseline Efficiency - description: Ensures optimal use of AWS resources across various categories to enhance performance and reduce costs. - section-code: aws_baseline_efficiency + - id: aws_baseline_efficiency_compute + title: AWS Compute Efficiency + description: Optimizes AWS compute resources for performance and cost-effectiveness. + section-code: aws_baseline_efficiency_compute tags: baseline_category: - - efficiency + - compute type: - BASELINE control-group: - - id: aws_baseline_efficiency_compute - title: AWS Compute Efficiency - description: Optimizes AWS compute resources for performance and cost-effectiveness. - section-code: aws_baseline_efficiency_compute + - id: aws_baseline_efficiency_compute_ec2 + title: AWS EC2 Optimization + description: Ensures AWS EC2 instances are optimized for performance and cost. 
+ section-code: aws_baseline_efficiency_compute_ec2 tags: baseline_category: - compute type: - BASELINE - control-group: - - id: aws_baseline_efficiency_compute_ec2 - title: AWS EC2 Optimization - description: Ensures AWS EC2 instances are optimized for performance and cost. - section-code: aws_baseline_efficiency_compute_ec2 - tags: - baseline_category: - - compute - type: - - BASELINE - controls: - - aws_ec2_instance_too_old - - aws_ec2_desired_instance_type - - aws_ec2_ami_too_old - - id: aws_baseline_efficiency_compute_kubernetes - title: AWS Kubernetes Optimization - description: Ensures Kubernetes clusters on AWS are optimized for performance and security. - section-code: aws_baseline_efficiency_compute_kubernetes - tags: - baseline_category: - - compute - type: - - BASELINE - controls: - - aws_kubernetes_cluster_version - - aws_enable_support_for_grpc_protocol - - aws_enable_cloudtrail_logging_for_kubernetes_api_calls - - aws_enable_cloudwatch_container_insights - - id: aws_baseline_efficiency_storage - title: AWS Storage Efficiency - description: Optimizes AWS storage services to enhance performance and reduce costs. - section-code: aws_baseline_efficiency_storage + controls: + - aws_ec2_instance_too_old + - aws_ec2_desired_instance_type + - aws_ec2_ami_too_old + - id: aws_baseline_efficiency_compute_kubernetes + title: AWS Kubernetes Optimization + description: Ensures Kubernetes clusters on AWS are optimized for performance and security. + section-code: aws_baseline_efficiency_compute_kubernetes + tags: + baseline_category: + - compute + type: + - BASELINE + controls: + - aws_kubernetes_cluster_version + - aws_enable_support_for_grpc_protocol + - aws_enable_cloudtrail_logging_for_kubernetes_api_calls + - aws_enable_cloudwatch_container_insights + - id: aws_baseline_efficiency_storage + title: AWS Storage Efficiency + description: Optimizes AWS storage services to enhance performance and reduce costs. 
+ section-code: aws_baseline_efficiency_storage + tags: + baseline_category: + - storage + type: + - BASELINE + control-group: + - id: aws_baseline_efficiency_storage_ebs + title: AWS EBS Optimization + description: Optimizes Elastic Block Store (EBS) volumes for cost and performance. + section-code: aws_baseline_efficiency_storage_ebs + tags: + baseline_category: + - storage + type: + - BASELINE + controls: + - aws_ebs_volumes_too_old_snapshots + - aws_ebs_volume_unused + - aws_ebs_volumes_attached_to_stopped_ec2_instances + - aws_use_gp3_not_gp2 + - aws_enable_instance_storage_auto_scaling + - aws_enable_serverless_log_exports + - id: aws_baseline_efficiency_storage_dynamodb + title: AWS DynamoDB Optimization + description: Ensures DynamoDB tables are optimized for performance and cost. + section-code: aws_baseline_efficiency_storage_dynamodb + tags: + baseline_category: + - storage + type: + - BASELINE + controls: + - aws_unused_dynamodb_table + - id: aws_baseline_efficiency_storage_opensearch + title: AWS OpenSearch Optimization + description: Optimizes OpenSearch domains for performance and cost-efficiency. + section-code: aws_baseline_efficiency_storage_opensearch tags: baseline_category: - storage type: - BASELINE - control-group: - - id: aws_baseline_efficiency_storage_ebs - title: AWS EBS Optimization - description: Optimizes Elastic Block Store (EBS) volumes for cost and performance. - section-code: aws_baseline_efficiency_storage_ebs - tags: - baseline_category: - - storage - type: - - BASELINE - controls: - - aws_ebs_volumes_too_old_snapshots - - aws_ebs_volume_unused - - aws_ebs_volumes_attached_to_stopped_ec2_instances - - aws_use_gp3_not_gp2 - - aws_enable_instance_storage_auto_scaling - - aws_enable_serverless_log_exports - - id: aws_baseline_efficiency_storage_dynamodb - title: AWS DynamoDB Optimization - description: Ensures DynamoDB tables are optimized for performance and cost. 
- section-code: aws_baseline_efficiency_storage_dynamodb - tags: - baseline_category: - - storage - type: - - BASELINE - controls: - - aws_unused_dynamodb_table - - id: aws_baseline_efficiency_storage_opensearch - title: AWS OpenSearch Optimization - description: Optimizes OpenSearch domains for performance and cost-efficiency. - section-code: aws_baseline_efficiency_storage_opensearch - tags: - baseline_category: - - storage - type: - - BASELINE - controls: - - aws_opensearch_version - - aws_opensearch_slow_logs - - id: aws_baseline_efficiency_networking - title: AWS Networking Efficiency - description: Optimizes AWS networking components for performance and cost. - section-code: aws_baseline_efficiency_networking + controls: + - aws_opensearch_version + - aws_opensearch_slow_logs + - id: aws_baseline_efficiency_networking + title: AWS Networking Efficiency + description: Optimizes AWS networking components for performance and cost. + section-code: aws_baseline_efficiency_networking + tags: + baseline_category: + - networking + type: + - BASELINE + control-group: + - id: aws_baseline_efficiency_networking_load_balancers + title: AWS Load Balancers Optimization + description: Optimizes various types of AWS Load Balancers for performance and cost-efficiency. + section-code: aws_baseline_efficiency_networking_load_balancers + tags: + baseline_category: + - networking + type: + - BASELINE + controls: + - aws_unused_gateway_load_balancers + - aws_unused_application_load_balancers + - aws_unused_elastic_load_balancers + - id: aws_baseline_efficiency_networking_enis + title: AWS Elastic Network Interfaces Optimization + description: Ensures Elastic Network Interfaces (ENIs) are optimized and not unused. 
+ section-code: aws_baseline_efficiency_networking_enis tags: baseline_category: - networking type: - BASELINE - control-group: - - id: aws_baseline_efficiency_networking_load_balancers - title: AWS Load Balancers Optimization - description: Optimizes various types of AWS Load Balancers for performance and cost-efficiency. - section-code: aws_baseline_efficiency_networking_load_balancers - tags: - baseline_category: - - networking - type: - - BASELINE - controls: - - aws_unused_gateway_load_balancers - - aws_unused_application_load_balancers - - aws_unused_elastic_load_balancers - - id: aws_baseline_efficiency_networking_enis - title: AWS Elastic Network Interfaces Optimization - description: Ensures Elastic Network Interfaces (ENIs) are optimized and not unused. - section-code: aws_baseline_efficiency_networking_enis - tags: - baseline_category: - - networking - type: - - BASELINE - controls: - - aws_unassociated_elastic_ip_addresses - - aws_unused_elastic_network_interfaces - - id: aws_baseline_efficiency_networking_nat_gateway - title: AWS NAT Gateway Optimization - description: Optimizes NAT Gateways for cost and performance. - section-code: aws_baseline_efficiency_networking_nat_gateway - tags: - baseline_category: - - networking - type: - - BASELINE - controls: - - aws_managed_nat_gateway_in_use - - id: aws_baseline_efficiency_monitoring_logging - title: AWS Monitoring & Logging Efficiency - description: Enhances monitoring and logging configurations for AWS services. - section-code: aws_baseline_efficiency_monitoring_logging + controls: + - aws_unassociated_elastic_ip_addresses + - aws_unused_elastic_network_interfaces + - id: aws_baseline_efficiency_networking_nat_gateway + title: AWS NAT Gateway Optimization + description: Optimizes NAT Gateways for cost and performance. 
+ section-code: aws_baseline_efficiency_networking_nat_gateway + tags: + baseline_category: + - networking + type: + - BASELINE + controls: + - aws_managed_nat_gateway_in_use + - id: aws_baseline_efficiency_monitoring_logging + title: AWS Monitoring & Logging Efficiency + description: Enhances monitoring and logging configurations for AWS services. + section-code: aws_baseline_efficiency_monitoring_logging + tags: + baseline_category: + - monitoring + type: + - BASELINE + control-group: + - id: aws_baseline_efficiency_monitoring_logging_events + title: AWS Events Optimization + description: Optimizes event subscriptions for AWS services. + section-code: aws_baseline_efficiency_monitoring_logging_events + tags: + baseline_category: + - monitoring + type: + - BASELINE + controls: + - aws_instance_level_events_subscriptions + - aws_rds_event_notifications + - aws_security_groups_events_subscriptions + - id: aws_baseline_efficiency_monitoring_logging_security_groups + title: AWS Security Groups Optimization + description: Ensures security groups are efficiently configured and monitored. + section-code: aws_baseline_efficiency_monitoring_logging_security_groups + tags: + baseline_category: + - monitoring + type: + - BASELINE + controls: + - aws_security_groups_events_subscriptions + - id: aws_baseline_efficiency_monitoring_logging_performance + title: AWS Performance Insights Optimization + description: Optimizes performance insights for AWS databases. + section-code: aws_baseline_efficiency_monitoring_logging_performance tags: baseline_category: - monitoring type: - BASELINE - control-group: - - id: aws_baseline_efficiency_monitoring_logging_events - title: AWS Events Optimization - description: Optimizes event subscriptions for AWS services. 
- section-code: aws_baseline_efficiency_monitoring_logging_events - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - aws_instance_level_events_subscriptions - - aws_rds_event_notifications - - aws_security_groups_events_subscriptions - - id: aws_baseline_efficiency_monitoring_logging_security_groups - title: AWS Security Groups Optimization - description: Ensures security groups are efficiently configured and monitored. - section-code: aws_baseline_efficiency_monitoring_logging_security_groups - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - aws_security_groups_events_subscriptions - - id: aws_baseline_efficiency_monitoring_logging_performance - title: AWS Performance Insights Optimization - description: Optimizes performance insights for AWS databases. - section-code: aws_baseline_efficiency_monitoring_logging_performance - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - aws_performance_insights - - aws_enable_cross_region_replication - - id: azure_baseline_efficiency - title: Azure Baseline Efficiency - description: Ensures optimal use of Azure resources across various categories to enhance performance and reduce costs. - section-code: azure_baseline_efficiency + controls: + - aws_performance_insights + - aws_enable_cross_region_replication +- id: azure_baseline_efficiency + title: Azure Baseline Efficiency + description: Ensures optimal use of Azure resources across various categories to enhance performance and reduce costs. + section-code: azure_baseline_efficiency + tags: + baseline_category: + - efficiency + type: + - BASELINE + control-group: + - id: azure_baseline_efficiency_compute + title: Azure Compute Efficiency + description: Optimizes Azure compute resources for performance and cost-effectiveness. 
+ section-code: azure_baseline_efficiency_compute tags: baseline_category: - - efficiency + - compute type: - BASELINE control-group: - - id: azure_baseline_efficiency_compute - title: Azure Compute Efficiency - description: Optimizes Azure compute resources for performance and cost-effectiveness. - section-code: azure_baseline_efficiency_compute + - id: azure_baseline_efficiency_compute_virtual_machines + title: Azure Virtual Machines Optimization + description: Ensures Azure Virtual Machines are optimized for performance and cost. + section-code: azure_baseline_efficiency_compute_virtual_machines + tags: + baseline_category: + - compute + type: + - BASELINE + controls: + - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines + - azure_enable_automatic_tuning_for_sql_database_servers + - id: azure_baseline_efficiency_compute_kubernetes + title: Azure Kubernetes Optimization + description: Ensures Kubernetes clusters on Azure are optimized for performance and security. + section-code: azure_baseline_efficiency_compute_kubernetes tags: baseline_category: - compute type: - BASELINE - control-group: - - id: azure_baseline_efficiency_compute_virtual_machines - title: Azure Virtual Machines Optimization - description: Ensures Azure Virtual Machines are optimized for performance and cost. - section-code: azure_baseline_efficiency_compute_virtual_machines - tags: - baseline_category: - - compute - type: - - BASELINE - controls: - - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines - - azure_enable_automatic_tuning_for_sql_database_servers - - id: azure_baseline_efficiency_compute_kubernetes - title: Azure Kubernetes Optimization - description: Ensures Kubernetes clusters on Azure are optimized for performance and security. 
- section-code: azure_baseline_efficiency_compute_kubernetes - tags: - baseline_category: - - compute - type: - - BASELINE - controls: - - azure_kubernetes_api_version - - azure_use_azure_cni_add_on_for_managing_network_resources - - id: azure_baseline_efficiency_storage - title: Azure Storage Efficiency - description: Optimizes Azure storage services to enhance performance and reduce costs. - section-code: azure_baseline_efficiency_storage + controls: + - azure_kubernetes_api_version + - azure_use_azure_cni_add_on_for_managing_network_resources + - id: azure_baseline_efficiency_storage + title: Azure Storage Efficiency + description: Optimizes Azure storage services to enhance performance and reduce costs. + section-code: azure_baseline_efficiency_storage + tags: + baseline_category: + - storage + type: + - BASELINE + control-group: + - id: azure_baseline_efficiency_storage_virtual_machine_disks + title: Azure Virtual Machine Disks Optimization + description: Ensures Azure Virtual Machine disks are optimized and not unused. + section-code: azure_baseline_efficiency_storage_virtual_machine_disks + tags: + baseline_category: + - storage + type: + - BASELINE + controls: + - azure_check_for_unattached_virtual_machine_disk_volumes + - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines + - id: azure_baseline_efficiency_storage_snapshots + title: Azure Snapshots Optimization + description: Optimizes Azure Virtual Machine disk snapshots for performance and cost. + section-code: azure_baseline_efficiency_storage_snapshots tags: baseline_category: - storage type: - BASELINE - control-group: - - id: azure_baseline_efficiency_storage_virtual_machine_disks - title: Azure Virtual Machine Disks Optimization - description: Ensures Azure Virtual Machine disks are optimized and not unused. 
- section-code: azure_baseline_efficiency_storage_virtual_machine_disks - tags: - baseline_category: - - storage - type: - - BASELINE - controls: - - azure_check_for_unattached_virtual_machine_disk_volumes - - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines - - id: azure_baseline_efficiency_storage_snapshots - title: Azure Snapshots Optimization - description: Optimizes Azure Virtual Machine disk snapshots for performance and cost. - section-code: azure_baseline_efficiency_storage_snapshots - tags: - baseline_category: - - storage - type: - - BASELINE - controls: - - azure_check_for_old_virtual_machine_disk_snapshots - - azure_disks_should_use_standard_snapshots - - id: azure_baseline_efficiency_networking - title: Azure Networking Efficiency - description: Optimizes Azure networking components for performance and cost. - section-code: azure_baseline_efficiency_networking + controls: + - azure_check_for_old_virtual_machine_disk_snapshots + - azure_disks_should_use_standard_snapshots + - id: azure_baseline_efficiency_networking + title: Azure Networking Efficiency + description: Optimizes Azure networking components for performance and cost. + section-code: azure_baseline_efficiency_networking + tags: + baseline_category: + - networking + type: + - BASELINE + control-group: + - id: azure_baseline_efficiency_networking_load_balancers + title: Azure Load Balancers Optimization + description: Optimizes Azure Load Balancers for performance and cost-efficiency. + section-code: azure_baseline_efficiency_networking_load_balancers + tags: + baseline_category: + - networking + type: + - BASELINE + controls: + - azure_check_for_unused_load_balancers + - id: azure_baseline_efficiency_networking_network_resources + title: Azure Network Resources Optimization + description: Ensures Azure network resources are efficiently managed and optimized. 
+ section-code: azure_baseline_efficiency_networking_network_resources tags: baseline_category: - networking type: - BASELINE - control-group: - - id: azure_baseline_efficiency_networking_load_balancers - title: Azure Load Balancers Optimization - description: Optimizes Azure Load Balancers for performance and cost-efficiency. - section-code: azure_baseline_efficiency_networking_load_balancers - tags: - baseline_category: - - networking - type: - - BASELINE - controls: - - azure_check_for_unused_load_balancers - - id: azure_baseline_efficiency_networking_network_resources - title: Azure Network Resources Optimization - description: Ensures Azure network resources are efficiently managed and optimized. - section-code: azure_baseline_efficiency_networking_network_resources - tags: - baseline_category: - - networking - type: - - BASELINE - controls: - - azure_use_azure_cni_add_on_for_managing_network_resources - - id: azure_baseline_efficiency_monitoring_diagnostics - title: Azure Monitoring & Diagnostics Efficiency - description: Enhances monitoring and diagnostics configurations for Azure services. - section-code: azure_baseline_efficiency_monitoring_diagnostics + controls: + - azure_use_azure_cni_add_on_for_managing_network_resources + - id: azure_baseline_efficiency_monitoring_diagnostics + title: Azure Monitoring & Diagnostics Efficiency + description: Enhances monitoring and diagnostics configurations for Azure services. + section-code: azure_baseline_efficiency_monitoring_diagnostics + tags: + baseline_category: + - monitoring + type: + - BASELINE + control-group: + - id: azure_baseline_efficiency_monitoring_diagnostics_health_monitoring + title: Azure Health Monitoring Optimization + description: Optimizes health monitoring configurations for Azure services. 
+ section-code: azure_baseline_efficiency_monitoring_diagnostics_health_monitoring + tags: + baseline_category: + - monitoring + type: + - BASELINE + controls: + - azure_check_for_configure_health_monitoring + - id: azure_baseline_efficiency_monitoring_diagnostics_performance_diagnostics + title: Azure Performance Diagnostics Optimization + description: Ensures performance diagnostics are properly configured for Azure services. + section-code: azure_baseline_efficiency_monitoring_diagnostics_performance_diagnostics + tags: + baseline_category: + - monitoring + type: + - BASELINE + controls: + - azure_check_for_performance_diagnostics_for_azure_virtual_machines + - azure_check_for_guest_level_diagnostics_for_virtual_machines + - id: azure_baseline_efficiency_monitoring_diagnostics_autoscale_notifications + title: Azure Autoscale Notifications Optimization + description: Optimizes autoscale notifications for Azure services. + section-code: azure_baseline_efficiency_monitoring_diagnostics_autoscale_notifications tags: baseline_category: - monitoring type: - BASELINE - control-group: - - id: azure_baseline_efficiency_monitoring_diagnostics_health_monitoring - title: Azure Health Monitoring Optimization - description: Optimizes health monitoring configurations for Azure services. - section-code: azure_baseline_efficiency_monitoring_diagnostics_health_monitoring - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - azure_check_for_configure_health_monitoring - - id: azure_baseline_efficiency_monitoring_diagnostics_performance_diagnostics - title: Azure Performance Diagnostics Optimization - description: Ensures performance diagnostics are properly configured for Azure services. 
- section-code: azure_baseline_efficiency_monitoring_diagnostics_performance_diagnostics - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - azure_check_for_performance_diagnostics_for_azure_virtual_machines - - azure_check_for_guest_level_diagnostics_for_virtual_machines - - id: azure_baseline_efficiency_monitoring_diagnostics_autoscale_notifications - title: Azure Autoscale Notifications Optimization - description: Optimizes autoscale notifications for Azure services. - section-code: azure_baseline_efficiency_monitoring_diagnostics_autoscale_notifications - tags: - baseline_category: - - monitoring - type: - - BASELINE - controls: - - azure_check_for_autoscale_notifications + controls: + - azure_check_for_autoscale_notifications diff --git a/compliance/frameworks/baseline/reliability.yaml b/compliance/frameworks/baseline/reliability.yaml index ff33cc113..a62377e4f 100644 --- a/compliance/frameworks/baseline/reliability.yaml +++ b/compliance/frameworks/baseline/reliability.yaml 
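Review bot: The rewritten efficiency.yaml keeps several control ids in two sibling groups at once — `aws_security_groups_events_subscriptions` under both `aws_baseline_efficiency_monitoring_logging_events` and `aws_baseline_efficiency_monitoring_logging_security_groups`, `azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines` under both the compute VM and storage VM-disk groups, and `azure_use_azure_cni_add_on_for_managing_network_resources` under both the Kubernetes and network-resources groups. This predates the commit, but since the whole file is being re-laid out it is the moment to decide: if the engine aggregates pass/fail counts per group these are double-counted, and if the duplication is deliberate a `# intentionally also listed under <group>` comment next to each second occurrence would stop the next reviewer from "fixing" it. The placement of `azure_enable_automatic_tuning_for_sql_database_servers` under "Azure Virtual Machines Optimization" and `aws_enable_cross_region_replication` under "Performance Insights" also reads as miscategorized given the group descriptions.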
@@ -1,145 +1,145 @@ -framework: - id: baseline_reliability - title: Reliability - description: Reliability Framework aligns with SRE principles and the Well-Architected Framework, ensuring systems are resilient, highly available, and capable of recovering swiftly from failures. - section-code: baseline_reliability +id: baseline_reliability +title: Reliability +description: Reliability Framework aligns with SRE principles and the Well-Architected Framework, ensuring systems are resilient, highly available, and capable of recovering swiftly from failures. +section-code: baseline_reliability +type: framework +tags: + baseline_category: + - reliability + type: + - Baseline +defaults: + is-baseline: true + enabled: true + tracks-drift-events: false +control-group: +- id: aws_baseline_reliability + title: AWS Baseline Reliability + description: AWS reliability framework focusing on resiliency, failover, and disaster recovery. + section-code: aws_baseline_reliability tags: baseline_category: - reliability type: - Baseline - defaults: - is-baseline: true - enabled: true - tracks-drift-events: false control-group: - - id: aws_baseline_reliability - title: AWS Baseline Reliability - description: AWS reliability framework focusing on resiliency, failover, and disaster recovery. - section-code: aws_baseline_reliability + - id: aws_baseline_reliability_infrastructure + title: Infrastructure + description: Ensures AWS infrastructure follows best practices for reliability. + section-code: aws_baseline_reliability_infrastructure tags: baseline_category: - reliability type: - Baseline - control-group: - - id: aws_baseline_reliability_infrastructure - title: Infrastructure - description: Ensures AWS infrastructure follows best practices for reliability. 
- section-code: aws_baseline_reliability_infrastructure - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - aws_ec2_ami_too_old - - aws_disable_public_ip_address_assignment_for_ec2_instances - - aws_opensearch_dedicated_master_enabled - - aws_opensearch_zone_awareness_enabled - - aws_elbv2_alb_minimum_number_of_ec2_target_instances - - aws_elbv2_glb_minimum_number_of_ec2_target_instances - - aws_ec2_instance_termination_protection - - aws_enable_deletion_protection - - aws_elb_connection_draining_enabled - - aws_elb_cross_zone_load_balancing_enabled - - aws_check_for_amazon_ecs_service_placement_strategy - - id: aws_baseline_reliability_monitoring - title: Monitoring & Alerts - description: Ensures AWS monitoring systems are in place to detect and respond to reliability events. - section-code: aws_baseline_reliability_monitoring - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - aws_performance_insights - - aws_rds_event_notifications - - aws_elb_cross_zone_load_balancing_enabled - - aws_enable_cloudtrail_logging_for_kubernetes_api_calls - - aws_enable_cloudwatch_container_insights - - aws_kubernetes_cluster_version - - id: aws_baseline_reliability_backup - title: Backup & Recovery - description: Ensures backups and recovery systems are in place for AWS services. 
- section-code: aws_baseline_reliability_backup - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - aws_use_aws_backup_service_in_use_for_amazon_rds - - aws_rds_automated_backups_enabled_test - - aws_backtrack - - aws_aurora_database_instance_accessibility - - aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days - - aws_dynamodb_instances_have_backup_withing_48_hours - - aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days - - aws_ebs_instances_have_backup_withing_rpo_period - - aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days - - aws_ec2_instances_have_backup_withing_48_hours - - aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days - - aws_efs_files_have_backup_withing_48_hours - - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy - - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time - - id: azure_baseline_reliability - title: Azure Baseline Reliability - description: Azure reliability framework focusing on resiliency, failover, and disaster recovery. - section-code: azure_baseline_reliability + controls: + - aws_ec2_ami_too_old + - aws_disable_public_ip_address_assignment_for_ec2_instances + - aws_opensearch_dedicated_master_enabled + - aws_opensearch_zone_awareness_enabled + - aws_elbv2_alb_minimum_number_of_ec2_target_instances + - aws_elbv2_glb_minimum_number_of_ec2_target_instances + - aws_ec2_instance_termination_protection + - aws_enable_deletion_protection + - aws_elb_connection_draining_enabled + - aws_elb_cross_zone_load_balancing_enabled + - aws_check_for_amazon_ecs_service_placement_strategy + - id: aws_baseline_reliability_monitoring + title: Monitoring & Alerts + description: Ensures AWS monitoring systems are in place to detect and respond to reliability events. 
+ section-code: aws_baseline_reliability_monitoring tags: baseline_category: - reliability type: - Baseline - control-group: - - id: azure_baseline_reliability_infrastructure - title: Infrastructure - description: Ensures Azure infrastructure follows best practices for reliability. - section-code: azure_baseline_reliability_infrastructure - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - azure_check_for_kubernetes_version - - azure_disable_plain_ftp_deployment - - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines - - azure_check_for_automatic_os_upgrades - - azure_check_for_automatic_instance_repairs - - azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets - - azure_check_for_associated_load_balancers - - azure_check_for_guest_level_diagnostics_for_virtual_machines - - id: azure_baseline_reliability_backup - title: Backup & Recovery - description: Ensures backups and recovery systems are in place for Azure services. - section-code: azure_baseline_reliability_backup - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - azure_recovery_service_vault_alert_for_job_failures_enabled - - azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period - - azure_check_for_sufficient_soft_deleted_data_retention_period - - azure_check_for_sufficient_daily_backup_retention_period - - azure_check_for_sufficient_instant_restore_retention_period - - azure_enable_soft_delete_for_azure_blob_storage - - azure_enable_auto_failover_groups - - id: azure_baseline_reliability_monitoring - title: Monitoring & Alerts - description: Ensures Azure monitoring systems are in place to detect and respond to reliability events. 
- section-code: azure_baseline_reliability_monitoring - tags: - baseline_category: - - reliability - type: - - Baseline - controls: - - azure_check_for_configure_health_monitoring - - azure_configure_minimum_tls_version - - azure_check_for_autoscale_notifications - - azure_kubernetes_api_version + controls: + - aws_performance_insights + - aws_rds_event_notifications + - aws_elb_cross_zone_load_balancing_enabled + - aws_enable_cloudtrail_logging_for_kubernetes_api_calls + - aws_enable_cloudwatch_container_insights + - aws_kubernetes_cluster_version + - id: aws_baseline_reliability_backup + title: Backup & Recovery + description: Ensures backups and recovery systems are in place for AWS services. + section-code: aws_baseline_reliability_backup + tags: + baseline_category: + - reliability + type: + - Baseline + controls: + - aws_use_aws_backup_service_in_use_for_amazon_rds + - aws_rds_automated_backups_enabled_test + - aws_backtrack + - aws_aurora_database_instance_accessibility + - aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days + - aws_dynamodb_instances_have_backup_withing_48_hours + - aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days + - aws_ebs_instances_have_backup_withing_rpo_period + - aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days + - aws_ec2_instances_have_backup_withing_48_hours + - aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days + - aws_efs_files_have_backup_withing_48_hours + - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy + - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time +- id: azure_baseline_reliability + title: Azure Baseline Reliability + description: Azure reliability framework focusing on resiliency, failover, and disaster recovery. 
+ section-code: azure_baseline_reliability + tags: + baseline_category: + - reliability + type: + - Baseline + control-group: + - id: azure_baseline_reliability_infrastructure + title: Infrastructure + description: Ensures Azure infrastructure follows best practices for reliability. + section-code: azure_baseline_reliability_infrastructure + tags: + baseline_category: + - reliability + type: + - Baseline + controls: + - azure_check_for_kubernetes_version + - azure_disable_plain_ftp_deployment + - azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines + - azure_check_for_automatic_os_upgrades + - azure_check_for_automatic_instance_repairs + - azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets + - azure_check_for_associated_load_balancers + - azure_check_for_guest_level_diagnostics_for_virtual_machines + - id: azure_baseline_reliability_backup + title: Backup & Recovery + description: Ensures backups and recovery systems are in place for Azure services. + section-code: azure_baseline_reliability_backup + tags: + baseline_category: + - reliability + type: + - Baseline + controls: + - azure_recovery_service_vault_alert_for_job_failures_enabled + - azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period + - azure_check_for_sufficient_soft_deleted_data_retention_period + - azure_check_for_sufficient_daily_backup_retention_period + - azure_check_for_sufficient_instant_restore_retention_period + - azure_enable_soft_delete_for_azure_blob_storage + - azure_enable_auto_failover_groups + - id: azure_baseline_reliability_monitoring + title: Monitoring & Alerts + description: Ensures Azure monitoring systems are in place to detect and respond to reliability events. 
+ section-code: azure_baseline_reliability_monitoring + tags: + baseline_category: + - reliability + type: + - Baseline + controls: + - azure_check_for_configure_health_monitoring + - azure_configure_minimum_tls_version + - azure_check_for_autoscale_notifications + - azure_kubernetes_api_version diff --git a/compliance/frameworks/baseline/security.yaml b/compliance/frameworks/baseline/security.yaml index f352a4dff..4831edcb9 100644 --- a/compliance/frameworks/baseline/security.yaml +++ b/compliance/frameworks/baseline/security.yaml 
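Review bot: The new top-level `tags.type` in reliability.yaml is `- Baseline`, whereas the same key in efficiency.yaml (previous hunk) and security.yaml (next hunk) is `- BASELINE`; tag matching is usually case-sensitive, so any filter or dashboard selecting frameworks by `type: BASELINE` would silently omit this one. Since the commit rewrites the whole header block anyway, changing every `- Baseline` in this file to `- BASELINE` (it appears once at the framework level and once per nested group) would align it with its siblings. Two control ids on the new side are also worth a second look: `aws_rds_automated_backups_enabled_test` has a `_test` suffix that suggests a fixture rather than a production control, and `azure_configure_minimum_tls_version` sits under "Monitoring & Alerts" although it is a transport-security setting.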
@@ -1,416 +1,416 @@ -framework: - id: baseline_security - title: Security - description: Comprehensive security benchmarks for AWS and Azure environments, categorized for streamlined management. - section-code: baseline_security +id: baseline_security +title: Security +description: Comprehensive security benchmarks for AWS and Azure environments, categorized for streamlined management. +section-code: baseline_security +type: framework +tags: + baseline_category: + - security + type: + - BASELINE +defaults: + is-baseline: true + enabled: true + tracks-drift-events: false +control-group: +- id: aws_baseline_security + title: Security for AWS + description: Comprehensive security controls and benchmarks for AWS environments, categorized for streamlined management. + section-code: aws_baseline_security tags: baseline_category: - security type: - BASELINE - defaults: - is-baseline: true - enabled: true - tracks-drift-events: false control-group: - - id: aws_baseline_security - title: Security for AWS - description: Comprehensive security controls and benchmarks for AWS environments, categorized for streamlined management. - section-code: aws_baseline_security + - id: aws_baseline_security_data_protection + title: Data Protection and Encryption + description: Controls related to encrypting data at rest and in transit to ensure data integrity and confidentiality. + section-code: data_protection_encryption tags: baseline_category: - security type: - BASELINE - control-group: - - id: aws_baseline_security_data_protection - title: Data Protection and Encryption - description: Controls related to encrypting data at rest and in transit to ensure data integrity and confidentiality. 
- section-code: data_protection_encryption - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - aws_ami_encryption - - aws_ebs_snapshot_encrypted - - aws_ebs_encrypted - - aws_ebs_encrypted_with_kms_customer_master_keys - - aws_encryption_at_rest - - aws_opensearch_domain_encrypted_with_kms_cmks - - aws_rds_encryption_enabled - - aws_rds_encrypted_with_kms_customer_master_keys - - aws_enable_rds_snapshot_encryption - - aws_efs_encryption_enabled - - aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems - - aws_use_kms_customer_master_keys_for_aws_backup - - aws_enable_in_transit_encryption - - aws_tls_security_policy_version - - aws_rotate_ssltls_certificates_for_database_instances - - aws_acm_certificates_validity - - aws_acm_certificate_expired - - aws_acm_certificates_with_wildcard_domain_names - - aws_pre_heartbleed_server_certificates - - aws_ssl_tls_certificate_expiry_30_days - - aws_ssl_tls_certificate_expiry_x_days - - aws_enable_envelope_encryption_for_eks_kubernetes_secrets - - id: aws_baseline_security_iam - title: IAM Security - description: Controls related to Identity and Access Management to ensure secure authentication and authorization mechanisms. 
- section-code: iam_security - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD - - aws_iam_users_with_console_access_are_requried_to_have_MFA - - aws_root_accounts_needs_to_have_mfa - - aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days - - aws_valid_iam_identity_providers - - aws_iam_users_with_administrative_privileges - - aws_iam_user_no_policies - - aws_iam_policies_with_effect_set_to_allow_and_notaction - - aws_iam_role_policy_too_permissive - - aws_unapproved_iam_policy_in_use - - aws_iam_policies_with_full_administrative_privileges - - aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances - - aws_unused_iam_group - - aws_iam_user_policies - - aws_iam_groups_with_administrative_privileges - - aws_check_for_individual_iam_users - - aws_check_for_overly_permissive_iam_group_policies - - aws_iam_access_analyzer_in_use - - aws_iam_access_analyzer_findings - - aws_iam_user_password_expiry_30_days - - aws_iam_user_password_expiry_7_days - - aws_iam_user_password_expiry_x_days - - aws_allow_iam_users_to_change_their_own_password - - aws_credentials_last_used - - id: aws_baseline_security_infrastructure - title: Infrastructure Configuration and Compliance - description: Controls ensuring infrastructure adheres to best practices and compliance standards for secure and efficient AWS operations. 
- section-code: infrastructure_configuration_compliance - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - aws_disable_remote_access_to_eks_cluster_node_groups - - aws_require_imdsv2_for_ec2_instances - - aws_security_group_name_prefixed_with_launch_wizard - - aws_security_group_port_range - - aws_configure_http_desync_mitigation_mode_for_application_load_balancers - - aws_configure_aws_backup_vault_access_policy - - aws_backup_service_lifecycle_configuration - - aws_multi_account_centralized_management - - aws_enable_audit_logs - - aws_enable_rds_snapshot_encryption - - aws_kubernetes_cluster_version - - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls - - aws_enable_envelope_encryption_for_eks_kubernetes_secrets - - aws_ec2_purchase_restriction - - aws_instance_deletion_protection - - aws_elbv2_elastic_load_balancing_deletion_protection - - aws_enforce_infrastructure_as_code_using_iam_policies - - aws_use_aws_managed_policy_to_manage_networking_resources - - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories - - aws_use_aws_managed_policy_to_manage_aws_resources - - id: aws_baseline_security_monitoring - title: Monitoring, Logging, and Auditing - description: Controls focused on monitoring AWS environments, logging activities, and auditing for compliance and security incident response. 
- section-code: monitoring_logging_auditing - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - aws_enable_audit_logs - - aws_vpc_flow_logs_enabled - - aws_cluster_deletion_protection - - aws_enable_alert_notifications_for_failed_backup_jobs - - aws_enable_cloudtrail_logging_for_kubernetes_api_calls - - aws_kubernetes_cluster_logging - - aws_rds_event_notifications - - aws_enable_scan_on_push_for_ecr_container_images - - aws_ecs_task_log_driver_in_use - - aws_elbv2_access_log - - aws_elb_access_log - - aws_elbv2_access_log - - aws_enable_cloudtrail_logging_for_kubernetes_api_calls - - aws_enable_rds_snapshot_encryption - - aws_enable_envelope_encryption_for_eks_kubernetes_secrets - - id: aws_baseline_security_network - title: Network Security - description: Controls focused on securing network configurations, managing traffic flow, and protecting network boundaries. - section-code: network_security - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - aws_unrestricted_inbound_traffic_on_remote_server_administration_ports - - aws_unrestricted_network_acl_inbound_traffic - - aws_unrestricted_network_acl_outbound_traffic - - aws_security_group_port_range - - aws_security_group_name_prefixed_with_launch_wizard - - aws_ec2_instance_not_in_public_subnet - - aws_disable_public_ip_address_assignment_for_ec2_instances - - aws_ec2_instance_in_vpc - - aws_rds_db_instance_no_public_subnet - - aws_vpc_endpoint_cross_account_access - - aws_vpc_endpoints_in_use - - aws_vpc_peering_connections_to_accounts_outside_aws_organization - - aws_unrestricted_icmp_access - - aws_unrestricted_mongodb_access - - aws_unrestricted_mssql_access - - aws_unrestricted_mysql_access - - aws_unrestricted_netbios_access - - aws_unrestricted_opensearch_access - - aws_unrestricted_oracle_access - - aws_unrestricted_rpc_access - - aws_unrestricted_smtp_access - - aws_unrestricted_security_group_ingress_on_uncommon_ports - - aws_unrestricted_cifs_access 
- - aws_enable_amazon_waf_integration_for_application_load_balancers - - aws_elbv2_alb_listener_security - - aws_elbv2_nlb_listener_security - - aws_enable_http_to_https_redirect_for_application_load_balancers - - aws_elbv2_alb_security_policy - - aws_enable_cross_zone_load_balancing - - aws_elb_insecure_ssl_protocols - - aws_internet_facing_elbs - - aws_internet_facing_elbv2s - - id: azure_baseline_security - title: Security for Azure - description: Comprehensive security controls and benchmarks for Azure environments, categorized for streamlined management. - section-code: azure_baseline_security + controls: + - aws_ami_encryption + - aws_ebs_snapshot_encrypted + - aws_ebs_encrypted + - aws_ebs_encrypted_with_kms_customer_master_keys + - aws_encryption_at_rest + - aws_opensearch_domain_encrypted_with_kms_cmks + - aws_rds_encryption_enabled + - aws_rds_encrypted_with_kms_customer_master_keys + - aws_enable_rds_snapshot_encryption + - aws_efs_encryption_enabled + - aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems + - aws_use_kms_customer_master_keys_for_aws_backup + - aws_enable_in_transit_encryption + - aws_tls_security_policy_version + - aws_rotate_ssltls_certificates_for_database_instances + - aws_acm_certificates_validity + - aws_acm_certificate_expired + - aws_acm_certificates_with_wildcard_domain_names + - aws_pre_heartbleed_server_certificates + - aws_ssl_tls_certificate_expiry_30_days + - aws_ssl_tls_certificate_expiry_x_days + - aws_enable_envelope_encryption_for_eks_kubernetes_secrets + - id: aws_baseline_security_iam + title: IAM Security + description: Controls related to Identity and Access Management to ensure secure authentication and authorization mechanisms. 
+ section-code: iam_security tags: baseline_category: - security type: - BASELINE - control-group: - - id: azure_baseline_security_data_protection - title: Data Protection and Encryption for Azure - description: Controls related to encrypting data at rest and in transit to ensure data integrity and confidentiality in Azure environments. - section-code: data_protection_encryption - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - azure_enable_infrastructure_encryption - - azure_storage_account_encryption_using_customer_managed_keys - - azure_disk_encryption_for_unattached_disk_volumes - - azure_disk_encryption_for_non_boot_disk_volumes - - azure_disk_encryption_for_boot_disk_volumes - - azure_monitor_log_all_activities - - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys - - azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted - - azure_check_for_key_vault_full_administrator_permissions - - azure_check_for_usage_of_byok_for_disk_volumes_encryption - - azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption - - azure_server_side_encryption_for_unattached_disk_using_cmk - - azure_server_side_encryption_for_boot_disk_using_cmk - - azure_server_side_encryption_for_non_boot_disk_using_cmk - - azure_use_byok_for_transparent_data_encryption - - azure_use_byok_for_storage_account_encryption - - azure_enable_trusted_microsoft_services_for_key_vault_access - - azure_set_azure_secret_key_expiration - - id: azure_baseline_security_iam - title: IAM Security for Azure - description: Controls related to Identity and Access Management to ensure secure authentication and authorization mechanisms in Azure. 
- section-code: iam_security - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - entraid_user_should_have_mfa_enabled_with_azure_subscription_role_assignment - - entraid_spn_with_active_client_secret_created_x_days_ago - - azure_enable_kubernetes_role_based_access_control - - azure_use_system_assigned_managed_identities_for_aks_clusters - - azure_use_user_assigned_managed_identities_for_aks_clusters - - azure_use_microsoft_entra_id_integration_for_aks_clusters - - azure_use_microsoft_entra_admin_for_sql_authentication - - azure_enable_defender_for_cloud_for_aks_clusters - - id: azure_baseline_security_infrastructure - title: Infrastructure Configuration and Compliance for Azure - description: Controls ensuring infrastructure adheres to best practices and compliance standards for secure and efficient Azure operations. - section-code: infrastructure_configuration_compliance - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - azure_check_for_kubernetes_version - - azure_enable_defender_for_cloud_for_aks_clusters - - azure_enable_kubernetes_role_based_access_control - - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges - - azure_use_system_assigned_managed_identities_for_aks_clusters - - azure_disable_plain_ftp_deployment - - azure_restrict_default_network_access_for_azure_cosmos_db_accounts - - azure_check_for_publicly_accessible_web_containers - - azure_disable_anonymous_access_to_blob_containers - - azure_disable_public_access_to_storage_accounts_with_blob_containers - - azure_enable_infrastructure_encryption - - azure_private_endpoint_in_use - - azure_restrict_default_network_access_for_storage_accounts - - azure_storage_account_encryption_using_customer_managed_keys - - azure_disk_encryption_for_unattached_disk_volumes - - azure_disk_encryption_for_non_boot_disk_volumes - - azure_disk_encryption_for_boot_disk_volumes - - azure_monitor_log_all_activities - - 
azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys - - azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted - - azure_check_for_key_vault_full_administrator_permissions - - azure_restrict_default_network_access_for_azure_key_vaults - - azure_enable_key_vault_recoverability - - azure_check_for_unattached_virtual_machine_disk_volumes - - azure_check_for_allowed_certificate_key_types - - azure_check_for_azure_key_vault_keys_expiration_date - - azure_configure_minimum_tls_version - - azure_limit_storage_account_access_by_ip_address - - azure_app_tier_customer_managed_key_in_use - - azure_database_tier_customer_managed_key_in_use - - azure_check_for_azure_key_vault_secrets_expiration_date - - azure_check_for_certificate_minimum_key_size - - azure_set_encryption_key_expiration - - azure_check_for_unrestricted_sql_database_access - - azure_enable_all_types_of_threat_detection_on_sql_servers - - azure_enable_auditing_for_sql_servers - - azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners - - azure_enable_vulnerability_assessment_periodic_recurring_scans - - azure_enable_vulnerability_assessment_for_microsoft_sql_servers - - azure_sql_auditing_retention - - azure_use_byok_for_transparent_data_encryption - - azure_check_for_desired_vm_sku_sizes - - azure_check_for_usage_of_byok_for_disk_volumes_encryption - - azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption - - azure_server_side_encryption_for_unattached_disk_using_cmk - - azure_server_side_encryption_for_boot_disk_using_cmk - - azure_server_side_encryption_for_non_boot_disk_using_cmk - - azure_check_for_usage_of_endpoint_protection - - azure_approved_azure_machine_image_in_use - - azure_check_for_ssh_authentication_type - - azure_check_for_automatic_os_upgrades - - azure_check_for_zone_redundant_virtual_machine_scale_sets - - azure_check_for_just_in_time_access_for_virtual_machines - - 
azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication - - azure_check_for_usage_of_approved_extensions_only - - azure_check_for_virtual_machine_boot_diagnostics - - azure_check_for_system_assigned_managed_identities - - azure_check_for_encryption_for_web_tier_disk_volumes - - azure_check_for_guest_level_diagnostics_for_virtual_machines - - azure_use_byok_for_storage_account_encryption - - azure_enable_trusted_microsoft_services_for_storage_account_access - - azure_enable_secure_transfer_in_azure_storage - - azure_enable_logging_for_azure_storage_table_service - - azure_enable_logging_for_azure_storage_queue_service - - azure_enable_logging_for_azure_storage_blob_service - - azure_enable_immutable_blob_storage - - azure_enable_blob_storage_lifecycle_management - - azure_check_for_unrestricted_telnet_access - - azure_enable_azure_network_watcher - - azure_check_for_unrestricted_udp_access - - azure_check_for_unrestricted_ssh_access - - azure_check_for_unrestricted_smtp_access - - azure_check_for_unrestricted_rpc_access - - azure_check_for_unrestricted_mssql_access - - azure_check_for_unrestricted_mysql_database_access - - azure_check_for_unrestricted_oracle_database_access - - azure_check_for_unrestricted_postgresql_database_access - - azure_check_for_unrestricted_rdp_access - - azure_check_for_unrestricted_netbios_access - - azure_check_for_unrestricted_mongodb_access - - azure_review_network_interfaces_with_ip_forwarding_enabled - - azure_enable_ddos_standard_protection_for_virtual_networks - - azure_use_azure_cni_add_on_for_managing_network_resources - - azure_use_microsoft_entra_id_integration_for_aks_clusters - - azure_check_for_installataion_for_latest_os_patches - - azure_check_for_backups_for_azure_virtual_machines - - azure_use_user_assigned_managed_identities_for_aks_clusters - - azure_kubernetes_api_version - - azure_set_azure_secret_key_expiration - - azure_web_tier_customer_managed_key_in_use - - 
azure_enable_trusted_microsoft_services_for_key_vault_access - - azure_use_network_contributor_role_for_managing_azure_network_resources - - azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts - - azure_configure_audit_action_group_for_sql_server_auditing - - azure_use_microsoft_entra_admin_for_sql_authentication - - azure_enable_in_transit_encryption_for_mysql_servers - - azure_enable_automatic_failover - - azure_check_for_sufficient_certificate_auto_renewal_period - - azure_enable_ssl_certificate_auto_renewal - - azure_enable_certificate_transparency - - id: azure_baseline_security_monitoring - title: Monitoring, Logging, and Auditing for Azure - description: Controls focused on monitoring Azure environments, logging activities, and auditing for compliance and security incident response. - section-code: monitoring_logging_auditing - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - azure_monitor_log_all_activities - - azure_enable_defender_for_cloud_for_aks_clusters - - azure_enable_auditevent_logging_for_azure_key_vaults - - azure_enable_auditing_for_sql_servers - - azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners - - azure_enable_vulnerability_assessment_periodic_recurring_scans - - azure_enable_vulnerability_assessment_for_microsoft_sql_servers - - azure_sql_auditing_retention - - azure_enable_trusted_microsoft_services_for_key_vault_access - - azure_configure_audit_action_group_for_sql_server_auditing - - id: azure_baseline_security_network - title: Network Security for Azure - description: Controls focused on securing network configurations, managing traffic flow, and protecting network boundaries in Azure environments. 
- section-code: network_security - tags: - baseline_category: - - security - type: - - BASELINE - controls: - - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges - - azure_disable_plain_ftp_deployment - - azure_restrict_default_network_access_for_azure_cosmos_db_accounts - - azure_check_for_publicly_accessible_web_containers - - azure_disable_anonymous_access_to_blob_containers - - azure_disable_public_access_to_storage_accounts_with_blob_containers - - azure_private_endpoint_in_use - - azure_restrict_default_network_access_for_storage_accounts - - azure_limit_storage_account_access_by_ip_address - - azure_enable_trusted_microsoft_services_for_storage_account_access - - azure_enable_secure_transfer_in_azure_storage - - azure_enable_logging_for_azure_storage_table_service - - azure_enable_logging_for_azure_storage_queue_service - - azure_enable_logging_for_azure_storage_blob_service - - azure_enable_immutable_blob_storage - - azure_enable_blob_storage_lifecycle_management - - azure_check_for_unrestricted_telnet_access - - azure_enable_azure_network_watcher - - azure_check_for_unrestricted_udp_access - - azure_check_for_unrestricted_ssh_access - - azure_check_for_unrestricted_smtp_access - - azure_check_for_unrestricted_rpc_access - - azure_check_for_unrestricted_mssql_access - - azure_check_for_unrestricted_mysql_database_access - - azure_check_for_unrestricted_oracle_database_access - - azure_check_for_unrestricted_postgresql_database_access - - azure_check_for_unrestricted_rdp_access - - azure_check_for_unrestricted_netbios_access - - azure_check_for_unrestricted_mongodb_access - - azure_review_network_interfaces_with_ip_forwarding_enabled - - azure_enable_ddos_standard_protection_for_virtual_networks - - azure_use_azure_cni_add_on_for_managing_network_resources + controls: + - aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD + - aws_iam_users_with_console_access_are_requried_to_have_MFA + - 
aws_root_accounts_needs_to_have_mfa + - aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days + - aws_valid_iam_identity_providers + - aws_iam_users_with_administrative_privileges + - aws_iam_user_no_policies + - aws_iam_policies_with_effect_set_to_allow_and_notaction + - aws_iam_role_policy_too_permissive + - aws_unapproved_iam_policy_in_use + - aws_iam_policies_with_full_administrative_privileges + - aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances + - aws_unused_iam_group + - aws_iam_user_policies + - aws_iam_groups_with_administrative_privileges + - aws_check_for_individual_iam_users + - aws_check_for_overly_permissive_iam_group_policies + - aws_iam_access_analyzer_in_use + - aws_iam_access_analyzer_findings + - aws_iam_user_password_expiry_30_days + - aws_iam_user_password_expiry_7_days + - aws_iam_user_password_expiry_x_days + - aws_allow_iam_users_to_change_their_own_password + - aws_credentials_last_used + - id: aws_baseline_security_infrastructure + title: Infrastructure Configuration and Compliance + description: Controls ensuring infrastructure adheres to best practices and compliance standards for secure and efficient AWS operations. 
+ section-code: infrastructure_configuration_compliance + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - aws_disable_remote_access_to_eks_cluster_node_groups + - aws_require_imdsv2_for_ec2_instances + - aws_security_group_name_prefixed_with_launch_wizard + - aws_security_group_port_range + - aws_configure_http_desync_mitigation_mode_for_application_load_balancers + - aws_configure_aws_backup_vault_access_policy + - aws_backup_service_lifecycle_configuration + - aws_multi_account_centralized_management + - aws_enable_audit_logs + - aws_enable_rds_snapshot_encryption + - aws_kubernetes_cluster_version + - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls + - aws_enable_envelope_encryption_for_eks_kubernetes_secrets + - aws_ec2_purchase_restriction + - aws_instance_deletion_protection + - aws_elbv2_elastic_load_balancing_deletion_protection + - aws_enforce_infrastructure_as_code_using_iam_policies + - aws_use_aws_managed_policy_to_manage_networking_resources + - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories + - aws_use_aws_managed_policy_to_manage_aws_resources + - id: aws_baseline_security_monitoring + title: Monitoring, Logging, and Auditing + description: Controls focused on monitoring AWS environments, logging activities, and auditing for compliance and security incident response. 
+ section-code: monitoring_logging_auditing + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - aws_enable_audit_logs + - aws_vpc_flow_logs_enabled + - aws_cluster_deletion_protection + - aws_enable_alert_notifications_for_failed_backup_jobs + - aws_enable_cloudtrail_logging_for_kubernetes_api_calls + - aws_kubernetes_cluster_logging + - aws_rds_event_notifications + - aws_enable_scan_on_push_for_ecr_container_images + - aws_ecs_task_log_driver_in_use + - aws_elbv2_access_log + - aws_elb_access_log + - aws_elbv2_access_log + - aws_enable_cloudtrail_logging_for_kubernetes_api_calls + - aws_enable_rds_snapshot_encryption + - aws_enable_envelope_encryption_for_eks_kubernetes_secrets + - id: aws_baseline_security_network + title: Network Security + description: Controls focused on securing network configurations, managing traffic flow, and protecting network boundaries. + section-code: network_security + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - aws_unrestricted_inbound_traffic_on_remote_server_administration_ports + - aws_unrestricted_network_acl_inbound_traffic + - aws_unrestricted_network_acl_outbound_traffic + - aws_security_group_port_range + - aws_security_group_name_prefixed_with_launch_wizard + - aws_ec2_instance_not_in_public_subnet + - aws_disable_public_ip_address_assignment_for_ec2_instances + - aws_ec2_instance_in_vpc + - aws_rds_db_instance_no_public_subnet + - aws_vpc_endpoint_cross_account_access + - aws_vpc_endpoints_in_use + - aws_vpc_peering_connections_to_accounts_outside_aws_organization + - aws_unrestricted_icmp_access + - aws_unrestricted_mongodb_access + - aws_unrestricted_mssql_access + - aws_unrestricted_mysql_access + - aws_unrestricted_netbios_access + - aws_unrestricted_opensearch_access + - aws_unrestricted_oracle_access + - aws_unrestricted_rpc_access + - aws_unrestricted_smtp_access + - aws_unrestricted_security_group_ingress_on_uncommon_ports + - aws_unrestricted_cifs_access 
+ - aws_enable_amazon_waf_integration_for_application_load_balancers + - aws_elbv2_alb_listener_security + - aws_elbv2_nlb_listener_security + - aws_enable_http_to_https_redirect_for_application_load_balancers + - aws_elbv2_alb_security_policy + - aws_enable_cross_zone_load_balancing + - aws_elb_insecure_ssl_protocols + - aws_internet_facing_elbs + - aws_internet_facing_elbv2s +- id: azure_baseline_security + title: Security for Azure + description: Comprehensive security controls and benchmarks for Azure environments, categorized for streamlined management. + section-code: azure_baseline_security + tags: + baseline_category: + - security + type: + - BASELINE + control-group: + - id: azure_baseline_security_data_protection + title: Data Protection and Encryption for Azure + description: Controls related to encrypting data at rest and in transit to ensure data integrity and confidentiality in Azure environments. + section-code: data_protection_encryption + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - azure_enable_infrastructure_encryption + - azure_storage_account_encryption_using_customer_managed_keys + - azure_disk_encryption_for_unattached_disk_volumes + - azure_disk_encryption_for_non_boot_disk_volumes + - azure_disk_encryption_for_boot_disk_volumes + - azure_monitor_log_all_activities + - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys + - azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted + - azure_check_for_key_vault_full_administrator_permissions + - azure_check_for_usage_of_byok_for_disk_volumes_encryption + - azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption + - azure_server_side_encryption_for_unattached_disk_using_cmk + - azure_server_side_encryption_for_boot_disk_using_cmk + - azure_server_side_encryption_for_non_boot_disk_using_cmk + - azure_use_byok_for_transparent_data_encryption + - 
azure_use_byok_for_storage_account_encryption + - azure_enable_trusted_microsoft_services_for_key_vault_access + - azure_set_azure_secret_key_expiration + - id: azure_baseline_security_iam + title: IAM Security for Azure + description: Controls related to Identity and Access Management to ensure secure authentication and authorization mechanisms in Azure. + section-code: iam_security + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - entraid_user_should_have_mfa_enabled_with_azure_subscription_role_assignment + - entraid_spn_with_active_client_secret_created_x_days_ago + - azure_enable_kubernetes_role_based_access_control + - azure_use_system_assigned_managed_identities_for_aks_clusters + - azure_use_user_assigned_managed_identities_for_aks_clusters + - azure_use_microsoft_entra_id_integration_for_aks_clusters + - azure_use_microsoft_entra_admin_for_sql_authentication + - azure_enable_defender_for_cloud_for_aks_clusters + - id: azure_baseline_security_infrastructure + title: Infrastructure Configuration and Compliance for Azure + description: Controls ensuring infrastructure adheres to best practices and compliance standards for secure and efficient Azure operations. 
+ section-code: infrastructure_configuration_compliance + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - azure_check_for_kubernetes_version + - azure_enable_defender_for_cloud_for_aks_clusters + - azure_enable_kubernetes_role_based_access_control + - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges + - azure_use_system_assigned_managed_identities_for_aks_clusters + - azure_disable_plain_ftp_deployment + - azure_restrict_default_network_access_for_azure_cosmos_db_accounts + - azure_check_for_publicly_accessible_web_containers + - azure_disable_anonymous_access_to_blob_containers + - azure_disable_public_access_to_storage_accounts_with_blob_containers + - azure_enable_infrastructure_encryption + - azure_private_endpoint_in_use + - azure_restrict_default_network_access_for_storage_accounts + - azure_storage_account_encryption_using_customer_managed_keys + - azure_disk_encryption_for_unattached_disk_volumes + - azure_disk_encryption_for_non_boot_disk_volumes + - azure_disk_encryption_for_boot_disk_volumes + - azure_monitor_log_all_activities + - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys + - azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted + - azure_check_for_key_vault_full_administrator_permissions + - azure_restrict_default_network_access_for_azure_key_vaults + - azure_enable_key_vault_recoverability + - azure_check_for_unattached_virtual_machine_disk_volumes + - azure_check_for_allowed_certificate_key_types + - azure_check_for_azure_key_vault_keys_expiration_date + - azure_configure_minimum_tls_version + - azure_limit_storage_account_access_by_ip_address + - azure_app_tier_customer_managed_key_in_use + - azure_database_tier_customer_managed_key_in_use + - azure_check_for_azure_key_vault_secrets_expiration_date + - azure_check_for_certificate_minimum_key_size + - azure_set_encryption_key_expiration + - 
azure_check_for_unrestricted_sql_database_access + - azure_enable_all_types_of_threat_detection_on_sql_servers + - azure_enable_auditing_for_sql_servers + - azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners + - azure_enable_vulnerability_assessment_periodic_recurring_scans + - azure_enable_vulnerability_assessment_for_microsoft_sql_servers + - azure_sql_auditing_retention + - azure_use_byok_for_transparent_data_encryption + - azure_check_for_desired_vm_sku_sizes + - azure_check_for_usage_of_byok_for_disk_volumes_encryption + - azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption + - azure_server_side_encryption_for_unattached_disk_using_cmk + - azure_server_side_encryption_for_boot_disk_using_cmk + - azure_server_side_encryption_for_non_boot_disk_using_cmk + - azure_check_for_usage_of_endpoint_protection + - azure_approved_azure_machine_image_in_use + - azure_check_for_ssh_authentication_type + - azure_check_for_automatic_os_upgrades + - azure_check_for_zone_redundant_virtual_machine_scale_sets + - azure_check_for_just_in_time_access_for_virtual_machines + - azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication + - azure_check_for_usage_of_approved_extensions_only + - azure_check_for_virtual_machine_boot_diagnostics + - azure_check_for_system_assigned_managed_identities + - azure_check_for_encryption_for_web_tier_disk_volumes + - azure_check_for_guest_level_diagnostics_for_virtual_machines + - azure_use_byok_for_storage_account_encryption + - azure_enable_trusted_microsoft_services_for_storage_account_access + - azure_enable_secure_transfer_in_azure_storage + - azure_enable_logging_for_azure_storage_table_service + - azure_enable_logging_for_azure_storage_queue_service + - azure_enable_logging_for_azure_storage_blob_service + - azure_enable_immutable_blob_storage + - azure_enable_blob_storage_lifecycle_management + - azure_check_for_unrestricted_telnet_access + - 
azure_enable_azure_network_watcher + - azure_check_for_unrestricted_udp_access + - azure_check_for_unrestricted_ssh_access + - azure_check_for_unrestricted_smtp_access + - azure_check_for_unrestricted_rpc_access + - azure_check_for_unrestricted_mssql_access + - azure_check_for_unrestricted_mysql_database_access + - azure_check_for_unrestricted_oracle_database_access + - azure_check_for_unrestricted_postgresql_database_access + - azure_check_for_unrestricted_rdp_access + - azure_check_for_unrestricted_netbios_access + - azure_check_for_unrestricted_mongodb_access + - azure_review_network_interfaces_with_ip_forwarding_enabled + - azure_enable_ddos_standard_protection_for_virtual_networks + - azure_use_azure_cni_add_on_for_managing_network_resources + - azure_use_microsoft_entra_id_integration_for_aks_clusters + - azure_check_for_installataion_for_latest_os_patches + - azure_check_for_backups_for_azure_virtual_machines + - azure_use_user_assigned_managed_identities_for_aks_clusters + - azure_kubernetes_api_version + - azure_set_azure_secret_key_expiration + - azure_web_tier_customer_managed_key_in_use + - azure_enable_trusted_microsoft_services_for_key_vault_access + - azure_use_network_contributor_role_for_managing_azure_network_resources + - azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts + - azure_configure_audit_action_group_for_sql_server_auditing + - azure_use_microsoft_entra_admin_for_sql_authentication + - azure_enable_in_transit_encryption_for_mysql_servers + - azure_enable_automatic_failover + - azure_check_for_sufficient_certificate_auto_renewal_period + - azure_enable_ssl_certificate_auto_renewal + - azure_enable_certificate_transparency + - id: azure_baseline_security_monitoring + title: Monitoring, Logging, and Auditing for Azure + description: Controls focused on monitoring Azure environments, logging activities, and auditing for compliance and security incident response. 
+ section-code: monitoring_logging_auditing + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - azure_monitor_log_all_activities + - azure_enable_defender_for_cloud_for_aks_clusters + - azure_enable_auditevent_logging_for_azure_key_vaults + - azure_enable_auditing_for_sql_servers + - azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners + - azure_enable_vulnerability_assessment_periodic_recurring_scans + - azure_enable_vulnerability_assessment_for_microsoft_sql_servers + - azure_sql_auditing_retention + - azure_enable_trusted_microsoft_services_for_key_vault_access + - azure_configure_audit_action_group_for_sql_server_auditing + - id: azure_baseline_security_network + title: Network Security for Azure + description: Controls focused on securing network configurations, managing traffic flow, and protecting network boundaries in Azure environments. + section-code: network_security + tags: + baseline_category: + - security + type: + - BASELINE + controls: + - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges + - azure_disable_plain_ftp_deployment + - azure_restrict_default_network_access_for_azure_cosmos_db_accounts + - azure_check_for_publicly_accessible_web_containers + - azure_disable_anonymous_access_to_blob_containers + - azure_disable_public_access_to_storage_accounts_with_blob_containers + - azure_private_endpoint_in_use + - azure_restrict_default_network_access_for_storage_accounts + - azure_limit_storage_account_access_by_ip_address + - azure_enable_trusted_microsoft_services_for_storage_account_access + - azure_enable_secure_transfer_in_azure_storage + - azure_enable_logging_for_azure_storage_table_service + - azure_enable_logging_for_azure_storage_queue_service + - azure_enable_logging_for_azure_storage_blob_service + - azure_enable_immutable_blob_storage + - azure_enable_blob_storage_lifecycle_management + - azure_check_for_unrestricted_telnet_access + - 
azure_enable_azure_network_watcher + - azure_check_for_unrestricted_udp_access + - azure_check_for_unrestricted_ssh_access + - azure_check_for_unrestricted_smtp_access + - azure_check_for_unrestricted_rpc_access + - azure_check_for_unrestricted_mssql_access + - azure_check_for_unrestricted_mysql_database_access + - azure_check_for_unrestricted_oracle_database_access + - azure_check_for_unrestricted_postgresql_database_access + - azure_check_for_unrestricted_rdp_access + - azure_check_for_unrestricted_netbios_access + - azure_check_for_unrestricted_mongodb_access + - azure_review_network_interfaces_with_ip_forwarding_enabled + - azure_enable_ddos_standard_protection_for_virtual_networks + - azure_use_azure_cni_add_on_for_managing_network_resources diff --git a/compliance/frameworks/baseline/supportability.yaml b/compliance/frameworks/baseline/supportability.yaml index 074ddd849..70c2c01de 100644 --- a/compliance/frameworks/baseline/supportability.yaml +++ b/compliance/frameworks/baseline/supportability.yaml 
@@ -1,184 +1,184 @@ -framework: - id: baseline_supportability - title: Supportability - description: Comprehensive supportability benchmarks for AWS and Azure environments, categorized for streamlined management. - section-code: baseline_supportability +id: baseline_supportability +title: Supportability +description: Comprehensive supportability benchmarks for AWS and Azure environments, categorized for streamlined management. +section-code: baseline_supportability +type: framework +tags: + baseline_category: + - Supportability + type: + - BASELINE +defaults: + is-baseline: true + enabled: true + tracks-drift-events: false +control-group: +- id: aws_baseline_supportability + title: AWS Baseline Supportability + description: Supportability checks for AWS resources. + section-code: aws_baseline_supportability tags: baseline_category: - - Supportability + - supportability type: - BASELINE - defaults: - is-baseline: true - enabled: true - tracks-drift-events: false control-group: - - id: aws_baseline_supportability - title: AWS Baseline Supportability - description: Supportability checks for AWS resources. - section-code: aws_baseline_supportability + - id: aws_baseline_supportability_compute + title: AWS Baseline Supportability - Compute + description: Ensure AWS compute resources are configured for supportability. + section-code: aws_baseline_supportability_compute tags: baseline_category: - supportability type: - BASELINE - control-group: - - id: aws_baseline_supportability_compute - title: AWS Baseline Supportability - Compute - description: Ensure AWS compute resources are configured for supportability. 
- section-code: aws_baseline_supportability_compute - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_ec2_instance_naming_conventions - - aws_ebs_volumes_attached_to_stopped_ec2_instances - - aws_unused_aws_ec2_key_pairs - - aws_ec2_instances_with_multiple_elastic_network_interfaces - - aws_check_for_ecs_container_instance_agent_version - - id: aws_baseline_supportability_kubernetes_management - title: AWS Baseline Supportability - Kubernetes Management - description: Ensure AWS EKS clusters are configured for supportability. - section-code: aws_baseline_supportability_kubernetes_management - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_disable_remote_access_to_eks_cluster_node_groups - - aws_enable_cloudtrail_logging_for_kubernetes_api_calls - - aws_eks_cluster_node_group_iam_role_policies - - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls - - aws_enable_cloudwatch_container_insights - - id: aws_baseline_supportability_networking - title: AWS Baseline Supportability - Networking - description: Ensure AWS networking resources are configured for supportability. - section-code: aws_baseline_supportability_networking - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_unused_elastic_network_interfaces - - aws_use_aws_managed_policy_to_manage_networking_resources - - id: aws_baseline_supportability_certificates - title: AWS Baseline Supportability - Certificates - description: Ensure AWS certificates are managed properly. 
- section-code: aws_baseline_supportability_certificates - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_acm_certificate_expired - - aws_acm_certificates_validity - - aws_acm_certificates_with_wildcard_domain_names - - id: aws_baseline_supportability_logging_and_monitoring - title: AWS Baseline Supportability - Logging and Monitoring - description: Ensure AWS logging and monitoring is configured for supportability. - section-code: aws_baseline_supportability_logging_and_monitoring - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_opensearch_slow_logs - - aws_enable_serverless_log_exports - - aws_instance_level_events_subscriptions - - aws_log_exports - - aws_performance_insights - - aws_security_groups_events_subscriptions - - aws_ecs_task_log_driver_in_use - - aws_lifecycle_policy_in_use - - aws_enable_aurora_cluster_copy_tags_to_snapshots - - id: aws_baseline_supportability_database - title: AWS Baseline Supportability - Database - description: Ensure AWS RDS instances are configured for supportability. - section-code: aws_baseline_supportability_database - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy - - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time - - id: aws_baseline_supportability_iam_and_security - title: AWS Baseline Supportability - IAM and Security - description: Ensure AWS IAM policies and security are configured for supportability. 
- section-code: aws_baseline_supportability_iam_and_security - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - aws_multi_account_centralized_management - - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories - - aws_use_aws_managed_policy_to_manage_aws_resources - - id: azure_baseline_supportability - title: Azure Baseline Supportability - description: Supportability checks for Azure resources. - section-code: azure_baseline_supportability + controls: + - aws_ec2_instance_naming_conventions + - aws_ebs_volumes_attached_to_stopped_ec2_instances + - aws_unused_aws_ec2_key_pairs + - aws_ec2_instances_with_multiple_elastic_network_interfaces + - aws_check_for_ecs_container_instance_agent_version + - id: aws_baseline_supportability_kubernetes_management + title: AWS Baseline Supportability - Kubernetes Management + description: Ensure AWS EKS clusters are configured for supportability. + section-code: aws_baseline_supportability_kubernetes_management tags: baseline_category: - supportability type: - BASELINE - control-group: - - id: azure_baseline_supportability_key_vault_and_certificates - title: Azure Baseline Supportability - Key Vault and Certificates - description: Ensure Azure Key Vault and certificates are configured for supportability. - section-code: azure_baseline_supportability_key_vault_and_certificates - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - azure_keyvault_logging_enabled - - azure_configure_minimum_tls_version - - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys - - id: azure_baseline_supportability_kubernetes_management - title: Azure Baseline Supportability - Kubernetes Management - description: Ensure Azure Kubernetes Service (AKS) clusters are configured for supportability. 
- section-code: azure_baseline_supportability_kubernetes_management - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - azure_enable_defender_for_cloud_for_aks_clusters - - azure_use_azure_cni_add_on_for_managing_network_resources - - azure_use_microsoft_entra_id_integration_for_aks_clusters - - azure_use_user_assigned_managed_identities_for_aks_clusters - - azure_kubernetes_api_version - - id: azure_baseline_supportability_networking - title: Azure Baseline Supportability - Networking - description: Ensure Azure networking resources are configured for supportability. - section-code: azure_baseline_supportability_networking - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - azure_use_network_contributor_role_for_managing_azure_network_resources - - id: azure_baseline_supportability_general_practices - title: Azure Baseline Supportability - General Practices - description: Ensure general practices for Azure resources are in place. - section-code: azure_baseline_supportability_general_practices - tags: - baseline_category: - - supportability - type: - - BASELINE - controls: - - azure_disable_plain_ftp_deployment + controls: + - aws_disable_remote_access_to_eks_cluster_node_groups + - aws_enable_cloudtrail_logging_for_kubernetes_api_calls + - aws_eks_cluster_node_group_iam_role_policies + - aws_use_oidc_provider_for_authenticating_kubernetes_api_calls + - aws_enable_cloudwatch_container_insights + - id: aws_baseline_supportability_networking + title: AWS Baseline Supportability - Networking + description: Ensure AWS networking resources are configured for supportability. 
+ section-code: aws_baseline_supportability_networking + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - aws_unused_elastic_network_interfaces + - aws_use_aws_managed_policy_to_manage_networking_resources + - id: aws_baseline_supportability_certificates + title: AWS Baseline Supportability - Certificates + description: Ensure AWS certificates are managed properly. + section-code: aws_baseline_supportability_certificates + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - aws_acm_certificate_expired + - aws_acm_certificates_validity + - aws_acm_certificates_with_wildcard_domain_names + - id: aws_baseline_supportability_logging_and_monitoring + title: AWS Baseline Supportability - Logging and Monitoring + description: Ensure AWS logging and monitoring is configured for supportability. + section-code: aws_baseline_supportability_logging_and_monitoring + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - aws_opensearch_slow_logs + - aws_enable_serverless_log_exports + - aws_instance_level_events_subscriptions + - aws_log_exports + - aws_performance_insights + - aws_security_groups_events_subscriptions + - aws_ecs_task_log_driver_in_use + - aws_lifecycle_policy_in_use + - aws_enable_aurora_cluster_copy_tags_to_snapshots + - id: aws_baseline_supportability_database + title: AWS Baseline Supportability - Database + description: Ensure AWS RDS instances are configured for supportability. + section-code: aws_baseline_supportability_database + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - aws_rds_database_instances_have_a_minimum_acceptable_backup_policy + - aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time + - id: aws_baseline_supportability_iam_and_security + title: AWS Baseline Supportability - IAM and Security + description: Ensure AWS IAM policies and security are configured for supportability. 
+ section-code: aws_baseline_supportability_iam_and_security + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - aws_multi_account_centralized_management + - aws_use_aws_managed_policy_to_access_amazon_ecr_repositories + - aws_use_aws_managed_policy_to_manage_aws_resources +- id: azure_baseline_supportability + title: Azure Baseline Supportability + description: Supportability checks for Azure resources. + section-code: azure_baseline_supportability + tags: + baseline_category: + - supportability + type: + - BASELINE + control-group: + - id: azure_baseline_supportability_key_vault_and_certificates + title: Azure Baseline Supportability - Key Vault and Certificates + description: Ensure Azure Key Vault and certificates are configured for supportability. + section-code: azure_baseline_supportability_key_vault_and_certificates + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - azure_keyvault_logging_enabled + - azure_configure_minimum_tls_version + - azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys + - id: azure_baseline_supportability_kubernetes_management + title: Azure Baseline Supportability - Kubernetes Management + description: Ensure Azure Kubernetes Service (AKS) clusters are configured for supportability. + section-code: azure_baseline_supportability_kubernetes_management + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - azure_enable_defender_for_cloud_for_aks_clusters + - azure_use_azure_cni_add_on_for_managing_network_resources + - azure_use_microsoft_entra_id_integration_for_aks_clusters + - azure_use_user_assigned_managed_identities_for_aks_clusters + - azure_kubernetes_api_version + - id: azure_baseline_supportability_networking + title: Azure Baseline Supportability - Networking + description: Ensure Azure networking resources are configured for supportability. 
+ section-code: azure_baseline_supportability_networking + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - azure_use_network_contributor_role_for_managing_azure_network_resources + - id: azure_baseline_supportability_general_practices + title: Azure Baseline Supportability - General Practices + description: Ensure general practices for Azure resources are in place. + section-code: azure_baseline_supportability_general_practices + tags: + baseline_category: + - supportability + type: + - BASELINE + controls: + - azure_disable_plain_ftp_deployment diff --git a/compliance/frameworks/tagging/tagging.yaml b/compliance/frameworks/tagging/tagging.yaml index 02bea9795..e59427ebe 100755 --- a/compliance/frameworks/tagging/tagging.yaml +++ b/compliance/frameworks/tagging/tagging.yaml @@ -1,8 +1,32 @@ -framework: - id: tagging - title: Tagging - description: Tagging - section-code: tagging +id: tagging +title: Tagging +description: Tagging +section-code: tagging +type: framework +tags: + category: + - Compliance + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + - azure + service: + - AWS + - Azure + type: + - Benchmark +defaults: + is-baseline: false + enabled: false + tracks-drift-events: false +control-group: +- id: tagging_aws_tagging + title: AWS Tagging + description: AWS Tagging + section-code: tagging_aws_tagging tags: category: - Compliance 
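Review bot: The framework-level tag in this hunk keeps the capitalized value `- Supportability` while every control-group in the same file now carries `- supportability` (the hunk itself flips the `aws_baseline_supportability` group from `Supportability` to `supportability`), so the `baseline_category` values no longer agree within the file. If that tag is used anywhere for filtering or grouping with case-sensitive matching, the framework and its groups will land in different buckets; the Azure security groups earlier in this diff also use lowercase (`- security`), which suggests lowercase is the intended convention. Suggest changing the top-level entry to `- supportability`, or confirming the matcher is case-insensitive and documenting that. Separately, the `azure_baseline_supportability_key_vault_and_certificates` group lists `azure_configure_minimum_tls_version` and a SQL managed instance TDE control that do not match its "Key Vault and certificates" description; worth either moving them or widening the description.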
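Review bot: The `description` fields introduced here only repeat the title (`description: Tagging`, `description: AWS Tagging`), so a reader cannot tell what the framework enforces or that it is opt-in (`enabled: false` and `is-baseline: false` under `defaults`). Suggest something like `description: Verifies that in-scope AWS and Azure resources carry the mandatory tag set used for ownership attribution; disabled by default until the mandatory tags are defined.`, with the wording confirmed against what the `*_mandatory` controls actually check, since their definitions are not part of this diff. The same placeholder pattern (`description: Azure Tagging`) is repeated for the Azure group in the following hunk.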
@@ -12,176 +36,152 @@ framework: - Best Practices plugin: - aws - - azure service: - AWS + type: + - Benchmark + controls: + - aws_mandatory_sql_accessanalyzer_analyzer_mandatory + - aws_mandatory_sql_api_gateway_stage_mandatory + - aws_mandatory_sql_cloudfront_distribution_mandatory + - aws_mandatory_sql_cloudtrail_trail_mandatory + - aws_mandatory_sql_cloudwatch_alarm_mandatory + - aws_mandatory_sql_cloudwatch_log_group_mandatory + - aws_mandatory_sql_codebuild_project_mandatory + - aws_mandatory_sql_codecommit_repository_mandatory + - aws_mandatory_sql_codepipeline_pipeline_mandatory + - aws_mandatory_sql_config_rule_mandatory + - aws_mandatory_sql_dax_cluster_mandatory + - aws_mandatory_sql_directory_service_directory_mandatory + - aws_mandatory_sql_dms_replication_instance_mandatory + - aws_mandatory_sql_dynamodb_table_mandatory + - aws_mandatory_sql_ebs_snapshot_mandatory + - aws_mandatory_sql_ebs_volume_mandatory + - aws_mandatory_sql_ec2_application_load_balancer_mandatory + - aws_mandatory_sql_ec2_classic_load_balancer_mandatory + - aws_mandatory_sql_ec2_gateway_load_balancer_mandatory + - aws_mandatory_sql_ec2_instance_mandatory + - aws_mandatory_sql_ec2_network_load_balancer_mandatory + - aws_mandatory_sql_ec2_reserved_instance_mandatory + - aws_mandatory_sql_ecr_repository_mandatory + - aws_mandatory_sql_ecs_container_instance_mandatory + - aws_mandatory_sql_ecs_service_mandatory + - aws_mandatory_sql_efs_file_system_mandatory + - aws_mandatory_sql_eks_addon_mandatory + - aws_mandatory_sql_eks_cluster_mandatory + - aws_mandatory_sql_elastic_beanstalk_application_mandatory + - aws_mandatory_sql_elastic_beanstalk_environment_mandatory + - aws_mandatory_sql_elasticache_cluster_mandatory + - aws_mandatory_sql_elasticsearch_domain_mandatory + - aws_mandatory_sql_eventbridge_rule_mandatory + - aws_mandatory_sql_guardduty_detector_mandatory + - aws_mandatory_sql_iam_role_mandatory + - aws_mandatory_sql_iam_server_certificate_mandatory + - 
aws_mandatory_sql_iam_user_mandatory + - aws_mandatory_sql_inspector_assessment_template_mandatory + - aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory + - aws_mandatory_sql_kms_key_mandatory + - aws_mandatory_sql_lambda_function_mandatory + - aws_mandatory_sql_rds_db_cluster_mandatory + - aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory + - aws_mandatory_sql_rds_db_cluster_snapshot_mandatory + - aws_mandatory_sql_rds_db_instance_mandatory + - aws_mandatory_sql_rds_db_option_group_mandatory + - aws_mandatory_sql_rds_db_parameter_group_mandatory + - aws_mandatory_sql_rds_db_snapshot_mandatory + - aws_mandatory_sql_rds_db_subnet_group_mandatory + - aws_mandatory_sql_redshift_cluster_mandatory + - aws_mandatory_sql_route53_domain_mandatory + - aws_mandatory_sql_route53_resolver_endpoint_mandatory + - aws_mandatory_sql_s3_bucket_mandatory + - aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory + - aws_mandatory_sql_sagemaker_model_mandatory + - aws_mandatory_sql_sagemaker_notebook_instance_mandatory + - aws_mandatory_sql_sagemaker_training_job_mandatory + - aws_mandatory_sql_secretsmanager_secret_mandatory + - aws_mandatory_sql_ssm_parameter_mandatory + - aws_mandatory_sql_vpc_eip_mandatory + - aws_mandatory_sql_vpc_mandatory + - aws_mandatory_sql_vpc_nat_gateway_mandatory + - aws_mandatory_sql_vpc_network_acl_mandatory + - aws_mandatory_sql_vpc_security_group_mandatory + - aws_mandatory_sql_vpc_vpn_connection_mandatory + - aws_mandatory_sql_wafv2_ip_set_mandatory + - aws_mandatory_sql_wafv2_regex_pattern_set_mandatory + - aws_mandatory_sql_wafv2_rule_group_mandatory + - aws_mandatory_sql_wafv2_web_acl_mandatory +- id: tagging_azure_tagging + title: Azure Tagging + description: Azure Tagging + section-code: tagging_azure_tagging + tags: + category: + - Compliance + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - azure + service: - Azure type: - Benchmark - defaults: - is-baseline: false - 
enabled: false - tracks-drift-events: false - control-group: - - id: tagging_aws_tagging - title: AWS Tagging - description: AWS Tagging - section-code: tagging_aws_tagging - tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark - controls: - - aws_mandatory_sql_accessanalyzer_analyzer_mandatory - - aws_mandatory_sql_api_gateway_stage_mandatory - - aws_mandatory_sql_cloudfront_distribution_mandatory - - aws_mandatory_sql_cloudtrail_trail_mandatory - - aws_mandatory_sql_cloudwatch_alarm_mandatory - - aws_mandatory_sql_cloudwatch_log_group_mandatory - - aws_mandatory_sql_codebuild_project_mandatory - - aws_mandatory_sql_codecommit_repository_mandatory - - aws_mandatory_sql_codepipeline_pipeline_mandatory - - aws_mandatory_sql_config_rule_mandatory - - aws_mandatory_sql_dax_cluster_mandatory - - aws_mandatory_sql_directory_service_directory_mandatory - - aws_mandatory_sql_dms_replication_instance_mandatory - - aws_mandatory_sql_dynamodb_table_mandatory - - aws_mandatory_sql_ebs_snapshot_mandatory - - aws_mandatory_sql_ebs_volume_mandatory - - aws_mandatory_sql_ec2_application_load_balancer_mandatory - - aws_mandatory_sql_ec2_classic_load_balancer_mandatory - - aws_mandatory_sql_ec2_gateway_load_balancer_mandatory - - aws_mandatory_sql_ec2_instance_mandatory - - aws_mandatory_sql_ec2_network_load_balancer_mandatory - - aws_mandatory_sql_ec2_reserved_instance_mandatory - - aws_mandatory_sql_ecr_repository_mandatory - - aws_mandatory_sql_ecs_container_instance_mandatory - - aws_mandatory_sql_ecs_service_mandatory - - aws_mandatory_sql_efs_file_system_mandatory - - aws_mandatory_sql_eks_addon_mandatory - - aws_mandatory_sql_eks_cluster_mandatory - - aws_mandatory_sql_elastic_beanstalk_application_mandatory - - aws_mandatory_sql_elastic_beanstalk_environment_mandatory - - aws_mandatory_sql_elasticache_cluster_mandatory - - 
aws_mandatory_sql_elasticsearch_domain_mandatory - - aws_mandatory_sql_eventbridge_rule_mandatory - - aws_mandatory_sql_guardduty_detector_mandatory - - aws_mandatory_sql_iam_role_mandatory - - aws_mandatory_sql_iam_server_certificate_mandatory - - aws_mandatory_sql_iam_user_mandatory - - aws_mandatory_sql_inspector_assessment_template_mandatory - - aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory - - aws_mandatory_sql_kms_key_mandatory - - aws_mandatory_sql_lambda_function_mandatory - - aws_mandatory_sql_rds_db_cluster_mandatory - - aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory - - aws_mandatory_sql_rds_db_cluster_snapshot_mandatory - - aws_mandatory_sql_rds_db_instance_mandatory - - aws_mandatory_sql_rds_db_option_group_mandatory - - aws_mandatory_sql_rds_db_parameter_group_mandatory - - aws_mandatory_sql_rds_db_snapshot_mandatory - - aws_mandatory_sql_rds_db_subnet_group_mandatory - - aws_mandatory_sql_redshift_cluster_mandatory - - aws_mandatory_sql_route53_domain_mandatory - - aws_mandatory_sql_route53_resolver_endpoint_mandatory - - aws_mandatory_sql_s3_bucket_mandatory - - aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory - - aws_mandatory_sql_sagemaker_model_mandatory - - aws_mandatory_sql_sagemaker_notebook_instance_mandatory - - aws_mandatory_sql_sagemaker_training_job_mandatory - - aws_mandatory_sql_secretsmanager_secret_mandatory - - aws_mandatory_sql_ssm_parameter_mandatory - - aws_mandatory_sql_vpc_eip_mandatory - - aws_mandatory_sql_vpc_mandatory - - aws_mandatory_sql_vpc_nat_gateway_mandatory - - aws_mandatory_sql_vpc_network_acl_mandatory - - aws_mandatory_sql_vpc_security_group_mandatory - - aws_mandatory_sql_vpc_vpn_connection_mandatory - - aws_mandatory_sql_wafv2_ip_set_mandatory - - aws_mandatory_sql_wafv2_regex_pattern_set_mandatory - - aws_mandatory_sql_wafv2_rule_group_mandatory - - aws_mandatory_sql_wafv2_web_acl_mandatory - - id: tagging_azure_tagging - title: Azure Tagging - description: Azure Tagging - 
section-code: tagging_azure_tagging - tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - azure - service: - - Azure - type: - - Benchmark - controls: - - azure_mandatory_sql_resource_group_api_management_mandatory - - azure_mandatory_sql_resource_group_app_service_environment_mandatory - - azure_mandatory_sql_resource_group_app_service_function_app_mandatory - - azure_mandatory_sql_resource_group_app_service_plan_mandatory - - azure_mandatory_sql_resource_group_app_service_web_app_mandatory - - azure_mandatory_sql_resource_group_application_security_group_mandatory - - azure_mandatory_sql_resource_group_batch_account_mandatory - - azure_mandatory_sql_resource_group_compute_availability_set_mandatory - - azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory - - azure_mandatory_sql_resource_group_compute_disk_mandatory - - azure_mandatory_sql_resource_group_compute_image_mandatory - - azure_mandatory_sql_resource_group_compute_snapshot_mandatory - - azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory - - azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory - - azure_mandatory_sql_resource_group_container_registry_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_account_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory - - azure_mandatory_sql_resource_group_data_factory_mandatory - - azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory - - azure_mandatory_sql_resource_group_data_lake_store_mandatory - - azure_mandatory_sql_resource_group_eventhub_namespace_mandatory - - azure_mandatory_sql_resource_group_express_route_circuit_mandatory - - azure_mandatory_sql_resource_group_firewall_mandatory - - azure_mandatory_sql_resource_group_iothub_mandatory - - 
azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory
- - azure_mandatory_sql_resource_group_key_vault_key_mandatory
- - azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory
- - azure_mandatory_sql_resource_group_key_vault_mandatory
- - azure_mandatory_sql_resource_group_key_vault_secret_mandatory
- - azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory
- - azure_mandatory_sql_resource_group_lb_mandatory
- - azure_mandatory_sql_resource_group_log_alert_mandatory
- - azure_mandatory_sql_resource_group_log_profile_mandatory
- - azure_mandatory_sql_resource_group_logic_app_workflow_mandatory
- - azure_mandatory_sql_resource_group_mariadb_server_mandatory
- - azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory
- - azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory
- - azure_mandatory_sql_resource_group_mysql_server_mandatory
- - azure_mandatory_sql_resource_group_network_interface_mandatory
- - azure_mandatory_sql_resource_group_network_security_group_mandatory
- - azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory
- - azure_mandatory_sql_resource_group_network_watcher_mandatory
- - azure_mandatory_sql_resource_group_postgresql_server_mandatory
- - azure_mandatory_sql_resource_group_public_ip_mandatory
- - azure_mandatory_sql_resource_group_recovery_services_vault_mandatory
- - azure_mandatory_sql_resource_group_redis_cache_mandatory
- - azure_mandatory_sql_resource_group_route_table_mandatory
- - azure_mandatory_sql_resource_group_search_service_mandatory
- - azure_mandatory_sql_resource_group_servicebus_namespace_mandatory
- - azure_mandatory_sql_resource_group_sql_database_mandatory
- - azure_mandatory_sql_resource_group_sql_server_mandatory
- - azure_mandatory_sql_resource_group_storage_account_mandatory
- - azure_mandatory_sql_resource_group_stream_analytics_job_mandatory
- - azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory
- - azure_mandatory_sql_resource_group_virtual_network_mandatory
- - azure_mandatory_sql_subscription_resource_group_mandatory
+ controls:
+ - azure_mandatory_sql_resource_group_api_management_mandatory
+ - azure_mandatory_sql_resource_group_app_service_environment_mandatory
+ - azure_mandatory_sql_resource_group_app_service_function_app_mandatory
+ - azure_mandatory_sql_resource_group_app_service_plan_mandatory
+ - azure_mandatory_sql_resource_group_app_service_web_app_mandatory
+ - azure_mandatory_sql_resource_group_application_security_group_mandatory
+ - azure_mandatory_sql_resource_group_batch_account_mandatory
+ - azure_mandatory_sql_resource_group_compute_availability_set_mandatory
+ - azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory
+ - azure_mandatory_sql_resource_group_compute_disk_mandatory
+ - azure_mandatory_sql_resource_group_compute_image_mandatory
+ - azure_mandatory_sql_resource_group_compute_snapshot_mandatory
+ - azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory
+ - azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory
+ - azure_mandatory_sql_resource_group_container_registry_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_account_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory
+ - azure_mandatory_sql_resource_group_data_factory_mandatory
+ - azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory
+ - azure_mandatory_sql_resource_group_data_lake_store_mandatory
+ - azure_mandatory_sql_resource_group_eventhub_namespace_mandatory
+ - azure_mandatory_sql_resource_group_express_route_circuit_mandatory
+ - azure_mandatory_sql_resource_group_firewall_mandatory
+ - azure_mandatory_sql_resource_group_iothub_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_key_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_secret_mandatory
+ - azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory
+ - azure_mandatory_sql_resource_group_lb_mandatory
+ - azure_mandatory_sql_resource_group_log_alert_mandatory
+ - azure_mandatory_sql_resource_group_log_profile_mandatory
+ - azure_mandatory_sql_resource_group_logic_app_workflow_mandatory
+ - azure_mandatory_sql_resource_group_mariadb_server_mandatory
+ - azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory
+ - azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory
+ - azure_mandatory_sql_resource_group_mysql_server_mandatory
+ - azure_mandatory_sql_resource_group_network_interface_mandatory
+ - azure_mandatory_sql_resource_group_network_security_group_mandatory
+ - azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory
+ - azure_mandatory_sql_resource_group_network_watcher_mandatory
+ - azure_mandatory_sql_resource_group_postgresql_server_mandatory
+ - azure_mandatory_sql_resource_group_public_ip_mandatory
+ - azure_mandatory_sql_resource_group_recovery_services_vault_mandatory
+ - azure_mandatory_sql_resource_group_redis_cache_mandatory
+ - azure_mandatory_sql_resource_group_route_table_mandatory
+ - azure_mandatory_sql_resource_group_search_service_mandatory
+ - azure_mandatory_sql_resource_group_servicebus_namespace_mandatory
+ - azure_mandatory_sql_resource_group_sql_database_mandatory
+ - azure_mandatory_sql_resource_group_sql_server_mandatory
+ - azure_mandatory_sql_resource_group_storage_account_mandatory
+ - azure_mandatory_sql_resource_group_stream_analytics_job_mandatory
+ - azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory
+ - azure_mandatory_sql_resource_group_virtual_network_mandatory
+ - azure_mandatory_sql_subscription_resource_group_mandatory
diff --git a/integrations.yaml b/manifest.yaml
similarity index 100%
rename from integrations.yaml
rename to manifest.yaml
